From 671e13df7021663a721407f81fa496e195365865 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 14 Oct 2025 12:37:47 +0200
Subject: [PATCH] [api] Fix listing tenantnamespaces for non-oidc users

Signed-off-by: Andrei Kvapil
---
 pkg/registry/core/tenantnamespace/rest.go | 24 +++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/pkg/registry/core/tenantnamespace/rest.go b/pkg/registry/core/tenantnamespace/rest.go
index f5196cad..56098740 100644
--- a/pkg/registry/core/tenantnamespace/rest.go
+++ b/pkg/registry/core/tenantnamespace/rest.go
@@ -294,13 +294,25 @@ func (r *REST) filterAccessible(
 if _, ok := nameSet[rbs.Items[i].Namespace]; !ok {
 continue
 }
+ subjectLoop:
 for j := range rbs.Items[i].Subjects {
- if rbs.Items[i].Subjects[j].Kind != "Group" {
- continue
- }
- if _, ok = groups[rbs.Items[i].Subjects[j].Name]; ok {
- allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
- break
+ subj := rbs.Items[i].Subjects[j]
+ switch subj.Kind {
+ case "Group":
+ if _, ok = groups[subj.Name]; ok {
+ allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+ break subjectLoop
+ }
+ case "User":
+ if subj.Name == u.GetName() {
+ allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+ break subjectLoop
+ }
+ case "ServiceAccount":
+ if u.GetName() == fmt.Sprintf("system:serviceaccount:%s:%s", subj.Namespace, subj.Name) {
+ allowedNameSet[rbs.Items[i].Namespace] = struct{}{}
+ break subjectLoop
+ }
 }
 }
 }
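Review bot: In the `ServiceAccount` case the expected username is built from `subj.Namespace` alone, so a RoleBinding subject that omits the namespace yields `system:serviceaccount::<name>` and never matches. As far as I know the RBAC API allows that omission on namespaced bindings and the authorizer then falls back to the binding's own namespace, so the check fails closed but those service accounts still get an empty list. I would default it first, `ns := subj.Namespace; if ns == "" { ns = rbs.Items[i].Namespace }`, and format the username with `ns`. Because this filter decides which tenant namespaces a caller can see, a comment above `subjectLoop:` should also state that any matching subject grants visibility regardless of the binding's `roleRef`, which the hunk never inspects. `filterAccessible` starts and ends outside the hunk, so how `u` and `groups` are derived cannot be checked from here.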