svcacct: pass pod information in user.Info.Extra() when available

Fixes https://github.com/kubernetes/kubernetes/issues/59670

pkg/serviceaccount/util.go

@@ -22,13 +22,42 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
+const (
+	// PodNameKey is the key used in a user's "extra" to specify the pod name of
+	// the authenticating request.
+	PodNameKey = "authentication.kubernetes.io/pod-name"
+	// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
+	// the authenticating request.
+	PodUIDKey = "authentication.kubernetes.io/pod-uid"
+)
+
 // UserInfo returns a user.Info interface for the given namespace, service account name and UID
 func UserInfo(namespace, name, uid string) user.Info {
-	return &user.DefaultInfo{
-		Name:   apiserverserviceaccount.MakeUsername(namespace, name),
-		UID:    uid,
-		Groups: apiserverserviceaccount.MakeGroupNames(namespace),
+	return (&ServiceAccountInfo{
+		Name:      name,
+		Namespace: namespace,
+		UID:       uid,
+	}).UserInfo()
+}
+
+type ServiceAccountInfo struct {
+	Name, Namespace, UID string
+	PodName, PodUID      string
+}
+
+func (sa *ServiceAccountInfo) UserInfo() user.Info {
+	info := &user.DefaultInfo{
+		Name:   apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
+		UID:    sa.UID,
+		Groups: apiserverserviceaccount.MakeGroupNames(sa.Namespace),
 	}
+	if sa.PodName != "" && sa.PodUID != "" {
+		info.Extra = map[string][]string{
+			PodNameKey: {sa.PodName},
+			PodUIDKey:  {sa.PodUID},
+		}
+	}
+	return info
 }
 
 // IsServiceAccountToken returns true if the secret is a valid api token for the service account