it came from the specified user.
Before User A can impersonate User B, User A is authenticated.
Then, an authorization check occurs to ensure that User A is allowed to
impersonate the user named User B. If User A is requesting to impersonate a
service account, system:serviceaccount:namespace:name, {product-title} confirms
that User A can impersonate the serviceaccount named name in
namespace. If the check fails, the request fails with a 403 (Forbidden) error
code.
By default, project administrators and editors can impersonate service accounts in their namespace.