diff --git a/pkg/apis/proxy/v1alpha1/evaluation_helpers.go b/pkg/apis/proxy/v1alpha1/evaluation_helpers.go
index 072352f..91bafac 100644
--- a/pkg/apis/proxy/v1alpha1/evaluation_helpers.go
+++ b/pkg/apis/proxy/v1alpha1/evaluation_helpers.go
@@ -71,7 +71,12 @@ func UserOrServiceAccountMatches(users []string, serviceAccounts []ServiceAccoun
 		return true
 	}
 
-	if simpleMatches(users, []string{requestUser}) {
+	if simpleMatches(users, []string{requestUser}, func(m matcher) bool {
+		if strings.HasSuffix(m.value, "*") && strings.HasPrefix(requestUser, strings.TrimRight(m.value, "*")) {
+			return true
+		}
+		return false
+	}) {
 		return true
 	}
 
diff --git a/pkg/apis/proxy/v1alpha1/evaluation_helpers_test.go b/pkg/apis/proxy/v1alpha1/evaluation_helpers_test.go
index d889299..721e52a 100644
--- a/pkg/apis/proxy/v1alpha1/evaluation_helpers_test.go
+++ b/pkg/apis/proxy/v1alpha1/evaluation_helpers_test.go
@@ -267,6 +267,15 @@ func TestUserOrServiceAccountMatches(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"match user suffix",
+			args{
+				[]string{"user-*"},
+				nil,
+				"user-test1",
+			},
+			true,
+		},
 		{
 			"match service account",
 			args{