2020-11-12 02:40:49 +00:00
|
|
|
---
|
|
|
|
|
title: "Pinniped Architecture"
|
|
|
|
|
cascade:
|
|
|
|
|
layout: docs
|
|
|
|
|
---
|
|
|
|
|
|
2020-11-06 22:42:57 +00:00
|
|
|
# Architecture
|
|
|
|
|
|
|
|
|
|
The principal purpose of Pinniped is to allow users to access Kubernetes
|
|
|
|
|
clusters. Pinniped hopes to enable this access across a wide range of Kubernetes
|
|
|
|
|
environments with zero configuration.
|
|
|
|
|
|
2020-12-17 23:55:05 +00:00
|
|
|
This integration is composed of two parts.
|
2020-12-18 00:42:45 +00:00
|
|
|
One part, the supervisor, is an OIDC server which allows users
|
2020-12-17 23:55:05 +00:00
|
|
|
to authenticate with their external Identity Provider,
|
2020-12-18 00:42:45 +00:00
|
|
|
then issues its own federation id tokens to be passed on to clusters
|
|
|
|
|
based on the information from the external Identity Provider's token.
|
2020-12-17 23:55:05 +00:00
|
|
|
The other, the concierge, is a credential exchange API which takes as input a token
|
|
|
|
|
(from the supervisor or elsewhere), and returns a credential which is understood by
|
|
|
|
|
the host Kubernetes cluster.
|
2020-11-06 22:42:57 +00:00
|
|
|
|
2020-11-12 02:40:49 +00:00
|
|
|
|
2020-11-06 22:42:57 +00:00
|
|
|
|
|
|
|
|
Pinniped supports various IDP types and implements different integration strategies
|
|
|
|
|
for various Kubernetes distributions to make authentication possible.
|
|
|
|
|
|
|
|
|
|
## Supported Kubernetes Cluster Types
|
|
|
|
|
|
|
|
|
|
Pinniped supports the following types of Kubernetes clusters:
|
|
|
|
|
|
|
|
|
|
- Clusters where the Kube Controller Manager pod is accessible from Pinniped's pods.
|
|
|
|
|
|
|
|
|
|
Support for other types of Kubernetes distributions is coming soon.
|
|
|
|
|
|
|
|
|
|
## External Identity Provider Integrations
|
|
|
|
|
|
|
|
|
|
Pinniped will consume identity from one or more external identity providers
|
|
|
|
|
(IDPs). Administrators will configure external IDPs via Kubernetes custom
|
|
|
|
|
resources allowing Pinniped to be managed using GitOps and standard Kubernetes tools.
|
|
|
|
|
|
2020-12-17 23:55:05 +00:00
|
|
|
## Authenticators
|
|
|
|
|
|
|
|
|
|
The Pinniped concierge requires one or more **authenticators** to validate tokens before
|
|
|
|
|
issuing cluster specific certificates.
|
|
|
|
|
Administrators will configure external IDPs via Kubernetes custom
|
|
|
|
|
resources allowing Pinniped to be managed using GitOps and standard Kubernetes tools.
|
|
|
|
|
|
|
|
|
|
Pinniped supports the following authenticator types.
|
2020-11-06 22:42:57 +00:00
|
|
|
|
|
|
|
|
1. Any webhook which implements the
|
|
|
|
|
[Kubernetes TokenReview API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
|
|
|
|
|
|
|
|
|
|
In addition to allowing the integration of any existing IDP which implements this API, webhooks also
|
|
|
|
|
serve as an extension point for Pinniped by allowing for integration of arbitrary custom authenticators.
|
|
|
|
|
While a custom implementation may be in any language or framework, this project provides a
|
|
|
|
|
sample implementation in Golang. See the `ServeHTTP` method of
|
2020-11-13 14:15:46 +00:00
|
|
|
[cmd/local-user-authenticator/main.go](https://github.com/vmware-tanzu/pinniped/blob/main/cmd/local-user-authenticator/main.go).
|
2020-11-06 22:42:57 +00:00
|
|
|
|
2020-12-17 23:55:05 +00:00
|
|
|
1. A JwtAuthenticator resource, which will validate and parse claims from
|
|
|
|
|
JWT id tokens.
|
|
|
|
|
This can be used to validate tokens that are issued by the supervisor.
|
2020-11-06 22:42:57 +00:00
|
|
|
|
|
|
|
|
## Cluster Integration Strategies
|
|
|
|
|
|
|
|
|
|
Pinniped will issue a cluster credential by leveraging cluster-specific
|
2020-12-17 23:55:05 +00:00
|
|
|
functionality. In the longer term,
|
2020-11-06 22:42:57 +00:00
|
|
|
Pinniped hopes to contribute and leverage upstream Kubernetes extension points that
|
|
|
|
|
cleanly enable this integration.
|
|
|
|
|
|
|
|
|
|
Pinniped supports the following cluster integration strategies.
|
|
|
|
|
|
2020-11-12 02:40:49 +00:00
|
|
|
* Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server.
|
2020-11-06 22:42:57 +00:00
|
|
|
This API returns a new cluster-specific credential using the cluster's signing keypair to
|
|
|
|
|
issue short-lived cluster certificates. (In the future, when the Kubernetes CSR API
|
|
|
|
|
provides a way to issue short-lived certificates, then the Pinniped credential exchange API
|
|
|
|
|
will use that instead of using the cluster's signing keypair.)
|
|
|
|
|
|
|
|
|
|
More cluster integration strategies are coming soon, which will allow Pinniped to
|
|
|
|
|
support more Kubernetes cluster types.
|
|
|
|
|
|
|
|
|
|
## kubectl Integration
|
|
|
|
|
|
|
|
|
|
With any of the above IDPs and integration strategies, `kubectl` commands receive the
|
|
|
|
|
cluster-specific credential via a
|
|
|
|
|
[Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
|
|
|
|
|
Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI
|
2020-11-13 14:17:47 +00:00
|
|
|
built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/tree/main/generated).
|
2020-11-06 22:42:57 +00:00
|
|
|
|
|
|
|
|
## Example Cluster Authentication Sequence Diagram
|
|
|
|
|
|
|
|
|
|
This diagram demonstrates using `kubectl get pods` with the Pinniped CLI configured as the credential plugin,
|
|
|
|
|
and with a webhook IDP configured as the identity provider for the Pinniped server.
|
|
|
|
|
|
|
|
|
|
|
