ContainerImage.Pinniped/README.md

# Pinniped

## Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug in external identity
providers (IDPs) into Kubernetes clusters. This is achieved via a uniform
install procedure across all types and origins of Kubernetes clusters,
declarative configuration via Kubernetes APIs, enterprise-grade integrations
with IDPs, and distribution-specific integration strategies.

### Example Use Cases

* Your team uses a large enterprise IDP, and has many clusters that they
  manage. Pinniped provides:
  * Seamless and robust integration with the IDP
  * Easy installation across clusters of any type and origin
  * A simplified login flow across all clusters
* Your team shares a single cluster. Pinniped provides:
  * Simple configuration to integrate an IDP
  * Individual, revocable identities

### Architecture

Pinniped offers credential exchange to enable a user to exchange an external IDP 
credential for a short-lived, cluster-specific credential. Pinniped supports various
IDP types and implements different integration strategies for various Kubernetes
distributions to make authentication possible.

#### Supported Identity Provider Types

The currently supported external IDP types are outlined here. More will be added in the future.

1. Any webhook which implements the 
[Kubernetes TokenReview API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)

#### Supported Cluster Integration Strategies

The currently supported cluster integration strategies are outlined here. More
will be added in the future.

1. Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server.
This API returns a new cluster-specific credential using the cluster's signing keypair to
issue short-lived cluster certificates. (In the future, when the Kubernetes CSR API
provides a way to issue short-lived certificates, then the Pinniped credential exchange API
will use that instead of using the cluster's signing keypair.)

#### `kubectl` Integration

With any of the above IDPs and integration strategies, `kubectl` commands receive the
cluster-specific credential via a 
[Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI
built with the [Pinniped Go client library](generated).

#### Cluster Authentication Sequence Diagram

![implementation](doc/img/pinniped.svg)

## Installation

Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod
is accessible from Pinniped's pods.
Support for other types of Kubernetes distributions is coming soon.

To try Pinniped, see [deploy/README.md](deploy/README.md).

## Contributions

Contributions are welcome. Before contributing, please see
the [Code of Conduct](doc/code_of_conduct.md) and 
[the contributing guide](doc/contributing.md).

## Reporting Security Vulnerabilities

Please follow the procedure described in [SECURITY.md](SECURITY.md).

## License

Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file.

Copyright 2020 VMware, Inc.
Rename project 2020-08-20 17:54:15 +00:00			`# Pinniped`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00			`## Overview`

			`Pinniped provides identity services to Kubernetes.`

Doc updates 2020-08-27 17:14:03 +00:00			`Pinniped allows cluster administrators to easily plug in external identity`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00			`providers (IDPs) into Kubernetes clusters. This is achieved via a uniform`
			`install procedure across all types and origins of Kubernetes clusters,`
			`declarative configuration via Kubernetes APIs, enterprise-grade integrations`
Doc updates 2020-08-27 17:14:03 +00:00			`with IDPs, and distribution-specific integration strategies.`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
Doc updates 2020-08-27 17:14:03 +00:00			`### Example Use Cases`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
Doc updates 2020-08-27 17:14:03 +00:00			`* Your team uses a large enterprise IDP, and has many clusters that they`
			`manage. Pinniped provides:`
			`* Seamless and robust integration with the IDP`
			`* Easy installation across clusters of any type and origin`
			`* A simplified login flow across all clusters`
			`* Your team shares a single cluster. Pinniped provides:`
			`* Simple configuration to integrate an IDP`
			`* Individual, revocable identities`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
			`### Architecture`

Doc updates 2020-08-27 17:14:03 +00:00			`Pinniped offers credential exchange to enable a user to exchange an external IDP`
			`credential for a short-lived, cluster-specific credential. Pinniped supports various`
			`IDP types and implements different integration strategies for various Kubernetes`
			`distributions to make authentication possible.`

Add more subtitles to README.md 2020-08-27 22:11:38 +00:00			`#### Supported Identity Provider Types`

Doc updates 2020-08-27 17:14:03 +00:00			`The currently supported external IDP types are outlined here. More will be added in the future.`

			`1. Any webhook which implements the`
			`[Kubernetes TokenReview API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)`

Add more subtitles to README.md 2020-08-27 22:11:38 +00:00			`#### Supported Cluster Integration Strategies`

Doc updates 2020-08-27 17:14:03 +00:00			`The currently supported cluster integration strategies are outlined here. More`
			`will be added in the future.`

Add more subtitles to README.md 2020-08-27 22:11:38 +00:00			`1. Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server.`
Doc updates 2020-08-27 17:14:03 +00:00			`This API returns a new cluster-specific credential using the cluster's signing keypair to`
			`issue short-lived cluster certificates. (In the future, when the Kubernetes CSR API`
Add more subtitles to README.md 2020-08-27 22:11:38 +00:00			`provides a way to issue short-lived certificates, then the Pinniped credential exchange API`
Doc updates 2020-08-27 17:14:03 +00:00			`will use that instead of using the cluster's signing keypair.)`

Add more subtitles to README.md 2020-08-27 22:11:38 +00:00			#### `kubectl` Integration

Doc updates 2020-08-27 17:14:03 +00:00			With any of the above IDPs and integration strategies, `kubectl` commands receive the
			`cluster-specific credential via a`
			`[Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).`
			`Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI`
Small readme changes 2020-08-27 21:43:16 +00:00			`built with the [Pinniped Go client library](generated).`
Doc updates 2020-08-27 17:14:03 +00:00
			`#### Cluster Authentication Sequence Diagram`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
			`![implementation](doc/img/pinniped.svg)`

Doc updates 2020-08-27 17:14:03 +00:00			`## Installation`

Small readme changes 2020-08-27 21:43:16 +00:00			`Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod`
			`is accessible from Pinniped's pods.`
			`Support for other types of Kubernetes distributions is coming soon.`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
Doc updates 2020-08-27 17:14:03 +00:00			`To try Pinniped, see [deploy/README.md](deploy/README.md).`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
Doc updates 2020-08-27 17:14:03 +00:00			`## Contributions`
First draft of public README (and neighboring docs) Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-26 14:06:21 +00:00
Doc updates 2020-08-27 17:14:03 +00:00			`Contributions are welcome. Before contributing, please see`
Add code of conduct 2020-08-28 16:28:27 +00:00			`the [Code of Conduct](doc/code_of_conduct.md) and`
Doc updates 2020-08-27 17:14:03 +00:00			`[the contributing guide](doc/contributing.md).`
Rename project 2020-08-20 17:54:15 +00:00
First draft of instructions to report security vulnerabilities 2020-08-27 22:02:11 +00:00			`## Reporting Security Vulnerabilities`

			`Please follow the procedure described in [SECURITY.md](SECURITY.md).`

Fix some copy issues in the docs 2020-08-27 12:39:20 +00:00			`## License`
Rename project 2020-08-20 17:54:15 +00:00
Fix some copy issues in the docs 2020-08-27 12:39:20 +00:00			`Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file.`
Rename project 2020-08-20 17:54:15 +00:00
			`Copyright 2020 VMware, Inc.`