ContainerImage.Pinniped/site/content/docs/reference/supported-clusters.md

---
title: Supported cluster types
description: See the supported cluster types for the Pinniped Concierge.
cascade:
  layout: docs
menu:
  docs:
    name: Supported Cluster Types
    weight: 10
    parent: reference
---

| **Cluster Type** | **Concierge Works?** |
|-|-|
| [VMware Tanzu Kubernetes Grid (TKG) clusters](https://tanzu.vmware.com/kubernetes-grid) | Yes |
| [Kind clusters](https://kind.sigs.k8s.io/) | Yes |
| [Kubeadm-based clusters](https://kubernetes.io/docs/reference/setup-tools/kubeadm/) | Yes |
| [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/) | Yes |
| [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) | Yes |
| [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/overview/kubernetes-on-azure) | Yes |

## Background

The Pinniped Concierge has two strategies available to support clusters, under the following conditions:

1. Token Credential Request API: Can be run on any Kubernetes cluster where a custom pod can be executed on the same node running `kube-controller-manager`.
This type of cluster is typically called "self-hosted" because the cluster's control plane is running on nodes that are part of the cluster itself.
Most managed Kubernetes services do not support this.

2. Impersonation Proxy: Can be run on any Kubernetes cluster. Default configuration requires that a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this
capability. The Impersonation Proxy automatically provisions (when `spec.impersonationProxy.mode` is set to `auto`) a `LoadBalancer` for ingress to the impersonation endpoint. Users who wish to use the impersonation proxy without an automatically
configured `LoadBalancer` can do so with an automatically provisioned `ClusterIP` or with a Service that they provision themselves. These options
can be configured in the spec of the [`CredentialIssuer`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/{{< latestcodegenversion >}}/README.adoc#credentialissuer).

If a cluster is capable of supporting both strategies, the Pinniped CLI will use the
token credential request API strategy by default.

To choose the strategy to use with the concierge, use the `--concierge-mode` flag with `pinniped get kubeconfig`.
Possible values are `ImpersonationProxy` and `TokenCredentialRequestAPI`.

Do not use the command line option `--anonymous-auth=false` in the `kube-apiserver` CLI for a cluster that does not use the impersonation proxy strategy. This is because the `kube-apiserver` blocks unauthenticated access to the TokenCredentialRequest API of the Concierge, which will prevent users from being able to authenticate. 
This does not matter while using the impersonation proxy strategy, which will allow these TokenCredentialRequests requests anyway.
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			`---`
			`title: Supported cluster types`
			`description: See the supported cluster types for the Pinniped Concierge.`
			`cascade:`
			`layout: docs`
			`menu:`
			`docs:`
			`name: Supported Cluster Types`
			`weight: 10`
			`parent: reference`
			`---`

Fix a broken link, a typo, and tweak menu text. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-24 15:23:21 +00:00			`\| Cluster Type \| Concierge Works? \|`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			`\|-\|-\|`
			`\| [VMware Tanzu Kubernetes Grid (TKG) clusters](https://tanzu.vmware.com/kubernetes-grid) \| Yes \|`
			`\| [Kind clusters](https://kind.sigs.k8s.io/) \| Yes \|`
			`\| [Kubeadm-based clusters](https://kubernetes.io/docs/reference/setup-tools/kubeadm/) \| Yes \|`
Add description of impersonation proxy strategy to docs 2021-03-16 17:24:01 +00:00			`\| [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/) \| Yes \|`
			`\| [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) \| Yes \|`
			`\| [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/overview/kubernetes-on-azure) \| Yes \|`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00
			`## Background`

Add description of impersonation proxy strategy to docs 2021-03-16 17:24:01 +00:00			`The Pinniped Concierge has two strategies available to support clusters, under the following conditions:`

Naming changes 2021-03-16 17:46:06 +00:00			1. Token Credential Request API: Can be run on any Kubernetes cluster where a custom pod can be executed on the same node running `kube-controller-manager`.
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00			`This type of cluster is typically called "self-hosted" because the cluster's control plane is running on nodes that are part of the cluster itself.`
Add description of impersonation proxy strategy to docs 2021-03-16 17:24:01 +00:00			`Most managed Kubernetes services do not support this.`
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00
Change description of impersonation proxy strategy in supported clusters. This was wrong, since you don't need a LoadBalancer to run the impersonation proxy if you specify spec.service.type = "None" or "ClusterIP" on the CredentialIssuer. 2021-10-06 18:08:17 +00:00			2. Impersonation Proxy: Can be run on any Kubernetes cluster. Default configuration requires that a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this
Update site/content/docs/reference/supported-clusters.md Co-authored-by: Mo Khan <i@monis.app> 2021-10-06 18:23:29 +00:00			capability. The Impersonation Proxy automatically provisions (when `spec.impersonationProxy.mode` is set to `auto`) a `LoadBalancer` for ingress to the impersonation endpoint. Users who wish to use the impersonation proxy without an automatically
Change description of impersonation proxy strategy in supported clusters. This was wrong, since you don't need a LoadBalancer to run the impersonation proxy if you specify spec.service.type = "None" or "ClusterIP" on the CredentialIssuer. 2021-10-06 18:08:17 +00:00			configured `LoadBalancer` can do so with an automatically provisioned `ClusterIP` or with a Service that they provision themselves. These options
Update docs to reference the latest k8s codegen version Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-03 01:01:57 +00:00			can be configured in the spec of the [`CredentialIssuer`](https://github.com/vmware-tanzu/pinniped/blob/main/generated/{{< latestcodegenversion >}}/README.adoc#credentialissuer).
Restructure docs into new layout. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-22 23:52:23 +00:00
Naming changes 2021-03-16 17:46:06 +00:00			`If a cluster is capable of supporting both strategies, the Pinniped CLI will use the`
			`token credential request API strategy by default.`

			To choose the strategy to use with the concierge, use the `--concierge-mode` flag with `pinniped get kubeconfig`.
			Possible values are `ImpersonationProxy` and `TokenCredentialRequestAPI`.
command line option. 2023-05-30 17:54:05 +00:00
backtick changes Co-authored-by: Ryan Richard <richardry@vmware.com> 2023-06-01 16:55:24 +00:00			Do not use the command line option `--anonymous-auth=false` in the `kube-apiserver` CLI for a cluster that does not use the impersonation proxy strategy. This is because the `kube-apiserver` blocks unauthenticated access to the TokenCredentialRequest API of the Concierge, which will prevent users from being able to authenticate.
			`This does not matter while using the impersonation proxy strategy, which will allow these TokenCredentialRequests requests anyway.`