Tweaked some wording, updated the cli page
parent
4470d3d2d1
commit
331fef8fae
@ -22,7 +22,8 @@ to be passed on to clusters based on the user information from the IDP.
|
|||||||
1. The Pinniped Concierge is a credential exchange API which takes as input a
|
1. The Pinniped Concierge is a credential exchange API which takes as input a
|
||||||
credential from an identity source (e.g., Pinniped Supervisor, proprietary IDP),
|
credential from an identity source (e.g., Pinniped Supervisor, proprietary IDP),
|
||||||
authenticates the user via that credential, and returns another credential which is
|
authenticates the user via that credential, and returns another credential which is
|
||||||
understood by the host Kubernetes cluster.
|
understood by the host Kubernetes cluster or by an impersonation proxy which acts
|
||||||
|
on behalf of the user.
|
||||||
|
|
||||||
![Pinniped Architecture Sketch](/docs/img/pinniped_architecture_concierge_supervisor.svg)
|
![Pinniped Architecture Sketch](/docs/img/pinniped_architecture_concierge_supervisor.svg)
|
||||||
|
|
||||||
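Review bot: The added clause "or by an impersonation proxy which acts on behalf of the user" does not say that this proxy is the one Pinniped itself hosts, which the Impersonation Proxy bullet later in this same change does state. Suggest "or by Pinniped's impersonation proxy, which acts on behalf of the user" so readers do not infer that a separate, unnamed component sits in the credential path. The sentence now also covers two different outcomes (a credential the cluster understands directly versus one the proxy understands); splitting it into two sentences would make that distinction easier to follow.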
@ -97,8 +98,7 @@ issue short-lived cluster certificates. (In the future, when the Kubernetes CSR
|
|||||||
provides a way to issue short-lived certificates, then the Pinniped credential exchange API
|
provides a way to issue short-lived certificates, then the Pinniped credential exchange API
|
||||||
will use that instead of using the cluster's signing keypair.)
|
will use that instead of using the cluster's signing keypair.)
|
||||||
* Impersonation Proxy: Pinniped hosts an [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation)
|
* Impersonation Proxy: Pinniped hosts an [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation)
|
||||||
proxy that performs actions on behalf of the end user. The impersonation proxy accepts and modifies user requests before passing them through to the
|
proxy that sends requests to the Kubernetes API server with user information and permissions based on a token.
|
||||||
Kubernetes API server.
|
|
||||||
|
|
||||||
## kubectl Integration
|
## kubectl Integration
|
||||||
|
|
||||||
|
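Review bot: "permissions based on a token" in the rewritten Impersonation Proxy bullet leaves the token unspecified: the line does not say which token this is or where it comes from. The replaced text also stated that the proxy "accepts and modifies user requests before passing them through", and that detail about the proxy sitting in the request path is dropped without a replacement. Suggest naming the token, keeping one clause on the proxy receiving the user's request, and aligning the wording with the overview's "acts on behalf of the user" so both places describe the proxy the same way.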
@ -43,6 +43,9 @@ pinniped get kubeconfig [flags]
|
|||||||
- `--concierge-authenticator-type string`:
|
- `--concierge-authenticator-type string`:
|
||||||
|
|
||||||
Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
||||||
|
- `--concierge-mode`:
|
||||||
|
|
||||||
|
Concierge mode of operation (e.g. 'ImpersonationProxy', 'TokenCredentialRequestAPI')(default: TokenCredentialRequestAPI)
|
||||||
- `--kubeconfig string`:
|
- `--kubeconfig string`:
|
||||||
|
|
||||||
Path to kubeconfig file
|
Path to kubeconfig file
|
||||||
|
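Review bot: The new `--concierge-mode` entry omits the value type that the neighbouring flags carry (`--concierge-authenticator-type string`, `--kubeconfig string`); if it takes a string, as the quoted example values suggest, it should read `--concierge-mode string`. The description line is also missing a space before "(default: TokenCredentialRequestAPI)" and uses "e.g." where the entry above uses "e.g.,". Since the two modes select different ways of handling the user's credential, a short phrase on what each value does would help readers choose between them.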