From 6ff3e4260248917f2612bd9a3247c1d8bb9f1fee Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Tue, 16 Mar 2021 10:24:01 -0700 Subject: [PATCH] Add description of impersonation proxy strategy to docs --- site/content/docs/background/architecture.md | 9 +++++---- .../docs/reference/supported-clusters.md | 17 +++++++++++------ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/site/content/docs/background/architecture.md b/site/content/docs/background/architecture.md index 5e6469a2..bf258bac 100644 --- a/site/content/docs/background/architecture.md +++ b/site/content/docs/background/architecture.md @@ -1,3 +1,4 @@ + --- title: Architecture description: Dive into the overall design and implementation details of Pinniped. @@ -90,14 +91,14 @@ cleanly enable this integration. Pinniped supports the following cluster integration strategies. -* Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server. +* Kube Cluster Signing Certificate: Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server. This API returns a new cluster-specific credential using the cluster's signing keypair to issue short-lived cluster certificates. (In the future, when the Kubernetes CSR API provides a way to issue short-lived certificates, then the Pinniped credential exchange API will use that instead of using the cluster's signing keypair.) - -More cluster integration strategies are coming soon, which will allow Pinniped to -support more Kubernetes cluster types. +* Impersonation Proxy: Pinniped hosts an [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) +proxy that performs actions on behalf of the end user. The impersonation proxy accepts and modifies user requests before passing them through to the +Kubernetes API server. ## kubectl Integration diff --git a/site/content/docs/reference/supported-clusters.md b/site/content/docs/reference/supported-clusters.md index 62ff07fe..278e51d4 100644 --- a/site/content/docs/reference/supported-clusters.md +++ b/site/content/docs/reference/supported-clusters.md @@ -15,15 +15,20 @@ menu: | [VMware Tanzu Kubernetes Grid (TKG) clusters](https://tanzu.vmware.com/kubernetes-grid) | Yes | | [Kind clusters](https://kind.sigs.k8s.io/) | Yes | | [Kubeadm-based clusters](https://kubernetes.io/docs/reference/setup-tools/kubeadm/) | Yes | -| [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/) | No | -| [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) | No | -| [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/overview/kubernetes-on-azure) | No | +| [Amazon Elastic Kubernetes Service (EKS)](https://aws.amazon.com/eks/) | Yes | +| [Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine) | Yes | +| [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/overview/kubernetes-on-azure) | Yes | ## Background -The Pinniped Concierge currently supports clusters where a custom pod can be executed on the same node running `kube-controller-manager`. +The Pinniped Concierge has two strategies available to support clusters, under the following conditions: + +1. Kube Cluster Signing Certificate: Can be run on any Kubernetes cluster where a custom pod can be executed on the same node running `kube-controller-manager`. This type of cluster is typically called "self-hosted" because the cluster's control plane is running on nodes that are part of the cluster itself. +Most managed Kubernetes services do not support this. -In practice, this means that many Kubernetes distributions are supported, but not most managed Kubernetes services +2. Impersonation Proxy: Can be run on any Kubernetes cluster where a `LoadBalancer` service can be created. Most cloud-hosted Kubernetes environments have this +capability. The Impersonation Proxy automatically provisions a `LoadBalancer` for ingress to the impersonation endpoint. -Support for more cluster types, including managed Kubernetes environments, is planned. +If a cluster is capable of supporting both strategies, the Pinniped Concierge will use the +kube cluster signing certificate strategy.