djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1471 from vmware-tanzu/doc_updates

Browse Source 
Clarify audience value in Concierge-only auth doc, and other doc updates
This commit is contained in:
Ryan Richard 2023-04-04 08:34:45 -07:00 committed by GitHub
commit b4f5be1332
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 110 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
MAINTAINERS.md
View File

@ -16,9 +16,3 @@
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) |
| Mo Khan | [enj](https://github.com/enj) |
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) |
## Pinniped Community Management
| Community Manager | GitHub ID |
|-------------------|---------------------------------------|
| Nigel Brown | [pnbrown](https://github.com/pnbrown) |

93
site/content/docs/howto/configure-concierge-jwt.md
View File

@ -15,11 +15,12 @@ This guide shows you how to use this capability _without_ the Pinniped Superviso
This is most useful if you have only a single cluster and want to authenticate to it via an existing OIDC provider.
If you have multiple clusters, you may want to [install]({{< ref "install-supervisor" >}}) and [configure]({{< ref "configure-supervisor" >}}) the Pinniped Supervisor.
Then you can [configure the Concierge to use the Supervisor for authentication]({{< ref "configure-concierge-supervisor-jwt" >}}).
Then you can [configure the Concierge to use the Supervisor for authentication]({{< ref "configure-concierge-supervisor-jwt" >}})
instead of following the guide below.
## Prerequisites
Before starting, you should have the [command-line tool installed]({{< ref "install-cli" >}}) locally and [Concierge running in your cluster]({{< ref "install-concierge" >}}).
Before starting, you should have the [Pinniped command-line tool installed]({{< ref "install-cli" >}}) locally and [Concierge running in your cluster]({{< ref "install-concierge" >}}).
You should also have some existing OIDC issuer configuration:
@ -37,6 +38,7 @@ metadata:
name: my-jwt-authenticator
spec:
issuer: https://my-issuer.example.com/any/path
# This audience value must be the same as your OIDC client's ID.
audience: my-client-id
claims:
username: email
@ -60,6 +62,9 @@ pinniped get kubeconfig \
> my-cluster.yaml
```
Note that the value for the `--oidc-client-id` flag must be your OIDC client's ID, which must also be the same
value declared as the `audience` in the JWTAuthenticator.
This creates a kubeconfig YAML file `my-cluster.yaml` that targets your JWTAuthenticator using `pinniped login oidc` as an [ExecCredential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
It should look something like below:
@ -126,6 +131,82 @@ You should see:
--user my-username@example.com
```
## Including group membership
If your OIDC provider supports adding user group memberships as a claim in the ID tokens, then you can
use Pinniped to transmit those group memberships into Kubernetes.
For example, one popular OIDC provider can include group memberships in an ID token claim called `groups`,
if the client requests the scope called `groups` at authorization time.
Unfortunately, each OIDC provider handles scopes a little differently, so please refer to your provider's documentation
to see if it is possible for the provider to add group membership information to the ID token.
### Update the JWTAuthenticator
Update the JWTAuthenticator to describe the name of the ID token claim where groups names will reside:
```yaml
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
name: my-jwt-authenticator
spec:
issuer: https://my-issuer.example.com/any/path
audience: my-client-id
claims:
username: email
# Tell the JWTAuthenticator the name of the ID token claim
# where groups names will reside. For example, the name of
# the ID token claim is "groups", then set it as the value
# here. The name of this key is always "groups".
groups: groups
```
If you've saved this into a file `my-jwt-authenticator.yaml`, then update it into your cluster using:
```sh
kubectl apply -f my-jwt-authenticator.yaml
```
### Generate an updated kubeconfig file
Generate a kubeconfig file to target the updated JWTAuthenticator. Note that this is almost the same command
as before, but since our particular OIDC issuer requires that we also request the `groups` scope at
authorization time, then we add it to the list of scopes here.
```sh
pinniped get kubeconfig \
--oidc-client-id my-client-id \
--oidc-scopes openid,email,groups \
--oidc-listen-port 12345 \
> my-cluster.yaml
```
### Use the kubeconfig file
Use the kubeconfig with `kubectl` to access your cluster, as before:
```sh
# Remove the client-side session cache, which is equivalent to
# performing a client-side logout.
rm -rf ~/.config/pinniped
# Log in again by issuing a kubectl command.
kubectl --kubeconfig my-cluster.yaml get namespaces
```
To see the username and group membership as understood by the Kubernetes cluster, you can use
this command:
```sh
pinniped whoami --kubeconfig my-cluster.yaml
```
If your groups configuration worked, then you should see your list of group names from your OIDC provider
included in the output. These group names may now be used with Kubernetes RBAC to provide authorization to
resources on the cluster.
## Other notes
- Pinniped kubeconfig files do not contain secrets and are safe to share between users.
@ -137,7 +218,9 @@ You should see:
- If your OIDC provider supports [wildcard port number matching](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.1) for localhost URIs, you can omit the `--oidc-listen-port` flag to use a randomly chosen ephemeral TCP port.
- The Pinniped command-line tool can only act as a public client with no client secret.
If your provider only supports non-public clients, consider using the Pinniped Supervisor.
If your provider only supports non-public clients, consider using the Pinniped Supervisor instead of following this guide.
- In general, it is not safe to use the same OIDC client across multiple clusters.
If you need to access multiple clusters, please [install the Pinniped Supervisor]({{< ref "install-supervisor" >}}).
- In general, it is not safe to use the same OIDC client across multiple clusters. Each cluster should use its own OIDC client
to ensure that tokens sent to one cluster cannot also be used for another cluster.
If you need to provide access to multiple clusters, please consider [installing the Pinniped Supervisor]({{< ref "install-supervisor" >}})
instead of following this guide.

2
site/content/docs/howto/configure-supervisor-with-activedirectory.md
View File

@ -104,7 +104,7 @@ spec:
base: "OU=my-department,OU=Users,DC=activedirectory,DC=example,DC=com"
# Specify how to filter the search to find the specific user by username.
# "{}" will be replaced # by the username that the end-user had typed
# "{}" will be replaced by the username that the end-user had typed
# when they tried to log in.
filter: "&(objectClass=person)(userPrincipalName={})"

2
site/content/docs/howto/configure-supervisor-with-jumpcloudldap.md
View File

@ -71,7 +71,7 @@ spec:
base: "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com"
# Specify how to filter the search to find the specific user by username.
# "{}" will be replaced # by the username that the end-user had typed
# "{}" will be replaced by the username that the end-user had typed
# when they tried to log in.
filter: "&(objectClass=inetOrgPerson)(uid={})"

2
site/content/docs/howto/configure-supervisor-with-openldap.md
View File

@ -219,7 +219,7 @@ spec:
base: "ou=users,dc=pinniped,dc=dev"
# Specify how to filter the search to find the specific user by username.
# "{}" will be replaced # by the username that the end-user had typed
# "{}" will be replaced by the username that the end-user had typed
# when they tried to log in.
filter: "&(objectClass=inetOrgPerson)(uid={})"

5
site/content/docs/howto/install-concierge.md
View File

@ -90,6 +90,11 @@ Pinniped uses [ytt](https://carvel.dev/ytt/) from [Carvel](https://carvel.dev/)
- `ytt --file . --file site/dev-env.yaml | kapp deploy --app pinniped-concierge --file -`
## Other notes
_Important:_ Configure Kubernetes authorization policies (i.e. RBAC) to prevent non-admin users from reading the
resources, especially the Secrets, in the Concierge's namespace.
## Next steps
Next, configure the Concierge for

5
site/content/docs/howto/install-supervisor.md
View File

@ -91,6 +91,11 @@ Pinniped uses [ytt](https://carvel.dev/ytt/) from [Carvel](https://carvel.dev/)
`ytt --file . --file site/dev-env.yaml | kapp deploy --app pinniped-supervisor --file -`
## Other notes
_Important:_ Configure Kubernetes authorization policies (i.e. RBAC) to prevent non-admin users from reading the
resources, especially the Secrets, in the Supervisor's namespace.
## Next steps
Next, [configure the Supervisor as an OIDC issuer]({{< ref "configure-supervisor" >}})!

14
site/themes/pinniped/layouts/partials/team.html
View File

@ -2,13 +2,6 @@
<div class="wrapper">
<h2>The Pinniped Project Team:</h2>
<div class="grid three">
<div class="bio">
<div class="image"><img src="/img/nigel-brown.png" /></div>
<div class="info">
<p class="name">Nigel Brown</p>
<p class="position">Community Manager</p>
</div>
</div>
<div class="bio">
<div class="image"><img src="/img/ryan-richard.png" /></div>
<div class="info">
@ -16,6 +9,13 @@
<p class="position">Engineer</p>
</div>
</div>
<div class="bio">
<div class="image"><img src="/img/joshua-casey.png" /></div>
<div class="info">
<p class="name">Joshua Casey</p>
<p class="position">Engineer</p>
</div>
</div>
<div class="bio">
<div class="image"><img src="/img/ben-petersen.png" /></div>
<div class="info">

BIN
site/themes/pinniped/static/img/joshua-casey.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
site/themes/pinniped/static/img/nigel-brown.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.0 KiB

2
test/integration/whoami_test.go → test/integration/concierge_whoami_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration

2
test/integration/concierge_kubectl_test.go → test/integration/smoke_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration