From d2a6d7689fbe871ce774f772d002be65919727bc Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Thu, 1 Apr 2021 13:00:17 -0500 Subject: [PATCH] Add a small note about our test grid, and mention some limitations of the first version. Signed-off-by: Matt Moyer --- .../2021-04-01-concierge-on-managed-clusters.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/site/content/posts/2021-04-01-concierge-on-managed-clusters.md b/site/content/posts/2021-04-01-concierge-on-managed-clusters.md index 3a8fb7cf..1765835d 100644 --- a/site/content/posts/2021-04-01-concierge-on-managed-clusters.md +++ b/site/content/posts/2021-04-01-concierge-on-managed-clusters.md @@ -126,8 +126,9 @@ It has some disadvantages, namely the overhead involved in proxying requests and ## Conclusion and future work Pinniped now supports a large majority of real-world Kubernetes clusters! +Our automated test suite ensures that Pinniped is stable and functional across a wide range of Kubernetes versions and several providers including EKS, AKS, and GKE. -There are more strategies left to build: +This is a great start but there are more strategies left to build: - A strategy that loads the cluster signing certificate/key directly from a Secret (for example, as it appears in OpenShift). 
@@ -135,6 +136,17 @@ There are more strategies left to build: - A strategy that issues non-certificate credentials, such as if a cluster has been statically configured to trust a JWT issuer. +The current implementation also has a few missing features: + +- There is no support for "nested" impersonation. + This means you can't use the `--as` or `--as-group` flags in `kubectl` when you're connecting through the impersonation proxy. + +- It only supports certificate-based authentication. + You can't authenticate to the impersonation proxy directly with a ServiceAccount token, for example. + +- Depending on your cloud provider's LoadBalancer implementation, you may experience timeouts in long idle requests. + For example, a `kubectl logs` command for a quiet app may exit after as few as four minutes of silence. + We invite your suggestions and contributions to make Pinniped work across all flavors of Kubernetes. {{< community >}}
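Review bot: In the first hunk, the sentence "Our automated test suite ensures that Pinniped is stable and functional across a wide range of Kubernetes versions and several providers" makes a stronger claim than the commit subject ("a small note about our test grid") supports, and it gives the reader nothing to check. Consider naming the Kubernetes version range that is actually exercised, or linking to the test grid / CI definition so the claim is verifiable, and softening "ensures" to "tests" since a passing suite is evidence rather than a guarantee. Minor: "This is a great start but there are more strategies left to build:" wants a comma before "but".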
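Review bot: In the second hunk, the "nested" impersonation bullet should state what the proxy actually does when a client sends `--as` or `--as-group`: whether the request is rejected with an error, or whether the impersonation headers are silently dropped and the request proceeds as the original user. That distinction matters to operators reasoning about who a request is attributed to in audit logs, so spell it out, e.g. "the proxy rejects requests that carry impersonation headers" (if that is the behaviour). The "certificate-based authentication" bullet is also slightly ambiguous; consider saying explicitly that the proxy only accepts the client certificates issued by the Concierge, so that the ServiceAccount-token example reads as one instance of a general rule rather than the only excluded case. For the LoadBalancer timeout bullet, if the four-minute figure was observed on a specific provider, naming it would help readers know whether it applies to them.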