Add a small note about our test grid, and mention some limitations of the first version.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2021-04-01 13:00:17 -05:00
parent 23dbd7cab6
commit d2a6d7689f
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D

@ -126,8 +126,9 @@ It has some disadvantages, namely the overhead involved in proxying requests and
## Conclusion and future work ## Conclusion and future work
Pinniped now supports a large majority of real-world Kubernetes clusters! Pinniped now supports a large majority of real-world Kubernetes clusters!
Our automated test suite ensures that Pinniped is stable and functional across a wide range of Kubernetes versions and several providers including EKS, AKS, and GKE.
There are more strategies left to build: This is a great start but there are more strategies left to build:
- A strategy that loads the cluster signing certificate/key directly from a Secret (for example, as it appears in OpenShift). - A strategy that loads the cluster signing certificate/key directly from a Secret (for example, as it appears in OpenShift).
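Review bot: The added sentence beginning "Our automated test suite ensures that Pinniped is stable and functional" overstates what a test run can show, and it names neither the range of Kubernetes versions covered nor the test grid the commit message refers to. Suggest wording such as "Our automated test suite exercises Pinniped across ..." and either linking to the grid or listing the versions, so readers can check whether their cluster is covered. In the reworded line that follows, "This is a great start but there are more strategies left to build:" wants a comma before "but".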
@ -135,6 +136,17 @@ There are more strategies left to build:
- A strategy that issues non-certificate credentials, such as if a cluster has been statically configured to trust a JWT issuer. - A strategy that issues non-certificate credentials, such as if a cluster has been statically configured to trust a JWT issuer.
The current implementation also has a few missing features:
- There is no support for "nested" impersonation.
This means you can't use the `--as` or `--as-group` flags in `kubectl` when you're connecting through the impersonation proxy.
- It only supports certificate-based authentication.
You can't authenticate to the impersonation proxy directly with a ServiceAccount token, for example.
- Depending on your cloud provider's LoadBalancer implementation, you may experience timeouts in long idle requests.
For example, a `kubectl logs` command for a quiet app may exit after as few as four minutes of silence.
We invite your suggestions and contributions to make Pinniped work across all flavors of Kubernetes. We invite your suggestions and contributions to make Pinniped work across all flavors of Kubernetes.
{{< community >}} {{< community >}}
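Review bot: The nested-impersonation item in the added "missing features" list says you can't use `--as` or `--as-group` through the impersonation proxy, but it does not say what happens to a request that carries them. Please state whether the proxy rejects such a request with an error or drops the impersonation and continues, since a reader relying on `--as` to act with reduced privileges needs to know the request fails rather than running under their own identity. Two smaller points: the LoadBalancer idle-timeout item is a provider limitation rather than a missing feature, so it may read better under its own sentence, and it would help to say whether the four-minute figure is specific to one provider.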