Forgot to mention the CLI in the LDAP blog post

Ryan Richard 2021-05-27 13:05:45 -07:00
parent 0d43105759
commit ec2956d54e


@ -1,7 +1,7 @@
---
title: "Pinniped v0.9.0: Bring your LDAP Identities to your Kubernetes Clusters"
slug: bringing-ldap-identities-to-clusters
date: 2021-05-26
date: 2021-05-31
author: Ryan Richard
image: https://cdn.pixabay.com/photo/2018/08/05/15/06/seal-3585727_1280.jpg
excerpt: "With the release of v0.9.0, Pinniped now supports using LDAP identities to log in to Kubernetes clusters."
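Review bot: The front-matter `date:` change from 2021-05-26 to 2021-05-31 is not covered by the commit message, which only mentions the CLI. If the publish date is moving on purpose, say so in the message or put it in its own commit. The new value is also later than this commit's own date of 2021-05-27, so check that a future-dated post still renders in the site build.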
@ -18,12 +18,13 @@ This post describes how v0.9.0 fits into Pinnipeds quest to bring a smooth, u
## Support for LDAP Identities in the Pinniped Supervisor
Pinniped is made up of two main components:
Pinniped is made up of three main components:
- The Pinniped [_Concierge_]({{< ref "docs/howto/install-concierge.md" >}}) component implements cluster-level authentication.
- The Pinniped [_Supervisor_]({{< ref "docs/howto/install-supervisor.md" >}}) component implements authentication federation
across lots of clusters, which each run the Concierge, and makes it easy to bring your own identities using any OIDC or LDAP provider.
- The `pinniped` [_CLI_]({{< ref "docs/howto/install-cli.md" >}}) acts as an authentication plugin to `kubectl`.
The new LDAP support lives in the Supervisor component.
The new LDAP support lives in the Supervisor component, along with enhancements to the CLI.
### Why LDAP? And why now?
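Review bot: "The new LDAP support lives in the Supervisor component, along with enhancements to the CLI" can be read as saying the CLI enhancements also live in the Supervisor. Something like "The new LDAP support lives in the Supervisor component, and the CLI has been enhanced to use it" keeps the two components distinct. The new CLI bullet would also read better in parallel with the other two ("The Pinniped ... component implements ...").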
@ -117,6 +118,12 @@ We've provided examples of using [OpenLDAP]({{< ref "docs/howto/install-supervis
and [JumpCloud]({{< ref "docs/howto/install-supervisor.md" >}}) as LDAP providers.
Stay tuned for examples of using Active Directory.
The `pinniped` CLI has also been enhanced to support LDAP authentication. Now when `pinnped get kubectl` sees
that your cluster's Concierge is configured to use a Supervisor which has an LDAPIdentityProvider, then it
will emit the appropriate kubeconfig to enable LDAP logins. When that kubeconfig is used with `kubectl`,
the Pinniped plugin will directly prompt the user on the CLI for their LDAP username and password and
securely transmit them to the Supervisor for authentication.
### What about SAML?
Now that we support OIDC and LDAP identity providers, the obvious next question is whether we should also support the third
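Review bot: `pinnped get kubectl` in the added CLI paragraph is misspelled (it is `pinniped` everywhere else in the post), and the subcommand name should be checked too, since the same sentence says it emits a kubeconfig, which is what `pinniped get kubeconfig` does. "Securely transmit them to the Supervisor" would carry more weight if it named the protection in place, because this is the sentence that tells readers where their LDAP password goes. Minor: "Now when ... sees that ..., then it will emit" can drop the "then".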