diff --git a/README.md b/README.md
index 71955058..364ebb4f 100644
--- a/README.md
+++ b/README.md
@@ -7,36 +7,54 @@
     Free for commercial use without attribution. https://pixabay.com/service/license/
 -->
 
-## About Pinniped
+## Overview
 
-Pinniped provides authentication for Kubernetes clusters.
+Pinniped provides identity services to Kubernetes.
 
-## Developing
+Pinniped allows cluster administrators to easily plugin upstream identity
+providers (IDPs) into Kubernetes clusters. This is achieved via a uniform
+install procedure across all types and origins of Kubernetes clusters,
+declarative configuration via Kubernetes APIs, enterprise-grade integrations
+with upstream IDPs, and distribution-specific integration mechanisms.
 
-### Running Lint
+### Use cases
 
-```cmd
-./hack/module.sh lint
-```
+* **Your team uses a large enterprise IDP, and has many clusters that they
+  manage**; Pinniped provides:
+  * seamless and robust integration with the upstream IDP,
+  * the ability to be easily installed across clusters of any type and origin,
+  * and a simplified login flow across all clusters.
+* **You are on a small team that shares a single cluster**; Pinniped provides:
+  * simple configuration for your team's specific needs,
+  * and individual, revocable identities.
 
-### Running Tests
+### Architecture
 
-```cmd
-./hack/module.sh unittest
-```
+Pinniped offers a credential exchange API via a Kubernetes aggregated API where
+a user can exchange an upstream IDP credential for a cluster-specific
+credential. A specific example of this exchange is provided below where:
+* the upstream IDP is a webhook that supports the [Kubernetes TokenReview
+  API](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication),
+* the cluster-specific credential is minted using the cluster signing keypair to
+issue short-lived cluster certificates (note: this particular credential minting
+mechanism is temporary until the Kubernetes CSR API provides the ability to set
+a certificate TTL),
+* and the cluster-specific credential is provided to the `kubectl` binary using
+a [Kubernetes client-go credential
+plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 
-### Pre-commit hooks
+![implementation](doc/img/pinniped.svg)
 
-This project uses the [pre-commit] to agree on some conventions about whitespace/file encoding.
+## Install
 
-```cmd
-$ brew install pre-commit
-[...]
-$ pre-commit install
-pre-commit installed at .git/hooks/pre-commit
-```
+To try out Pinniped, check out [our officially supported deployment mechanism
+with ytt](deploy/README.md).
 
-[pre-commit]: https://pre-commit.com/
+## Contribute
+
+If you want to contribute to (or just hack on) Pinniped (we encourage it!),
+first check out our [Code of Conduct](doc/code-of-conduct.md), and then [our
+contributing doc](doc/contributing.md).
 
 ## Licence
 
diff --git a/doc/code-of-conduct.md b/doc/code-of-conduct.md
new file mode 100644
index 00000000..7f904194
--- /dev/null
+++ b/doc/code-of-conduct.md
@@ -0,0 +1,3 @@
+# Contributor Code of Conduct
+
+Coming soon!
diff --git a/doc/contributing.md b/doc/contributing.md
new file mode 100644
index 00000000..a13c7610
--- /dev/null
+++ b/doc/contributing.md
@@ -0,0 +1,80 @@
+# Contributing to Pinniped
+
+We would love for you to contribute to Pinniped! Here is a basic list of things
+you may want to know to get started.
+
+1. Check out our [Code of Conduct](code-of-conduct.md).
+1. Learn about the [scope](scope.md) of our project.
+1. Coming soon: details about how to legally contribute to the project!
+1. See below for how to [file a bug report](#bugs).
+1. See below for how to [suggest a feature](#features).
+1. See below for how to [build the code](#building).
+1. See below for how to [run the tests](#testing).
+
+## Bugs
+
+To file a bug report, please first open an
+[issue](https://github.com/suzerain-io/pinniped/issues/new). The project team
+will work with you on your bug report.
+
+Once the bug has been validated, a [pull
+request](https://github.com/suzerain-io/pinniped/compare) can be opened to fix
+the bug.
+
+For specifics on what to include in your bug report, please follow the
+guidelines in the issue and pull request templates!
+
+## Features
+
+To suggest a feature, please first open an
+[issue](https://github.com/suzerain-io/pinniped/issues/new) and tag it with
+`proposal`. The project team will work with you on your feature request.
+
+Once the feature request has been validated, a [pull
+request](https://github.com/suzerain-io/pinniped/compare) can be opened to
+implement the feature.
+
+For specifics on what to include in your feature request, please follow the
+guidelines in the issue and pull request templates!
+
+## Building
+
+The [Dockerfile](../Dockerfile) at the root of the repo is how we build and
+package the `pinniped-server` code. After you make a change to the code, you can
+rebuild that docker image with the following command.
+
+```cmd
+# From the root of the repo...
+docker build .
+```
+
+## Testing
+
+### Running Lint
+
+```cmd
+./hack/module.sh lint
+```
+
+### Running Unit Tests
+
+```cmd
+./hack/module.sh unittest
+```
+
+### Running Integration Tests
+
+More details coming soon!
+
+### Pre-commit hooks
+
+This project uses the [pre-commit] to agree on some conventions about whitespace/file encoding.
+
+```cmd
+$ brew install pre-commit
+[...]
+$ pre-commit install
+pre-commit installed at .git/hooks/pre-commit
+```
+
+[pre-commit]: https://pre-commit.com/
diff --git a/doc/img/README.md b/doc/img/README.md
new file mode 100644
index 00000000..05ffb7d0
--- /dev/null
+++ b/doc/img/README.md
@@ -0,0 +1,8 @@
+# README
+
+Note! Some of the image files in this directory (e.g.,
+[pinniped.svg](pinniped.svg)) were generated using
+[`plantuml`](https://plantuml.com/). To use `plantuml` to regenerate the image
+files, you simply run `plantuml -tsvg <file.txt>` from this directory. For
+example, to regenerate [pinniped.svg](pinniped.svg), run `plantuml -tsvg
+pinniped.txt`.
diff --git a/doc/img/pinniped.svg b/doc/img/pinniped.svg
new file mode 100644
index 00000000..ea490377
--- /dev/null
+++ b/doc/img/pinniped.svg
@@ -0,0 +1,381 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="659px" preserveAspectRatio="none" style="width:1476px;height:659px;" version="1.1" viewBox="0 0 1476 659" width="1476px" zoomAndPan="magnify"><defs><filter height="300%" id="f18z4schppa162" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter><filter height="1" id="b18z4schppa1620" width="1" x="0" y="0"><feFlood flood-color="#FFA07A" result="flood"/><feComposite in="SourceGraphic" in2="flood" operator="over"/></filter><filter height="1" id="b18z4schppa1621" width="1" x="0" y="0"><feFlood flood-color="#90EE90" result="flood"/><feComposite in="SourceGraphic" in2="flood" operator="over"/></filter></defs><g><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="462.2578" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="192.1" y="72.0328"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="424.6367" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="451.1" y="125.6539"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="145.1973" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="696.1" y="212.4078"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="29.3105" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="998.1" y="241.5406"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="86.9316" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="1182.3" y="447.359"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="307.8828" style="stroke: #000000; stroke-width: 2.0;" width="973.7" x="140" y="87.0328"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="133.375" style="stroke: #000000; stroke-width: 2.0;" width="1317.3" x="140" y="408.9156"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="45" x2="45" y1="40.9" y2="559.2906"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="197" x2="197" y1="40.9" y2="559.2906"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="456" x2="456" y1="40.9" y2="559.2906"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="700.5" x2="700.5" y1="40.9" y2="559.2906"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1002.5" x2="1002.5" y1="40.9" y2="559.2906"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1186.7" x2="1186.7" y1="40.9" y2="559.2906"/><rect fill="#90EE90" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="70.2" x="8" y="3"/><image height="19" width="19" x="15" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAAA/0lEQVR4XmMwynmKiTy6LkYsOAxHmAqAiAGN79p2BVkPHPlPPo1TZ9D0k5ga0BBQDYpOTBUE0UDptCi9jyYav2pP/fX5fW8mdT2b2vNyctv9mckbd0QuOoSsBuhhBjRtqZu2Z2zbWnx0ddvDmUCdnU+mVZ5bChTJ378eTSW6zty9G4AagKj1way4lXtb7s2GcOuuLiBWJxAB7Yezaakzc/sWrDqrLy4moBOIopccbH80A66z8+k0IANTGRadEJS2eVvSul0FB9diSkF1kp8SIMkXUw4PMi9+gNDp1HQdUwVWBM9uiFxmW3MLUx0aCp55Aq4eJWeHzj6GqRoZISsGAAp7b+zGZEvTAAAAAElFTkSuQmCC" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="40.2" y="23.5352">User</text><rect fill="#90EE90" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="70.2" x="8" y="558.2906"/><image height="19" width="19" x="15" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAAA/0lEQVR4XmMwynmKiTy6LkYsOAxHmAqAiAGN79p2BVkPHPlPPo1TZ9D0k5ga0BBQDYpOTBUE0UDptCi9jyYav2pP/fX5fW8mdT2b2vNyctv9mckbd0QuOoSsBuhhBjRtqZu2Z2zbWnx0ddvDmUCdnU+mVZ5bChTJ378eTSW6zty9G4AagKj1way4lXtb7s2GcOuuLiBWJxAB7Yezaakzc/sWrDqrLy4moBOIopccbH80A66z8+k0IANTGRadEJS2eVvSul0FB9diSkF1kp8SIMkXUw4PMi9+gNDp1HQdUwVWBM9uiFxmW3MLUx0aCp55Aq4eJWeHzj6GqRoZISsGAAp7b+zGZEvTAAAAAElFTkSuQmCC" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="31" x="40.2" y="578.8258">User</text><rect fill="#B0C4DE" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="90.2" x="150" y="3"/><image height="19" width="19" x="157" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABWElEQVR4Xo2TS0sDMRCA9zd506MnwYNXBRU8qJXdFrcKbVGEngotFu3b11YpukJ9gCcVbUH/R7bZ1v/hZJMmu5NtFb5DmpmvyUx2jBnrR2cpP9o88SV6AmCg34tHEUeyXBhONFeLQ11AQE7E1DMQ6TO6XYns/Ne0W/S+T5L1CebTF4EwIMNmzec7kszlQJlzaWE+f4vw7SeTt06xBjiv4n/Xir4hT0g1oB6R3XjxEhW2vusRKDLnsNuWuuJAjjI52SuWBOQ7g6xDzTqFzf0LCvsoE5tA+cHjcqKKQ9NMK2hg+43Jbp/wx9g7p1Zw+DTT7ZHOB2sDLEC+eWfrVJPVDAXHm7K3bvAwZk0UHKbgqibFmMnxxQ6vsVx+9JQpv4SdqkDGAHgbwG6x2+ba6rbqiw9n60CHdptKm7VHylw4iB8unZXxuKkpm8/8La+X1JRHJnvjGKciwsm/9eaffLdcgfIAAAAASUVORK5CYII=" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="51" x="182.2" y="23.5352">Kubectl</text><rect fill="#B0C4DE" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="90.2" x="150" y="558.2906"/><image height="19" width="19" x="157" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABWElEQVR4Xo2TS0sDMRCA9zd506MnwYNXBRU8qJXdFrcKbVGEngotFu3b11YpukJ9gCcVbUH/R7bZ1v/hZJMmu5NtFb5DmpmvyUx2jBnrR2cpP9o88SV6AmCg34tHEUeyXBhONFeLQ11AQE7E1DMQ6TO6XYns/Ne0W/S+T5L1CebTF4EwIMNmzec7kszlQJlzaWE+f4vw7SeTt06xBjiv4n/Xir4hT0g1oB6R3XjxEhW2vusRKDLnsNuWuuJAjjI52SuWBOQ7g6xDzTqFzf0LCvsoE5tA+cHjcqKKQ9NMK2hg+43Jbp/wx9g7p1Zw+DTT7ZHOB2sDLEC+eWfrVJPVDAXHm7K3bvAwZk0UHKbgqibFmMnxxQ6vsVx+9JQpv4SdqkDGAHgbwG6x2+ba6rbqiw9n60CHdptKm7VHylw4iB8unZXxuKkpm8/8La+X1JRHJnvjGKciwsm/9eaffLdcgfIAAAAASUVORK5CYII=" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="51" x="182.2" y="578.8258">Kubectl</text><rect fill="#FFB6C1" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="140.2" x="384" y="3"/><image height="19" width="19" x="391" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAAA/klEQVR4XmMwynmKiZJq77Z0XYMjTAVAxIDGj66+h6wHjgqab+HUWdZ6E1MDGgKqQdGJqYIgooHOH1sOISNMBSCdDoWPMSU+bTqMjDAVlLXeYMAUBaLd884C0esNRyAMTAVAhF0nBD1ZexRTEI7QdV5YehKOgO5E5nb1XMWnc+dchNuQ7Zwx8fKEvivU1rlu5nlISH7ZBIoGeMB29169tAzkciBCNguLTmCQoumE+BldJzwltHdfA7oHiPrBruoHs4GotetaT+9VCLunF+pgRIqHm0QMsi14jNAZUnEfUwVWBM9uiFzmXfoAUx0aqmy7AVePkrNr269jqkZGyIoBR/GpWCi7oUcAAAAASUVORK5CYII=" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="101" x="416.2" y="23.5352">Proprietary CLI</text><rect fill="#FFB6C1" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="140.2" x="384" y="558.2906"/><image height="19" width="19" x="391" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAAA/klEQVR4XmMwynmKiZJq77Z0XYMjTAVAxIDGj66+h6wHjgqab+HUWdZ6E1MDGgKqQdGJqYIgooHOH1sOISNMBSCdDoWPMSU+bTqMjDAVlLXeYMAUBaLd884C0esNRyAMTAVAhF0nBD1ZexRTEI7QdV5YehKOgO5E5nb1XMWnc+dchNuQ7Zwx8fKEvivU1rlu5nlISH7ZBIoGeMB29169tAzkciBCNguLTmCQoumE+BldJzwltHdfA7oHiPrBruoHs4GotetaT+9VCLunF+pgRIqHm0QMsi14jNAZUnEfUwVWBM9uiFzmXfoAUx0aqmy7AVePkrNr269jqkZGyIoBR/GpWCi7oUcAAAAASUVORK5CYII=" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="101" x="416.2" y="578.8258">Proprietary CLI</text><rect fill="#D3D3D3" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="99.2" x="649.5" y="3"/><image height="19" width="19" x="656.5" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABY0lEQVR4XoWTSUvDQBiG85u8ildvXjx59yKiF4O4UdxF0OJKtFpKVKzYFmkNIlW7WE1JqwHBJG2zKGr9H37DlEkyYxp4DrO8D3zzzQzXM/bLMrTyxQsOgQ0AHDUfXPQ5hOHNz0BzZOuDFSgg4zPZRCiB5uSBk8o3aqqWrxizR/RuoHlTNsABdi5NAAYPsj4ds2mzj297l7CDmTt2Vk8sMp06dGNwYM6rLSRsHMoVjWXRfq7rG+eWKDXx4vqZ5Q37zHi2hUPRC3Pt1JJKRiSOisSLUtkINO+fOid8VDoVyi9u8UCgSRLJ22b6rrEk2rGr1l4KNSnEzBXRTQDZgiFkTNzkQlW/LqFBRdEDTaDqKS+aNJVXTcigwyuqBpfczeQ9Nct1HfoJHa6hG/LdJzLZlzCfsNS3d+ID+2mTyrgvntroTu9E2zUHIt9s4l/Id3N/Wf/MD5ujGN32/zLC+G7IF/WG/wCwIbwUGTv9YwAAAABJRU5ErkJggg==" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="60" x="681.7" y="23.5352">Pinniped</text><rect fill="#D3D3D3" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="99.2" x="649.5" y="558.2906"/><image height="19" width="19" x="656.5" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABY0lEQVR4XoWTSUvDQBiG85u8ildvXjx59yKiF4O4UdxF0OJKtFpKVKzYFmkNIlW7WE1JqwHBJG2zKGr9H37DlEkyYxp4DrO8D3zzzQzXM/bLMrTyxQsOgQ0AHDUfXPQ5hOHNz0BzZOuDFSgg4zPZRCiB5uSBk8o3aqqWrxizR/RuoHlTNsABdi5NAAYPsj4ds2mzj297l7CDmTt2Vk8sMp06dGNwYM6rLSRsHMoVjWXRfq7rG+eWKDXx4vqZ5Q37zHi2hUPRC3Pt1JJKRiSOisSLUtkINO+fOid8VDoVyi9u8UCgSRLJ22b6rrEk2rGr1l4KNSnEzBXRTQDZgiFkTNzkQlW/LqFBRdEDTaDqKS+aNJVXTcigwyuqBpfczeQ9Nct1HfoJHa6hG/LdJzLZlzCfsNS3d+ID+2mTyrgvntroTu9E2zUHIt9s4l/Id3N/Wf/MD5ujGN32/zLC+G7IF/WG/wCwIbwUGTv9YwAAAABJRU5ErkJggg==" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="60" x="681.7" y="578.8258">Pinniped</text><rect fill="#FFB6C1" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="197.2" x="902.5" y="3"/><image height="19" width="19" x="909.5" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABBklEQVR4XmMwynmKiZJq77Z0XYMjTAVAxIDGj66+h6wHjgqab+HUWdZ6E1MDGgKqQdGJqYIgGiidDoWP0USnTLhye+Xx31sOftp0+PvmQy/WH503+VJ791VkNWWtNxjQtC2cemn59Iv75p95tf4IUOf7jYdPLzm1fPqFrXPOoalE17lp9nmgBiB6vu7opP4rT9cehXCvrzhBrE4gWjDlIpxNS50rpl/AqvPispMEdAJRV8/V1+Dggej8sPHwgqkXMZVh0QlBi6ZenDnp0o65ZzGloDrJTwmQ5IsphwfZFjxG6AypuI+pAiuCZzdELvMufYCpDg1Vtt2Aq0fJ2bXt1zFVIyNkxQBYM6mLybuGugAAAABJRU5ErkJggg==" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="158" x="934.7" y="23.5352">TokenReview Webhook</text><rect fill="#FFB6C1" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="197.2" x="902.5" y="558.2906"/><image height="19" width="19" x="909.5" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABBklEQVR4XmMwynmKiZJq77Z0XYMjTAVAxIDGj66+h6wHjgqab+HUWdZ6E1MDGgKqQdGJqYIgGiidDoWP0USnTLhye+Xx31sOftp0+PvmQy/WH503+VJ791VkNWWtNxjQtC2cemn59Iv75p95tf4IUOf7jYdPLzm1fPqFrXPOoalE17lp9nmgBiB6vu7opP4rT9cehXCvrzhBrE4gWjDlIpxNS50rpl/AqvPispMEdAJRV8/V1+Dggej8sPHwgqkXMZVh0QlBi6ZenDnp0o65ZzGloDrJTwmQ5IsphwfZFjxG6AypuI+pAiuCZzdELvMufYCpDg1Vtt2Aq0fJ2bXt1zFVIyNkxQBYM6mLybuGugAAAABJRU5ErkJggg==" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="158" x="934.7" y="578.8258">TokenReview Webhook</text><rect fill="#B0C4DE" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="143.2" x="1113.7" y="3"/><image height="19" width="19" x="1120.7" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABU0lEQVR4XmMwynmKifwbn6ROeARHmAqAiAGN712HogeOItof49QZ0/UYUwMaAqpB0YmpgiDCqTN94qMJ6+6v2H9v9rb7WVPQZXHqnLkFpAeIahc8qFnwEMiYt+Ne5uSH6DqtilB0QvRAUM6UR8WzECIZkxDKYrseMSBry58OVTdt0/2imQ+X7LlXMfdh54oHEMHS2SjWouhsXQZVVDnvQcmsh9M338+dinAIkItT55ztUB8u2nVvxT4QY+lehOOBCKdOuIreNQ8mrntQOONR89IHdQtBgURAJ9B7EBVTNt5vWPxgBjiQ5+8AeRvkkN24dQLRMiTnVc59uHzfvcbFUM+nTURRia4zFcnNQE8CwxPi1ZypKAEL0omZEoBxs+YgSsDUL3qApgaR4tEk8CPLwicInR7V2DMXJoqEZTdELnMqJ6w5rhuRy1FydmIvulI0hKwYAMtBpB5YiiK8AAAAAElFTkSuQmCC" y="10"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="104" x="1145.9" y="23.5352">Kubernetes API</text><rect fill="#B0C4DE" filter="url(#f18z4schppa162)" height="32.9" style="stroke: #A80036; stroke-width: 1.5;" width="143.2" x="1113.7" y="558.2906"/><image height="19" width="19" x="1120.7" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAIAAAD9MqGbAAABU0lEQVR4XmMwynmKifwbn6ROeARHmAqAiAGN712HogeOItof49QZ0/UYUwMaAqpB0YmpgiDCqTN94qMJ6+6v2H9v9rb7WVPQZXHqnLkFpAeIahc8qFnwEMiYt+Ne5uSH6DqtilB0QvRAUM6UR8WzECIZkxDKYrseMSBry58OVTdt0/2imQ+X7LlXMfdh54oHEMHS2SjWouhsXQZVVDnvQcmsh9M338+dinAIkItT55ztUB8u2nVvxT4QY+lehOOBCKdOuIreNQ8mrntQOONR89IHdQtBgURAJ9B7EBVTNt5vWPxgBjiQ5+8AeRvkkN24dQLRMiTnVc59uHzfvcbFUM+nTURRia4zFcnNQE8CwxPi1ZypKAEL0omZEoBxs+YgSsDUL3qApgaR4tEk8CPLwicInR7V2DMXJoqEZTdELnMqJ6w5rhuRy1FydmIvulI0hKwYAMtBpB5YiiK8AAAAAElFTkSuQmCC" y="565.2906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="104" x="1145.9" y="578.8258">Kubernetes API</text><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="462.2578" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="192.1" y="72.0328"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="424.6367" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="451.1" y="125.6539"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="145.1973" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="696.1" y="212.4078"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="29.3105" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="998.1" y="241.5406"/><rect fill="#FFFFFF" filter="url(#f18z4schppa162)" height="86.9316" style="stroke: #A80036; stroke-width: 1.0;" width="10" x="1182.3" y="447.359"/><polygon fill="#A80036" points="180.1,68.0328,190.1,72.0328,180.1,76.0328,184.1,72.0328" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="45.1" x2="186.1" y1="72.0328" y2="72.0328"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="128" x="52.1" y="66.9669">kubectl get pods</text><path d="M140,87.0328 L419,87.0328 L419,94.0328 L409,104.0328 L140,104.0328 L140,87.0328 " fill="#EEEEEE" style="stroke: #000000; stroke-width: 1.0;"/><rect fill="none" height="307.8828" style="stroke: #000000; stroke-width: 2.0;" width="973.7" x="140" y="87.0328"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="234" x="155" y="100.6012">Acquire cluster-specific credential</text><polygon fill="#A80036" points="439.1,121.6539,449.1,125.6539,439.1,129.6539,443.1,125.6539" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="202.1" x2="445.1" y1="125.6539" y2="125.6539"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="191" x="209.1" y="120.9117">Get cluster-specific credential</text><line style="stroke: #A80036; stroke-width: 1.0;" x1="461.1" x2="503.1" y1="170.275" y2="170.275"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="503.1" x2="503.1" y1="170.275" y2="183.275"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="462.1" x2="503.1" y1="183.275" y2="183.275"/><polygon fill="#A80036" points="472.1,179.275,462.1,183.275,472.1,187.275,468.1,183.275" style="stroke: #A80036; stroke-width: 1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="220" x="468.1" y="150.2223">Retrieve upstream IDP credential in</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="164" x="468.1" y="165.5328">organization-specific way</text><polygon fill="#A80036" points="684.1,208.4078,694.1,212.4078,684.1,216.4078,688.1,212.4078" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="461.1" x2="690.1" y1="212.4078" y2="212.4078"/><text fill="#000000" filter="url(#b18z4schppa1620)" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="216" x="468.1" y="207.3419">POST /apis/pinniped.dev/...</text><polygon fill="#A80036" points="986.1,237.5406,996.1,241.5406,986.1,245.5406,990.1,241.5406" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="706.1" x2="992.1" y1="241.5406" y2="241.5406"/><text fill="#000000" filter="url(#b18z4schppa1620)" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="144" x="713.1" y="236.4747">POST /authenticate</text><polygon fill="#A80036" points="717.1,266.8512,707.1,270.8512,717.1,274.8512,713.1,270.8512" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="711.1" x2="1002.1" y1="270.8512" y2="270.8512"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="48" x="723.1" y="265.7853">200 OK</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="204" x="775.1" y="266.109">with user and group information</text><line style="stroke: #A80036; stroke-width: 1.0;" x1="706.1" x2="748.1" y1="315.4723" y2="315.4723"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="748.1" x2="748.1" y1="315.4723" y2="328.4723"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="707.1" x2="748.1" y1="328.4723" y2="328.4723"/><polygon fill="#A80036" points="717.1,324.4723,707.1,328.4723,717.1,332.4723,713.1,328.4723" style="stroke: #A80036; stroke-width: 1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="278" x="713.1" y="295.4195">Issue short-lived cluster-specific credential</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="204" x="713.1" y="310.7301">with user and group information</text><polygon fill="#A80036" points="472.1,353.6051,462.1,357.6051,472.1,361.6051,468.1,357.6051" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="466.1" x2="700.1" y1="357.6051" y2="357.6051"/><text fill="#000000" filter="url(#b18z4schppa1621)" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="48" x="478.1" y="352.5392">200 OK</text><polygon fill="#A80036" points="213.1,382.9156,203.1,386.9156,213.1,390.9156,209.1,386.9156" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="207.1" x2="450.1" y1="386.9156" y2="386.9156"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="225" x="219.1" y="382.1734">Here is a cluster-specific credential</text><path d="M140,408.9156 L553,408.9156 L553,415.9156 L543,425.9156 L140,425.9156 L140,408.9156 " fill="#EEEEEE" style="stroke: #000000; stroke-width: 1.0;"/><rect fill="none" height="133.375" style="stroke: #000000; stroke-width: 2.0;" width="1317.3" x="140" y="408.9156"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="368" x="155" y="422.484">Authenticate to cluster with cluster-specific credential</text><polygon fill="#A80036" points="1170.3,443.359,1180.3,447.359,1170.3,451.359,1174.3,447.359" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="202.1" x2="1176.3" y1="447.359" y2="447.359"/><text fill="#000000" filter="url(#b18z4schppa1621)" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="128" x="209.1" y="442.2931">GET /api/v1/pods</text><line style="stroke: #A80036; stroke-width: 1.0;" x1="1192.3" x2="1234.3" y1="491.9801" y2="491.9801"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="1234.3" x2="1234.3" y1="491.9801" y2="504.9801"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="1193.3" x2="1234.3" y1="504.9801" y2="504.9801"/><polygon fill="#A80036" points="1203.3,500.9801,1193.3,504.9801,1203.3,508.9801,1199.3,504.9801" style="stroke: #A80036; stroke-width: 1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="246" x="1199.3" y="471.9273">Glean user and group information from</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="166" x="1199.3" y="487.2379">cluster-specific credential</text><polygon fill="#A80036" points="208.1,530.2906,198.1,534.2906,208.1,538.2906,204.1,534.2906" style="stroke: #A80036; stroke-width: 1.0;"/><line style="stroke: #A80036; stroke-width: 1.0;" x1="202.1" x2="1186.3" y1="534.2906" y2="534.2906"/><text fill="#000000" font-family="monospace" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="48" x="214.1" y="529.2247">200 OK</text><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacingAndGlyphs" textLength="62" x="266.1" y="529.5484">with pods</text><rect fill="#DDDDDD" height="42.9766" rx="5" ry="5" style="stroke: #000000; stroke-width: 1.0;" width="338" x="565.65" y="605.1906"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="13" x="571.65" y="623.7258">1.</text><text fill="#000000" filter="url(#b18z4schppa1620)" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="295" x="588.65" y="623.7258">Message contains upstream IDP credentials</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="13" x="571.65" y="640.2141">2.</text><text fill="#000000" filter="url(#b18z4schppa1621)" font-family="sans-serif" font-size="14" lengthAdjust="spacingAndGlyphs" textLength="309" x="588.65" y="640.2141">Message contains cluster-specific credentials</text><!--MD5=[f04453fa8c9282d7f6df00649ef942ae]
+@startuml "pinniped"
+
+!define K8S_BLUE #326CE5
+!define K8S_SPRITES_URL https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource
+!include K8S_SPRITES_URL/k8s-sprites-unlabeled-25pct.iuml
+
+participant "User" as USER << ($pod{scale=0.30},K8S_BLUE) >> #LightGreen
+participant "Kubectl" as KUBECTL << ($ing{scale=0.30},K8S_BLUE) >> #LightSteelBlue
+participant "Proprietary CLI" as CLI << ($svc{scale=0.30},K8S_BLUE) >> #LightPink
+participant "Pinniped" as PINNIPED << ($node{scale=0.30},K8S_BLUE) >> #LightGray
+participant "TokenReview Webhook" as WEBHOOK << ($pod{scale=0.30},K8S_BLUE) >> #LightPink
+participant "Kubernetes API" as API << ($node{scale=0.30},K8S_BLUE) >> #LightSteelBlue
+
+legend
+  # <back:lightsalmon>Message contains upstream IDP credentials</back>
+  # <back:lightgreen>Message contains cluster-specific credentials</back>
+end legend
+
+USER -> KUBECTL : ""kubectl get pods""
+activate KUBECTL
+
+group Acquire cluster-specific credential
+
+KUBECTL -> CLI : Get cluster-specific credential
+activate CLI
+
+CLI -> CLI : Retrieve upstream IDP credential in\norganization-specific way
+
+CLI -> PINNIPED : <back:lightsalmon>""POST /apis/pinniped.dev/...""</back>
+activate PINNIPED
+
+PINNIPED -> WEBHOOK : <back:lightsalmon>""POST /authenticate""</back>
+activate WEBHOOK
+
+WEBHOOK -> PINNIPED : ""200 OK"" with user and group information
+deactivate WEBHOOK
+
+PINNIPED -> PINNIPED : Issue short-lived cluster-specific credential\nwith user and group information
+
+PINNIPED -> CLI : <back:lightgreen>""200 OK""</back>
+deactivate PINNIPED
+
+CLI -> KUBECTL : Here is a cluster-specific credential
+
+end
+
+group Authenticate to cluster with cluster-specific credential
+
+KUBECTL -> API : <back:lightgreen>""GET /api/v1/pods""</back>
+activate API
+
+API -> API : Glean user and group information from\ncluster-specific credential
+
+API -> KUBECTL : ""200 OK"" with pods
+deactivate API
+
+deactivate KUBECTL
+
+end
+
+@enduml
+
+@startuml "pinniped"
+
+sprite $master [64x63/16z] {
+jLVRiiCW23G8Wa_v_xyjn5oCyP8qBNEcSzBfhkm2QkQv6N6F-Ok8ftY7VieGg_4EVPSXTkCTUiGGRyKxT8iXFeftw88XVXb_nqlmo5_Z5Jrf-21zV1VTPMZZ
+XM3Aei7GmaiuePiCTNoM-O2X1c-WwmnNl1HeXCbDkngK4JwSuHG5CGXkppp2unaVL0zdh660BzCdgmGUw-C5V_w2puK3zivMHRTPU36W9z-pB7oqqy80JwLx
+QVsE0UTdloQAYmyGEEa_y5JWY-hhhy6RJR9cJAmSYBijlhiZy59YrZuJM3BnQfXGLXIG7ZuaXO526a2Ch0b8NbNkuRNEBbKRHHYSDoxUnLGCkDeNU5r7lRTi
+xG_SrEYWmZu7MwrO0je3UhHFeXi6y6GPssgwifce_U2SMtBUDN3VFYJRVNHb2gaUgnXgTD2r-xnQ9pOAjBSZPdFPCJ2rkIfatVT9_y5zt_2j2QgCJ-3azx4-
+AUCsaN7G0FQZJMWgd3FGsaEXVwHbdGRc_w98pMHEscXq9cORYFUWSsIzh3e0XkAlEuYpOiinrY0tJkLy2r5001r_R7edBGzNX9M2rZhMl9kx7gwoeJavrUEJ
+eNfwjGxGleU7b0SN21sxCzhLnBVlBu9G1FMkSBL6BEBtDy3VtJ-_8PX_Z7zv_tv8y8VtXmS4yv_mBz-VRXByzltl0m00
+}
+
+sprite $etcd [64x63/16z] {
+jPT95eCW44I5dd3b_MyRY8g2qA1eBVAYoI_fIN5PgfgZbWUQ4utHTntceiReNeTPrHZTSfYxD4RN7EPR6gCpX_cXlkS5WTrZdi5urHrKtAsqwb3dJtIG9NU7
+p-YgGvalq1M78bwcomvNtg5H1Ax5Yr75BPvqdbfykdmRT3gUuC9duST_MoGH5oICnzbB0YhXhwaE-5hItK5qdhVBS60Gm2yV_4By4LGIK0oVV1tz5QT_pFuJ
+P5yPPdpM431jPQ8LZdbpMsQiq-u8U_euwoFW-9Del9pQH0ZXNpyWSMThHHnvYVaFNvn47ZKU8uyMUIs_hp-1tUE_Z40IFXpyjBTVuAQ3rn8Oku-pFZO7hoL0
+J0TFxVIfF7R4Bsly9Tvg3I2no7pklycWwwh_7e5Vusbe3VXfv6Rqvmx0q75CX8Z4ePUs0GRNuFSK9CySFygcOtgI59Wm-1n4CH8rTvSYDk- -_wLTJrLlmQNA
+ByeKDHuUnHjmqaPf2qdb0Qhai0Sl6IJTjtOWtTg_aCr4sXQkr4UPtjy1lhV_V6AmlCmFxhzl6dpm_d33OFc87tn_wZHuz_tl1m00
+}
+
+sprite $node [64x63/16z] {
+jPVT6eCW28OL4F2e-x_RKQkqKlhRE77Ri_TBFa5j6BgHrnWUHDx4E_gkGcx6E_ggGdRZ7Nsca2_5Exgda6_5Etgda1_6ttbb8ddCAsEqG5QVT-aOGb-Xpsk2
+YGO4PmuzNdccaxXPjFc5ZZ49CylyjQ7GmfUyn-2S3T95xgXmvBNG1pv6qZEUApocYPV2HpdZgUOZ2Kk2xOnSVZDzM_m8i1KyyDiVobmnoVHe6CTL5Gy6TD97
+5bLRElYEYm2SyAbOfyogY3gEnHRsUGp5Uh5d8TeebQrfn-zM7ogZHkx0exiZo6eq91LHI-SxhhgW7bzN3n9D513LYoeUNwede608yHZ9up5K_sES9e3aLL3R
+FX0hcddPk5Rr3LZj0r48O_iBekG4n73502xPsyTWtMCR6I9ntSFSvrF9VcmapYmqRQ2IBXbOkeUjvcLitjcquY7gbVK7iC9FLlzXzeDfSIPVAm1x9XLU5sds
+ZxJj_W7plCtERotwrREru5k4jeos2_4y3pVvnWRAMUm0GfvN1lJ2gPpgPX4Qjo_hGUXufww7007KQWUmvzrmvc5aTZgdUNmADFgswLtd_EK6tag-Uu58SRTr
+X5Ro_VkB4ko2lIjSgn1tyViRuE_kdqy4XX_pB-_VDmN-yFvmGs3u4__o_UcYm6_V_pu0
+}
+
+sprite $group [64x63/16z] {
+tPVTaeCW38KnX91SyVvlMvNQAifFG7Tszrn5nk-KQM888MGb7uKEoK5ZjDP1BZL6jpf8KMDqpK6QD4Rd74IbCJfna4xzHjvJKVw2toyvc8e2TpRO_pgOCc_0
+btYQgg8Ix-gyItdfv-KVyvOe5WCu8fldvPgtl9R3Z2y9PtlDIvRtstDytojvu0sBHWnTF6trbkKbi_-8uJHXKjYkz4L_UI0MNX_T711e-Ja3zWs1XLp-2xnP
+z0dLF5Z4RGTpfDi_8At_FpDXHEO0cddaVKkoxnfWREGF-99w4tCO3Uey9OjexAwxrNcVBcwy_naUapF36eW1gkglfV_yVPu7-MC3KPv_fmQiF7_F1o3Lpd-g
+311SdZ_uYVad3E9z1lVDdpq6uMP-SFvM6ZnmVr0OX8VumVjJey6zzxyN
+}
+
+sprite $sa [64x63/16z] {
+jPVDeeGW28LL97Jb-x_jjRfZLg2OTHQpQFoE2lvWIg9YKNgWUD8SFUeGMStHMeVOr1pTSuWgpT6IGnpI77rnY0_rEHyMW2KyvGE2pG8CRPx_az3PVpcabW5B
+-q9l3fu6-3njUnCN29PdQTw1mz5PKGuPWqllpbGz8X5Mep4kzFcZkTzQ1ryDO8J_DMO-gVWoMMpnKUINtxT5vEENl6ByJLuHltXRl7N-OCyVoFbZDgqxhJUY
+qteSv4tvUSPRbsM7-0YcMlqXgze11lg7eh_lrcD7-pwFzTuf3lwo96GHtz5kG7r-JpUnjX2YRWBtE6zvGSsjGaxY7Qck9I_nNdUjKJu2cVaRPVTR1AwHMgEA
+IdnhVC-_AlX726k3Z4kZ3s88e004ykHJ8udxnHsmaJhv-ivzhbV_MWJKO-bVWALwM8-ElFtpVfOgY7RzGJde9jEUdjO_-UW0f7u9rrWAuRCAyBtwyub1UfcV
+hBy73JvuFmmOf8_uoVUJqk3TzzyV
+}
+
+sprite $user [64x63/16z] {
+vPVH3iCW24LRK8Gd__zljonRqrfKb7PPilCeEVUXMDISgyX6da0E-EpH157nsTO4QUApUmbYmcVN4cG8drqao2I_w3CrOSNVBn6iJO3E0Rk514lRNo2rV5gx
+KCkFVJ-MlhHyW9Ol7JyGCuLfFpOM3Jw-cyquvvFQbTANghzrEbLzkTCdTTNk6xwV5F_kiLNX5S2Xth-IOlzWJ2dYEkttzl-N_6NA1uoKdb146FTnF-gOSCn7
+AYjRWiL7FfS-kyZW0sir1giVz6Bu6vzLpFvpwcke_MFd_tCS88Fdtsa03vw_Sidvxxr_kEy_sQdF1Lnt_vm9o1VxplltOC0DxuU1W7oJxtm_6GEkVVyz0000
+}
+
+sprite $pv [64x63/16z] {
+xPVHZiCW30HZR8pznF__xL5GUXTQ2CI9gaOtBv68PbN5Q0inDj4dyG2wmMRF9kXRRFPeWdQnsNi9EeJDRYNe53QxIj23tCHNjGLykQzg2xYZBn82-nNc8DBo
+Nrtsw1p0yWi0EAIKyYQWMWZa_feR0Bti-Buf5r3wFlRr1KBbl_xydeqitNb8-aXCsu-tkWxJ88ZxlWD7QLnfTeHf2Xb48fyN4S3l-L26bGH-E24_FH6MLppY
+mm8rwygOt-RVx_kBoLTsq4qWsMaKuRnHwf3I0HH6IYaL2EK6UUBoXWmoqMoF1YjxDpr5H2_26XoDkht_pV-_7p__HAD-BE2yy-UHW7YoRpn_JmPSS7-O28WN
+-SRxqs30kVU_7m00
+}
+
+sprite $job [64x63/16z] {
+tPVB4eCW34L1UIIh_F_V5WcrKofjJ71Hpoh3S6ujoJX2D0HtI06-ORFF9k0XDbkQW5-nsRyIK8JD7YNWAMnsbo3P3fc1WmY9l_hAahI-uu0BVDJwU0jVDYvX
+OTB74CbyQA3I7m_nN1zIhAJof3cskgodmEJUxnApRuDUDaOktJew_otWptsq-JZVhnkTL_eGkSznwt_hUUr_cuMCzmPM9fJ_dreTotfiTHQU_rBywBWE-_ax
+UVzXxvyFclcvZ- -c_BuNpdzEbLpVXQ_wkGpzVkEyaL6tl__9gEi3Q99FHbqNCE_xKnD0attZz_V9W0lk3oS2w2BVU7yI1ioz_pq0
+}
+
+sprite $pod [64x63/16z] {
+xPVD3eGW38IbG6bFlF_RRdMpYWQmM3tiPkUYndnJEb5-ScwAL-KBufrizAW3LsMZjGxSbOq-Ss2LR7JBWOTaemyEV54_mZFR3BwSxxnF60Ac4uF6AqhHWnE1
+Zua6US8WxEGMoGK2afh_5Dvh7eQENsfN30BM-4hZ9CFtUzXB0rI9eSB79J3QkjYUeuh_13OF0zQREKSbl_OhPQNmbaU5voQ_j4rK1X4r7sN9kvJSd__p8pos
+UTJmLFx-9G-1TDDg2ZK-9Ft4ZFx8UnoQsGcXv05fT6sW239Z23yvY6sQUa6-wtSRp_qWYVgncPQ_ymNmsGt4NVkVRCIl6Tot_xnYa6_cZVllGOC7pWy31laX
+tdX-KXhSU_vx0G00
+}
+
+sprite $crb [64x63/16z] {
+xPVRaeGW34I9NFk9___RZO1M3U8OZ5DRUpbFY7P3Ob38-HJiv1lW1PrwrW53T6gf0zwYKryvG8HEVUQ0ANJgpW4t-ILwG6Vmm_M0pk2FwuVzqRj2049j-NXY
+C59R8bDmWAij8Xk5-h0GFrxmW6zDGqiKwTDYo8POI7nPMy6IMT9HVxHqHExu8DBQBqWf3pyOvzsDBddRCDxk-6rYyLeVIjOOQtPiDIGA4tf7IsERa4ZFOTeI
+PajyUmryRKNnyxpR13eyjJWk4sZ8nLGeunQYu-ueMXH-BRyQ-Lf_BGTqCYsC2xYlVoxV85wMYT_zw_XS0sbgPVVnuvzndfJwh9Jhl__g_- -txt-oKdxFuBdz
+vns3_B1UkV-UDFZ0-M7287z8hpm_2GsUFVzz0G00
+}
+
+sprite $sts [64x63/16z] {
+tPVBeeGW28PJ573L-x_j0QmcxMPPc_ElcAOF425h70-L5eqFb0hrqNSzf5trqQqUqgdww2iFgKbzz967T4jzTEKXFTG_uLFgS_0DpnX591R5B1ORfslNF3hH
+4CIAWpEXs21sAFc3tAA368F53pa-MNnOyUcKZmTvjV6Cz9Hd4gb1a-PhMa7oLpnxAPRdoH21s3GRYRdWj-7bLW2zbGEOD201U7DQTy0U3xnR4T_CfnD-dN_D
+iueYSgrSUgphboey-0FzLbJitoP3QSzXi7vLobfOVmxMl0syaI4YvRG9CS3I_4tn0NcfH5utXSopZU15_C0wkP2JbtK7RMFClDN_WgU4VYYaBc7DmpbFO4LR
+S1yNtaNzEvxpzkYPErShgO-DYTVSEPto78dBOPIWCmzu-ZmqNiP4uoBAvcaYMhlL-g_vwN7tqqtUxV5HUW4nFUIrWyBrUM0yLFaF5j_vDXwbNNC6UOoac6ZN
+cLlumMkXI8wPeChRps4rFpMocJ_0eW5a_xqxviVD_5lESkIWddK1l2ldTtE2hd-2Ev2dumEuFZbsXFJ52yHRxpzZ9_xCmNlldqySZ2_pdU_VDnryyFrmmy7u
+4T_v_TJeuDtllpy0
+}
+
+sprite $ing [64x63/16z] {
+jLTB5iCW2An_xCRxtxPDeb4K6epfxF9UPiGH45DY4K-a6uW8Q-nPXKXYZIrLY3-nnhvIY2AiiJc5E8KrTgSW-XzSu2HaVAFz6l-bt29VMI3uGiCsFYcGFuBF
+0BnkEE2rsc02npSgm-6m5KRh8kQ_oY-jprOfNW1jl_9rZT4f0WvQWVZk-SgK7uAc-3L0UlslpNdpDDt25V_mSF1ky1VnXn0znKPPt6RFVigkzR2ih_UqqBst
+Xq2NPQxryB0lK_Rz6OY_-VN0RTc1v_AVv0FAGtVQHTJVnX_hf9wvtrWbOgB-6NZaOOaOR92sDZVauIuWRerWkpoSHVNGtnCuFMpIHHm_80-d_GlQKHvAps_B
+4z-d4Pi_8smvU8qzfFENEVjQF1Vrq-wxhL-BFEJhjxqVK9S0ilVs_MEuNoRx5yVFFbtsJuOlxjyqNtv_H4W4Ntn_eGPyu_wCZzpVwUxyyD3y8XCOwszk0Xpg
+VtB-xEV7wG4M7Xs07vw_9mN-y7wO44X_uY- -duG2pxx_FW00
+}
+
+sprite $role [64x63/16z] {
+pLVRZeGW39LIUddo__zsgw901LV7sMIRJAQWv_H2AJZFGz53vWz46tc7VigWNNc7likWb_8E_Hk3tf9tw163Ff9tQCUW7yg_mpE948dzi_tMGKzn-08740eX
+2GIG50AP4WK344F0HM5QPXp1CPH8AincdxbLri6XZF0gFi8rcbRumZvoYquG0gIMWO9BG4KTg3Q4Xbu46be2RWEe4435SGoLO0b3M4TusTyIYi59BCzaXDUS
+MygEM-pCwHZGNV_Jb6tQujcoPL-cTCgVElCvVobRP4q0A9mzI3cjqYIWNg_8DJwQhMc1OOrlYwJTFFdHXfzGSPgslzf-7Dl7shuLCqMJf7arEl5hOxw97oep
+0XKUUBIVZ_nVuMK8FqgZu6MhY0P_sb6d-YduPSi_zvzslC1awT_nrCcVzlB71pvkg0tFdVffuy_hjxw-nP-edUWrcNF_mLx-KJlrqxM_1d32izwDVuqRh5dk
+ikoWsEi__Vnd1oefvY_hf_HczFq7Jqtg4Y-kWPMatVBV4rGvlvC_Jr0lsOtwsK-F8tRf5Kbdv9XvpQ8xb5pzp4Fxwyif-IdNV_pv9SksMRhshlYPK_-lptyY
+0988qOvEE_MZTMy4O8Qis6Da7LqWh3GOaILXilDlKzGK4KHhfZRBY_Br-y_y4luPmVVkdvyGp5_6lxn_FoJuW- -71mJp7-5VVZ_T9FZkzzyF
+}
+
+sprite $cm [64x63/16z] {
+xPVB3eGW34L17gKh_lzlfqpcuTI2O77XnBDgCFV6z9fQSgw27_81y0UTUjG1HNJgNWTiebFlEM0NEdND0OVGgPa37kHFz8WwWulh4NK6x2W60gY0897szCvO
+QpmLmKh0sVhHzqVKDV3Y-jg353nH-XZz2jQ_EccX76sWofjlUeRbrzBRjxwHVmFvEuW9RxhwB-Vl1_8tvfN_2ct-It_-XVAs4DVS-RC-yuFWY5WQw0Gs-My6
+Y2inF-Ut4U3v2_E_n5oT_mli_G0X0ZnJJbHm8gI92yIi_IShvSSCvksVHmpoPBro_nuqEE7-C62GJz8hxq-T1dFlVmy0
+}
+
+sprite $netpol [64x63/16z] {
+pPVRiiCW24KZ8EXJ_lzlZyReCOdNsCvqlzdEse8YcdsloYRjBsGlMgDd7MnHQ_IeWsrgZUuvs26jqJK7EwKr-kPWN-h7UNEepvTX9WGlqj8nAFmX1EhKfe1a
+ZZSwqQUqcU0DgOTGglm3HrKGL0tQECGXcZ6URjEcR6Y8bqVKAI0UuA_HXwJZRs1AV6Fwk6RHe1X08tijugOq8Xpg0RkykHUEMpG11Oq46gldYjVn_3zy9d0B
+d_Fi8SoV_QPx9rhd9Uzt_ihJ37-C4W_4mZBFcy2Z37KallCA4SxYR_UYn_gV_BRvWPkTNJkYNXJP_dEM3VeiWB1K0QNw0yti8sO-B3PqnhwOkRi3vmAGoLkH
+u-NOUuFO2I0UbM1mZX9liPj0t05l45k72tsOJoUGJEeyufsGdA1VmcaBA7M-ox7cRWqKpZ1kusVeOQ0d-Vi5qkJBwybP6zsQVENoTjVlqJzKAFegttWz-Bx9
+HmUjywFFZme__7vXADsZ4-yVbqoGAJtXrfvFBmq-z_vyOx1_c5zyVqyQVE7xOS9W_nA_-FqqQF3Pxxy_
+}
+
+sprite $ns [64x63/16z] {
+xPVX2iCW38GXJJJto_T_szbjtTPgrJGT6sC7BQ7qEuq6eYdj2W-b0y9AFjhgWAfyzAW3clBHFGSCoKVlES0a7xrnm47z20_u3BwC3ynHcGN2h94vw3EG2h_1
+8nF5E14hqpG7CWSQA0T4MXgilsW6yqzwUotFFP1fW9VzV5NHvJdiyr6wuqCRwosL_64Ol-1HyiID-GVqUSlwbJnYOm6A_KDPl4sUj5VIpVcNuzjuTF7s_WKP
+C80lVrlzLF8trOzj_RIVlh5-yA-VRwkVQUuWcZj8UEqWCWSIkjFDd5ux2BqsZdjGcLggEEhIDBJe89KE28TEwRyVF_ya9txCuBppvn63T3BlF7yR3TvmVp0O
+f3VnpllJeC6vzxyB
+}
+
+sprite $secret [64x63/16z] {
+tPVPZiCW34K1WvSd_lzlnqwLJXf8ojPACrUAX9gUQs8x17A-b3oL1oGlcgDx7QIgERhLGMurHxzpa2RDqLSEqgKv-kGWW_edlCYSmH_dHUOCJZzXKf4EADN4
+xtXmthkeW-HLJkMFeYu-183Gnn_dZqI8XBVplyaE9uiT0EyIU7qFm_Ruce380ppwBVZs_C3TF2a7oC9aYKnN_6Nug3XPM4Gr28JHbBYnipWuZz72ne3gbQBr
+WJlLxuR7X8oFEfAMKYyewtzTkQYrrikc_51KE-s8jlcJBxJrPAigl1_ZtIJ_-_gCy065OUV96g0lVx3tiV59NuV6-ZrvFl0s27syJXht14H65N-vVilulluB
+hV6BV2G0I4naI-UB2FLEKVzY0G5RyEozjx-_ABYo_fNrVvzhgkJmNF_A1v1iqUTj1Q52IBnm0x5g_vCdyJ63TVlF4OEyc9_SVtSQVE3yq66GFyHFdfyQ3TQU
+_tu0
+}
+
+sprite $quota [64x63/16z] {
+hLV9jeCW39KXWol__syVnAS7I0IHPj7MXdl9H8B7yIZxBSS7sIjPGyyoxAQieTyox5rPGuyOxaK4FCzmwHc3Sp1hmwtaX7REyvGNXOh3bWb2VCtGQC29nDUX
+RFx64qyVyIJ-kx1_tP_0kytXQxnMCFZ0EpDX4cBk4rYQ18t1du7m8HBFuQM4jaqIALy1UGAVGYYW6Fu_qbEW1xpXlSGVaj7f5oPVG582De62n-ppQQ_WnPyS
+2rsH1bxWrqfqLnwhltlul2xm7SSxRdAiO8W_YrVMOTK4eYXGuHlhVOhqIO3LTZccAIljiMxnCJi9WYIt1Ixna5s8NJpvpQSyGxOyzm4gaWgt-XaFvGQWUq1i
+GtWexwaofd6NT0GQTQXtQqznvPCIgCt3civOqRfNizVkN9ITlXWQxq2LRA9yRcnvFy3Yf5DPorBDK1M5mZSrYiPZPx8eF1YFFNpAJeJYr6J2OdcgmUWw_kli
+4ZI3cBhnDmf6poReQWTJBtO72_kjFxT72-9WRi70GEoLnrbWNVwSmTowzBHXGDc-fMTbW4Sho7aI9AKwlKRxzix6MvSItO1bLEb98_D3MMzTFrAChAjJ9cYQ
+fts186_Vl3W-mDK4VCWWyzCLRlyaKzVcmHLq4JvFSFmOVop2vmW-lhiCta0MuSluOn7-Zk2txtz_
+}
+
+sprite $rb [64x63/16z] {
+pLVRaeCW33K1Sddo__zsmwLMg2WMExDdPcS3zkHkm7NjGZUiNq0hpB7lQj13pB57DUWfvjXN6dG8S-oU1hs5ENQZGR_4l-CpYH29_MVxIuiZeU6_wOX2044G
+K080cU340n8Z-2WmnPr6mROKHohCPf-v5j9Y4tfybO6W-SI-vsi-GPE0dMgW0Jvo7S2EZmDyOUtnXGOIKFsewHwMt_k_pvysvhVySV09jgOiXHUBlLG9s8Vc
+k9GOO4dmgZvB0ELXtIJrooCbGh2V9mJLKCG5Sk3x_cdjf_uHNC0H9qYiLm8vM53Q-BKod-Ft0FwW3XBts_mthHtpR-Rni8pbWV1vQt0sOu6x3I5jc0DytcGn
+NafPCxXbWyiA8SPtvV_6jt5Hy78eyw7FXnn_hb19V2b3x8uKF_kk_xb-RYaED0YGupXvHoHxiO2tIHMHDXFOspP_zC-1_MW8Ikon_qeEeBXr5NzfuBR_hNtf
+y_qzo7zon6fVsxSUa8FvquwcTsXj_2D3IcxFdux_m_FdE7_dvyTL_rmEuFxgxldL393RvrSpW6FyiLAnND8JFkR__lmdGYHnwCJQXjYXdVg8R1U3BDXZpzgx
+G5XhiBTN9_WWL8Gu_qNYIK2so-b8UFh-iqxIlrFmtFtp6mNhm_p9-_TD1J_uVhYXOFqHV_BxQL31izz_Vm00
+}
+
+sprite $ep [64x63/16z] {
+tPVRZeKW34Mvb5xcXV__sm6yCzO3eid9x0SJecktG5CXHbMoAjwG73H6zph8gSReLWUvr1ZzoK6QD4Ph3jAbCRfoa9lw9xp8cC4RFFfAsCU3gGGgVvfPi9M2
+EW7v6UJb2tamH_ny_KJT_U0g1Qq2bDBWIjB92- -zBYfGUO4bO_JfIGvK0nMtnYKev6VQ2zr0nqbcddsN0L9AViBJDkOiPWDiyc3dGy9HDduo08ijFELoAJY3
+TzPwc3FGQl3FrDSlIn4RNp98JjQty90XNsO_HQNLod7Bz7Fbp-qcvr8Ado75DoqBGCv1e3aGUxF4P0JViW1CV5ZCi7z5tHqMUmgFLl4KJXcgKr_R1ImREGcN
+VIboT54vMxUf-QqZVUIlutyJpt6CtpTWigPb_SoEF_m0EQpA06t33E0sv8SE44-TV-8WVi_WkVFd7OFuC3zu_kuqUE7-q64GN-87xq-D1i_U_tu1
+}
+
+sprite $pvc [64x63/16z] {
+tPVRSi8m34Inxdho__zj9QT3XvGu5q4xxJum0N8sThHMujutvNVr2_87rUYp3lvKDVgeWqzLe_SS_91gz9Q3drADNZduHVqJthrcyCTvzvh1stXR50SdULCH
+LuGXTa4aOj53l2aZj8QkhRM5vxP8tEmxly8nCQGuL_Lp_74aJ0Zg26HhWvKZ0OazdN0OKNZhX5SsizdzLcmquRcXpGl63HxEwAj_6x1kMfXWku7Dt5DnoqqV
+vZ5cDUe2RSwJ4iGK9KgNLLSN8iI8WaPb02MJCUCv4n0Km1WAEzsMCSLlOdjnjdl8B8ikyNLyVit6Y2lh9L8vcx-Ib7XUfUFdUIxnKhn-h7cQ5TdshY0GNKAU
+Bk1eIeIHedc8SWL3XZSQLYPHCqQH8a9OMj2-R2oKTbjQM8h6mWHYFPYoRA2SBNGecvdeHcCnhwaNyVhpf_py_VNtdrx4hncyxltpYa5_CLzy_pvfy8Rzmmc3
+_YQ-k7ywQF3Q_Ty7
+}
+
+sprite $c_role [64x63/16z] {
+tPVPheKW34KPEZxn_tzx7JX63N20QavozujnM9ksQe6Kgj93QK9waOqUTT2YR7IlWpPbexyvQ9TiTCr1XsIZRmuwgN_2gzeCNkI5IEPvmU1zG6dpjPiC2xqg
+0BSCAe63FmagQLHueUXlYaM7Cayvy2LtPZnEg9T7byTa5L79iJWiyeMeC8_8YY60S8u0YmdK-QZatOh15Ez0mRdzCCD7KegBKFFRAF9QuyFfVKceyVekBomc
+7dpWSPu-l0ItbF_3Ko_F1nztQkUvbzyUt_D7kbxe4vJg3_rzZKiyz_Dhte7bqFe7nP76kWLmqjZmkG8NmLXdbri3Yw8MWs7yQZ21hz_EaNi3RpdpLaLeLhuz
+Up8YVvj1rQ17vk-Vht-I4PypU6xzEMEG7kQDw-z1WnVs3mC6wINUk7_gD7Xs__S7
+}
+
+sprite $cronjob [64x63/16z] {
+tPVRheGW34MXfRSd__zl3rx6KLGiCfD9pdxH6DOkq88m39UoLSC3sKvzTAk3dQgFzZfOLNtqdOEvr4TVELYJ-kZ2mTDSPPQUM7XuZ9E0d_9XDlW2Rqzv-nUy
+hrmIpE934VbuNMGF-UiY_YolJ9CuzrHeUS_VEKqYAVd2KU9IwBaXpQy1r_eF-_aV3PmySrvydE017zDh0Pybu9vFQae8uqSinc-7sJ_of4eGb_ARt6ewy6IQ
+ubOWTJxC4ptn8OTJZ7kLSxZFFos97lEVdrf4l-z18LgfTpzGtRZ22oB5THBPpVCQbEpDutKyd3McYP4DJtdGk_aVMr3aT_Tt_FK0P1E1eaWyv-aNl60hlnq_
+v8N0q3J-a3PypfgiQ-6o0WMsyR6etbpLMC_VyfzdcVP2CIbAds0__DjAnXXh2-Xs-nOuybJPW2ihuBW5kNw0LCSTFO0Y1wtdbt43ZI7ayeKa9qSunpR2b30b
+bkSdmEeHj1DlDnW-p7UUlniDld1_Q30OliHttf-S1f-z__q1
+}
+
+sprite $ds [64x63/16z] {
+rPVPaeGW34KD44BcXV__sudOqme6PMchUkwB5CMvBD4OOgoAtue3uanpTAy3gvgZMntuKdFqdGCtQOwkEN2NvkZ2WGVrtNn8sbkf_Uuxy1NS6cF0oc0oIU2a
+rql35WOwJm0orksymOq7qyWRPVqSnAs93nRr_fBlFFGZdmpufnpYhOYaWNQJ0C79SpqDzZwFeBBo1G3MKGwI3AtJmgkpV0CK7f0eHPishMrvs4RU0AbRTngl
+ZTlVa4oODe8k70toe6EImvEsu9VdN_9kWOfGZT-9h-7fvTTuxk336eYSvnu-dV-_vjTyGCJ3FDXm-N7UyPZblv7z-sF-w-HHae8763e_urwVWFT-PFsNqpRm
+zchQjlrxH9hWWra0PtZ9m7TxmAKcr_Hp85TJPUSXJo1_2VkiK2q1ilM3qLKvkV87s93_b0Bai7vVKtYm_ecJ-9Z1v-hF4OFuONwo_kuqUE3-q64G7-ALKh3p
+1ZQ93zp_VW40
+}
+
+sprite $sc [64x63/16z] {
+tLVPSeCm3Anrgo_y_zzMCg493jW4afbEzw59YLVMiPRCDEt2Vp6TWAzmZVsg1T_4DVPH2zx5DVR8WX_2DVQU1Ny9rzYD1J-9lystnFpNkloMfiBYZ11Wgn-e
+HiIYjcbWzKWHIYbeZ4X4Oam9KvWVgrY7RoIQ-wXjHACgubJ8zlbQGDJs4sRAfMZ3VtG-VCnWqmMzvoxt3iULQX3Q1E3V3toM25PoMUO0bXocNLL45dxcF-ul
+iviY73MGchkeHI3ZoiW4nlmkp3jy6FAjBU0wlpRYoof-RzHZn8Fw0VJuN0l87Wbyh61DAB5H_4o-ppSen8HK5vPoKp-ev7yGXMKgi4xWMlnHzIhVs2ygg1xg
+ZzgPIVKd3XQkzTD0wxOb3bpboGtnbGYhYieHVYbVNwN1_SaHVW__c6yufcDFuaBOpN-Ka7k7Avf5gYIBdLZaa2qOQmFcHd- -eRz5zhLjvJ6uduAX_d9ZrTmj
+-evM1QfBbLyyZhE5VRva3r1AzwF_BQUep3D4mZKPyU_3osV_R-4iIzYEy0_slvQFEknVtIN31XYTPSMtfe40K1RGjmPW98-WqL_RW3cxn39zitA9B0ZMWW3A
+K_zlvt-EMLccVvLVL1wg8DgBHEV-iKXERnFqa_UVwIBzd87ttJ_F69ZUpBzu_txHm0VU7rumC7s8V_7zwQ21zxx__G00
+}
+
+sprite $svc [64x63/16z] {
+xPVH3eCW34KjqfO-yVz_Evs60O415fF5x3uO6dEkg1SjtbSbGVw2996E7dMGedHqhuDybOvkEKYNT7JDGOQaepC7kQY7y28wWpjuMZFH66-NJBRA5sU6a0ch
+D_18tYufNdv-KdtxQ0u1d0Ei9Q0I3VSM6yF7I0RvqyKOrqYWaXSTBx_6iqq4aDRSulFWTCKevi7IHsW0et8xsUQfVl_qvx-cXPbNmEtepcfRVnIL2EjPbSCM
+tlD-6GgbeVV4Gbanu3Gcz8aDfS7Y5Wyb7cxXdPBtEZx-03CiFSzlYVZa1-WmBFCTu53Y3b0uYMvI0p6h__5A_9h1lFxpYe6Vp2lxxq636_OF0mR-9bwvV-eq
+cBl_Um40
+}
+
+sprite $deploy [64x63/16z] {
+pPVRTeGW34K50WbF_F_VrbOkLHC8udJrlCmiP_OX148m9L6nAZrGF6cDddM8hDPehKFiQeqUEKILrcZ98KvfZRuun8VwzpmH8X8DUE5Nz62jCSOw2DGpu6cm
+PZC_sZ-ifocUm5nammIFpjp5X23Xrd02ta2BxmOgdbhm3hm7r-oyXg-f0pm29bySB8vvP19UbmFkl33yUQXgS0z0I5xWam8ZtWkfphwM1hpRs3Zhl2vnNN4w
+Xd7tJHM49MIpp_mhEuEAFqT97dRbTVd-YfDyJahMvcYEBujITZNDpfz-LvJ5plnB_aceYG4khJzgSM7_rPfcZp75_YyP3CEcmDPVoSiOP-k_s7fDLxgTFzLM
+XL_Elz2Uwl3p-RlLIWn0STwWjzUFk5Y3DWKxuFdksVhVW1VRT-w_MvyVz_ykhxb__C7z9otYpmpUkty-CKWlyultxqc33xm_J1Ya3_6BxqzAWtVV_xu0
+}
+
+sprite $crd [64x63/16z] {
+rPVTRiCm28M30Hkk_FvlkwbMjxOn-8TaqivT77t7H12CQpMbFweRqZV5w5K7xIf6ppgegnWzSj0fnMZBGPSKepyST5DZlZ1dsUSv0G3ABf_X8TDWW0iUpQ3u
+0PXyQZZm7b_WJ_XEqgZfoMDxxAIonsSmHJBc9Hss0OzvPtiuACZZcTS8h_-UrnZVRHbCoJ30KefCTAQ2TX299nnASZw39Y9WXuSy4O37Sv2ds-CNzAfWc00X
+PtSiBlfT8encxjq3wOhwlPHFH1ZW7vMUqoxFd_z2XnURJyztvF1E_w7JKgz_LRFmwRp44mSWmT7qmhU5qoJH7I0aOrF-xKPD9Alpq-G85yJt3AwRFtSCwiLy
+SFvUDBZX_h1WK6_YW_UdIODhxtzV
+}
+
+sprite $hpa [64x63/16z] {
+tPVHmeOG38Phasr7tV_T_eeq8KhVoV-UbJrlB8nrhKgYrXUIH6FqKmSfQepkTP1RZT4j1-dI65rpa4SQeoyEybB_X1SPCr0ls3J5jpnC3K63dnlAUNdFIuC7
+Ows1bpmkjCSoBVYKXmCEhobseuDtlURyNxEto7ZfvQd0Y-9vOSyZkFvRtN_P-m_e-Iqmvnd1yy1RnW1q_loJRtL1o1dFPexy0Ht_xx2A_1ndiS9d82PG8_GP
+KzdOUHzaqZHik6k3QuOOqgSOb1ful313694hirCP97WlVngaU3SV3RY-GWhZBmGIlE61pka5ptc5fmPzV887WyKkRJu4qMLv4Knw_bRvFMZAyCqWyBDQlIbl
+m_g30kvQCV0pKead3DbXjCLgGXmpPEZAaudPPQeMf9XXy7l4mVC2nVspoWS7pxE5olxhsgIw_xjXxhp5wlv_RY3b5M81hBcf7_91_Hgjdzh0JQrxFAdV-Vc5
+iVLzBF3QW1hYpqw0tvq_tnYi7_E3v- -71Z-uFpmmM7_43zwVEWs-lV_z0G00
+}
+
+sprite $psp [64x63/16z] {
+vPT9beKW34M1a93KnFtljeYbNrHQyO_gJJmsDta4uOHbAKe-MXv8JfgZHoD8LdDqRmIfQevkHP0kpT6b23AaEVeIGHwgpZFpSvu3WWCaVi8pUMUjiL7EKsZn
+zyGsLRGHk1OWUN0aFcHCCKIUlqY7mDp5itvuyO_SA61oZrQDCXys7Atb1F1KCY0_1n_7gduvdJzoQmqiX0AVvazAllq_-AcZfLvU1IGK0LehYEZr6WPuumM3
+iDkDwp20xxmKUEibpXaTMTL9na25ZzcyNaNMl10dSuXNPgrQ01q3Ri_6UJ06zQsvyzB7wrsEbowU4CCClxyTvaEST4-RVFuVBl4ax6-BsVhQZaRdz6Wpefe1
+WZGzc3lUA07JllB__lqx3urDdT5DyRALxJaVfytFyLh8ELvNx1Gl_uFdPOwlTIyTVBNzQQ-VHl_aS-iNU_idDL3VFveD7CUDyopYrph0z_hF9m6Mb_d9_dim
+m1VE3mC1bY_na-UdpW3ldlz-0G00
+}
+
+sprite $vol [64x63/16z] {
+xPVHZiCW30HZR8pznF__xL5GUXTQ2CI9gaOtBv68PbN5Q0inDj4dyG2wmMRF9kXRRFPeWdQnsNi9EeJDRYNe53QxIj23tCHNjGLykQzg2xYZBn82-nNc8DBo
+Nrtsw1p0yWi0EAIKyYQWMWZa_feR0Bti-Buf5r3wFlRr1KBbl_xydeqitNb8-aXCsu-tkWxJ88ZxlWD7QLnfTeHf2Xb48fyN4S3l-L26bGH-E24_FH6MLppY
+mm8rwygOt-RVx_kBoLTsq4qWsMaKuRnHwf3I0HH6IYaL2EK6UUBoXWmoqMoF1YjxDpr5H2_26XoDkht_pV-_7p__HAD-BE2yy-UHW7YoRpn_JmPSS7-O28WN
+-SRxqs30kVU_7m00
+}
+
+sprite $rs [64x63/16z] {
+tPVRieCW34KXX90yyVz_Movjnr9G93hdJDUBgBCs2AWGun1v4nUG3tJssGJfehDd4sGNdNsK85Fex562d49dDmcoo8_u8hg0_-apkWIoI70LdwxIyxZn1zd1
+PbpseHGjPZyTWJy2XZw4H6v9g70f4qpwWFtdclI5UTKFFf5RJhwIXLU1w-dRxzJWJEebIYKqjUT2hlPriHd1dc_nk_vKXaaVSeKTSCuN1xpZ4stkDZfJndjg
+UGu-D_tVukq8tns_xnOECAZpo-GlCqhXUmWgl_J_d_ekJKNowxxTgNl6no0gdqJbGrZsNNfjc6NPF-ow0n_GgtmSVMMLVjJvpGSOZUc__WR7Fz3DEJdeusXk
+0S4Zxbp_HAM-5d3T-dCb85xiAzVV9mDks3-S28Wt-ShzqsJ0jVk_1m00
+}
+
+sprite $limits [64x63/16z] {
+vPT14eCW34KB2YGhxd_RgbEB18A6uCBshJAZx-E0Go165lmIEy0CdIrDm2ew-se2Dj7PPmbu2PtD9Q08dKqIi9CVyH5r0SDy22lGh5l-R5RSLlkYdXa_3M-D
+NVWujbgx6MX0yYVZ0VRdi47gvPN0-pP_MAFfJrRbB_ECSb-suiH7gUyTyBvt9HvE_a0ypd-5zfmSX-_nyM4-dN-fFpM-vmzyq8vFzf_7_JzFzmFTJ-3KXsDF
+ADO_stzU5N_hFNxlGwROFxF-mv7we0ry0mmigG_3m0F4gFDFLEfz0UFEdpq1SR2lF7yB0swuFmW2uas-ylvqCM3i_UyD
+}
+
+
+participant "User" as USER << ($pod{scale=0.30},#326CE5) >> #LightGreen
+participant "Kubectl" as KUBECTL << ($ing{scale=0.30},#326CE5) >> #LightSteelBlue
+participant "Proprietary CLI" as CLI << ($svc{scale=0.30},#326CE5) >> #LightPink
+participant "Pinniped" as PINNIPED << ($node{scale=0.30},#326CE5) >> #LightGray
+participant "TokenReview Webhook" as WEBHOOK << ($pod{scale=0.30},#326CE5) >> #LightPink
+participant "Kubernetes API" as API << ($node{scale=0.30},#326CE5) >> #LightSteelBlue
+
+legend
+  # <back:lightsalmon>Message contains upstream IDP credentials</back>
+  # <back:lightgreen>Message contains cluster-specific credentials</back>
+end legend
+
+USER -> KUBECTL : ""kubectl get pods""
+activate KUBECTL
+
+group Acquire cluster-specific credential
+
+KUBECTL -> CLI : Get cluster-specific credential
+activate CLI
+
+CLI -> CLI : Retrieve upstream IDP credential in\norganization-specific way
+
+CLI -> PINNIPED : <back:lightsalmon>""POST /apis/pinniped.dev/...""</back>
+activate PINNIPED
+
+PINNIPED -> WEBHOOK : <back:lightsalmon>""POST /authenticate""</back>
+activate WEBHOOK
+
+WEBHOOK -> PINNIPED : ""200 OK"" with user and group information
+deactivate WEBHOOK
+
+PINNIPED -> PINNIPED : Issue short-lived cluster-specific credential\nwith user and group information
+
+PINNIPED -> CLI : <back:lightgreen>""200 OK""</back>
+deactivate PINNIPED
+
+CLI -> KUBECTL : Here is a cluster-specific credential
+
+end
+
+group Authenticate to cluster with cluster-specific credential
+
+KUBECTL -> API : <back:lightgreen>""GET /api/v1/pods""</back>
+activate API
+
+API -> API : Glean user and group information from\ncluster-specific credential
+
+API -> KUBECTL : ""200 OK"" with pods
+deactivate API
+
+deactivate KUBECTL
+
+end
+
+@enduml
+
+PlantUML version 1.2020.15(Sun Jun 28 07:39:45 EDT 2020)
+(GPL source distribution)
+Java Runtime: OpenJDK Runtime Environment
+JVM: OpenJDK 64-Bit Server VM
+Default Encoding: UTF-8
+Language: en
+Country: US
+--></g></svg>
diff --git a/doc/img/pinniped.txt b/doc/img/pinniped.txt
new file mode 100644
index 00000000..d986814a
--- /dev/null
+++ b/doc/img/pinniped.txt
@@ -0,0 +1,61 @@
+@startuml "pinniped"
+
+!define K8S_BLUE #326CE5
+!define K8S_SPRITES_URL https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource
+!include K8S_SPRITES_URL/k8s-sprites-unlabeled-25pct.iuml
+
+participant "User" as USER << ($pod{scale=0.30},K8S_BLUE) >> #LightGreen
+participant "Kubectl" as KUBECTL << ($ing{scale=0.30},K8S_BLUE) >> #LightSteelBlue
+participant "Proprietary CLI" as CLI << ($svc{scale=0.30},K8S_BLUE) >> #LightPink
+participant "Pinniped" as PINNIPED << ($node{scale=0.30},K8S_BLUE) >> #LightGray
+participant "TokenReview Webhook" as WEBHOOK << ($pod{scale=0.30},K8S_BLUE) >> #LightPink
+participant "Kubernetes API" as API << ($node{scale=0.30},K8S_BLUE) >> #LightSteelBlue
+
+legend
+  # <back:lightsalmon>Message contains upstream IDP credentials</back>
+  # <back:lightgreen>Message contains cluster-specific credentials</back>
+end legend
+
+USER -> KUBECTL : ""kubectl get pods""
+activate KUBECTL
+
+group Acquire cluster-specific credential
+
+KUBECTL -> CLI : Get cluster-specific credential
+activate CLI
+
+CLI -> CLI : Retrieve upstream IDP credential in\norganization-specific way
+
+CLI -> PINNIPED : <back:lightsalmon>""POST /apis/pinniped.dev/...""</back>
+activate PINNIPED
+
+PINNIPED -> WEBHOOK : <back:lightsalmon>""POST /authenticate""</back>
+activate WEBHOOK
+
+WEBHOOK -> PINNIPED : ""200 OK"" with user and group information
+deactivate WEBHOOK
+
+PINNIPED -> PINNIPED : Issue short-lived cluster-specific credential\nwith user and group information
+
+PINNIPED -> CLI : <back:lightgreen>""200 OK""</back>
+deactivate PINNIPED
+
+CLI -> KUBECTL : Here is a cluster-specific credential
+
+end
+
+group Authenticate to cluster with cluster-specific credential
+
+KUBECTL -> API : <back:lightgreen>""GET /api/v1/pods""</back>
+activate API
+
+API -> API : Glean user and group information from\ncluster-specific credential
+
+API -> KUBECTL : ""200 OK"" with pods
+deactivate API
+
+deactivate KUBECTL
+
+end
+
+@enduml
diff --git a/doc/scope.md b/doc/scope.md
new file mode 100644
index 00000000..eea4ed7c
--- /dev/null
+++ b/doc/scope.md
@@ -0,0 +1,32 @@
+# Project Scope
+
+The Pinniped project is guided by the following principles.
+* Pinniped lets you plug any upstream identitiy providers into
+  Kubernetes. These integrations follow enterprise-grade security principles.
+* Pinniped is easy to install and use on any Kubernetes cluster via
+  distribution-specific integration mechanisms.
+* Pinniped uses a declarative configuration via Kubernetes APIs.
+* Pinniped provides optimal user experience when authenticating to many
+  clusters at one time.
+* Pinniped provides enterprise-grade security posture via secure defaults and
+  revocable or very short-lived credentials.
+* Where possible, Pinniped will contribute ideas and code to upstream
+  Kubernetes.
+
+When contributing to Pinniped, please consider whether your contribution follows
+these guiding principles.
+
+## Out Of Scope
+
+The following items are out of scope for the Pinniped project.
+* Authorization.
+* Standalone identity provider for general use.
+* Machine-to-machine (service) identity.
+* Running outside of Kubernetes.
+
+## Roadmap
+
+More details coming soon!
+
+For more details on proposing features and bugs, check out our
+[contributing](contributing.md) doc.