@startuml "pinniped"

' Kubernetes sprites used for the participant icons
!define K8S_BLUE #326CE5
!define K8S_SPRITES_URL https://raw.githubusercontent.com/michiel/plantuml-kubernetes-sprites/master/resource
!include K8S_SPRITES_URL/k8s-sprites-unlabeled-25pct.iuml

participant "User" as USER << ($pod{scale=0.30},K8S_BLUE) >> #LightGreen
participant "Kubectl" as KUBECTL << ($ing{scale=0.30},K8S_BLUE) >> #LightSteelBlue
participant "Proprietary CLI" as CLI << ($svc{scale=0.30},K8S_BLUE) >> #LightPink
participant "Pinniped" as PINNIPED << ($node{scale=0.30},K8S_BLUE) >> #LightGray
participant "TokenReview Webhook" as WEBHOOK << ($pod{scale=0.30},K8S_BLUE) >> #LightPink
participant "Kubernetes API" as API << ($node{scale=0.30},K8S_BLUE) >> #LightSteelBlue

' Colour coding of messages by the kind of credential they carry
legend
# <back:lightsalmon>Message contains upstream IDP credentials</back>
# <back:lightgreen>Message contains cluster-specific credentials</back>
end legend

USER -> KUBECTL : ""kubectl get pods""
activate KUBECTL

' Step 1: exchange the upstream IDP credential for a short-lived cluster credential
group Acquire cluster-specific credential
  KUBECTL -> CLI : Get cluster-specific credential
  activate CLI
  CLI -> CLI : Retrieve upstream IDP credential in\norganization-specific way
  CLI -> PINNIPED : <back:lightsalmon>""POST /apis/pinniped.dev/...""</back>
  activate PINNIPED
  PINNIPED -> WEBHOOK : <back:lightsalmon>""POST /authenticate""</back>
  activate WEBHOOK
  WEBHOOK -> PINNIPED : ""200 OK"" with user and group information
  deactivate WEBHOOK
  PINNIPED -> PINNIPED : Issue short-lived cluster-specific credential\nwith user and group information
  PINNIPED -> CLI : <back:lightgreen>""200 OK""</back>
  deactivate PINNIPED
  CLI -> KUBECTL : Here is a cluster-specific credential
  deactivate CLI
end

' Step 2: the upstream IDP credential never reaches the API server; only the cluster credential does
group Authenticate to cluster with cluster-specific credential
  KUBECTL -> API : <back:lightgreen>""GET /api/v1/pods""</back>
  activate API
  API -> API : Glean user and group information from\ncluster-specific credential
  API -> KUBECTL : ""200 OK"" with pods
  deactivate API
  deactivate KUBECTL
end

@enduml