Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Matt Moyer 07bb2bb956 Simplify dependabot config now that we have fewer modules.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 12:16:09 -05:00
.github Simplify dependabot config now that we have fewer modules. 2020-08-27 12:16:09 -05:00
apis Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
cmd Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
deploy Fix some copy issues in the docs 2020-08-27 08:39:57 -04:00
doc Make feature proposal and bug report language more similar 2020-08-27 11:44:54 -04:00
generated Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
hack Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
internal Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
pkg/config Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
test Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
tools Add generated mock for loginrequest.CertIssuer interface. 2020-07-27 12:33:33 -07:00
.gitignore Hello, world! 2020-07-02 17:05:59 -07:00
.golangci.yaml Fix latent linter issues. 2020-08-06 20:42:20 -05:00
.pre-commit-config.yaml Add a .pre-commit-config.yaml file. 2020-08-14 14:41:11 -05:00
Dockerfile Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
README.md README.md: remove Pinni (for now) 2020-08-27 11:49:31 -04:00
go.mod Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
go.sum Make `./pkg/client` into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00

README.md

Pinniped

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug upstream identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with upstream IDPs, and distribution-specific integration mechanisms.

Use cases

  • Your team uses a large enterprise IDP and manages many clusters; Pinniped provides:
    • seamless and robust integration with the upstream IDP,
    • the ability to be easily installed across clusters of any type and origin,
    • and a simplified login flow across all clusters.
  • You are on a small team that shares a single cluster; Pinniped provides:
    • simple configuration for your team's specific needs,
    • and individual, revocable identities.

Architecture

Pinniped offers a credential exchange API via a Kubernetes aggregated API where a user can exchange an upstream IDP credential for a cluster-specific credential. A specific example of this exchange is provided below where:

  • the upstream IDP is a webhook that supports the Kubernetes TokenReview API,
  • the cluster-specific credential is minted using the cluster signing keypair to issue short-lived cluster certificates (note: this particular credential minting mechanism is temporary until the Kubernetes CSR API provides the ability to set a certificate TTL),
  • and the cluster-specific credential is provided to the kubectl binary using a Kubernetes client-go credential plugin.

[Diagram: implementation]

Install

To try out Pinniped, check out our officially supported deployment mechanism with ytt.

Contribute

If you want to contribute to (or just hack on) Pinniped (we encourage it!), first check out our Code of Conduct, and then our contributing doc.

License

Pinniped is open source and licensed under Apache License Version 2.0. See the LICENSE file.

Copyright 2020 VMware, Inc.