djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
784 Commits 30 Branches 34 Tags 22 MiB
Go 97.3%
Shell 1.3%
HTML 0.5%
SCSS 0.5%
CSS 0.2%
Other 0.1%
Go to file
Andrew Keesler 080bb594b2 Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 
- To better support having multiple downstream providers configured,
  the authorize endpoint will share a CSRF cookie between all
  downstream providers' authorize endpoints. The first time a
  user's browser hits the authorize endpoint of any downstream
  provider, that endpoint will set the cookie. Then if the user
  starts an authorize flow with that same downstream provider or with
  any other downstream provider which shares the same domain name
  (i.e. differentiated by issuer path), then the same cookie will be
  submitted and respected.
- Just in case we are sharing the domain name with some other app,
  we sign the value of any new CSRF cookie and check the signature
  when we receive the cookie. This wasn't strictly necessary since
  we probably won't share a domain name with other apps, but it
  wasn't hard to add this cookie signing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
 		2020-11-12 15:36:59 -08:00
.github Get rid of WIP workflow 2020-10-27 18:39:19 -04:00
apis Remove extraneous internal packages for CRD APIs. 2020-11-12 14:04:53 -06:00
cmd Merge pull request #185 from vmware-tanzu/authorize_endpoint 2020-11-11 16:03:15 -08:00
deploy Add YTT template value for setting log level 2020-11-11 09:01:38 -05:00
doc Merge pull request #154 from vmware-tanzu/change_release_static_yaml_names 2020-11-02 17:09:11 -08:00
generated Remove extraneous internal packages for CRD APIs. 2020-11-12 14:04:53 -06:00
hack Remove extraneous internal packages for CRD APIs. 2020-11-12 14:04:53 -06:00
internal Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 2020-11-12 15:36:59 -08:00
site Merge pull request #201 from amymanion/am-dev 2020-11-12 09:12:24 -06:00
test Remove an unfinished integration test 2020-11-11 15:40:40 -08:00
tools Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
.gitattributes Add .gitattributes as a hint to the GitHub diff viewer. 2020-09-15 11:44:23 -05:00
.gitignore Add Tilt-based local dev workflow. 2020-10-05 16:34:33 -05:00
.golangci.yaml Add Go vanity import paths. 2020-09-18 14:56:24 -05:00
.pre-commit-config.yaml Add Tilt-based local dev workflow. 2020-10-05 16:34:33 -05:00
ADOPTERS.md Update module/package names to match GitHub org switch. 2020-09-17 12:56:54 -05:00
CODE_OF_CONDUCT.md Rename the CoC and contributor guide to the names GitHub recognizes. 2020-10-02 15:53:48 -05:00
CONTRIBUTING.md Merge pull request #149 from mattmoyer/oidc-cli-part-2 2020-10-14 13:40:12 -05:00
Dockerfile Upgrade golang patch release to 1.15.3 and debian 10.5-slim -> 10.6-slim 2020-11-02 16:17:15 -08:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
MAINTAINERS.md MAINTAINERS.md: add initial draft 2020-09-15 13:14:50 -04:00
README.md Rename logo file 2020-10-26 15:06:04 -07:00
SECURITY.md Update precommit hook config to ignore generated files and fix whitespace. 2020-08-31 16:41:22 -05:00
go.mod WIP for saving authorize endpoint state into upstream state param 2020-11-10 17:58:00 -08:00
go.sum WIP for saving authorize endpoint state into upstream state param 2020-11-10 17:58:00 -08:00

README.md

Pinniped Logo

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.

Example Use Cases

  • Your team uses a large enterprise IDP, and has many clusters that they manage. Pinniped provides:
    • Seamless and robust integration with the IDP
    • Easy installation across clusters of any type and origin
    • A simplified login flow across all clusters
  • Your team shares a single cluster. Pinniped provides:
    • Simple configuration to integrate an IDP
    • Individual, revocable identities

Architecture

Pinniped offers credential exchange to enable a user to exchange an external IDP credential for a short-lived, cluster-specific credential. Pinniped supports various IDP types and implements different integration strategies for various Kubernetes distributions to make authentication possible.

To learn more, see doc/architecture.md.

Pinniped Architecture Sketch

Trying Pinniped

Care to kick the tires? It's easy to install and try Pinniped.

Discussion

Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub Discussions tab at the top of this page.

Contributions

Contributions are welcome. Before contributing, please see the contributing guide.

Reporting Security Vulnerabilities

Please follow the procedure described in SECURITY.md.

License

Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.

Copyright 2020 the Pinniped contributors. All Rights Reserved.