Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Go to file
Andrew Keesler 0fc1f17866
internal/groupsuffix: mutate TokenCredentialRequest's Authenticator
This is a partial revert of 288d9c999e. For some reason it didn't occur to me
that we could do it this way earlier. Whoops.

This also contains a middleware update: mutation funcs can return an error now
and short-circuit the rest of the request/response flow. The idea here is that
if someone is configuring their kubeclient to use middleware, they are agreeing
to a narrow-er client contract by doing so (e.g., their TokenCredentialRequest's
must have an Spec.Authenticator.APIGroup set).

I also updated some internal/groupsuffix tests to be more realistic.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-10 15:53:44 -05:00
.github Add Codecov configuration file. 2021-02-01 14:28:38 -06:00
apis Rename off of main 2020-12-16 14:27:09 -08:00
cmd cmd/pinniped: delete get-kubeconfig + exchange-token 2021-02-09 17:01:57 -05:00
deploy deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations 2021-02-05 08:19:12 -05:00
generated Merge branch 'main' of github.com:vmware-tanzu/pinniped into kubernetes-1.20 2021-01-08 13:22:31 -08:00
hack prepare-for-integration-tests.sh: New cmdline option --api_group_suffix 2021-02-03 12:07:38 -08:00
internal internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
pkg internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
site Tweak some small bits in the blog post. 2021-02-04 17:51:35 -06:00
test internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
.dockerignore Optimize image build using .dockerignore and BuildKit features. 2021-01-27 10:42:56 -06:00
.gitattributes Add .gitattributes as a hint to the GitHub diff viewer. 2020-09-15 11:44:23 -05:00
.gitignore Add Tilt-based local dev workflow. 2020-10-05 16:34:33 -05:00
.golangci.yaml Linter allows range of years in copyright 2021-01-05 13:35:09 -08:00
.pre-commit-config.yaml Got pre-commit to check for correct copyright year 2021-01-05 15:53:14 -08:00
ADOPTERS.md Update module/package names to match GitHub org switch. 2020-09-17 12:56:54 -05:00
CODE_OF_CONDUCT.md Rename the CoC and contributor guide to the names GitHub recognizes. 2020-10-02 15:53:48 -05:00
CONTRIBUTING.md Updated the community meeting info with new zoom link and agenda notes 2021-01-29 16:07:23 -06:00
Dockerfile Upgrade Go from 1.15.7 to 1.15.8. 2021-02-08 10:58:51 -06:00
go.mod Allow multiple Pinnipeds to work on same cluster 2021-02-02 15:18:41 -08:00
go.sum Allow multiple Pinnipeds to work on same cluster 2021-02-02 15:18:41 -08:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
MAINTAINERS.md Add Margo and Mo as maintainers of Pinniped 2020-12-17 13:37:20 -05:00
README.md Updated the community meeting info with new zoom link and agenda notes 2021-01-29 16:07:23 -06:00
SECURITY.md SECURITY.md: follow established pattern 2021-02-09 09:08:19 -05:00

Pinniped Logo

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.

Example Use Cases

  • Your team uses a large enterprise IDP, and has many clusters that they manage. Pinniped provides:
    • Seamless and robust integration with the IDP
    • Easy installation across clusters of any type and origin
    • A simplified login flow across all clusters
  • Your team shares a single cluster. Pinniped provides:
    • Simple configuration to integrate an IDP
    • Individual, revocable identities

Architecture

The Pinniped Supervisor component offers identity federation to enable a user to access multiple clusters with a single daily login to their external IDP. The Pinniped Supervisor supports various external IDP types.

The Pinniped Concierge component offers credential exchange to enable a user to exchange an external credential for a short-lived, cluster-specific credential. Pinniped supports various authentication methods and implements different integration strategies for various Kubernetes distributions to make authentication possible.

The Pinniped Concierge can be configured to hook into the Pinniped Supervisor's federated credentials, or it can authenticate users directly via external IDP credentials.

To learn more, see architecture.

Pinniped Architecture Sketch

Trying Pinniped

Care to kick the tires? It's easy to install and try Pinniped.

Community Meetings

Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occuring every first and third Thursday of the month at 9AM PT / 12PM PT. Use this Zoom Link to attend and add any agenda items you wish to discuss to the notes document. Join our Google Group to receive invites to this meeting.

If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.

Discussion

Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub Discussions tab at the top of this page or reach out in Kubernetes Slack Workspace within the #pinniped channel.

Contributions

Contributions are welcome. Before contributing, please see the contributing guide.

Reporting Security Vulnerabilities

Please follow the procedure described in SECURITY.md.

License

Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.

Copyright 2020 the Pinniped contributors. All Rights Reserved.