20b21e8639
- The certs manager controller, along with its sibling certs expirer and certs observer controllers, are generally useful for any process that wants to create its own CA and TLS certs, but only if the updating of the APIService is not included in those controllers - So that functionality for updating APIServices is moved to a new controller which watches the same Secret which is used by those other controllers - Also parameterize `NewCertsManagerController` with the service name and the CA common name to make the controller more reusable |
||
|---|---|---|
| .github | ||
| apis | ||
| cmd | ||
| deploy | ||
| doc | ||
| generated | ||
| hack | ||
| internal | ||
| pkg/config | ||
| test | ||
| tools | ||
| .gitignore | ||
| .golangci.yaml | ||
| .pre-commit-config.yaml | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| SECURITY.md | ||
| go.mod | ||
| go.sum | ||
README.md
Pinniped
Overview
Pinniped provides identity services to Kubernetes.
Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.
Example Use Cases
- Your team uses a large enterprise IDP, and has many clusters that they
manage. Pinniped provides:
- Seamless and robust integration with the IDP
- Easy installation across clusters of any type and origin
- A simplified login flow across all clusters
- Your team shares a single cluster. Pinniped provides:
- Simple configuration to integrate an IDP
- Individual, revocable identities
Architecture
Pinniped offers credential exchange to enable a user to exchange an external IDP credential for a short-lived, cluster-specific credential. Pinniped supports various IDP types and implements different integration strategies for various Kubernetes distributions to make authentication possible.
Supported Identity Provider Types
The currently supported external IDP types are outlined here. More will be added in the future.
- Any webhook which implements the Kubernetes TokenReview API
Supported Cluster Integration Strategies
The currently supported cluster integration strategies are outlined here. More will be added in the future.
- Pinniped hosts a credential exchange API endpoint via a Kubernetes aggregated API server. This API returns a new cluster-specific credential using the cluster's signing keypair to issue short-lived cluster certificates. (In the future, when the Kubernetes CSR API provides a way to issue short-lived certificates, then the Pinniped credential exchange API will use that instead of using the cluster's signing keypair.)
kubectl Integration
With any of the above IDPs and integration strategies, kubectl commands receive the
cluster-specific credential via a
Kubernetes client-go credential plugin.
Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI
built with the Pinniped Go client library.
Cluster Authentication Sequence Diagram
Installation
Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod is accessible from Pinniped's pods. Support for other types of Kubernetes distributions is coming soon.
To try Pinniped, see deploy/README.md.
Contributions
Contributions are welcome. Before contributing, please see the Code of Conduct and the contributing guide.
Reporting Security Vulnerabilities
Please follow the procedure described in SECURITY.md.
License
Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE file.
Copyright 2020 VMware, Inc.