4.9 KiB
Trying Pinniped
Prerequisites
-
A Kubernetes cluster of a type supported by Pinniped. Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod is accessible from Pinniped's pods. Support for other types of Kubernetes distributions is coming soon.
Don't have a cluster handy? Consider using kind on your local machine. See below for an example of using kind.
-
A kubeconfig where the current context points to that cluster and has admin-like privileges on that cluster.
Don't have an identity provider of a type supported by Pinniped handy? Start by installing
local-user-authenticatoron the same cluster where you would like to try Pinniped by following the directions in deploy-local-user-authenticator/README.md. See below for an example of deploying this on kind.
Steps
General Steps
- Install Pinniped by following the directions in deploy/README.md.
- Download the Pinniped CLI from Pinniped's github Releases page.
- Generate a kubeconfig using the Pinniped CLI. Run
pinniped get-kubeconfig --helpfor more information. - Run
kubectlcommands using the generated kubeconfig to authenticate using Pinniped during those commands.
Specific Example of Deploying on kind Using local-user-authenticator as the Identity Provider
-
Install the tools required for the following steps.
-
This example deployment uses
yttandkappfrom Carvel to template the YAML files and to deploy the app. Either installyttandkappor use the container image from Dockerhub. E.g.brew install k14s/tap/ytt k14s/tap/kappon a Mac. -
Install kind, if not already installed. e.g.
brew install kindon a Mac. -
kind depends on Docker. If not already installed, install Docker, e.g.
brew cask install dockeron a Mac. -
This demo requires
kubectl, which comes with Docker, or can be installed separately. -
This demo requires a tool capable of generating a
bcrypthash in order to interact with the webhook. The example below useshtpasswd, which is installed on most macOS systems, and can be installed on some Linux systems via theapache2-utilspackage (e.g.,apt-get install apache2-utils).
-
-
Create a new Kubernetes cluster using
kind create cluster. Optionally provide a cluster name using the--nameflag. kind will automatically update your kubeconfig to point to the new cluster. -
Clone this repo.
git clone https://github.com/suzerain-io/pinniped.git /tmp/pinniped --depth 1 -
Deploy the
local-user-authenticatorapp:cd /tmp/pinniped/deploy-local-user-authenticator ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file - -
Create a test user.
kubectl create secret generic pinny-the-seal \ --namespace local-user-authenticator \ --from-literal=groups=group1,group2 \ --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") -
Fetch the auto-generated CA bundle for the
local-user-authenticator's HTTP TLS endpoint.kubectl get secret api-serving-cert --namespace local-user-authenticator \ -o jsonpath={.data.caCertificate} \ | base64 -d \ | tee /tmp/local-user-authenticator-ca -
Deploy Pinniped.
cd /tmp/pinniped/deploy ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file - \ --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \ --data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca)" -
Download the latest version of the Pinniped CLI binary for your platform from Pinniped's github Releases page.
-
Move the Pinniped CLI binary to your preferred directory and add the executable bit, e.g.
chmod +x /usr/local/bin/pinniped. -
Generate a kubeconfig.
pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig -
Create RBAC rules for the test user to give them permissions to perform actions on the cluster. For example, grant the test user permission to view all cluster resources.
kubectl create clusterrolebinding pinny-can-read --clusterrole view --user pinny-the-seal -
Use the generated kubeconfig to issue arbitrary
kubectlcommands as thepinny-the-sealuser.kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped