
---
title: "A Seal of Approval: Project Pinniped"
slug: a-seal-of-approval
date: 2020-11-12
author: Pablo Schuhmacher
image: /img/logo.svg
excerpt: "Pinniped intends to bring that dream state — log in once and you're done — to reality."
tags: [release]
---

Kubernetes, containers, microservices: They've all turned conventional application development wisdom inside out. But for all the wonders introduced and new technologies released, there are still a few things that remain difficult, cumbersome, or just really, really frustrating when it comes to Kubernetes. We have set out to make one of those things easier and more understandable: authentication.

In a perfect world, you would be able to use a single authentication process of your choice to log in to all of your Kubernetes clusters, including on-premises and managed cloud environments. This process would be highly secure, easy to configure, and tightly integrated with standard upstream identity providers. The reality is quite different. Authentication can be a tricky affair.

Pinniped, a newly released VMware-originated open source project, intends to bring that dream state — log in once and you're done — to reality.

The state of Kubernetes

Kubernetes offers a wide range of authentication backends, but the end-to-end login flow for your clusters is up to you. Kubernetes itself handles only credential validation, and usually requires extra tools and configuration to integrate with external identity providers. Unfortunately, this means that in practice many clusters wind up with less secure options, like shared “admin” certificates.

Even if you are consuming a managed Kubernetes solution or distribution that provides integrated authentication, the authentication configuration is often controlled solely by the provider. As a consumer of Kubernetes in these situations, there hasn't been a single, unified way to customize authentication. In some cases, users need to know how to log in several different ways to access multiple clusters.

Pinniped delivers a consistent user authentication experience in Kubernetes that prioritizes security, interoperability, and low-effort management at scale. Using Pinniped, you're able to:

  • Install and integrate with nearly any cluster in one step
  • Log in once to safely access many clusters
  • Leverage first-class integration with Kubernetes and kubectl CLI
  • Use standards-based protocols and login flows

Pinniped provides identity services to Kubernetes

Pinniped allows cluster administrators to easily plug in external IDPs to Kubernetes clusters. It can be installed on nearly any cluster and configured via declarative Kubernetes custom resource definitions (CRDs).

We're still in “start-up scramble mode” for Pinniped—the team has more ideas and energy than time! And we know that the community can help make this project flourish. But in the meantime, our initial concept use cases include:

  • You administer many clusters across cloud and on-premises:

    • More securely integrate with an enterprise IDP using standard protocols
    • Give users a consistent, unified login experience across all your clusters
    • Manage configuration using GitOps or existing Kubernetes configuration pipelines
  • You run a small cluster for your team:

    • Install and configure quickly
    • Use more secure, externally-managed identities instead of relying on simple, shared credentials

Just getting started

Let's be clear: We're not there yet, but that's where we're headed with Pinniped. Want to explore Pinniped and add your ideas to the mix? Join the community and help us:

  • Simplify the user experience of authenticating to Kubernetes
  • Create a unified login experience across clusters regardless of provider or distribution
  • Advance the state of the art in Kubernetes login security

From contributing code to uploading documentation to sharing how you'd like to use Pinniped in the wild, there are many ways to get involved. Feel free to ask questions via #pinniped on Kubernetes Slack, or check out the Contribute to Pinniped page for details on how to contribute to the Pinniped project. There you'll find out how you can:

  • Propose or request new features
  • Try writing a plugin
  • Share how your team plans to use Pinniped

As to where the name “pinniped” comes from: Pinnipeds are marine mammals that have front and rear flippers, such as seals. A “seal” is also a mark of authenticity. And that's what Pinniped hopes to be: a seal or mark of authenticity across and between Kubernetes clusters.

{{< community >}}