8f93fbb87b
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more. Signed-off-by: Matt Moyer <moyerm@vmware.com>
Pinniped
Overview
Pinniped provides identity services to Kubernetes.
Pinniped allows cluster administrators to easily plug upstream identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with upstream IDPs, and distribution-specific integration mechanisms.
Use cases
- Your team uses a large enterprise IDP, and has many clusters that they manage; Pinniped provides:
  - seamless and robust integration with the upstream IDP,
  - the ability to be easily installed across clusters of any type and origin,
  - and a simplified login flow across all clusters.
- You are on a small team that shares a single cluster; Pinniped provides:
  - simple configuration for your team's specific needs,
  - and individual, revocable identities.
Architecture
Pinniped offers a credential exchange API via a Kubernetes aggregated API where a user can exchange an upstream IDP credential for a cluster-specific credential. A specific example of this exchange is provided below where:
- the upstream IDP is a webhook that supports the Kubernetes TokenReview API,
- the cluster-specific credential is minted using the cluster signing keypair to issue short-lived cluster certificates (note: this particular credential minting mechanism is temporary until the Kubernetes CSR API provides the ability to set a certificate TTL),
- and the cluster-specific credential is provided to the `kubectl` binary using a Kubernetes client-go credential plugin.
Install
To try out Pinniped, check out our officially supported deployment mechanism with ytt.
Contribute
If you want to contribute to (or just hack on) Pinniped (we encourage it!), first check out our Code of Conduct, and then our contributing doc.
License
Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE file.
Copyright 2020 VMware, Inc.