Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Matt Moyer abe3f1ba4b
Merge pull request #73 from mattmoyer/native-client
Simplify modules and switch from low level client to a client using generated code.
2020-08-27 12:15:35 -05:00
.github feature-proposal.md: I need more sleep 2020-08-27 11:46:43 -04:00
apis Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
cmd Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
deploy Fix some copy issues in the docs 2020-08-27 08:39:57 -04:00
doc Make feature proposal and bug report language more similar 2020-08-27 11:44:54 -04:00
generated Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
hack Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
internal Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
pkg/config Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
test Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
tools Add generated mock for loginrequest.CertIssuer interface. 2020-07-27 12:33:33 -07:00
.gitignore Hello, world! 2020-07-02 17:05:59 -07:00
.golangci.yaml Fix latent linter issues. 2020-08-06 20:42:20 -05:00
.pre-commit-config.yaml Add a .pre-commit-config.yaml file. 2020-08-14 14:41:11 -05:00
Dockerfile Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
go.mod Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
go.sum Make ./pkg/client into an internal package using the native k8s client. 2020-08-27 11:48:18 -05:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
README.md README.md: remove Pinni (for now) 2020-08-27 11:49:31 -04:00

Pinniped

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug upstream identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with upstream IDPs, and distribution-specific integration mechanisms.

Use cases

  • Your team uses a large enterprise IDP, and has many clusters that they manage; Pinniped provides:
    • seamless and robust integration with the upstream IDP,
    • the ability to be easily installed across clusters of any type and origin,
    • and a simplified login flow across all clusters.
  • You are on a small team that shares a single cluster; Pinniped provides:
    • simple configuration for your team's specific needs,
    • and individual, revocable identities.

Architecture

Pinniped offers a credential exchange API via a Kubernetes aggregated API where a user can exchange an upstream IDP credential for a cluster-specific credential. A specific example of this exchange is provided below where:

  • the upstream IDP is a webhook that supports the Kubernetes TokenReview API,
  • the cluster-specific credential is minted using the cluster signing keypair to issue short-lived cluster certificates (note: this particular credential minting mechanism is temporary until the Kubernetes CSR API provides the ability to set a certificate TTL),
  • and the cluster-specific credential is provided to the kubectl binary using a Kubernetes client-go credential plugin.

[Diagram: implementation]
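The last two steps of the exchange above, as an added example that is not Pinniped's own code: a CA signs a short-lived client certificate and the result is wrapped in the ExecCredential JSON that kubectl reads from a client-go credential plugin. `NewDemoCA` and `IssueExecCredential` are hypothetical names, the in-memory CA is a constructed stand-in for the cluster signing keypair, and the upstream credential is assumed to have already passed the TokenReview webhook.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewDemoCA builds a throwaway in-memory CA (constructed stand-in for the cluster signing keypair).
func NewDemoCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}

// IssueExecCredential (hypothetical) signs a client cert valid for ttl (CN = user, O = groups) and wraps it as ExecCredential JSON.
func IssueExecCredential(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, groups []string, ttl time.Duration) ([]byte, error) {
	key, kerr := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, serr := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if kerr != nil || serr != nil {
		return nil, fmt.Errorf("entropy failure: %v %v", kerr, serr)
	}
	now := time.Now() // one clock reading so NotAfter and expirationTimestamp agree
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		Subject: pkix.Name{CommonName: user, Organization: groups}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return json.Marshal(map[string]interface{}{"apiVersion": "client.authentication.k8s.io/v1beta1", "kind": "ExecCredential",
		"status": map[string]string{"expirationTimestamp": now.Add(ttl).UTC().Format(time.RFC3339),
			"clientCertificateData": string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
			"clientKeyData":         string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))}})
}

func main() {
	ca, caKey := NewDemoCA()
	out, _ := IssueExecCredential(ca, caKey, "jane@example.com", []string{"developers"}, 5*time.Minute)
	fmt.Println(string(out))
}
```

Because a client certificate stays valid until it expires, the TTL passed here is what bounds the exposure window of a leaked key.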

Install

To try out Pinniped, check out our officially supported deployment mechanism with ytt.

Contribute

If you want to contribute to (or just hack on) Pinniped (we encourage it!), first check out our Code of Conduct, and then our contributing doc.

License

Pinniped is open source and licensed under the Apache License, Version 2.0. See the LICENSE file.

Copyright 2020 VMware, Inc.