Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Go to file
Matt Moyer f0ebd808d7
Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].

We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.

[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
.github Get rid of WIP workflow 2020-10-27 18:39:19 -04:00
apis Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field. 2020-11-18 17:14:35 -06:00
cmd Use kube storage for the supervisor callback endpoint's fosite sessions 2020-12-02 17:40:01 -08:00
deploy Remove duplicate docs from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
generated Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field. 2020-11-18 17:14:35 -06:00
hack Parameterize the supervisor_redirect_uri in the test env Dex. 2020-12-03 12:45:56 -06:00
internal Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax. 2020-12-03 21:30:00 -06:00
pkg/oidcclient Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-02 16:09:08 -06:00
site Remove duplicate documentation images from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
test Fix this comment (and retrigger CI). 2020-12-03 14:24:26 -06:00
tools Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
.gitattributes Add .gitattributes as a hint to the GitHub diff viewer. 2020-09-15 11:44:23 -05:00
.gitignore Add Tilt-based local dev workflow. 2020-10-05 16:34:33 -05:00
.golangci.yaml Add --ca-bundle flag to "pinniped login oidc" command. 2020-11-16 18:15:20 -06:00
.pre-commit-config.yaml Add Tilt-based local dev workflow. 2020-10-05 16:34:33 -05:00
ADOPTERS.md Update module/package names to match GitHub org switch. 2020-09-17 12:56:54 -05:00
CODE_OF_CONDUCT.md Rename the CoC and contributor guide to the names GitHub recognizes. 2020-10-02 15:53:48 -05:00
CONTRIBUTING.md Remove duplicate docs from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
Dockerfile Bump golang from 1.15.3 to 1.15.5 2020-11-20 20:19:51 +00:00
go.mod Finished tests for pkce storage and added it to kubestorage 2020-12-01 14:53:22 -08:00
go.sum WIP for saving authorize endpoint state into upstream state param 2020-11-10 17:58:00 -08:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
MAINTAINERS.md MAINTAINERS.md: add initial draft 2020-09-15 13:14:50 -04:00
README.md Remove duplicate documentation images from the repo and change all links to point to the Hugo site 2020-12-02 23:58:19 +05:30
SECURITY.md Update precommit hook config to ignore generated files and fix whitespace. 2020-08-31 16:41:22 -05:00

Pinniped Logo

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.

Example Use Cases

  • Your team uses a large enterprise IDP, and has many clusters that they manage. Pinniped provides:
    • Seamless and robust integration with the IDP
    • Easy installation across clusters of any type and origin
    • A simplified login flow across all clusters
  • Your team shares a single cluster. Pinniped provides:
    • Simple configuration to integrate an IDP
    • Individual, revocable identities

Architecture

Pinniped offers credential exchange to enable a user to exchange an external IDP credential for a short-lived, cluster-specific credential. Pinniped supports various IDP types and implements different integration strategies for various Kubernetes distributions to make authentication possible.

To learn more, see architecture.

Pinniped Architecture Sketch

Trying Pinniped

Care to kick the tires? It's easy to install and try Pinniped.

Discussion

Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub Discussions tab at the top of this page.

Contributions

Contributions are welcome. Before contributing, please see the contributing guide.

Reporting Security Vulnerabilities

Please follow the procedure described in SECURITY.md.

License

Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.

Copyright 2020 the Pinniped contributors. All Rights Reserved.