Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Go to file
Ryan Richard f6ded84f07 Implement upstream LDAP support in auth_handler.go
- When the upstream IDP is an LDAP IDP and the user's LDAP username and
  password are received as new custom headers, then authenticate the
  user and, if authentication was successful, return a redirect with
  an authcode. Handle errors according to the OAuth/OIDC specs.
- Still does not support having multiple upstream IDPs defined at the
  same time, which was an existing limitation of this endpoint.
- Does not yet include the actual LDAP authentication, which is
  hidden behind an interface from the point of view of auth_handler.go
- Move the oidctestutil package to the testutil directory.
- Add an interface for Fosite storage to avoid a cyclical test
  dependency.
- Add GetURL() to the UpstreamLDAPIdentityProviderI interface.
- Extract test helpers to be shared between callback_handler_test.go
  and auth_handler_test.go because the authcode and fosite storage
  assertions should be identical.
- Backfill Content-Type assertions in callback_handler_test.go.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-08 17:28:01 -07:00
.github Ignore test coverage for local-user-authenticator. 2021-03-15 10:43:17 -05:00
apis Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin 2021-04-07 12:56:09 -07:00
cmd Generate more helpful context/cluster/user names in pinniped get kubeconfig 2021-04-05 12:36:02 -05:00
deploy Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin 2021-04-07 12:56:09 -07:00
generated Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin 2021-04-07 12:56:09 -07:00
hack Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin 2021-04-07 12:56:09 -07:00
internal Implement upstream LDAP support in auth_handler.go 2021-04-08 17:28:01 -07:00
pkg certauthority.go: Refactor issuing client versus server certs 2021-03-12 16:09:37 -08:00
site Display blog posts in reverse order by date. 2021-04-05 10:54:00 -05:00
test Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 16:12:13 -07:00
.dockerignore Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt 2021-04-05 15:01:49 -07:00
.gitattributes Add .gitattributes as a hint to the GitHub diff viewer. 2020-09-15 11:44:23 -05:00
.gitignore Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt 2021-04-05 15:01:49 -07:00
.golangci.yaml Don't lint generated code. 2021-02-16 13:18:18 -06:00
.pre-commit-config.yaml Rename dex namespace, add new ytt value to deploy/tools, and remove Tilt 2021-04-05 15:01:49 -07:00
ADOPTERS.md Updated adopters.md file to include TMC and TKG 2021-03-29 09:48:34 -05:00
CODE_OF_CONDUCT.md Rename the CoC and contributor guide to the names GitHub recognizes. 2020-10-02 15:53:48 -05:00
CONTRIBUTING.md Add -timeout 0 when describing how to run integration tests 2021-03-03 12:53:41 -08:00
Dockerfile Bump golang from 1.16.2 to 1.16.3 2021-04-02 05:56:43 +00:00
go.mod Upgrade to prereleased Kubernetes v1.20.5++ dependencies. 2021-03-31 12:53:41 -05:00
go.sum Upgrade to prereleased Kubernetes v1.20.5++ dependencies. 2021-03-31 12:53:41 -05:00
LICENSE Add Apache 2.0 license. 2020-07-06 13:50:31 -05:00
MAINTAINERS.md Add Margo and Mo as maintainers of Pinniped 2020-12-17 13:37:20 -05:00
proxy-kubeconfig.yaml Add initial implementation of impersonation proxy. 2021-02-03 09:31:13 -08:00
README.md Update Google Group Link 2021-03-26 22:11:16 -04:00
ROADMAP.md Update ROADMAP.md 2021-03-11 13:58:34 -08:00
SCOPE.md Move scope doc out of website to SCOPE.md. 2021-02-23 11:11:07 -06:00
SECURITY.md SECURITY.md: follow established pattern 2021-02-09 09:08:19 -05:00

Pinniped Logo

Overview

Pinniped provides identity services to Kubernetes.

Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.

Example use cases

  • Your team uses a large enterprise IDP, and has many clusters that they manage. Pinniped provides:
    • Seamless and robust integration with the IDP
    • Easy installation across clusters of any type and origin
    • A simplified login flow across all clusters
  • Your team shares a single cluster. Pinniped provides:
    • Simple configuration to integrate an IDP
    • Individual, revocable identities

Architecture

The Pinniped Supervisor component offers identity federation to enable a user to access multiple clusters with a single daily login to their external IDP. The Pinniped Supervisor supports various external IDP types.

The Pinniped Concierge component offers credential exchange to enable a user to exchange an external credential for a short-lived, cluster-specific credential. Pinniped supports various authentication methods and implements different integration strategies for various Kubernetes distributions to make authentication possible.

The Pinniped Concierge can be configured to hook into the Pinniped Supervisor's federated credentials, or it can authenticate users directly via external IDP credentials.

To learn more, see architecture.

Getting started with Pinniped

Care to kick the tires? It's easy to install and try Pinniped.

Community meetings

Pinniped is better because of our contributors and maintainers. It is because of you that we can bring great software to the community. Please join us during our online community meetings, occurring every first and third Thursday of the month at 9 AM PT / 12 PM PT. Use this Zoom Link to attend and add any agenda items you wish to discuss to the notes document. Join our Google Group to receive invites to this meeting.

If the meeting day falls on a US holiday, please consider that occurrence of the meeting to be canceled.

Discussion

Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub Discussions tab at the top of this page or reach out in Kubernetes Slack Workspace within the #pinniped channel.

Contributions

Contributions are welcome. Before contributing, please see the contributing guide.

Reporting security vulnerabilities

Please follow the procedure described in SECURITY.md.

License

Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.

Copyright 2020 the Pinniped contributors. All Rights Reserved.