Pinniped (k8s)

Pinniped provides identity services to Kubernetes.

- Easily plug external identity providers into Kubernetes clusters while offering a simple install and configuration experience. Leverages first-class integration with Kubernetes and the kubectl command line.
- Give users a consistent, unified login experience across all your clusters, including on-premises and managed cloud environments.
- Securely integrate with an enterprise IDP using standard protocols, or use secure, externally managed identities instead of relying on simple, shared credentials.

Site: https://pinniped.dev/

Release v0.2.0

Release image: docker.io/getpinniped/pinniped-server:v0.2.0
Changes

Major Changes

- Splits Pinniped into two components:
  - The "concierge" extends a Kubernetes cluster to enable dynamic configuration of authenticators.
  - The "supervisor" is a federated OpenID Connect gateway that enables a smooth multi-cluster user experience for CLI flows.
  Currently only the Concierge component is fully working.
- Renamed several APIs for clarity and consistency:
  - `config.pinniped.dev/CredentialIssuerConfig` is now named `config.concierge.pinniped.dev/CredentialIssuer`.
  - `idp.concierge.pinniped.dev/WebhookIdentityProvider` is now `authentication.concierge.pinniped.dev/WebhookAuthenticator`.
  - `login.pinniped.dev/TokenCredentialRequest` is now named `login.concierge.pinniped.dev/TokenCredentialRequest`, and the `spec.identityProvider` field is now named `spec.authenticator`.
  - `config.supervisor.pinniped.dev/OIDCProvider` is a new type for configuring a downstream OpenID Connect (OIDC) provider. This type and the rest of the supervisor functionality are not fully implemented in v0.2.0.
  Note that this is the last release where we intend to make breaking API changes. Future changes will be subject to a deprecation period.
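As an added illustration of the renamed concierge types (this is example YAML written for this page, not from the release notes or the Pinniped project's own manifests), the following shows a WebhookAuthenticator and a TokenCredentialRequest under the v0.2.0 names. The `v1alpha1` API version, the resource names, the webhook endpoint, the CA bundle and the token value are all assumptions; the point is the new API groups and the `spec.authenticator` reference that replaces the former `spec.identityProvider` field.

```yaml
# Added example, not from the release notes. The apiVersion "v1alpha1" and
# every name, URL and value below are assumptions.
#
# Old (pre-v0.2.0): idp.concierge.pinniped.dev/WebhookIdentityProvider
# New (v0.2.0):     authentication.concierge.pinniped.dev/WebhookAuthenticator
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: WebhookAuthenticator
metadata:
  name: example-webhook          # assumed name
spec:
  # Authentication webhook that validates the submitted token (assumed URL).
  endpoint: https://webhook.example.internal/authenticate
  tls:
    # Base64-encoded PEM CA bundle used to verify the webhook's certificate
    # (placeholder value; pin the CA rather than trusting the system pool).
    certificateAuthorityData: LS0tLS1CRUdJTi...PLACEHOLDER
---
# Old (pre-v0.2.0): login.pinniped.dev/TokenCredentialRequest with spec.identityProvider
# New (v0.2.0):     login.concierge.pinniped.dev/TokenCredentialRequest with spec.authenticator
apiVersion: login.concierge.pinniped.dev/v1alpha1
kind: TokenCredentialRequest
spec:
  # External credential to be exchanged for a cluster credential (placeholder).
  token: EXAMPLE-EXTERNAL-TOKEN
  # Renamed from spec.identityProvider; refers to the authenticator defined above.
  authenticator:
    apiGroup: authentication.concierge.pinniped.dev
    kind: WebhookAuthenticator
    name: example-webhook
```

Because these are breaking renames with no deprecation period, any stored manifests, GitOps repositories or automation that still emit the old API groups or the `spec.identityProvider` field should be grepped for and updated before upgrading a cluster to v0.2.0.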
- Introduced a new `pinniped login oidc` CLI command for performing an OIDC login flow from the CLI. This command is currently tested with third-party OIDC implementations, but in future versions it will integrate more tightly with the supervisor OIDC implementation. It uses a file-based session cache in `~/.config/pinniped/sessions.yaml`.
- Implemented the initial basic functionality of the Pinniped supervisor. This component is not yet finished, but the supervisor can be installed and serves working OIDC discovery and JWKS endpoints. It supports serving via a TLS-terminating Kubernetes Ingress, or via a TCP-level LoadBalancer Service with TLS terminated at the app layer using certificates configured via the `spec.tls.secretName` field in OIDCProvider. Future versions of the supervisor will implement the rest of the OIDC login flow, with extensions to support a seamless multi-cluster user experience.
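An added example (not from the release notes or the Pinniped project) of the app-layer TLS option described above: a `kubernetes.io/tls` Secret holding the serving certificate, referenced from an OIDCProvider through `spec.tls.secretName`. The `v1alpha1` API version, the `spec.issuer` field, the namespace, the resource names and the issuer URL are assumptions; only `spec.tls.secretName` and the OIDCProvider type come from the notes.

```yaml
# Added example, not from the release notes. apiVersion "v1alpha1", the
# spec.issuer field, and all names and URLs below are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: supervisor-tls            # assumed name
  namespace: pinniped-supervisor  # assumed namespace
type: kubernetes.io/tls
data:
  # Base64-encoded PEM certificate chain and private key for the issuer host
  # (placeholder values). Keep the key out of source control.
  tls.crt: LS0tLS1CRUdJTi...PLACEHOLDER
  tls.key: LS0tLS1CRUdJTi...PLACEHOLDER
---
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: OIDCProvider
metadata:
  name: example-provider          # assumed name
  namespace: pinniped-supervisor  # assumed namespace
spec:
  # Issuer URL (assumed field and value). Per the OIDC discovery spec the
  # discovery document is served at <issuer>/.well-known/openid-configuration,
  # and the JWKS URL is advertised inside it.
  issuer: https://login.example.internal/issuer
  tls:
    # Certificate the supervisor presents when TLS is terminated at the app
    # layer (e.g. behind a TCP-level LoadBalancer Service) rather than at an
    # Ingress. Must be a Secret of type kubernetes.io/tls in the same namespace.
    secretName: supervisor-tls
```

If the supervisor is instead fronted by a TLS-terminating Ingress, the Ingress holds the certificate and the `tls` block is not needed. In the app-layer case, the first check after applying these resources is that the discovery URL answers over the certificate from the Secret; the certificate's subject names must cover the issuer host, since clients validate the issuer URL against it.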
Minor Changes

- Added support for specifying custom labels in our `ytt` template. These labels will be passed down to all installed resources, including resources dynamically created at runtime.
- Added support for installing the concierge and supervisor resources into existing namespaces instead of creating dedicated namespaces.
- Added container resource requests/limits to all Pinniped pods.
- Changed all container images and deployments to run as a non-root user. This change also involved updating the default listen ports to 8080/8443.
- Added default permissions to permit the dynamically created "cert agent" Pod to run even when a restrictive PodSecurityPolicy is configured on the cluster.
- Upgraded to Go 1.15.3.
- Upgraded the container base image to Debian 10.6.
- Added Tilt-based local development workflow scripts and configuration. This allows a much faster feedback cycle when developing locally.
- Removed an erroneous `namespace` field on one of our ClusterRoleBinding resources.
- Updated documentation and the contribution guide.
A complete list of changes (189 commits, 656 changed files with 31,106 additions and 7,372 deletions!) can be found here.