Pinniped (k8s)

Notes

Pinniped provides identity services to Kubernetes.

  • Easily plug external identity providers into Kubernetes clusters while offering a simple install and configuration experience. Leverage first-class integration with Kubernetes and the kubectl command line.
  • Give users a consistent, unified login experience across all your clusters, including on-premises and managed cloud environments.
  • Securely integrate with an enterprise IDP using standard protocols or use secure, externally managed identities instead of relying on simple, shared credentials.

site : https://pinniped.dev/

Release notes

Release v0.15.0

Release Image

  • ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.15.0 (GitHub Container Registry)
  • docker.io/getpinniped/pinniped-server:v0.15.0 (DockerHub)

These images can also be referenced by their digest: sha256:62be9ea6c98760439a4f471963c654fdc789ea839edbfb8102e7022462dcc782.

Changes

Users' group memberships in Active Directory and LDAP are now refreshed as they interact with the Supervisor to obtain new credentials.

Major Changes

Active Directory and LDAP group refresh allows group membership changes to be quickly reflected in Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in sync with the identity provider. This functionality was introduced for OIDC in v0.13.0, and Active Directory and LDAP identity providers now have the same behavior.

Warning

In some Active Directory and LDAP environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set spec.groupSearch.skipGroupRefresh to true in your ActiveDirectoryIdentityProvider or LDAPIdentityProvider. This is an insecure configuration, because authorization policies that are bound to group membership will not notice that a user has been removed from a particular group until their next login.

skipGroupRefresh is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
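The two options in the warning above, as an added example that is not part of the release notes or of the Pinniped project's own manifests: the first LDAPIdentityProvider keeps refresh enabled but narrows the group query, which is the recommended fix; the second opts out with skipGroupRefresh and accepts stale group membership for up to a day. Only spec.groupSearch.skipGroupRefresh is taken from this page; the CRD API group, the other field names and the default-style filter are the editor's understanding of the Pinniped LDAPIdentityProvider API and should be checked against the documentation for the version in use, and the host, base DNs, Secret name and resource names are constructed placeholders.

```yaml
# Added example, not from the release notes. Placeholders are marked; check the
# field names against the Pinniped docs for your version before applying.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: LDAPIdentityProvider
metadata:
  name: corp-ldap-refreshed            # placeholder name
  namespace: pinniped-supervisor
spec:
  host: ldap.example.com:636           # placeholder host
  bind:
    secretName: corp-ldap-bind         # placeholder Secret holding the bind DN/password
  userSearch:
    base: ou=users,dc=example,dc=com   # placeholder base DN
    attributes:
      username: mail
      uid: uidNumber
  groupSearch:
    # Preferred: leave refresh on (skipGroupRefresh defaults to false) and make
    # the query cheap instead. A base limited to the OU that holds the groups
    # referenced by RBAC bindings, and a flat filter that matches the user's DN
    # directly (no nested-group expansion), keep the per-refresh cost low.
    base: ou=k8s-groups,dc=example,dc=com   # placeholder, narrowed from ou=groups
    filter: "&(objectClass=groupOfNames)(member={})"   # {} is replaced by the user's DN
    attributes:
      groupName: cn
---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: LDAPIdentityProvider
metadata:
  name: corp-ldap-static               # placeholder name
  namespace: pinniped-supervisor
spec:
  host: ldap.example.com:636           # placeholder host
  bind:
    secretName: corp-ldap-bind         # placeholder Secret
  userSearch:
    base: ou=users,dc=example,dc=com   # placeholder base DN
    attributes:
      username: mail
      uid: uidNumber
  groupSearch:
    base: ou=groups,dc=example,dc=com  # placeholder, the wide search that was too slow
    attributes:
      groupName: cn
    # Opt-out from this release: groups are read once at login and reused until
    # the session expires. Removal from a group is NOT seen until the next login,
    # so RBAC bindings on groups lag the directory by up to about a day.
    skipGroupRefresh: true
```

Apply one of the two with kubectl apply -f; do not install both under the same name. If you do choose the second form, treat it as a documented exception and re-read the release notes on every upgrade, since the field is marked experimental and its meaning may change.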

Minor Changes

  • Update Go to v1.17.7 (#999)
  • The Pinniped CLI now requires https issuers (#1013)
  • Allow alternate deployment mechanisms for integration tests (#1028)
  • Add toleration for new "control-plane" node label for Concierge deploy (#1031)
  • Add generated code for Kubernetes 1.21, 1.22, and 1.23 (#1040)
  • Update Kubernetes dependencies to v0.23.4 (#1041)
  • Warn users when their groups have changed upon refresh (#1043)
  • Fix rendering of API reference docs when | characters are used (#1044)

Diffs

A complete list of changes (84 commits, 1,344 changed files with 47,336 additions and 1,934 deletions) can be found here.

Acknowledgements

  • Thanks to @jvanzyl for altering our helper scripts so that users can run integration tests using deployment mechanisms other than kapp.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.