Pinniped (k8s)

vmware/pinniped last check 2026-06-20 21:06 UTC 49 releases

Notes

Pinniped provides identity services to Kubernetes.

Easily plug in external identity providers into Kubernetes clusters while offering a simple install and configuration experience. Leverage first class integration with Kubernetes and kubectl command-line.
Give users a consistent, unified login experience across all your clusters, including on-premises and managed cloud environments.
Securely integrate with an enterprise IDP using standard protocols or use secure, externally managed identities instead of relying on simple, shared credentials.

site : https://pinniped.dev/

Release notes

v0.3.0 · 1y+

view on github

Release v0.3.0

Release Images

Image	Registry
`ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.3.0`	GitHub Container Registry
`docker.io/getpinniped/pinniped-server:v0.3.0`	DockerHub

Changes

Major Changes

Implemented core login functionality of the Pinniped supervisor. The supervisor is an OpenID Connect (OIDC) server that passes identities from an upstream identity provider down to your Kubernetes clusters. In this release, we finish what we started in v0.2.0 by adding several new APIs and implementing all the core login functionality:
- config.supervisor.pinniped.dev/FederationDomain configures the "downstream" behavior of the supervisor as an OIDC issuer.
- idp.supervisor.pinniped.dev/OIDCIdentityProvider configures an "upstream" OIDC provider which will be the source of identities.
The supervisor is a standards-compliant OIDC provider supporting the authorization code and refresh token flows. It also includes support for a RFC8693 token exchange grant flow. This new flow is key to supporting smooth login flows involving multiple clusters.
Added support for JSON Web Token (JWT) validation to the Pinniped concierge. This is configured with a new API type:
- authentication.concierge.pinniped.dev/JWTAuthenticator configures JWT validation parameters for the cluster.
Added a new comprehensive command line interface that unifies the concierge and supervisor functionality:
- pinniped get kubeconfig generates a Pinniped-based kubeconfig YAML. This command can autodiscover all required parameters in most cases, and supports using only a subset of Pinniped components.

Minor Changes

Extended the pinniped login oidc subcommand. This command is normally not called directly, but via a kubeconfig generated by pinniped get kubeconfig. It now supports login flows combining OIDC browser-based login and the concierge TokenCredentialRequest API. It also now supports the RFC8693 token exchange functionality via a new --request-audience flag.
Added a new pinniped login static subcommand which is similar to pinniped login oidc but using static tokens. Tokens can be passed in the kubeconfig or via environment variable.
Deprecated the pinniped get-kubeconfig subcommand. This has been replaced with pinniped get kubeconfig and will be removed in a future release.
Deprecated the pinniped exchange-credential subcommand. This has been replaced with pinniped login static and will be removed in a future release.
Adjusted the default logging level to be less verbose. Debug log output can now be enabled via a configuration field.
Increased the overall timeout for pinniped login oidc to 90 minutes and added shorter timeouts for non-interactive portions of the login flow.
Reduced the lifetime of concierge-issued client certificates from 1 hour to 5 minutes.
Upgraded to Go 1.15.6.
Upgraded container base image to Debian 10.7 (slim).
Upgraded Kubernetes library components to v1.19.5.
Moved some stable OIDC client functionality from ./internal to ./pkg so it can be more easily imported by other projects.

Diffs

A complete list of changes (450 commits, 622 changed files with 38,117 additions and 16,689 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.