VMware Inc.

06/22/2022 | News release | Distributed by Public on 06/22/2022 08:35

Pinniped: The One-Stop Shop for All Your Kubernetes Authentication Needs

New to Pinniped?

Pinniped is a "batteries included" authentication system for Kubernetes clusters that tightly integrates with Kubernetes using native API patterns. It's built using custom resource definitions (CRDs) and API aggregation, both of which are core to the configuration and runtime operation of Pinniped.

The many benefits to using Pinniped for Kubernetes authentication include:

  • Easy to configure your OIDC, LDAP or Active Directory identity providers using CRDs. A user's identity in the external identity provider (IDP) becomes their identity in Kubernetes. All other aspects of Kubernetes that are sensitive to identity, such as authorization policies and audit logging, are then based on the user identities from your identity provider.
  • Support for various cluster types, which lets users bring their identities from their IDP to many types of Kubernetes clusters in a consistent way. This includes both on-prem clusters, such as those offered by VMware Tanzu Kubernetes Grid, and clusters provided as a managed cloud service such as GKE, EKS or AKS.
  • Safely distribute Kubeconfig files: they contain no user credentials, so they can be shared safely.
  • Deep integration with kubectl means that when a user runs kubectl commands, they will be interactively prompted to log in using their identity.
  • Users log in once a day to multiple clusters using kubectl and can access those clusters for the rest of the day without being asked to authenticate again.
  • All credentials are short-lived and refreshed often.
  • Frequent checks are made against your IDP to ensure that the user can continue to access the clusters. For example, within minutes of an Active Directory account being locked, that user will lose access to Kubernetes clusters, even if they were already logged in.
  • Credentials are uniquely scoped to each cluster, which means users cannot misuse their privilege across clusters.
  • Bootstrapping and break-glass access is still available because Pinniped does not interfere with a cluster's original vendor-specific authentication system.

Most importantly, Pinniped is 100% open source and will never be tied to any one vendor's authentication system. We are constantly improving Pinniped and have some exciting new features, such as audit logging, integration with UI dashboards, as well as compliance control features like session management and secrets management coming soon! Check out our project roadmap and our project backlog for more details.

Pinniped is better because of our contributors and maintainers. It's because of you that we can bring great software to the community. So, join us during our online community meetings or reach out to us in #pinniped on Kubernetes Slack to learn more and contribute!

Want to learn more about Pinniped and how you can securely distribute your Kubeconfigs? Attend or tune in virtually to Nigel Brown and Leigh Capili's talk entitled "Sharing Is NOT Caring: Stop Sharing Your Kubernetes Cluster Credentials" at Open Source Summit North America on Wednesday, June 22nd at 2:35 PM CDT.

See you at the Summit!

Stay tuned to the Open Source Blog and follow us on Twitter for more deep dives into the world of open source contributing.