README
¶
Overview
Pinniped provides identity services to Kubernetes.
Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.
Example Use Cases
- Your team uses a large enterprise IDP, and has many clusters that they
manage. Pinniped provides:
- Seamless and robust integration with the IDP
- Easy installation across clusters of any type and origin
- A simplified login flow across all clusters
- Your team shares a single cluster. Pinniped provides:
- Simple configuration to integrate an IDP
- Individual, revocable identities
Architecture
Pinniped offers credential exchange to enable a user to exchange an external IDP credential for a short-lived, cluster-specific credential. Pinniped supports various IDP types and implements different integration strategies for various Kubernetes distributions to make authentication possible.
To learn more, see doc/architecture.md.
Trying Pinniped
Care to kick the tires? It's easy to install and try Pinniped.
Contributions
Contributions are welcome. Before contributing, please see the contributing guide.
Reporting Security Vulnerabilities
Please follow the procedure described in SECURITY.md.
License
Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.
Copyright 2020 the Pinniped contributors. All Rights Reserved.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
local-user-authenticator
Package main provides a authentication webhook program.
|
Package main provides a authentication webhook program. |
|
generated
|
|
|
1.17/apis
Module
|
|
|
1.17/client
Module
|
|
|
1.18/apis
Module
|
|
|
1.18/client
Module
|
|
|
1.19/apis
Module
|
|
|
1.19/client
Module
|
|
|
1.20/apis
Module
|
|
|
1.20/client
Module
|
|
|
1.21/apis
Module
|
|
|
1.21/client
Module
|
|
|
1.22/apis
Module
|
|
|
1.22/client
Module
|
|
|
1.23/apis
Module
|
|
|
1.23/client
Module
|
|
|
1.24/apis
Module
|
|
|
1.24/client
Module
|
|
|
1.25/apis
Module
|
|
|
1.25/client
Module
|
|
|
1.26/apis
Module
|
|
|
1.26/client
Module
|
|
|
1.27/apis
Module
|
|
|
1.27/client
Module
|
|
|
1.28/apis
Module
|
|
|
1.28/client
Module
|
|
|
1.29/apis
Module
|
|
|
1.29/client
Module
|
|
|
internal
|
|
|
certauthority
Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service.
|
Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service. |
|
certauthority/dynamiccertauthority
Package dynamiccertauthority implements a x509 certificate authority capable of issuing certificates from a dynamically updating CA keypair.
|
Package dynamiccertauthority implements a x509 certificate authority capable of issuing certificates from a dynamically updating CA keypair. |
|
client
Package client is a wrapper for interacting with Pinniped's CredentialRequest API.
|
Package client is a wrapper for interacting with Pinniped's CredentialRequest API. |
|
controller/apicerts
Package apicerts contains controllers that work together to provide rotating API certs.
|
Package apicerts contains controllers that work together to provide rotating API certs. |
|
controller/identityprovider/idpcache
Package idpcache implements a cache of active identity providers.
|
Package idpcache implements a cache of active identity providers. |
|
controller/identityprovider/webhookcachecleaner
Package webhookcachecleaner implements a controller for garbage collectting webhook IDPs from an IDP cache.
|
Package webhookcachecleaner implements a controller for garbage collectting webhook IDPs from an IDP cache. |
|
controller/identityprovider/webhookcachefiller
Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider.
|
Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider. |
|
controller/issuerconfig
Package issuerconfig contains controller(s) for reconciling CredentialIssuerConfig's.
|
Package issuerconfig contains controller(s) for reconciling CredentialIssuerConfig's. |
|
controller/kubecertagent
Package kubecertagent provides controllers that ensure a set of pods (the kube-cert-agent), is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys.
|
Package kubecertagent provides controllers that ensure a set of pods (the kube-cert-agent), is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys. |
|
controllermanager
Package controllermanager provides an entrypoint into running all of the controllers that run as a part of Pinniped.
|
Package controllermanager provides an entrypoint into running all of the controllers that run as a part of Pinniped. |
|
downward
Package downward implements a client interface for interacting with Kubernetes "downwardAPI" volumes.
|
Package downward implements a client interface for interacting with Kubernetes "downwardAPI" volumes. |
|
dynamiccert
Package dynamiccert provides a simple way of communicating a dynamically updating PEM-encoded certificate and key.
|
Package dynamiccert provides a simple way of communicating a dynamically updating PEM-encoded certificate and key. |
|
mocks/credentialrequestmocks
Package credentialrequestmocks is a generated GoMock package.
|
Package credentialrequestmocks is a generated GoMock package. |
|
mocks/mocktokenauthenticator
Package mocktokenauthenticator is a generated GoMock package.
|
Package mocktokenauthenticator is a generated GoMock package. |
|
registry/credentialrequest
Package credentialrequest provides REST functionality for the CredentialRequest resource.
|
Package credentialrequest provides REST functionality for the CredentialRequest resource. |
|
server
Package server is the command line entry point for pinniped-server.
|
Package server is the command line entry point for pinniped-server. |
|
testutil/testlogger
Package testlogger implements a logr.Logger suitable for writing test assertions.
|
Package testlogger implements a logr.Logger suitable for writing test assertions. |
|
pkg
|
|
|
config
Package config contains functionality to load/store api.Config's from/to some source.
|
Package config contains functionality to load/store api.Config's from/to some source. |
|
test
|
|
Click to show internal directories.
Click to hide internal directories.