README
¶
Overview
Pinniped provides identity services to Kubernetes.
Pinniped allows cluster administrators to easily plug in external identity providers (IDPs) into Kubernetes clusters. This is achieved via a uniform install procedure across all types and origins of Kubernetes clusters, declarative configuration via Kubernetes APIs, enterprise-grade integrations with IDPs, and distribution-specific integration strategies.
Example Use Cases
- Your team uses a large enterprise IDP, and has many clusters that they
manage. Pinniped provides:
- Seamless and robust integration with the IDP
- Easy installation across clusters of any type and origin
- A simplified login flow across all clusters
- Your team shares a single cluster. Pinniped provides:
- Simple configuration to integrate an IDP
- Individual, revocable identities
Architecture
Pinniped offers credential exchange to enable a user to exchange an external IDP credential for a short-lived, cluster-specific credential. Pinniped supports various IDP types and implements different integration strategies for various Kubernetes distributions to make authentication possible.
To learn more, see doc/architecture.md.
Trying Pinniped
Care to kick the tires? It's easy to install and try Pinniped.
Discussion
Got a question, comment, or idea? Please don't hesitate to reach out via the GitHub Discussions tab at the top of this page.
Contributions
Contributions are welcome. Before contributing, please see the contributing guide.
Reporting Security Vulnerabilities
Please follow the procedure described in SECURITY.md.
License
Pinniped is open source and licensed under Apache License Version 2.0. See LICENSE.
Copyright 2020 the Pinniped contributors. All Rights Reserved.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
local-user-authenticator
Package main provides a authentication webhook program.
|
Package main provides a authentication webhook program. |
|
generated
|
|
|
1.17/apis
Module
|
|
|
1.17/client
Module
|
|
|
1.18/apis
Module
|
|
|
1.18/client
Module
|
|
|
1.19/apis
Module
|
|
|
1.19/client
Module
|
|
|
1.20/apis
Module
|
|
|
1.20/client
Module
|
|
|
1.21/apis
Module
|
|
|
1.21/client
Module
|
|
|
1.22/apis
Module
|
|
|
1.22/client
Module
|
|
|
1.23/apis
Module
|
|
|
1.23/client
Module
|
|
|
1.24/apis
Module
|
|
|
1.24/client
Module
|
|
|
1.25/apis
Module
|
|
|
1.25/client
Module
|
|
|
1.26/apis
Module
|
|
|
1.26/client
Module
|
|
|
1.27/apis
Module
|
|
|
1.27/client
Module
|
|
|
1.28/apis
Module
|
|
|
1.28/client
Module
|
|
|
1.29/apis
Module
|
|
|
1.29/client
Module
|
|
|
1.30/apis
Module
|
|
|
1.30/client
Module
|
|
|
1.31/apis
Module
|
|
|
1.31/client
Module
|
|
|
internal
|
|
|
certauthority
Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service.
|
Package certauthority implements a simple x509 certificate authority suitable for use in an aggregated API service. |
|
certauthority/dynamiccertauthority
Package dynamiccertauthority implements a x509 certificate authority capable of issuing certificates from a dynamically updating CA keypair.
|
Package dynamiccertauthority implements a x509 certificate authority capable of issuing certificates from a dynamically updating CA keypair. |
|
client
Package client is a wrapper for interacting with Pinniped's CredentialRequest API.
|
Package client is a wrapper for interacting with Pinniped's CredentialRequest API. |
|
concierge/server
Package server is the command line entry point for pinniped-concierge.
|
Package server is the command line entry point for pinniped-concierge. |
|
config/concierge
Package concierge contains functionality to load/store Config's from/to some source.
|
Package concierge contains functionality to load/store Config's from/to some source. |
|
config/supervisor
Package supervisor contains functionality to load/store Config's from/to some source.
|
Package supervisor contains functionality to load/store Config's from/to some source. |
|
controller/apicerts
Package apicerts contains controllers that work together to provide rotating API certs.
|
Package apicerts contains controllers that work together to provide rotating API certs. |
|
controller/authenticator/authncache
Package authncache implements a cache of active authenticators.
|
Package authncache implements a cache of active authenticators. |
|
controller/authenticator/webhookcachecleaner
Package webhookcachecleaner implements a controller for garbage collecting webhook authenticators from an authenticator cache.
|
Package webhookcachecleaner implements a controller for garbage collecting webhook authenticators from an authenticator cache. |
|
controller/authenticator/webhookcachefiller
Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator.
|
Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator. |
|
controller/issuerconfig
Package issuerconfig contains controller(s) for reconciling CredentialIssuer's.
|
Package issuerconfig contains controller(s) for reconciling CredentialIssuer's. |
|
controller/kubecertagent
Package kubecertagent provides controllers that ensure a set of pods (the kube-cert-agent), is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys.
|
Package kubecertagent provides controllers that ensure a set of pods (the kube-cert-agent), is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys. |
|
controllermanager
Package controllermanager provides an entrypoint into running all of the controllers that run as a part of Pinniped.
|
Package controllermanager provides an entrypoint into running all of the controllers that run as a part of Pinniped. |
|
downward
Package downward implements a client interface for interacting with Kubernetes "downwardAPI" volumes.
|
Package downward implements a client interface for interacting with Kubernetes "downwardAPI" volumes. |
|
dynamiccert
Package dynamiccert provides a simple way of communicating a dynamically updating PEM-encoded certificate and key.
|
Package dynamiccert provides a simple way of communicating a dynamically updating PEM-encoded certificate and key. |
|
httputil/httperr
Package httperr contains some helpers for nicer error handling in http.Handler implementations.
|
Package httperr contains some helpers for nicer error handling in http.Handler implementations. |
|
httputil/securityheader
Package securityheader implements an HTTP middleware for setting security-related response headers.
|
Package securityheader implements an HTTP middleware for setting security-related response headers. |
|
mocks/credentialrequestmocks
Package credentialrequestmocks is a generated GoMock package.
|
Package credentialrequestmocks is a generated GoMock package. |
|
mocks/mockkeyset
Package mockkeyset is a generated GoMock package.
|
Package mockkeyset is a generated GoMock package. |
|
mocks/mocktokenauthenticator
Package mocktokenauthenticator is a generated GoMock package.
|
Package mocktokenauthenticator is a generated GoMock package. |
|
multierror
Package multierror provides a type that can translate multiple errors into a Go error interface.
|
Package multierror provides a type that can translate multiple errors into a Go error interface. |
|
oidc
Package oidc contains common OIDC functionality needed by Pinniped.
|
Package oidc contains common OIDC functionality needed by Pinniped. |
|
oidc/discovery
Package discovery provides a handler for the OIDC discovery endpoint.
|
Package discovery provides a handler for the OIDC discovery endpoint. |
|
oidc/jwks
Package discovery provides a handler for the OIDC discovery endpoint.
|
Package discovery provides a handler for the OIDC discovery endpoint. |
|
oidcclient
Package oidcclient implements a CLI OIDC login flow.
|
Package oidcclient implements a CLI OIDC login flow. |
|
oidcclient/filesession
Package cachefile implements the file format for session caches.
|
Package cachefile implements the file format for session caches. |
|
oidcclient/nonce
Package nonce implements
|
Package nonce implements |
|
registry/credentialrequest
Package credentialrequest provides REST functionality for the CredentialRequest resource.
|
Package credentialrequest provides REST functionality for the CredentialRequest resource. |
|
testutil/testlogger
Package testlogger implements a logr.Logger suitable for writing test assertions.
|
Package testlogger implements a logr.Logger suitable for writing test assertions. |
|
test
|
|
Click to show internal directories.
Click to hide internal directories.