<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pinniped</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/</link><description>Recent content on Pinniped</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 07 Aug 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://deploy-preview-3014--pinniped-dev.netlify.app/index.xml" rel="self" type="application/rss+xml"/><item><title>Pinniped v0.33.0: Externally-managed CA bundles for Pinniped's custom resources</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/externally-managed-ca-bundles/</link><pubDate>Wed, 07 Aug 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/externally-managed-ca-bundles/</guid><description>Photo from Unsplash
Pinniped&amp;rsquo;s v0.33.0 release enables Pinniped administrators to use externally-provided CA bundles for all custom resources for which Pinniped acts as a client. This includes OIDC identity providers, LDAP and Active Directory servers, GitHub Enterprise Servers, and any JWT or webhook authenticators running on or off the cluster.
This should reduce manual steps to install or configure Pinniped, since administrators no longer need to provide the CA bundle inline within a Pinniped custom resource, and can instead use a ConfigMap or Secret object in the same namespace as Pinniped Supervisor or Concierge.</description></item><item><title>Pinniped v0.31.0: GitHub as an identity provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/github-idp-support/</link><pubDate>Thu, 06 Jun 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/github-idp-support/</guid><description>Photo from Unsplash
Pinniped&amp;rsquo;s v0.31.0 release brings your enterprise&amp;rsquo;s developer and operator GitHub identities to all your Kubernetes clusters. Previously, Pinniped supported external identity providers of types OpenID Connect (OIDC), Lightweight Directory Access Protocol (LDAP), and Active Directory (AD) configured for either one or many clusters. If you&amp;rsquo;re already managing your source code on github.com or using GitHub Enterprise, then your developers and operators already have GitHub identities. Now you can easily control their authentication and authorization to your fleets of Kubernetes clusters using that same GitHub identity, with the same great security and user experience that Pinniped already offers.</description></item><item><title>Pinniped v0.26.0: Multiple identity providers and identity transformations</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/multiple-idps-and-identity-transformations/</link><pubDate>Tue, 19 Sep 2023 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/multiple-idps-and-identity-transformations/</guid><description>Photo from Unsplash
Pinniped&amp;rsquo;s v0.26.0 release provides powerful new features enabling cluster administrators to configure their Kubernetes clusters to accept identities from multiple identity providers. Pinniped now enables the simultaneous support of OpenID Connect (OIDC), Lightweight Directory Access Protocol (LDAP), and Active Directory (AD) configured for either one or many clusters. In addition, Pinniped provides a powerful identity transformation mechanism via Common Expression Language (CEL) to enable disambiguation of identities funneled in from different identity providers and more.</description></item><item><title>Pinniped v0.25.0: With External Certificate Management for the Impersonation Proxy and more!</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/v0-25-0-external-cert-mgmt-impersonation-proxy/</link><pubDate>Wed, 09 Aug 2023 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/v0-25-0-external-cert-mgmt-impersonation-proxy/</guid><description>Photo by karlheinz_eckhardt Eckhardt on Unsplash
With Pinniped v0.25.0 you get the ability to configure an externally-generated certificate for Pinniped Concierge&amp;rsquo;s impersonation proxy to serve TLS. The impersonation proxy is a component within Pinniped that allows the project to support many types of clusters, such as Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), and Azure Kubernetes Service (AKS).
To read more on this feature, and the design decisions behind it, see the proposal.</description></item><item><title>Pinniped v0.18.0: With User-Friendly features such as JSON formatted logs, LDAP/ActiveDirectory UI Support</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/formatted-logs-ui-based-ldap-logins/</link><pubDate>Wed, 08 Jun 2022 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/formatted-logs-ui-based-ldap-logins/</guid><description>Photo by Steve Adams on Unsplash
We&amp;rsquo;ve listened to your requests and are excited to bring some cool user-friendly features that will enhance your Kubernetes authentication experience. From this release onwards, we will have Pinniped logs in JSON format. We also bring you the ability to use a User Interface (UI) to log in with your LDAP or ActiveDirectory credentials.
JSON Formatted logs Kubernetes 1.19 introduced the ability to have logs emitted in JSON log format.</description></item><item><title>Pinniped v0.16.0: With Build-Your-Own FIPS Binaries, Workspace ONE IDP configuration, and Supervisor HTTP listener changes</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/fips-and-more/</link><pubDate>Wed, 20 Apr 2022 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/fips-and-more/</guid><description>Photo by karlheinz_eckhardt on Unsplash
This release continues our theme of providing security-hardening for Kubernetes authentication solutions with Pinniped.
Build-Your-Own FIPS compliant Pinniped Binaries We now bring to you information on how to Build-Your-Own Pinniped binaries with FIPS Compliant BoringSSL Crypto. The Federal Information Processing Standard (FIPS) 140-2 publication describes United States government approved security requirements for cryptographic modules. Software that is validated by an accredited Cryptographic Module Validation Program (CVMP) laboratory can be suitable for use in applications for US governmental departments or in industries subject to US Federal regulations.</description></item><item><title>Pinniped v0.13.0: Security Hardened Pinniped</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/secure-tls-idp-refresh/</link><pubDate>Fri, 21 Jan 2022 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/secure-tls-idp-refresh/</guid><description>Photo by Neil Cooper on Unsplash
Pinniped with tighter security posture Kubernetes users deploying Pinniped in production environments have certain compliance control requirements. With the current release of Pinniped, our efforts are to provide features in Pinniped that meet some of these compliance and regulatory requirements. We have added defaults that give secure deployment options to the administrator while maintaining the best user experience for cluster access.
With v0.13.0 we include the use of secure TLS ciphers for all components and configurable listener for the Pinniped Supervisor server.</description></item><item><title>Pinniped v0.11.0: Easy Configurations for Active Directory, OIDC CLI workflows and more</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/supporting-ad-oidc-workflows/</link><pubDate>Tue, 31 Aug 2021 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/supporting-ad-oidc-workflows/</guid><description>Photo by Eelco van der Wal on Unsplash
CRDs for easy Active Directory Configuration! Microsoft Active Directory (AD) is one of the most popular and widely used Identity Providers. Active Directory Domain Services (AD DS) is the foundation of every Windows domain network. It stores information about members of the domain, including devices and users, verifies their credentials and defines their access rights. While AD is widely used in legacy systems, configuring Active Directory has been somewhat of a challenge in the cloud native environments.</description></item><item><title>Pinniped v0.10.0: Managing OIDC Login Flows in Browserless Environments</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/supporting-remote-oidc-workflows/</link><pubDate>Fri, 30 Jul 2021 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/supporting-remote-oidc-workflows/</guid><description>Photo by Jaddy Liu on Unsplash
Remote Host Environments and OIDC login flows Enterprise workloads on Kubernetes clusters often run in a restricted environment behind a firewall. In such a setup, the clusters can be accessed via servers sometimes called “SSH jump hosts”. These servers pose restrictions on what the users can execute and typically allow only command line access. Users can use command line utilities such as kubectl, pinniped CLI, etc.</description></item><item><title>Pinniped v0.9.0: Bring Your LDAP Identities to Your Kubernetes Clusters</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/bringing-ldap-identities-to-clusters/</link><pubDate>Wed, 02 Jun 2021 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/bringing-ldap-identities-to-clusters/</guid><description>Photo from matos11 on Pixabay
Pinniped is a “batteries included” authentication system for Kubernetes clusters. With the release of v0.9.0, Pinniped now supports using LDAP identities to log in to Kubernetes clusters.
This post describes how v0.9.0 fits into Pinniped’s quest to bring a smooth, unified login experience to all Kubernetes clusters.
Support for LDAP Identities in the Pinniped Supervisor Pinniped is made up of three main components:
The Pinniped Concierge component implements cluster-level authentication.</description></item><item><title>Pinniped v0.7.0: Enabling multi-cloud, multi-provider Kubernetes</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/bringing-the-concierge-to-more-clusters/</link><pubDate>Thu, 01 Apr 2021 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/bringing-the-concierge-to-more-clusters/</guid><description>Photo by Fred Heap on Unsplash
Pinniped is a &amp;ldquo;batteries included&amp;rdquo; authentication system for Kubernetes clusters. With the release of v0.7.0, Pinniped now supports a much wider range of real-world Kubernetes clusters, including managed Kubernetes environments on all major cloud providers.
This post describes how v0.7.0 fits into Pinniped&amp;rsquo;s quest to bring a smooth, unified login experience to all Kubernetes clusters.
Authentication in Kubernetes Kubernetes includes a pluggable authentication system right out of the box.</description></item><item><title>Pinniped v0.5.0: Now With Even More Pinnipeds</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/multiple-pinnipeds/</link><pubDate>Thu, 04 Feb 2021 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/multiple-pinnipeds/</guid><description>Photo by TRINH HUY HUNG on Unsplash
Motivation Pinniped is a &amp;ldquo;batteries included&amp;rdquo; authentication system for Kubernetes clusters that tightly integrates with Kubernetes using native API patterns. Pinniped is built using custom resource definitions (CRDs) and API aggregation, both of which are core to the configuration and runtime operation of the app.
We encountered a problem that’s familiar to many Kubernetes controller developers: we need to support multiple instances of our controller on one cluster.</description></item><item><title>A Seal of Approval: Project Pinniped</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/a-seal-of-approval/</link><pubDate>Thu, 12 Nov 2020 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/posts/a-seal-of-approval/</guid><description>Kubernetes, containers, microservices: They’ve all turned conventional application development wisdom inside out. But for all the wonders introduced and new technologies released, there are still a few things that remain difficult, cumbersome, or just really really frustrating when it comes to Kubernetes. We have set out to make one of those things easier and more understandable: authentication.
In a perfect world, you would be able to use a single authentication process of your choice to log in to all of your Kubernetes clusters, including on-premises and managed cloud environments.</description></item><item><title/><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/img/readme/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/img/readme/</guid><description>site/content/docs/img README How to Update these Images pinniped-concierge-sequence.svg was generated using plantuml. To regenerate the image, run plantuml -tsvg pinniped.txt from this directory, or go to https://www.planttext.com/.
pinniped-concierge-supervisor-sequence.svg was generated using plantuml. To regenerate the image, run plantuml -tsvg pinniped.txt from this directory, or go to https://www.planttext.com/.
pinniped_architecture_concierge_supervisor.svg was created on draw.io. It can be opened again for editing on that site by choosing &amp;ldquo;File&amp;rdquo; -&amp;gt; &amp;ldquo;Open from&amp;rdquo; -&amp;gt; &amp;ldquo;Device&amp;rdquo;.</description></item><item><title>Active Directory Configuration</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/active-directory-configuration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/active-directory-configuration/</guid><description>This describes the default values for the ActiveDirectoryIdentityProvider user and group search. For more about ActiveDirectoryIdentityProvider configuration, see the API reference documentation.
spec.userSearch.base Default Behavior: Queries the Active Directory host for the defaultNamingContext.
Implications: Searches your entire domain for users. It may make sense to specify a subtree as a search base if you wish to exclude some users for security reasons or to make searches faster.
spec.userSearch.attributes.username Default Behavior: The userPrincipalName attribute will become the user&amp;rsquo;s Kubernetes username.</description></item><item><title>API Types</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/api/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/api/</guid><description>Full API reference documentation for the Pinniped Kubernetes API is available on GitHub.</description></item><item><title>Architecture</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/background/architecture/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/background/architecture/</guid><description>The principal purpose of Pinniped is to allow users to access Kubernetes clusters. Pinniped hopes to enable this access across a wide range of Kubernetes environments with zero configuration.
Pinniped is composed of three parts.
The Pinniped Supervisor is an OIDC server which allows users to authenticate with external identity providers (IDP), and then issues its own federation ID tokens to be passed on to clusters based on the user information from the IDP.</description></item><item><title>Code Walk-through</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/code-walkthrough/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/code-walkthrough/</guid><description>Audience and purpose The purpose of this document is to provide a high-level, brief introduction to the Pinniped source code for new contributors.
The target audience is someone who wants to read the source code. Users who only want to install and configure Pinniped should not need to read this document.
This document aims to help a reader navigate towards the part of the code which they might be interested in exploring in more detail.</description></item><item><title>Command-Line Options Reference</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/cli/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/cli/</guid><description>pinniped completion bash Generate the autocompletion script for bash
Synopsis Generate the autocompletion script for the bash shell.
This script depends on the &amp;lsquo;bash-completion&amp;rsquo; package. If it is not installed already, you can install it via your OS&amp;rsquo;s package manager.
To load completions in your current shell session:
source &amp;lt;(pinniped completion bash) To load completions for every new session, execute once:
Linux: pinniped completion bash &amp;gt; /etc/bash_completion.d/pinniped macOS: pinniped completion bash &amp;gt; $(brew --prefix)/etc/bash_completion.</description></item><item><title>Configure Identity Providers (IDPs) on a FederationDomain</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-federationdomain-idps/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-federationdomain-idps/</guid><description>This guide explains how to associate one or more external identity providers (IDPs) with a FederationDomain. It also details how to configure identity transformations and identity policies for those identity providers.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor and have already read the guide about how to configure the Supervisor as an OIDC issuer.
This guide focuses on the use of the spec.identityProviders setting on the FederationDomain resource.</description></item><item><title>Configure the Pinniped Concierge to validate JWT tokens</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-jwt/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-jwt/</guid><description>The Concierge can validate JSON Web Tokens (JWTs), which are commonly issued by OpenID Connect (OIDC) identity providers.
This guide shows you how to use this capability without the Pinniped Supervisor. This is most useful if you have only a single cluster and want to authenticate to it via an existing OIDC provider.
If you have multiple clusters, you may want to install and configure the Pinniped Supervisor. Then you can configure the Concierge to use the Supervisor for authentication instead of following the guide below.</description></item><item><title>Configure the Pinniped Concierge to validate JWT tokens issued by the Pinniped Supervisor</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-supervisor-jwt/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-supervisor-jwt/</guid><description>The Concierge can validate JSON Web Tokens (JWTs), which are commonly issued by OpenID Connect (OIDC) identity providers.
This guide shows you how to use this capability in conjunction with the Pinniped Supervisor. Each FederationDomain defined in a Pinniped Supervisor acts as an OIDC issuer. By installing the Pinniped Concierge on multiple Kubernetes clusters, and by configuring each cluster&amp;rsquo;s Concierge as described below to trust JWT tokens from a single Supervisor&amp;rsquo;s FederationDomain, your clusters' users may safely use their identity across all of those clusters.</description></item><item><title>Configure the Pinniped Concierge to validate webhook tokens</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-webhook/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/concierge/configure-concierge-webhook/</guid><description>The Concierge can validate arbitrary tokens via an external webhook endpoint using the same validation process as Kubernetes itself.
Prerequisites Before starting, you should have the command-line tool installed locally and Concierge running in your cluster.
You should also have a custom TokenReview webhook endpoint:
Your webhook endpoint must handle the authentication.k8s.io/v1 TokenReview API.
Your webhook must be accessible from the Concierge pod over HTTPS.
Create a WebhookAuthenticator Create a WebhookAuthenticator describing how to validate tokens using your webhook:</description></item><item><title>Configure the Pinniped Supervisor as an OIDC issuer</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients. When a user authenticates, the Supervisor can issue JSON Web Tokens (JWTs) that can be validated by the Pinniped Concierge.
This guide explains how to expose the Supervisor&amp;rsquo;s REST endpoints to clients.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor.
Summary When the Pinniped Supervisor is installed using the YAML files which are attached to the GitHub releases, then the following additional configuration is required before your end users can use the Supervisor:</description></item><item><title>Configure the Pinniped Supervisor to use Auth0 as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-auth0/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-auth0/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Auth0 credentials.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use Azure Active Directory as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-azuread/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-azuread/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting a single &amp;ldquo;upstream&amp;rdquo; identity provider to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Azure Active Directory credentials.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use Dex with Github as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-dex/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-dex/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using Dex and Github.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use GitHub as an identity provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-github/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-github/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their credentials from GitHub.com or GitHub enterprise server.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use GitLab as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-gitlab/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-gitlab/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their GitLab credentials.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use JumpCloud as an LDAP provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-jumpcloudldap/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-jumpcloudldap/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
JumpCloud is a cloud-based service which bills itself as &amp;ldquo;a comprehensive and flexible cloud directory platform&amp;rdquo;. It includes the capability to act as an LDAP identity provider.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their identity from JumpCloud&amp;rsquo;s LDAP service.</description></item><item><title>Configure the Pinniped Supervisor to use Microsoft Active Directory as an ActiveDirectoryIdentityProvider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-activedirectory/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-activedirectory/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their identity from Active Directory.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use Microsoft Entra ID as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-entra-id/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-entra-id/</guid><description>Microsoft&amp;rsquo;s Entra ID is the rebranding of Microsoft Azure AD. For more information, read this.
To learn how to configure Entra ID, read our Azure AD documentation.</description></item><item><title>Configure the Pinniped Supervisor to use Okta as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-okta/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-okta/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Okta credentials.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use OpenLDAP as an LDAP provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-openldap/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-openldap/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
OpenLDAP is a popular open source LDAP server for Linux/UNIX.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their identity from an OpenLDAP server.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Configure the Pinniped Supervisor to use Workspace ONE Access as an OIDC provider</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-workspace_one_access/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/supervisor/configure-supervisor-with-workspace_one_access/</guid><description>The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting &amp;ldquo;upstream&amp;rdquo; identity providers to many &amp;ldquo;downstream&amp;rdquo; cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Workspace ONE Access credentials.
Prerequisites This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.</description></item><item><title>Debugging Pinniped</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/debugging/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/debugging/</guid><description>Debugging on the Client The PINNIPED_DEBUG=true environment variable can be set to enable additional CLI logging.
Debugging on the Server To adjust the log level of either the Pinniped Supervisor or the Pinniped Concierge the log level value must be updated in the appropriate configmap associated with each deployment.
The log level options are as follows:
info (&amp;ldquo;nice to know&amp;rdquo; information) debug (developer information) trace (timing information) all (kitchen sink) Do not use trace or all on production systems, as credentials may get logged.</description></item><item><title>FIPS-compatible builds of Pinniped binaries</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/fips/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/fips/</guid><description>By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2. If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build the binaries yourself using the fips_strict build tag and Golang&amp;rsquo;s GOEXPERIMENT=boringcrypto compiler option.
The Pinniped team provides an example Dockerfile demonstrating how you can build Pinniped images in a FIPS compatible way. However, we do not provide official support for FIPS configuration.</description></item><item><title>Install the Pinniped command-line tool</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-cli/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-cli/</guid><description>The pinniped command-line tool is used to generate Pinniped-compatible kubeconfig files, and is also an important part of the Pinniped-based login flow.
It must be installed by administrators setting up a Pinniped cluster as well as by users accessing a Pinniped-enabled cluster.
Install using Homebrew on macOS or Linux Use Homebrew to install from the Pinniped tap:
brew install vmware/pinniped/pinniped-cli Download binaries Find the appropriate binary for your platform from the latest release:</description></item><item><title>Install the Pinniped Concierge</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-concierge/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-concierge/</guid><description>This guide shows you how to install the Pinniped Concierge. You should have a supported Kubernetes cluster.
In the examples below, you can replace v0.45.0 with your preferred version number. You can find a list of Pinniped releases on GitHub.
With default options Warning: the default Concierge configuration may create a public LoadBalancer Service on your cluster if that is the default on your cloud provider. If you&amp;rsquo;d prefer to customize the annotations or load balancer IP address, see the &amp;ldquo;With custom options&amp;rdquo; section below.</description></item><item><title>Install the Pinniped Supervisor</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-supervisor/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/install-supervisor/</guid><description>This guide shows you how to install the Pinniped Supervisor, which allows seamless login across one or many Kubernetes clusters.
In the examples below, you can replace v0.45.0 with your preferred version number. You can find a list of Pinniped releases on GitHub.
Prerequisites You should have a Kubernetes cluster with working HTTPS ingress or load balancer capabilities. Unlike the Concierge app, which can only run on supported Kubernetes cluster types, the Supervisor app can run on almost any Kubernetes cluster.</description></item><item><title>Learn to use Pinniped for federated authentication to Kubernetes clusters</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/concierge-and-supervisor-demo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/concierge-and-supervisor-demo/</guid><description>Why Pinniped? There are many benefits to using the Pinniped Supervisor, Concierge, and CLI components together to provide Kubernetes authentication.
It&amp;rsquo;s easy to bring your own OIDC, LDAP, GitHub, or Active Directory identity provider to act as the source of user identities. A user&amp;rsquo;s identity in the external identity provider becomes their identity in Kubernetes. All other aspects of Kubernetes that are sensitive to identity, such as authorization policies and audit logging, are then based on the user identities from your identity provider.</description></item><item><title>Learn to use Pinniped for federated authentication to Kubernetes clusters - running the whole demo on your local computer</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/local-concierge-and-supervisor-demo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/local-concierge-and-supervisor-demo/</guid><description>Why Pinniped? There are many benefits to using the Pinniped Supervisor, Concierge, and CLI components together to provide Kubernetes authentication.
It&amp;rsquo;s easy to bring your own OIDC, LDAP, GitHub, or Active Directory identity provider to act as the source of user identities. A user&amp;rsquo;s identity in the external identity provider becomes their identity in Kubernetes. All other aspects of Kubernetes that are sensitive to identity, such as authorization policies and audit logging, are then based on the user identities from your identity provider.</description></item><item><title>Learn to use the Pinniped Concierge</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/concierge-only-demo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/concierge-only-demo/</guid><description>Overview This tutorial shows how to use the Pinniped Concierge on Kubernetes clusters. If you would like to learn how to use the Pinniped Supervisor and Concierge together to provide federated identity with a single sign-on user experience to many Kubernetes clusters, please instead see this other tutorial:
Concierge with Supervisor: a complete example of every step, demonstrated using GKE clusters Installing and trying the Pinniped Concierge on any cluster consists of the following general steps.</description></item><item><title>Learn to use the Pinniped Supervisor without the Concierge</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/supervisor-without-concierge-demo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/tutorials/supervisor-without-concierge-demo/</guid><description>Overview This tutorial shows how to use the Pinniped Supervisor and Pinniped command-line tool to provide federated identity with a single sign-on user experience on many Kubernetes clusters, without using the Pinniped Concierge. If you would like to learn how to use the Pinniped Supervisor and Concierge together, please instead see this other tutorial:
Concierge with Supervisor: a complete example of every step, demonstrated using GKE clusters The Kubernetes API server can be configured to trust an OIDC identity provider to provide authentication for the cluster.</description></item><item><title>Logging into your cluster using Pinniped</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/login/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/login/</guid><description>Prerequisites This how-to guide assumes that you have already configured the following Pinniped server-side components within your Kubernetes cluster(s):
If you would like to use the Pinniped Supervisor for federated authentication across multiple Kubernetes clusters then you have already: Installed the Pinniped Supervisor with working ingress. Configured a FederationDomain to issue tokens for your downstream clusters. Configured an OIDCIdentityProvider, LDAPIdentityProvider, ActiveDirectoryIdentityProvider, or GitHubIdentityProvider for the Supervisor as the source of your user&amp;rsquo;s identities.</description></item><item><title>Pinniped Documentation</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/_index-styles/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/_index-styles/</guid><description>Getting Started Bullets Lorem ipsum dolor sit amet, consectetur cillum dolore eu fugiat -Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat. List of Links Lorem Ipsum Dolor Sit Amet Consectetur Code Examples Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat.</description></item><item><title>Supervisor and Concierge Audit Logging</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/audit-logging/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/audit-logging/</guid><description>The Pinniped Supervisor and Pinniped Concierge components provide audit logging capabilities to help you meet your security and compliance standards.
The configuration of the Pinniped Supervisor and Pinniped Concierge is managed by Kubernetes custom resources. These resources are protected by the standard Kubernetes authorization controls and audited by the standard Kubernetes audit logging capabilities.
Pinniped also offers additional audit logging capabilities. These additional audit logs appear in the pod logs of the Supervisor and Concierge pods.</description></item><item><title>Supported cluster types</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/supported-clusters/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/supported-clusters/</guid><description>Cluster Type Concierge Works? VMware Tanzu Kubernetes Grid (TKG) clusters Yes Kind clusters Yes Kubeadm-based clusters Yes Amazon Elastic Kubernetes Service (EKS) Yes Google Kubernetes Engine (GKE) Yes Azure Kubernetes Service (AKS) Yes Background The Pinniped Concierge has two strategies available to support clusters, under the following conditions:
Token Credential Request API: Can be run on any Kubernetes cluster where a custom pod can be executed on the same node running kube-controller-manager.</description></item><item><title>Tokens and credentials</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/tokens-and-credentials/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/reference/tokens-and-credentials/</guid><description>Pinniped issues several types of tokens and credentials to clients to help users access Kubernetes clusters. This document will explain the tokens and credentials issued when the Pinniped Supervisor, Concierge, and CLI are all configured to work together.
All issued tokens and credentials are short-lived and therefore must be refreshed often. Forcing users to refresh tokens and credentials often gives Pinniped an opportunity to revalidate the user&amp;rsquo;s identity and group memberships.</description></item><item><title>Using Pinniped for CI/CD cluster operations</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/cicd/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/cicd/</guid><description>This guide shows you how to configure Pinniped so that your CI/CD system of choice can administrate Kubernetes clusters.
Pinniped provides user authentication to Kubernetes clusters. It does not provide service-to-service (non-user) authentication. There are many other systems for service-to-service authentication in Kubernetes.
If an organization prefers to manage CI/CD access with non-human user accounts in their external identity provider (IDP), Pinniped can provide authentication for those non-human user accounts. Humans can also use the same steps below to log into clusters non-interactively.</description></item><item><title>Using the Pinniped Supervisor to provide authentication for web applications</title><link>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/configure-auth-for-webapps/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-3014--pinniped-dev.netlify.app/docs/howto/configure-auth-for-webapps/</guid><description>The Pinniped Supervisor is an OpenID Connect (OIDC) issuer that can be used to bring your user identities from an external identity provider into your Kubernetes clusters for all your kubectl users. It can also be used to bring those same identities to web applications that are intended for use by the same users. For example, a Kubernetes dashboard web application for cluster developers could use the Supervisor as its OIDC identity provider.</description></item></channel></rss>