Pinniped: The One-Stop Shop for All Your Kubernetes Authentication Needs

New to Pinniped?

Pinniped is a “batteries included” authentication system for Kubernetes clusters that tightly integrates with Kubernetes using native API patterns. It’s built using custom resource definitions (CRDs) and API aggregation, both of which are core to the configuration and runtime operation of Pinniped.

The many benefits of using Pinniped for Kubernetes authentication include:

  • Easy to configure your OIDC, LDAP or Active Directory identity providers using CRDs. A user’s identity in the external identity provider (IDP) becomes their identity in Kubernetes. All other aspects of Kubernetes that are sensitive to identity, such as authorization policies and audit logging, are then based on the user identities from your identity provider.
  • Support for many cluster types, so users can bring their IDP identities to any kind of Kubernetes cluster in a consistent way. This includes on-prem clusters, such as those offered by VMware Tanzu Kubernetes Grid, as well as managed cloud clusters such as GKE, EKS or AKS.
  • Kubeconfig files contain no user credentials, so they can be distributed and shared safely. The file only tells kubectl how to obtain a credential at use time; it never embeds one.
  • Deep integration with kubectl means that when a user runs kubectl commands, they are interactively prompted to log in with their identity.
  • Users log in once a day, once for all of their clusters, and can keep using those clusters with kubectl for the rest of the day without being asked to authenticate again.
  • All credentials are short-lived and refreshed often. 
  • Frequent checks are made against your IDP to ensure that the user can continue to access the clusters. For example, within minutes of locking an Active Directory account, that user will lose access to Kubernetes clusters, even if they were already logged in.
  • Credentials are uniquely scoped to each cluster, which means users cannot misuse their privilege across clusters. 
  • Bootstrapping and break-glass access is still available as Pinniped does not interfere with a cluster’s original vendor-specific authentication system.
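To make the CRD-driven configuration in the list above concrete, here is an added example of the objects a cluster admin creates to wire an OIDC provider through Pinniped: a Secret holding the OIDC client credentials, an OIDCIdentityProvider and a FederationDomain in the Supervisor, and a JWTAuthenticator in each workload cluster's Concierge. These manifests are written for this page and are not the post's or the Pinniped project's own sample files. All names, hostnames, issuer URLs and the audience string are placeholders, and the API groups and field names assume Pinniped's v1alpha1 Supervisor and Concierge APIs; check them against the release you deploy.

```yaml
# Added example, not from the original post. Names, hostnames, URLs and
# the audience value are placeholders; API groups and field names assume
# Pinniped's v1alpha1 Supervisor and Concierge APIs.

# 1. Supervisor: the OIDC client secret lives in a Kubernetes Secret,
#    never in the CRD, so the identity-provider config itself can be
#    committed to version control.
apiVersion: v1
kind: Secret
metadata:
  name: corp-oidc-client
  namespace: pinniped-supervisor
type: secrets.pinniped.dev/oidc-client
stringData:
  clientID: "<client-id-issued-by-your-idp>"
  clientSecret: "<client-secret-issued-by-your-idp>"
---
# 2. Supervisor: the upstream identity provider. The email claim becomes
#    the Kubernetes username and the groups claim becomes the user's
#    groups, so RBAC bindings and audit log entries refer to IDP
#    identities rather than locally minted ones.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: corp-oidc
  namespace: pinniped-supervisor
spec:
  issuer: https://idp.example.com            # placeholder
  authorizationConfig:
    # offline_access lets the Supervisor obtain an upstream refresh
    # token, which is what allows it to re-check the user against the
    # IDP on every refresh and cut off a locked or removed account.
    additionalScopes: [groups, email, offline_access]
  claims:
    username: email
    groups: groups
  client:
    secretName: corp-oidc-client
---
# 3. Supervisor: the issuer URL that workload clusters will trust.
#    The TLS serving certificate is a kubernetes.io/tls Secret that is
#    assumed to exist already.
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
  name: corp
  namespace: pinniped-supervisor
spec:
  issuer: https://pinniped.example.com/corp   # placeholder
  tls:
    secretName: pinniped-supervisor-tls       # assumed to exist
---
# 4. Concierge (applied on each workload cluster): trust the Supervisor.
#    JWTAuthenticator is cluster-scoped. The audience must be unique per
#    cluster: the Supervisor issues a cluster-scoped token only for this
#    audience, so a token minted for one cluster is rejected by another.
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: corp-supervisor
spec:
  issuer: https://pinniped.example.com/corp   # must match the FederationDomain
  audience: prod-cluster-7f3a2c               # placeholder; unique per cluster
  tls:
    certificateAuthorityData: "<base64-encoded PEM CA bundle for pinniped.example.com>"
```

After applying the first three objects to the Supervisor cluster and the fourth to a workload cluster, `pinniped get kubeconfig` run against that workload cluster emits a kubeconfig whose user entry is a kubectl exec credential plugin that invokes `pinniped login oidc`. That exec stanza, rather than a token or client certificate, is why the resulting file can be handed to anyone: it describes how to log in, and the Supervisor and the IDP decide whether the login succeeds.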

Most importantly, Pinniped is 100% open source and will never be tied to any one vendor’s authentication system. We are constantly improving Pinniped and have some exciting new features, such as audit logging, integration with UI dashboards, as well as compliance control features like session management and secrets management coming soon! Check out our project roadmap and our project backlog for more details.  

Pinniped is better because of our contributors and maintainers. It’s because of you that we can bring great software to the community. So, join us during our online community meetings or reach out to us in #pinniped on Kubernetes Slack to learn more and contribute! 

Want to learn more about Pinniped and how you can securely distribute your Kubeconfigs? Attend or tune in virtually to Nigel Brown and Leigh Capili's talk, entitled Sharing Is NOT Caring: Stop Sharing Your Kubernetes Cluster Credentials, at Open Source Summit North America on Wednesday, June 22nd at 2:35 PM CDT.

See you at the Summit!

Stay tuned to the Open Source Blog and follow us on Twitter for more deep dives into the world of open source contributing.
