Getting Started with Pinniped

Pinniped is an authentication service for Kubernetes clusters. As a Kubernetes cluster administrator or user, you can learn how Pinniped works, see how to use it on your clusters, and dive into internals of Pinniped’s APIs and architecture.

Have a question, comment, or idea? Please reach out via GitHub Issues, GitHub Discussions, or join the Pinniped community.

New to Pinniped?

• ⚠️ Start here:
  • Learn to use Pinniped for federated authentication to Kubernetes clusters in a production-like environment
  • Or, try Pinniped on your local computer in a demo-like environment

Background

• Architecture

  Dive into the overall design and implementation details of Pinniped.

Tutorials

• Learn to use Pinniped for federated authentication to Kubernetes clusters

  See how the Pinniped Supervisor streamlines login to multiple Kubernetes clusters.

• Learn to use Pinniped for federated authentication to Kubernetes clusters - running the whole demo on your local computer

  See how the Pinniped Supervisor streamlines login to multiple Kubernetes clusters.

• Learn to use the Pinniped Concierge

  See how the Pinniped Concierge works to provide a uniform login flow across different Kubernetes clusters.

• Learn to use the Pinniped Supervisor without the Concierge

  See how the Pinniped Supervisor can work directly with the Kube API server to provide authentication to Kubernetes clusters.

How-to guides

• Install the Pinniped command-line tool

  Download and set up the pinniped command-line tool on macOS, Linux, or Windows clients.

• Install the Pinniped Concierge

  Install the Pinniped Concierge service in a Kubernetes cluster.

• Install the Pinniped Supervisor

  Install the Pinniped Supervisor service in a Kubernetes cluster.

• Logging into your cluster using Pinniped

  Logging into your Kubernetes cluster using Pinniped for authentication.

• Using Pinniped for CI/CD cluster operations

  Using Pinniped for CI/CD cluster operations.

• Using the Pinniped Supervisor to provide authentication for web applications

  Allow your Kubernetes cluster users to authenticate into web apps using the same identities.

• Debugging Pinniped

Concierge Configuration

• Configure the Pinniped Concierge to validate JWT tokens

  Set up JSON Web Token (JWT) based token authentication on an individual Kubernetes cluster.

• Configure the Pinniped Concierge to validate JWT tokens issued by the Pinniped Supervisor

  Set up JSON Web Token (JWT) based token authentication on an individual Kubernetes cluster using the Pinniped Supervisor as the OIDC provider.

• Configure the Pinniped Concierge to validate webhook tokens

  Set up webhook-based token authentication on an individual Kubernetes cluster.

Supervisor Configuration

• Configure the Pinniped Supervisor as an OIDC issuer

  Set up the Pinniped Supervisor to provide seamless login flows across multiple clusters.

• Configure Identity Providers (IDPs) on a FederationDomain

  Learn how to use one or more identity providers, and identity transformations and policies, on a FederationDomain.

• Configure the Pinniped Supervisor to use Auth0 as an OIDC provider

  Set up the Pinniped Supervisor to use Auth0 login.

• Configure the Pinniped Supervisor to use Azure Active Directory as an OIDC provider

  Set up the Pinniped Supervisor to use Azure Active Directory login.

• Configure the Pinniped Supervisor to use Dex with Github as an OIDC provider

  Set up the Pinniped Supervisor to use Dex login.

• Configure the Pinniped Supervisor to use Miscrosoft Entra ID as an OIDC provider

  Set up the Pinniped Supervisor to use Miscrosoft Entra ID to login.

• Configure the Pinniped Supervisor to use GitHub as an identity provider

  Set up the Pinniped Supervisor to use GitHub as an identity provider.

• Configure the Pinniped Supervisor to use Okta as an OIDC provider

  Set up the Pinniped Supervisor to use Okta login.

• Configure the Pinniped Supervisor to use Workspace ONE Access as an OIDC provider

  Set up the Pinniped Supervisor to use Workspace ONE Access login.

• Configure the Pinniped Supervisor to use GitLab as an OIDC provider

  Set up the Pinniped Supervisor to use GitLab login.

• Configure the Pinniped Supervisor to use OpenLDAP as an LDAP provider

  Set up the Pinniped Supervisor to use OpenLDAP login.

• Configure the Pinniped Supervisor to use JumpCloud as an LDAP provider

  Set up the Pinniped Supervisor to use JumpCloud LDAP

• Configure the Pinniped Supervisor to use Microsoft Active Directory as an ActiveDirectoryIdentityProvider

  Set up the Pinniped Supervisor to use Microsoft Active Directory

Reference

• Active Directory Configuration

  See the default configuration values for the ActiveDirectoryIdentityProvider.

• Supported cluster types

  See the supported cluster types for the Pinniped Concierge.

• Command-Line Options Reference

  Reference for the pinniped command-line tool

• FIPS-compatible builds of Pinniped binaries

  Reference for FIPS builds of Pinniped binaries

• API Types

  Reference for the *.pinniped.dev Kubernetes API groups.

• Supervisor and Concierge Audit Logging

  Reference for audit log statements in Pinniped pod logs

• Code Walk-through

  A brief overview of the Pinniped source code.

• Tokens and credentials

  A description of every token and credential issued to clients by Pinniped.