Pinniped v0.10.0: Managing OIDC Login Flows in Browserless Environments
Jul 30, 2021
Remote Host Environments and OIDC login flows
Enterprise workloads on Kubernetes clusters often run in a restricted environment behind a firewall. In such a setup, the clusters can be accessed via servers sometimes called “SSH jump hosts”. These servers pose restrictions on what the users can execute and typically allow only command line access. Users can use command line utilities such as kubectl,
pinniped CLI, etc. on these servers to access the Kubernetes clusters. However, this poses a problem for the OIDC login workflows since they require a browser to complete the authentication workflow.
Solution for Browserless clients
In the v0.10.0 release, we introduce the ability to use a manual workaround to complete the OIDC workflow in such restricted browserless environments by supporting
response_mode=form_post in the Pinniped Supervisor. As described in the OAuth 2.0 Form Post spec, the response parameters are “encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client”. To complete the authentication process, The Pinniped users can copy and paste the response from the HTML page hosted by the Pinniped Supervisor into the waiting CLI process on the Jump Host.
You can find more details in our design document.
High level overview of the workflow
- Pinniped Concierge is installed with JWTAuthenticator on the Kubernetes cluster.
- Pinniped Supervisor is configured with OIDC Identity Provider on the Kubernetes cluster.
- “Jump Host” server/machine with Kubectl and Pinniped CLI is installed but has no web-browser.
- Desktop environment with a web browser for the User is available.
- Kubeconfig pointing to the Kubernetes cluster is available.
- User accesses the Jump Host via SSH.
- User initiates a kubectl command with kubeconfig pointing to the cluster.
- User is prompted to complete the login process using the Desktop web-browser.
- User competes the web-browser OIDC workflow and gets an authorization response code.
- User will copy-paste the authorization code into the Jump Host environment to complete the login.
Additionally, the v0.10.0 release includes support for non-interactive password based LDAP logins. This feature provides the ability for Jenkins as well as other CI/CD tools that use LDAP Identity Platforms to access the cluster with centralized service account identities from the LDAP directory
We invite your suggestions and contributions to make Pinniped work across all flavors of Kubernetes.
With the release of v0.11.0, Pinniped offers CRDs for easy Active Directory configuration, OIDC password grant flow for CLI workflows, and Distroless images for security and performance
With the release of v0.7.0, Pinniped now supports a much wider range of real-world Kubernetes clusters, including managed Kubernetes environments on all major cloud providers.
We encountered a problem that’s familiar to many Kubernetes controller developers: we need to support multiple instances of our controller on one cluster.