pinniped

pinniped copied to clipboard

Our [docs](https://pinniped.dev/docs/tutorials/concierge-and-supervisor-demo) use cert-manager on GKE. It would be good to migrate them to use [GKE workload identity](https://cert-manager.io/docs/configuration/acme/dns01/google/#gke-workload-identity) so that the cluster does not need direct access to the GCP...

enj

Provide support for a corporate compliance warning when authenticating

1

Provide a means to configure a corporate legal notice when a user authenticates using pinniped-cli. Common for organisations to require a legal noticed be displayed when accessing corporate systems. Would...

miclip

Add audit log backend for impersonation proxy

1

Today: generate bare minimum of k8s audit events, but drop them - Is this worth doing? This is a duplication of the actual API server audit logs. - If it...

mattmoyer

**Is your feature request related to a problem? Please describe.** Concierge deployments cause this warning: `Warning: spec.template.metadata.annotations[scheduler.alpha.kubernetes.io/critical-pod]: non-functional in v1.16+; use the "priorityClassName" field instead.` **Describe the solution you'd like**...

cfryanr

As a defensive change to handle https://github.com/kubernetes/kubernetes/pull/106768 I propose that the `pinniped` CLI: 1. Not send `expirationTimestamp` to `client-go`/`kubectl` - maybe allow this to be opt-ed into? - or a...

enj

Pinniped Supervisor - interactively authenticate once per day/week/month

5

**Is your feature request related to a problem? Please describe.** I'm always frustrated when I've to copy the Auth-Code manually cause I'm a Safari User. **Describe the solution you'd like**...

0hlov3

Enable registering new clients with supervisor

3

**Is your feature request related to a problem? Please describe.** I'm using Pinniped to enable a web app to authenticate requests to the API server and so have created a...

absoludity

Signed-off-by: Margo Crawford This implements client side logout-- i.e. deleting the cached tokens and certificates for a user without telling the supervisor to forget about the users tokens. From a...

margocrawf

[stub] document nested impersonation public API

1

i.e. we use the `original-user-info.impersonation-proxy.concierge.pinniped.dev` extra key to store the original user as JSON blob of `${some_struct}`.

enj

WIP: Prototype to provide user-defined upsteam-to-downstream identity transformations/filters via Starlark functions

1

## Problem Statement During login, when an identity is established from an upstream OIDC or LDAP provider, then a Pinniped admin might like to perform arbitrary transformations like adding a...

cfryanr