►
From YouTube: TGI Kubernetes 186: Pinniped
Description
Join Margo Crawford to discuss Kubernetes authentication with Pinniped (https://pinniped.dev).
B
C
B
B
So
this
update
just
kind
of
goes
over
what
that
means
for,
if
you're,
using
docker
as
your
container
runtime
and
how
to
migrate
smoothly.
If
that's
something
you
need
to
do
so
yeah
check
it
out
and
see
if
that's
something
you're
going
to
be
affected
by.
Hopefully
most
people
have
had
plenty
of
time.
A
B
B
C
B
B
Kernel
debugging
doesn't
sound
fun
but
yeah
the
there's
there's
a
kubecon
and
cloud
native
con
europe
has
announced
a
couple
more
co-located
events.
There's
still
calls
for
proposals
out
for
for
those
and
a
few
of
the
other
co-located
events.
It's
in
valencia,
spain
this
year
so
yeah
for
people
going
in
in
person
going
to
spain,
pretty
cool.
B
B
To
good
to
see
you
all
here,
I
guess
I
can
jump
jump
into
the
demo
that
I
was
planning
on,
doing,
which
is
pretty
much
so
for
for,
like
a
basic
rundown
of
what
pinniped
is
it's
a
identity
federation
project
lets
you
bring
in
your
identity
from
elsewhere.
So
from
you
know
your
corporate
identity
provider
like
active
directory
or
opta,
or
you
know
something
else.
B
You
know
your
username
and
groups
and
use
that
as
your
kubernetes
identity
across
multiple
clusters,
so
yeah,
I'm
gonna
do
a
little
demo
of
of
setting
that
up
where
you
can
even
log
in
once
and
have
identity
across
multiple
kubernetes
clusters,
and
I'm
mostly
going
to
be
following
this
tutorial
from
the
pin
pads
website
from
our
docs.
It's
like
a
kind
of
more
fully
featured
example.
There's
lots
of
ways
to
configure
it.
This
one
is
going
to
be
on
gke.
C
B
Yeah,
it
looks
like
I'm
already
on
version
14,
which
is
the
latest
version
of
pinniped.
I
can,
you
know
double
check
that
it
is
version
14..
I've
actually
already
done
this
part
because
it
it
takes
a
little
while
to
revision
the
clusters,
so
I
figured
I
didn't
want
to
do
it
live
just
wait
around
for
them
to
be
up
and
running
so
I'll
skip
down
to
this
step,
which
is.
B
B
So
I've
created
one
supervisor
cluster
and
one
workload
cluster
on
gke
and
I'm
going
to
create
a
second
work
load
cluster.
That's
actually
on
kind,
so
a
local
kubernetes
cluster
for
something
slightly
different,
so
yeah
I'll
just
get
this.
This
is
getting
an
admin
cube
config.
So
this
is
like
something
you
know
if
you're,
if
you're
a
cluster
admin
you
want
to
have
this
cube
config,
you
know
your
cluster
admin.
You
can
do
anything,
you
know
spin
up,
you
know
no!
A
B
B
B
You
know,
for
example,
this
oidc
identity
provider
is
something
that
you
configure
when
you're
trying
to
communicate
with
an
odc
external
identity
provider.
Oibc
is
sort
of
like
a
layer
on
top
of
olof
for
those
who
aren't
familiar
with
the
term,
it's
yeah
just
just
one
way
of
allowing
users
to
to
log
in
and
issuing
them
tokens
to
have
that
identity.
So
then,
the.
B
This
is
for
something
that
only
works
in
in
the
in
the
case
that
you
are
running
the
supervisor
on
something
that
supports
load,
balancer
service
types.
So
you
know
most
of
the
typical
cloud
providers
do,
but
like
kind
doesn't,
for
example.
So
if
you
were
running
this
one
kind,
you'd
wanna
do
some
other
kind
of.
C
B
Yeah
cool,
so
we
have
a
load
balancer
in
front
of
the
pen,
pen
supervisor,
and
it's
got
an
external
ip,
which
means
we
can
do
the
next
step,
which
is
using
cert
manager
to
get
real
certificates
because
yeah.
Well,
it's
it's
perfectly
possible
to
do
this,
all
with
self-signed
certificates.
It
does
end
up
being
a
little
bit
of
a
pain,
because
then
your
browser
will
open
up
and
it'll
say
like
this.
B
B
That
looks
like
it's
looks
itself
and
then
I
do
create
a
service
account.
So
there's
like
a
couple
of
of
challenge
types
that
you
can
you
can
use
with.
Let's
encrypt
the
one
that
I'm
going
to
use
in
this
tutorial
is
the
dns01
type,
which
involves
like
creating
a
dns
tfc
record
at
a
particular
path,
basically
to
prove
that
you
own
a
particular
domain,
so.
B
A
B
A
B
B
B
And
there's
those
two
types:
there's
like
an
issuer
and
a
cluster
issuer,
so
the
cluster
issuer
is
is
what
it
sounds
like
it.
You
can
you
can
you
do
it
anywhere
in
the
cluster,
whereas
an
issuer
is
namespace,
so
you
can
issue
certificates,
but
only
within
that
particular
namespace
which
actually
works
for
this
purposes.
But
I
think
in
a
lot
of
cases
you
probably
want
to
be
able
to
issue
certificates
in
multiple
namespaces.
D
D
A
B
B
A
D
D
D
A
B
D
C
B
A
A
D
C
B
B
E
B
B
D
B
B
Your
external
identity
provider
can
be
oidc,
it
can
be
ldap,
it
can
be
whatever
and
then
under.
The
hood.
Piniped
is
also
talking
oidc
between
like
rcli
and
the
supervisor,
and
so
the
thing
that
that
configures,
like
all
of
that
that
communication
is,
is
called
the
federation
domain.
So
this
is
referencing.
This
supervisor
tls
serve
that
we
just
created.
B
B
B
B
B
So
this
is
basically
yeah
you're
telling
gitlab
that
if
some
application
says
hey,
I
want
my
users
to
log
in
and
they
don't
tell
you
like
after
login
it
redirects
you
back
to
that
application.
So
this
is
the
only
thing
that
it's
gonna
allow.
I'm
gonna
give
some
scopes,
so
open
id
profile
and
email
scopes.
D
C
D
B
A
D
B
That's
the
upstream
configuration
yeah.
It
says
it
succeeded,
so
it's
been
able
to
communicate
with
get
lab.
The
lab
also
has
like
the
same
concept
of
a
discovery
document
which
we
then
use
to
find
out
information
about
it.
Let's
already
see
all
the
way
down
yeah,
so
that's
actually
the
whole
supervisor
config.
The
next
step
is,
of
course,
getting
it
to
work
on
on
a
cluster.
So
that's
I've
got
this.
This
workload,
one
admin
clip
admin,
cluster
or
workload.
B
B
A
B
B
B
B
B
B
Two-Step
install
process,
although
actually
I
think,
install
works
fine
but
like
delete,
doesn't
doesn't
work
if
you
like,
because
of
like
the
ordering
of
ctl
delete
with
the
file.
Like
you
end
up
like
trying
to
delete
the
namespace
first
and
everything
gets
weird.
So
so
we
have
these
two
files,
that's
not
too
cute
ctl
apply
the
second
one.
B
D
B
And
if
you
look
at
it
like
there's,
there's
no
like
there's
no
credentials
in
here,
there's
no
identifying
information
about
a
particular
user
at
all.
So
this
is
something
like
if
you're
using
piniped,
you
can
give
to
every
one
of
your
engineers
basically
and
they
can
all
use
the
same
cubeconfig
and
and
the
way
that
you
do
it
is
keep
ctl
get
name
spaces.
Let's
say.
C
B
That
should
just
where
you
don't
need
to
like
regenerate
the
yeah
okay,
I
didn't
need
to
regenerate
the
cue
config
or
anything
because
that
just
happens
like
behind
the
scenes
in
the
supervisor
and
there's
something
that's
it
works.
So
I'm
getting
like
a
kind
of
typical
consent
screen
from
gitlab
saying
that
asking
me
if
I
want
to
let
it
see
my
email
address
and
such
hit
authorize.
B
B
B
B
D
B
I
have
a
second
cluster
now
and
I
am
going
to
install
the
concierge
on
this
as
well.
This
is
just
so
that
I
can
show
that
you
can
log
into
a
second
cluster
and
you
don't
need
to
log
in
again
or
anything
you
your
session
transfers
into
the
new
cluster,
so
you
can
still
just
log
in
once,
once
per
day
for
for
as
many
clusters
are
using,
pin
bed.