From YouTube: TGI Kubernetes 186: Pinniped
Description
Join Margo Crawford to discuss Kubernetes authentication with Pinniped (https://pinniped.dev).
Hi everyone, welcome to this episode of TGI Kubernetes. Happy Friday. My name is Margo Crawford, I'll be hosting for the day. I'm a maintainer of Pinniped, which is a multi-cluster identity solution for Kubernetes, and that's what I'm gonna be talking about today.
I guess I can start with the week in review. So we've got, I guess not really news, but just a nice update to the Dockershim removal FAQ. So this was originally announced for Kubernetes version 1.20, but it's actually going to be removed in 1.24.

So this update just kind of goes over what that means if you're using Docker as your container runtime, and how to migrate smoothly if that's something you need to do. So yeah, check it out and see if that's something you're going to be affected by. Hopefully most people have had plenty of time.
Next up on the docket there's this funny article about how I got Kubernetes to run on a PlayStation 4. So that was honestly just hilarious, that this was possible.

Basically it required a lot of compiling and recompiling and changing flags on the Linux kernel to try to get everything working, but it did end up running.

There's a couple of newly announced... yeah, Jason, getting Pinniped on the PS4 is the next frontier here. That'll probably be possible if you can run Kubernetes, although networking is probably a huge pain.

So that would be an interesting experiment, not one I really want to do, because all the kernel debugging doesn't sound fun. But yeah, KubeCon and CloudNativeCon Europe has announced a couple more co-located events. There's still calls for proposals out for those and a few of the other co-located events. It's in Valencia, Spain this year, so yeah, for people going in person, going to Spain, pretty cool.
I guess I also found this cool article about Kubernetes RBAC by Anise Felix. It's a pretty nice, simple explanation of how to configure that. So I recommend giving it a read if you're new to Kubernetes RBAC and want to learn. So it's a nice tutorial. Cool, and yes, hello everyone. Someone from the Netherlands, that's cool.
Good to see you all here. I guess I can jump into the demo that I was planning on doing. So for a basic rundown of what Pinniped is: it's an identity federation project. It lets you bring in your identity from elsewhere, so from, you know, your corporate identity provider like Active Directory or Okta, or something else.

You know, your username and groups, and use that as your Kubernetes identity across multiple clusters. So yeah, I'm gonna do a little demo of setting that up, where you can even log in once and have identity across multiple Kubernetes clusters, and I'm mostly going to be following this tutorial from the Pinniped website, from our docs. It's kind of a more fully featured example. There's lots of ways to configure it. This one is going to be on GKE.
Hello from Tokyo, Conrad. This is probably really early in the morning.

So yeah, just getting started. Yeah, it looks like I'm already on version 14, which is the latest version of Pinniped. I can double check that it is version 14. I've actually already done this part, because it takes a little while to provision the clusters, so I figured I didn't want to do it live and just wait around for them to be up and running, so I'll skip down to this step, which is...
Getting the credentials. So the basic idea is there's gonna be one supervisor cluster. So the supervisor is the component of Pinniped that's talking to an external identity provider, taking those identities, helping the user to log in, and then issuing a token that can then be used by Kubernetes clusters. And the concierge is gonna be on our workload clusters, and so that's just taking the token from the supervisor and actually issuing a certificate, or basically communicating with the Kubernetes API server, to make sure that the user's kubectl commands work and are associated with our identity.
So I've created one supervisor cluster and one workload cluster on GKE, and I'm going to create a second workload cluster that's actually on kind, so a local Kubernetes cluster, for something slightly different. So yeah, I'll just get this. This is getting an admin kubeconfig. So this is something, you know, if you're a cluster admin you want to have this kubeconfig. You know, you're cluster admin, you can do anything, you know, spin up... no, it's... yeah, read and write anything. But for most developers, you might not want each and every one of them to have that.

You know, it's associated with a gcloud identity rather than your identity from, in this case, I'm going to be using GitLab, but you know, it could be your identity or something. And so at the end of this, we're gonna have other kubeconfigs that actually don't have any credentials in them, but allow the user to log in and then use that identity.
Yeah, gonna use Google Cloud DNS and then create a subdomain on pinniped.dev, because that's the domain we own. Obviously, if you're following along at home, you're gonna have some other domain, if you wanna have like a...
But the next step here is going to this supervisor cluster, and we're going to install the Pinniped supervisor.

And so this is going to install a bunch of stuff. We've got some custom resource definitions that we're configuring. You know, we've got a service account, things that the supervisor itself is running as, so RBAC rules along with that. But yeah... yeah, there we go, so.

You know, for example, this OIDCIdentityProvider is something that you configure when you're trying to communicate with an OIDC external identity provider. OIDC is sort of like a layer on top of OAuth, for those who aren't familiar with the term. It's just one way of allowing users to log in and issuing them tokens to have that identity. So then, the...
This is for something that only works in the case that you are running the supervisor on something that supports LoadBalancer service types. So, you know, most of the typical cloud providers do, but kind doesn't, for example. So if you were running this on kind, you'd wanna do some other kind of way to expose the supervisor, because it's essentially just a bunch of endpoints that happens to run on Kubernetes but needs to be accessible to users who are trying to log in. In this case, it's going to be accessible to the entire internet.
Yeah, cool, so we have a load balancer in front of the Pinniped supervisor, and it's got an external IP, which means we can do the next step, which is using cert-manager to get real certificates. Because, well, it's perfectly possible to do this all with self-signed certificates. It does end up being a little bit of a pain, because then your browser will open up and it'll say, like, this isn't a trustworthy certificate, and you have to click through all the scary warnings and things. So yeah, better to do real certificates when you can.

So yeah, I'm gonna do that via cert-manager and Let's Encrypt, very nice, easy to use tools for certificates.
That looks like it's installed, and then I do create a service account. So there's a couple of challenge types that you can use with Let's Encrypt. The one that I'm going to use in this tutorial is the DNS01 type, which involves creating a DNS TXT record at a particular path, basically to prove that you own a particular domain, so...
Yeah, there it is. I've got this in a service account key, and then I'm gonna put it... we're gonna create an issuer, and it will have access to the secret. So then it can issue the challenge, generate some sort of key, and then check through DNS that it can reach the key. And then that proves that you have the domain, and it issues the certificate.
I have to use a real email address, which is kind of funny. cert-manager will not accept example.com. It only really uses your email to tell you when your cert is about to expire, I think. But yeah, looking through this...
Actually, one thing that's kind of fun is there's two types of issuers. So the issuer is the component that's listening and issues certificates whenever you request a Let's Encrypt certificate.

And there's those two types: there's an Issuer and a ClusterIssuer. So the ClusterIssuer is what it sounds like: you can use it anywhere in the cluster, whereas an Issuer is namespaced, so you can issue certificates, but only within that particular namespace, which actually works for this purpose. But I think in a lot of cases you probably want to be able to issue certificates in multiple namespaces.
So then I'm getting the IP address of the load balancer that I just provisioned that's sitting in front of the supervisor, which is a GCP thing, my DNS. Run these commands, so this is just creating a DNS A record so that demo-supervisor.tgik.pinniped.dev points at this IP address, which is the load balancer, which points at the supervisor.
My ID number one, hopefully this doesn't take too long. It does say status done for this supervisor.
The next thing is we're gonna ask cert-manager to create a TLS certificate, which it's then gonna store as a Kubernetes secret. Because I decided to be fancy and make it a ClusterIssuer, that requires a slightly different syntax. Let me just say, like, kind: ClusterIssuer. I think this is what I called it. Everything else...

All right, so this is saying a Certificate, which is then gonna request the certificate. This is like the standard Kubernetes metadata, and then the secret name here is gonna be, after this is issued, that's where it's gonna be stored, which means that's what you can reference later. I can get this: the certificate, supervisor TLS cert, request.
I can't see your other screen. Can you see this terminal? Maybe it's just my internet. Basically, what I'm doing is trying to figure out... the debug, yeah, the joy of live demos.

Make it a little easier, like? Is it like when I'm typing that it gets super weird? Somewhere along the line of all the, you know, streaming and things, that he's having trouble with this, the smaller terminal. Yeah, well, the struggle to get it to work is part of the fun, right, Peter?

Yes, okay! So now I'm back here. Full screening it, maybe, and just having these instructions off screen on my other monitor. I wonder if that would be easier to... Yeah, trying too hard to compress video, it seems like a possible culprit. Yeah, or I could try bumping the font size, maybe, and then there's a little more... I'd be a little more likely to catch all the text. Oh, see, now it's off my screen, that's actually too big. Yeah, I'll just, yeah, actually full screen it.

And try deleting the ClusterIssuer. I swear this worked when I was testing it out all by myself, as is usually the...
So moving right along, we've got a certificate which the supervisor can present. It's a Let's Encrypt certificate. Yeah, the next step is going to be we're going to be creating a FederationDomain, which is a Pinniped component that sort of represents the downstream OIDC identity provider. So your external identity provider can be OIDC, it can be LDAP, it can be whatever, and then under the hood Pinniped is also talking OIDC between our CLI and the supervisor, and so the thing that configures all of that communication is called the FederationDomain. So this is referencing this supervisor TLS cert that we just created.

And we've got an OIDC issuer. So this means that it should have all the standard OIDC endpoints, so you can curl it. The discovery endpoint is an OIDC endpoint that kind of tells you, essentially, all the stuff you need to know about it. You know: here's the authorization endpoint, here's the token endpoint, etc. Here's response types and that sort of thing, so there's, you know, the auth code flow, for example, or, you know, just using client credentials, sorts.
And then the next step is gonna be configuring the supervisor to talk to GitLab. I'm using GitLab essentially because it's easily publicly available and I can just create a new... That's, I guess, here's where I probably want to actually show you guys my browser, because it's a browser-based thing. So yeah, this is what I'm doing.

Call it tgik. The redirect URI, so that's gonna be our DNS name, or sorry, our issuer name, slash callback, which, see, our DNS name that I configured, yes.

So this is basically, yeah, you're telling GitLab that if some application says "hey, I want my users to log in", and they don't tell you, like, after login it redirects you back to that application. So this is the only thing that it's gonna allow. I'm gonna give some scopes, so openid, profile and email scopes.
Cool, it's got a client ID and client secret. I'll go back to full screen since that's easier for you guys to see, but... edit this. The additional scopes are going to be slightly different for GitLab.

For GitLab, the... sorry, not in vim, and I feel like I am. But the username is gonna be the nickname. So that's like your handle, basically. I also called it okta, which is inaccurate, but doesn't actually matter, just probably a little confusing.

That's the upstream configuration, yeah. It says it succeeded, so it's been able to communicate with GitLab. GitLab also has the same concept of a discovery document, which we then use to find out information about it. Let's already see all the way down, yeah, so that's actually the whole supervisor config. The next step is, of course, getting it to work on a cluster. So that's... I've got this workload-one admin kubeconfig... admin cluster, or workload...
...one cluster, which I have an admin kubeconfig for, and so I want to set up Pinniped on that cluster. The component that I'm going to install is called the concierge.

Installing a bunch more custom resource definitions. The concierge takes a little bit less work to set up, because it does a lot of API aggregation and stuff. You can basically skip all the networking stuff that I just did, in most cases.

Essentially, it's pretty simple. But the only configuration is what the issuer's name is, and then each cluster has a unique audience, because there's a token exchange step.

That means each Kubernetes cluster gets its own tokens rather than sharing tokens, just like an extra security feature, so that in the unlikely event that a Kubernetes cluster gets compromised, it doesn't mean that all of your Kubernetes clusters are compromised, because now that cluster has all the tokens that work against all the other clusters. And so I'm gonna generate a...
Two-step install process, although actually I think install works fine, but delete doesn't work, because of the ordering of kubectl delete with the file. You end up trying to delete the namespace first and everything gets weird. So we have these two files. That's not too... kubectl apply the second one.

Never mind, we'll wait a couple minutes. So you can see in some of this output message it's talking about different strategies. So the concierge has sort of two different modes that it can work in. One of them is an impersonation proxy, where users talk to the Pinniped concierge as if it were the Kubernetes API server, and then the Pinniped concierge turns around and uses the impersonation feature of Kubernetes to issue commands on that user's behalf. And then the other strategy is issuing a short-lived X.509 certificate, using the Kubernetes API server's cluster signing key pair, so that it's a valid certificate that can just be used directly against the Kubernetes API server, without using the impersonation proxy feature.
So now we've got yet another kubeconfig, this developer kubeconfig. And if you look at it, there's no credentials in here, there's no identifying information about a particular user at all. So this is something, if you're using Pinniped, you can give to every one of your engineers, basically, and they can all use the same kubeconfig. And the way that you do it is kubectl get namespaces, let's say.

Okay, that's unfortunate, so going back. That should just... where you don't need to regenerate the... yeah, okay, I didn't need to regenerate the kubeconfig or anything, because that just happens behind the scenes in the supervisor, and there's something... that's it, it works. So I'm getting a kind of typical consent screen from GitLab asking me if I want to let it see my email address and such. Hit authorize.

And then, yeah, so I was able to communicate, and I didn't set up RBAC roles for myself. So, of course, I am not allowed to list namespaces, because I don't have permission to do that, but yeah, I can do that, so I guess...
Yeah, the next thing is I can create a second cluster, a kind cluster. This is the config. It's in something we typically use for integration tests. It's mostly just got a little bit of networking config, but it's probably not super interesting. So creating a local kind cluster.

I might have overridden my other workload-one admin kubeconfig. Sounds a little too hasty with the copy and paste, so...

I have a second cluster now, and I am going to install the concierge on this as well. This is just so that I can show that you can log into a second cluster and you don't need to log in again or anything. Your session transfers into the new cluster, so you can still just log in once, once per day, for as many clusters as are using Pinniped.
And so this is saying that this cluster should also talk to the same supervisor using the same issuer, but it's got its own unique audience claim that's going to show up in all of the JWT tokens that...

And you can see it's talking to a different cluster here. It's the kind cluster rather than the GKE workload cluster, but I didn't have to log in a second time. It still uses the same GitLab identity, this being my GitLab username, in order to log in. And from this, you can see, here's a user info: I'm in a test group, then my username shows up. If I do the same thing here, it's a different cluster info, but the same user info. So I'm the same, easy, here, so yeah.

That's the basic idea of Pinniped, that you can do this to as many clusters as you'd like. If you didn't want to do OIDC and GitLab, yeah, you can swap it out for other identity providers.
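The demo ties a few settings together that are easy to get wrong by hand: the FederationDomain issuer has to be an https URL with a TLS secret behind it, the redirect URI registered at GitLab has to be exactly that issuer plus /callback, and every workload cluster's JWTAuthenticator has to point at the same issuer while carrying its own unique audience (the property the talk relies on so that one compromised cluster's tokens don't work against the others). The following is an added example by the editor, not code from the Pinniped project or from the demo: a small Python checker that enforces those relationships over constructed sample manifests (written as the parsed YAML would look). Field names follow the Pinniped v1alpha1 APIs; the hostname, secret names and audiences are placeholders, not the demo's real values.

```python
"""Consistency checks over Pinniped supervisor/concierge manifests (editor's example)."""
from urllib.parse import urlparse

# --- constructed sample manifests, placeholders only -----------------------
FEDERATION_DOMAIN = {
    "apiVersion": "config.supervisor.pinniped.dev/v1alpha1",
    "kind": "FederationDomain",
    "metadata": {"name": "demo-federation-domain", "namespace": "pinniped-supervisor"},
    "spec": {
        "issuer": "https://supervisor.example.test",   # placeholder issuer URL
        "tls": {"secretName": "supervisor-tls-cert"},  # secret filled by cert-manager
    },
}

OIDC_IDP = {
    "apiVersion": "idp.supervisor.pinniped.dev/v1alpha1",
    "kind": "OIDCIdentityProvider",
    "metadata": {"name": "gitlab", "namespace": "pinniped-supervisor"},
    "spec": {
        "issuer": "https://gitlab.com",
        "authorizationConfig": {"additionalScopes": ["openid", "profile", "email"]},
        "claims": {"username": "nickname", "groups": "groups"},
        "client": {"secretName": "gitlab-client-credentials"},
    },
}

# Redirect URI registered on the GitLab application (constructed value).
REGISTERED_REDIRECT_URI = "https://supervisor.example.test/callback"

# One JWTAuthenticator per workload cluster (each lives on its own cluster).
JWT_AUTHENTICATORS = [
    {
        "apiVersion": "authentication.concierge.pinniped.dev/v1alpha1",
        "kind": "JWTAuthenticator",
        "metadata": {"name": "workload1-authenticator"},
        "spec": {"issuer": "https://supervisor.example.test",
                 "audience": "workload1-aud-PLACEHOLDER"},
    },
    {
        "apiVersion": "authentication.concierge.pinniped.dev/v1alpha1",
        "kind": "JWTAuthenticator",
        "metadata": {"name": "kind-authenticator"},
        "spec": {"issuer": "https://supervisor.example.test",
                 "audience": "kind-aud-PLACEHOLDER"},
    },
]


def check_federation_domain(fd):
    """Findings for the supervisor's FederationDomain: https issuer and a TLS secret."""
    findings = []
    issuer = fd["spec"].get("issuer", "")
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.hostname:
        findings.append(f"FederationDomain issuer must be an https URL, got {issuer!r}")
    if not fd["spec"].get("tls", {}).get("secretName"):
        findings.append("FederationDomain has no spec.tls.secretName; "
                        "browser logins would land on an untrusted certificate")
    return findings


def expected_redirect_uri(fd):
    """The callback the upstream IdP must allow: <issuer>/callback."""
    return fd["spec"]["issuer"].rstrip("/") + "/callback"


def check_redirect_uri(fd, registered_uri):
    """The IdP must only redirect back to the supervisor's own callback."""
    expected = expected_redirect_uri(fd)
    if registered_uri != expected:
        return [f"redirect URI at the IdP is {registered_uri!r}, expected {expected!r}"]
    return []


def check_jwt_authenticators(fd, authenticators):
    """Every cluster trusts the same issuer but must carry its own audience."""
    findings = []
    issuer = fd["spec"]["issuer"]
    seen = {}  # audience -> authenticator name that already uses it
    for auth in authenticators:
        name = auth["metadata"]["name"]
        spec = auth["spec"]
        if spec.get("issuer") != issuer:
            findings.append(f"{name}: issuer {spec.get('issuer')!r} != supervisor issuer {issuer!r}")
        aud = spec.get("audience", "")
        if not aud:
            findings.append(f"{name}: empty audience")
        elif aud in seen:
            findings.append(f"{name}: audience {aud!r} already used by {seen[aud]}")
        else:
            seen[aud] = name
    return findings


def run_checks(fd, registered_uri, authenticators):
    """All findings for the set of manifests; an empty list means consistent."""
    return (check_federation_domain(fd)
            + check_redirect_uri(fd, registered_uri)
            + check_jwt_authenticators(fd, authenticators))


if __name__ == "__main__":
    for finding in run_checks(FEDERATION_DOMAIN, REGISTERED_REDIRECT_URI, JWT_AUTHENTICATORS) or ["ok"]:
        print(finding)
```

The checker works on parsed manifests, so in practice you would load the YAML you are about to apply (for example with PyYAML) and pass the documents in; the duplicate-audience check is the one to keep when you copy a concierge manifest from one workload cluster to the next, as the demo does.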