
Sharing is NOT Caring: Stop Sharing Your Kubernetes Cluster Credentials

Conference: ContainerCon 2022

2022-06-22

Authors: Nigel Brown, Leigh Capili


Summary

The presentation discusses the importance of identity and access management in Kubernetes and introduces Pinniped as a solution.
  • Kubernetes lacks a robust identity and access management system
  • Pinniped is a solution that provides a secure and flexible identity and access management system for Kubernetes
  • Pinniped offers a variety of authentication methods, including OAuth 2.0 and OpenID Connect
  • Pinniped is actively seeking input from the community to improve the project

The speaker emphasizes the importance of identity and access management in distributed systems and explains how Pinniped can help solve this problem in Kubernetes. While Kubernetes has some lightweight options for identity management, they are not sufficient for managing identities outside of the cluster. The speaker also highlights the potential security risks of using service account tokens and handing out config files that contain secrets. Pinniped offers a more secure and flexible solution, with support for various authentication methods. The speaker encourages the audience to get involved in the Pinniped community and provide feedback to help improve the project.

Abstract

Attention Kubernetes admins! That kubeconfig your developer just downloaded has credentials that can compromise not just their system but potentially your entire platform! Stop taking the risk and switch to using kubeconfigs that can be securely distributed to users. In this talk, we will discuss how an open source solution, Pinniped, helps solve your problem of secure kubeconfig generation. Pinniped kubeconfigs can be safely distributed as they don't have any user-specific credentials. But users have authentication requirements beyond just safe kubeconfig generation, such as seamless cluster access without having to log in multiple times a day, support for access across multiple cloud providers, and the ability to integrate with various identity providers. In our session, we will deep dive into the architectural components of Pinniped and explain how they help solve the authentication challenges for Kubernetes users.
