Release v0.13.0

Release Image

These images can also be referenced by their digest: sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f.

Changes

The theme of release was security improvements. New features include detecting changes to user accounts/sessions in OIDC/LDAP/AD identity providers to quickly reflect those changes into Kubernetes, more strict TLS client and server settings, configurable server ports, and lots of other improvements. See our blog post for more details on these highlights.

It has been a little while since the previous release, so there were 54 pull requests included in this release!

Major Changes

• Note that this release updates the internal session storage format version of the Pinniped Supervisor, so when an existing installation of Pinniped is upgraded to at least this version from any version below this version, then all pre-existing user sessions will fail to refresh, causing users to need to log in again. The Pinniped CLI will gracefully handle this case, and will automatically prompt the user to log in again.

• For OIDCIdenitityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform a refresh on the OIDC provider to ensure that the user's session on the provider has not been revoked (#858, #876, #917).

  • Note that feature may require some Pinniped configuration changes, and/or some changes on the OIDC client in the OIDC provider's UI or API, to allow Pinniped to receive refresh tokens from the OIDC provider. See our blog post and docs for more details.
  • If the lifetime of the refresh token returned by your OIDC provider is less than 9 hours, then your Pinniped session will end when your refresh token ends, and you will be prompted to log in again on your next kubectl command. On the other hand, if the lifetime of the refresh token returned by your OIDC provider is greater than 9 hours, then your Pinniped session will end after about 9 hours, which is the hard-coded maximum session duration of Pinniped Supervisor sessions.
  • If your OIDC provider cannot return refresh tokens, then Pinniped will instead use the access token to call the provider's userinfo endpoint during session refreshing (#944, #904). In this case, if the lifetime of the access token is less than 9 hours, then the access token's lifetime will dictate the lifetime of the user's Pinniped session. If the access toke lifetime is below 3 hours, Pinniped will show a warning to indicate that the lifetime is probably lower than what is needed to provide a good user experience (#895, #951).
  • When the user's group membership changes in the OIDC provider during a Pinniped session, the new group membership should be reflected into the Kubernetes session on the next refresh, typically within approximately 5 minutes (#948).

• For LDAPIdentityProviders and ActiveDirectoryIdentityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform additional queries to ensure that the user still exists and will still result in the same username and UID as the original login (#877).

  • For ActiveDirectoryIdentityProviders, it additionally checks for password changes (using the password changed timestamp field), deactivated users, and locked users before allowing the session to continue (#884).
  • Note that changes to the user's group memberships made on the LDAP or AD server since the user's original login will not be reflected in their Kubernetes session. This feature will come in a future release.

• TLS 1.2+ with a modern set of TLS ciphers is now required for all connections coming into or going out of all pinniped components (#873, #889). See our blog post for more details.

• Pinniped server ports are now configurable. See our blog post for more details.

  • For the Concierge (#888), this feature makes it possible to change the listening port numbers of the aggregated API server and impersonation proxy, which is typically not necessary but could be used for example on a cluster using host networking where these ports are already consumed by other services. The aggregated API server now defaults to port 10250 to allow it to work without needing further configuration on private GKE clusters.
  • For the Supervisor (#945), this feature makes it possible to configure how the HTTP and HTTPS ports listen. They can use tcp ports (on all or some interfaces), unix domain sockets, or be disabled. See endpoints option in deploy/supervisor/values.yml for details. Binding the HTTP listener to TCP addresses other than 127.0.0.1 or ::1 is now considered deprecated but still allowed in this release. For more information, see the Supervisor docs.

Minor Changes

• The pinniped get kubeconfig command now accepts the --install-hint flag to allow the cluster admin to customize an installation hint presented the user when the exec plugin binary does not exist. The default hint refers the user to the official Pinniped docs. For more details, see the Kubernetes installHint documentation (#875, #878).
• The pinniped concierge takes less time to load the cluster signer on upgrade (#846).
• Add new columns that are shown in the table output of kubectl get for some of the Pinniped CRDs (#845).
• Directly detect user info support for OIDC providers (#852).
• Do not truncate x509 errors in OIDC discovery (#854).
• Log claim keys at debug level for OIDC providers (#853).
• Tests use CertificatesV1 when available, otherwise use CertificatesV1beta1 (#848).
• Several documentation changes (#857, #872, #903, #908, #919)
• Minor Dockerfile changes (#883).
• Minor changes to get Github's Dependabot working again (#918).
• Several dependency bumps, including using the latest distroless/static (#851, #879, #931), the latest golang (#860, #885, #905, #909, #938), the latest Kubernetes client libraries (#914, #935, #968), the latest Fosite library (#925, #939, #957, #943), and the Javascript minifier library (#953).

Bug Fixes

• Pinniped components now tolerate a larger clock skew between the API servers and the kubelets running the pinniped pods (#849).
• Do not rotate impersonation proxy signer CA unless necessary (#856).
• Fixed several flaky tests and several tests which were failing due to PR merges (#842, #893, #940, #956, #967).
• Fixed a misleading log statement in the token credential request (#847).

A complete list of changes (225 commits, 245 changed files with 18,828 additions and 3,434 deletions) can be found here.

Acknowledgements

• Thank you, @siddhant94, for submitting a PR (#875) to add the --install-hint flag to the pinniped get kubeconfig command!