The Pinniped command-line tool now caches ephemeral cluster-specific credentials issued by the Concierge. This notably improves performance on clusters with poor request latency.
The Concierge impersonation proxy (used on managed Kubernetes cluster types) now supports more extended authentication features:
Support for authenticating with ServiceAccount tokens or other bearer tokens that are valid on the underlying Kubernetes cluster.
Support for using
--as-groupvia the proxy (nested impersonation). When a request using impersonation is made via the proxy, Pinniped now performs the requisite authorization checks and performs the impersonation. When these requests are audited by Kubernetes, the original user info is preserved in the
pinniped get kubeconfigcommand now generates more helpful "context", "cluster", and "user" names. The names will now be copied from the original kubeconfig but suffixed with "-pinniped". This suffix can be overridden with the
The Supervisor now produces more detailed error messages in the status conditions of OIDCIdentityProvider. This makes it easier to diagnose many common OIDC misconfigurations.
Fixed a bug in the Supervisor that caused refresh tokens to become invalid before their intended expiration. This caused unnecessary interactive logins when your CLI was idle for more than 20 minutes. The Supervisor now properly observes the intended 9 hour refresh token lifetime.
Added optional debug logging to the Pinniped CLI login flow. The new logs can be enabled by setting the
$PINNIPED_DEBUGenvironment variable when running kubectl, for example
The Supervisor access token lifetime has been reduced from 15 minutes to 2 minutes, since the new Concierge credential caching means these tokens no longer need to be reused for performance reasons.
kube-cert-agentpod used to collect the client certificate signing CA is now created via a Deployment instead of directly as a Pod. This fixes a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493).
Refactored Supervisor garbage collection controller to use a singleton informer queue.
Upgraded Go from 1.16.2 to 1.16.4.
Upgraded Kubernetes runtime library dependencies to v1.21.0.
Improved the stability of several integration tests.
A complete list of changes (102 commits, 113 changed files with 6,710 additions and 5,086 deletions!) can be found here.