github vmware-tanzu/pinniped v0.8.0

Release v0.8.0

Release Images

Image Registry
projects.registry.vmware.com/pinniped/pinniped-server:v0.8.0 VMware Harbor
docker.io/getpinniped/pinniped-server:v0.8.0 DockerHub

Changes

Major Changes

  • The Pinniped command-line tool now caches ephemeral cluster-specific credentials issued by the Concierge. This notably improves performance on clusters with poor request latency.

  • The Concierge impersonation proxy (used on managed Kubernetes cluster types) now supports more extended authentication features:

    • Support for authenticating with ServiceAccount tokens or other bearer tokens that are valid on the underlying Kubernetes cluster.

    • Support for using --as/--as-group via the proxy (nested impersonation). When a request using impersonation is made via the proxy, Pinniped now performs the requisite authorization checks and performs the impersonation. When these requests are audited by Kubernetes, the original user info is preserved in the original-user-info.impersonation-proxy.concierge.pinniped.dev extra field.

Minor Changes

  • The pinniped get kubeconfig command now generates more helpful "context", "cluster", and "user" names. The names will now be copied from the original kubeconfig but suffixed with "-pinniped". This suffix can be overridden with the--generated-name-suffix flag.

  • The Supervisor now produces more detailed error messages in the status conditions of OIDCIdentityProvider. This makes it easier to diagnose many common OIDC misconfigurations.

  • Fixed a bug in the Supervisor that caused refresh tokens to become invalid before their intended expiration. This caused unnecessary interactive logins when your CLI was idle for more than 20 minutes. The Supervisor now properly observes the intended 9 hour refresh token lifetime.

  • Added optional debug logging to the Pinniped CLI login flow. The new logs can be enabled by setting the $PINNIPED_DEBUG environment variable when running kubectl, for example export PINNIPED_DEBUG=true.

  • The Supervisor access token lifetime has been reduced from 15 minutes to 2 minutes, since the new Concierge credential caching means these tokens no longer need to be reused for performance reasons.

  • The kube-cert-agent pod used to collect the client certificate signing CA is now created via a Deployment instead of directly as a Pod. This fixes a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493).

  • Refactored Supervisor garbage collection controller to use a singleton informer queue.

  • Upgraded Go from 1.16.2 to 1.16.4.

  • Upgraded Kubernetes runtime library dependencies to v1.21.0.

  • Improved the stability of several integration tests.

A complete list of changes (102 commits, 113 changed files with 6,710 additions and 5,086 deletions!) can be found here.

latest releases: v0.9.2, v0.9.1, v0.9.0...
one month ago