Pinniped v0.9.2 is a small security hardening release on top of the recent v0.9.1 release.
We've made several changes to harden the impersonation proxy against potential future security vulnerabilities. These changes are proactive, based on our understanding of where issues could arise:
The impersonation proxy now performs its own authorization check on every request, rather than deferring authorization to the Kubernetes API server.
The impersonation proxy now uses a distinct service account with no RBAC privileges other than impersonation.
On clusters where anonymous authentication is disabled (such as AKS), the impersonation proxy now refuses anonymous requests. The Pinniped TokenCredentialRequest API is still allowed, since it is necessarily a pre-authentication API: a client calling it has not yet obtained a cluster credential.
Upgraded Go from 1.16.4 to 1.16.5.
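As an illustration of the "no RBAC privileges other than impersonation" point above, here is a least-privilege RBAC setup for an impersonating proxy. This is an added example, not Pinniped's own manifests; the ServiceAccount name, namespace, and role names are assumptions.

```yaml
# Added example: a dedicated ServiceAccount whose only privilege is
# impersonation. Names and namespace are illustrative, not Pinniped's.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: impersonation-proxy          # assumed name
  namespace: pinniped-concierge      # assumed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonation-proxy-impersonate-only
rules:
  # The only verb granted is "impersonate". No get/list/watch/create on
  # anything, so the proxy's own token cannot read or modify cluster
  # state directly.
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]
  # "Extra" fields on an impersonated user live in authentication.k8s.io.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["userextras"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonation-proxy-impersonate-only
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonation-proxy-impersonate-only
subjects:
  - kind: ServiceAccount
    name: impersonation-proxy
    namespace: pinniped-concierge
```

To confirm the account holds nothing beyond this, run `kubectl auth can-i --list --as=system:serviceaccount:pinniped-concierge/impersonation-proxy` and check that, apart from the discovery endpoints every authenticated subject gets through the default `system:basic-user` and `system:discovery` roles, only `impersonate` on the resources above is listed. Note that the ability to impersonate arbitrary users and groups is itself equivalent to cluster-admin, so the value of a distinct account is isolation: a flaw elsewhere in the Concierge does not yield impersonation rights, and a flaw in the proxy does not yield the rest of the Concierge's privileges.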
A complete list of changes (16 commits, 15 changed files with 1,197 additions and 210 deletions) can be found here.