Tanzu Kubernetes Grid implements user authentication with Pinniped. Pinniped allows you to plug external OpenID Connect (OIDC) or LDAP identity providers (IDP) into Tanzu Kubernetes clusters, so that you can control user access to those clusters. Pinniped is an open-source authentication service for Kubernetes clusters. If you use LDAP authentication, Pinniped uses Dex as the endpoint to connect to your upstream LDAP identity provider. If you use OIDC, Pinniped provides its own endpoint, so Dex is not required. Pinniped and Dex run automatically as in-cluster services in your management clusters if you enable identity management during management cluster deployment.
IMPORTANT:
The process for implementing identity management is as follows:
kubeconfig
for the workload cluster to the user.kubeconfig
to connect to the workload cluster, for example, by running kubectl get pods --kubeconfig <kubeconfig-file>
.kubectl get pods
request, depending on the permissions of the user’s role.In the image below, the blue arrows represent the authentication flow between the workload cluster, the management cluster and the external IDP. The green arrows represent Tanzu CLI and kubectl
traffic between the workload cluster, the management cluster and the external IDP.
The diagram below shows the identity management components that Tanzu Kubernetes Grid deploys in the management cluster and in Tanzu Kubernetes (workload) clusters when you enable identity management.
Understanding the diagram:
The purple-bordered rectangles show the identity management components, which include Pinniped, Dex, and a post-deployment job in the management cluster and Pinniped and a post-deployment job in the workload cluster. In Tanzu Kubernetes Grid v1.3.0, Pinniped uses Dex as the endpoint for both OIDC and LDAP providers. In v1.3.1 and later, Dex is deployed only for LDAP providers.
The gray-bordered rectangles show the components that Tanzu Kubernetes Grid uses to control the lifecycle of the identity management components, which include the Tanzu CLI, tanzu-addons-manager
, and kapp-controller
.
The green-bordered rectangle shows the Pinniped add-on secret created for the management cluster.
The orange-bordered rectangle in the management cluster shows the Pinniped add-on secret created for the workload cluster. The secret is mirrored to the workload cluster.
Internally, Tanzu Kubernetes Grid deploys the identity management components as a core add-on, pinniped
. When you deploy a management cluster with identity management enabled, the Tanzu CLI creates a Kubernetes secret for the pinniped
add-on in the management cluster. tanzu-addons-manager
reads the secret, which contains your IDP configuration information, and instructs kapp-controller
to configure the pinniped
add-on using the configuration information from the secret.
The Tanzu CLI creates a separate pinniped
add-on secret for each workload cluster that you deploy from the management cluster. All secrets are stored in the management cluster.
Before you can deploy a management cluster with identity management enabled, you must have an identity provider. Tanzu Kubernetes Grid supports LDAPS and OIDC identity providers.
To use your company’s internal LDAPS server as the identity provider, obtain LDAPS information from your LDAP administrator.
To use OIDC as the identity provider, you must have an account with an IDP that supports the OpenID Connect standard, for example Okta.
To use Okta as your OIDC provider, you must create an account with Okta and register an application for Tanzu Kubernetes Grid with your account.
Enter a placeholder Login redirect URI.
For example, enter http://localhost:8080/callback
. You will update this with the real URL after you deploy the management cluster.
In the General tab for your application, copy and save the Client ID and Client secret.
You will need these credentials when you deploy the management cluster.
In the Assignments tab, assign people and groups to the application.
The people and groups that you assign to the application will be the users who can access the management cluster and the Tanzu Kubernetes clusters that you use it to deploy.
You can now deploy management clusters that implement identity management, to restrict access to clusters to authorized users.
If you implement identity management, after you deploy the management cluster, there are post-deployment steps to perform, that are described in Configure Identity Management After Management Cluster Deployment.