This topic explains how Tanzu Kubernetes Grid implements identity and access management.
Tanzu Kubernetes Grid implements user authentication with Pinniped, an open-source authentication service for Kubernetes clusters. Pinniped allows you to plug external OpenID Connect (OIDC) or LDAP identity providers (IdP) into Tanzu Kubernetes (workload) clusters, so that you can control user access to those clusters. For LDAP authentication, Pinniped uses Dex as the endpoint to connect to your upstream LDAP IdP. If you use OIDC, Pinniped provides its own endpoint, so Dex is not required. Pinniped and Dex run automatically as in-cluster services in your management clusters if you enable identity management. For instructions on how to enable identity management in Tanzu Kubernetes Grid, see Configure Identity Management.
The authentication flow between the management and workload clusters includes the following:
kubeconfig for the workload cluster to the user.
kubeconfig to connect to the workload cluster, for example, by running kubectl get pods --kubeconfig.
kubectl get pods request, depending on the permissions of the user’s role.
In the image below, the blue arrows represent the authentication flow between the workload cluster, the management cluster, and the external IdP. The green arrows represent Tanzu CLI and kubectl traffic between the workload cluster, the management cluster, and the external IdP.
The diagram below shows the identity management components that Tanzu Kubernetes Grid deploys in the management cluster and in workload clusters when you enable identity management.
Understanding the diagram:
The purple-bordered rectangles show the identity management components, which include Pinniped, Dex, and a post-deployment job in the management cluster and Pinniped and a post-deployment job in the workload cluster. In Tanzu Kubernetes Grid v1.3.0, Pinniped uses Dex as the endpoint for both OIDC and LDAP providers. In v1.3.1 and later, Dex is deployed only for LDAP providers. If you configure an OIDC provider in v1.3.1 and later, Pinniped communicates with your provider directly, without going through Dex.
The gray-bordered rectangles show the components that Tanzu Kubernetes Grid uses to control the lifecycle of the identity management components, which include the Tanzu CLI,
The green-bordered rectangle shows the Pinniped add-on secret created for the management cluster.
The orange-bordered rectangle in the management cluster shows the Pinniped add-on secret created for the workload cluster. The secret is mirrored to the workload cluster.
Internally, Tanzu Kubernetes Grid deploys the identity management components as an auto-managed package, pinniped. This package contains the pinniped add-on. When you deploy a management cluster with identity management enabled or enable it as a post-deployment step, the Tanzu CLI creates a Kubernetes secret for the pinniped add-on in the management cluster. tanzu-addons-manager reads the secret, which contains your IdP configuration information, and instructs kapp-controller to configure the pinniped add-on using the configuration information from the secret.
The Tanzu CLI creates a separate pinniped add-on secret for each workload cluster that you deploy from the management cluster. All secrets are stored in the management cluster. For more information, see Auto-Managed Packages.
Tanzu Kubernetes Grid uses role-based access control (RBAC) authorization. For instructions on how to configure RBAC, see Configure RBAC.