// the find
vmware/pinniped
Pinniped is the easy, secure way to log in to your Kubernetes clusters.
Pinniped is a Kubernetes auth federation layer that lets you plug your existing identity provider (OIDC, LDAP, Active Directory, GitHub) into any cluster and get consistent `kubectl` login across all of them. It runs as two in-cluster components: a Supervisor that handles IDP federation and token issuance, and a Concierge that validates those tokens at the API server boundary. The target audience is platform teams managing multiple clusters who are tired of per-cluster auth configurations.
The two-component architecture is genuinely well thought out — Supervisor handles the messy IDP side once, Concierge handles per-cluster validation, and the separation means you can federate dozens of clusters without repeating IDP configuration. The `pinniped get kubeconfig` CLI command that auto-generates kubeconfigs with exec credential plugins is the right UX call; users don't need to understand the plumbing. GitHub IDP support is a practical addition for teams already using GitHub for access control. The generated client libraries versioned per Kubernetes release (visible in the `generated/1.31/` directory tree) mean you're not guessing at API compatibility.
728 stars for a five-year-old VMware-originated project is a weak adoption signal — Dex handles similar federation use cases and has 10x the community. Everything is still v1alpha1, which is a real concern before you build a platform dependency on it; the API surfaces have been alpha for years with no clear GA timeline. The `.go.tmpl` pattern for generating per-Kubernetes-version APIs is maintenance overhead that will bite you when you need to support a new K8s version quickly. Documentation lives on an external site, which means the README is essentially a marketing brochure with no quick-start that works offline.