v0.15.0

@pinniped-ci-bot released this 04 Mar 17:35 (commit b987783)

Release v0.15.0

Release Image

  • ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.15.0 (GitHub Container Registry)
  • docker.io/getpinniped/pinniped-server:v0.15.0 (DockerHub)

These images can also be referenced by their digest: sha256:62be9ea6c98760439a4f471963c654fdc789ea839edbfb8102e7022462dcc782.

Changes

The user's group membership in Active Directory and LDAP is now refreshed as they interact with the supervisor to obtain new credentials.

Major Changes

Active Directory and LDAP group refresh allows group membership changes to be quickly reflected in Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in sync with the identity provider. This functionality for OIDC was introduced in v0.13.0, and Active Directory and LDAP identity providers now have the same behavior.

Warning

In some Active Directory and LDAP environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.

If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set spec.groupSearch.skipGroupRefresh to true in your ActiveDirectoryIdentityProvider or LDAPIdentityProvider. This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login.

skipGroupRefresh is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
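The two options from the warning above, side by side, as an added example that is not part of these release notes: a narrowed, non-nested group search that keeps refresh enabled, and the experimental skipGroupRefresh opt-out. The host name, base DNs, Secret name and CA value are placeholders, and the non-nested filter assumes an Active Directory schema where the group's member attribute lists user DNs.

```yaml
# Added example, not from the release notes. ad.example.com, the DNs and
# the Secret name are constructed placeholders.
---
# Preferred: keep group refresh on, but make the group query cheap.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: ActiveDirectoryIdentityProvider
metadata:
  name: corp-ad
  namespace: pinniped-supervisor
spec:
  host: ad.example.com:636
  tls:
    certificateAuthorityData: "<base64 CA bundle placeholder>"
  bind:
    secretName: corp-ad-bind-account   # placeholder basic-auth Secret
  userSearch:
    base: OU=Users,DC=example,DC=com   # narrowed from the domain root
  groupSearch:
    # Search only the OU that holds the groups bound in Kubernetes RBAC
    # instead of the whole directory.
    base: OU=KubernetesGroups,DC=example,DC=com
    # Direct membership only. The provider's default AD filter uses the
    # LDAP_MATCHING_RULE_IN_CHAIN rule to walk nested groups, which is
    # the expensive part. "{}" is replaced with the user's DN.
    filter: "(&(objectClass=group)(member={}))"
---
# Fallback only when the query cannot be made performant: the groups
# seen by Kubernetes stay frozen until the user's next login
# (approximately a day), so removal from a group is not enforced until then.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: ActiveDirectoryIdentityProvider
metadata:
  name: corp-ad-static-groups
  namespace: pinniped-supervisor
spec:
  host: ad.example.com:636
  tls:
    certificateAuthorityData: "<base64 CA bundle placeholder>"
  bind:
    secretName: corp-ad-bind-account   # placeholder basic-auth Secret
  groupSearch:
    base: DC=example,DC=com
    skipGroupRefresh: true   # experimental; re-read release notes on upgrade
```

Apply only one of the two manifests per identity provider; the first is the configuration to try before falling back to the second.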

Minor Changes

  • Update Go to v1.17.7 (#999)
  • The Pinniped CLI now requires https issuers (#1013)
  • Allow alternate deployment mechanisms for integration tests (#1028)
  • Add toleration for new "control-plane" node label for Concierge deploy (#1031)
  • Add generated code for Kubernetes 1.21, 1.22, and 1.23 (#1040)
  • Update Kubernetes dependencies to v0.23.4 (#1041)
  • Warn users when their groups have changed upon refresh (#1043)
  • Fix rendering of API reference docs when | characters are used (#1044)

Diffs

A complete list of changes (84 commits, 1,344 changed files with 47,336 additions and 1,934 deletions) can be found here.

Acknowledgements

  • Thanks to @jvanzyl for altering our helper scripts so that users can run integration tests using deployment mechanisms other than kapp.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.