kubelogin

This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.

Here is an example of Kubernetes authentication with the Google Identity Platform:

Kubelogin is designed to run as a client-go credential plugin. When you run kubectl, kubelogin opens the browser and you can log in to the provider. Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token. Take a look at the diagram:

Getting Started

Setup

Install the latest release from Homebrew, Krew, Chocolatey or GitHub Releases.

# Homebrew (macOS and Linux)
brew install int128/kubelogin/kubelogin

# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login

# Chocolatey (Windows)
choco install kubelogin

If you install via GitHub releases, save the binary as the name kubectl-oidc_login on your path. When you invoke kubectl oidc-login, kubectl finds it by the naming convention of kubectl plugins. The other install methods do this for you.

You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig. Your kubeconfig looks like this:

users:
  - name: oidc
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1
        command: kubectl
        args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=ISSUER_URL
          - --oidc-client-id=YOUR_CLIENT_ID

See the setup guide for more.

Run

Run kubectl.

kubectl get pods

Kubectl executes kubelogin before calling the Kubernetes APIs. Kubelogin automatically opens the browser, and you can log in to the provider.

After the authentication, kubelogin returns the credentials to kubectl. Kubectl then calls the Kubernetes APIs with the credentials.

% kubectl get pods
Open http://localhost:8000 for authentication
NAME                          READY   STATUS    RESTARTS   AGE
echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d

Kubelogin stores the ID token and refresh token to the cache. If the ID token is valid, it just returns it. If the ID token has expired, it will refresh the token using the refresh token. If the refresh token has expired, it will perform re-authentication.

Troubleshooting

Token cache

If the OS keyring is available, kubelogin stores the token cache to the OS keyring. Otherwise, kubelogin stores the token cache to the file system. See the token cache for details.

You can log out by deleting the token cache.

% kubectl oidc-login clean
Deleted the token cache at /home/user/.kube/cache/oidc-login
Deleted the token cache in the keyring

Kubelogin will ask you to log in via the browser again. If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.

ID token claims

You can run setup command to dump the claims of an ID token from the provider.

% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
...
You got a token with the following claims:

{
  "sub": "********",
  "iss": "https://accounts.google.com",
  "aud": "********",
  ...
}

You can set -v1 option to increase the log level.

users:
  - name: oidc
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1
        command: kubectl
        args:
          - oidc-login
          - get-token
          - -v1

You can run the acceptance test to verify if kubelogin works with your provider.

Docs

• Setup guide
• Usage and options
• Standalone mode
• System test
• Acceptance_test for identity providers

Contributions

This is an open source software licensed under Apache License 2.0. Feel free to open issues and pull requests for improving code and documents.