This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication
Kubelogin is a kubectl plugin designed to streamline OpenID Connect (OIDC) authentication for Kubernetes clusters. It obtains tokens by opening a browser for the user to log in; the tokens are then cached on disk or stored in the system keyring.
Key Features:
Browser-based login for seamless authentication.
Token caching with refresh capabilities to maintain session continuity.
Support for various OIDC providers and integration as a client-go credential plugin.
Secure token storage options using the system's keyring for enhanced security.
Logout functionality achieved by deleting cached tokens.
Ideal for developers, DevOps engineers, and IT teams managing Kubernetes clusters, Kubelogin enhances security and operational efficiency. It allows users to authenticate without manually handling tokens, ensuring a smooth and secure access process to Kubernetes APIs. Kubelogin can be installed via winget, making it easily accessible for integration into existing workflows.
Here is an example of Kubernetes authentication with the Google Identity Platform:
Kubelogin is designed to run as a client-go credential plugin.
When you run kubectl, kubelogin opens the browser and you can log in to the provider.
Kubelogin then gets a token from the provider, and kubectl accesses the Kubernetes APIs with that token.
Take a look at the diagram:
# Homebrew (macOS and Linux)
brew install kubelogin
# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login
# Chocolatey (Windows)
choco install kubelogin
If you install via GitHub releases, save the binary as the name kubectl-oidc_login on your path.
When you invoke kubectl oidc-login, kubectl finds it by the naming convention of kubectl plugins.
The other install methods do this for you.
You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
Your kubeconfig looks like this:
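As an added example (not the page's own configuration), the shape of a kubeconfig user entry that runs kubelogin as a client-go exec credential plugin. The cluster name, server URL, CA path, client ID and client secret are placeholders; the get-token subcommand and the --token-cache-storage flag are assumed from the kubelogin project's documentation as I know it, and the issuer is set to Google to match the claims dump further down the page.

```yaml
apiVersion: v1
kind: Config
clusters:
- name: my-cluster                                   # placeholder
  cluster:
    server: https://kubernetes.example.com           # placeholder
    certificate-authority: /path/to/ca.crt           # placeholder
contexts:
- name: oidc@my-cluster
  context:
    cluster: my-cluster
    user: oidc
current-context: oidc@my-cluster
users:
- name: oidc
  user:
    exec:
      # kubectl runs this command and reads an ExecCredential JSON from its stdout
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token                                    # assumed subcommand name
      - --oidc-issuer-url=https://accounts.google.com
      - --oidc-client-id=YOUR_CLIENT_ID              # placeholder
      - --oidc-client-secret=YOUR_CLIENT_SECRET      # placeholder
      - --token-cache-storage=keyring                # assumed flag; keeps tokens out of plain files
```

Two checks worth making before blaming the plugin: the API server must be started with a matching --oidc-issuer-url and --oidc-client-id, or it will reject the token even though kubectl obtained it; and the `aud` claim in the ID token must equal that client ID. Running the exec command by hand (`kubectl oidc-login get-token ...`) and reading the JSON it prints is the quickest way to see what kubectl receives.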
Kubectl executes kubelogin before calling the Kubernetes APIs.
Kubelogin automatically opens the browser, and you can log in to the provider.
After the authentication, kubelogin returns the credentials to kubectl.
Kubectl then calls the Kubernetes APIs with the credentials.
% kubectl get pods
Open http://localhost:8000 for authentication
NAME READY STATUS RESTARTS AGE
echoserver-86c78fdccd-nzmd5 1/1 Running 0 26d
Kubelogin stores the ID token and refresh token in the cache.
If the ID token is still valid, it simply returns it.
If the ID token has expired, it refreshes it using the refresh token.
If the refresh token has also expired, it performs re-authentication.
Troubleshooting
Token cache
Kubelogin stores the token cache on the file system by default.
For enhanced security, it is recommended to store it in the keyring.
See the token cache documentation for details.
You can log out by deleting the token cache.
% kubectl oidc-login clean
Deleted the token cache at /home/user/.kube/cache/oidc-login
Deleted the token cache from the keyring
Kubelogin will ask you to log in via the browser again.
If the browser still has a session cookie for the provider, you also need to log out from the provider or clear the cookie.
ID token claims
You can run the setup command to dump the claims of an ID token from the provider.
% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
...
You got a token with the following claims:
{
"sub": "********",
"iss": "https://accounts.google.com",
"aud": "********",
...
}
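The following is an added example, not kubelogin's code, that walks through two things the page describes: the token cache policy (return the cached ID token while it is valid, refresh it with the refresh token when it has expired, and fall back to a fresh login when the provider rejects the refresh token), and the claims dump of the setup command above, with the same masking of `sub` and `aud`. It also shows the ExecCredential JSON that any client-go exec plugin hands back to kubectl. The tokens are constructed, unsigned test JWTs; `FakeProvider`, `RefreshError`, `TokenCache` and `ISSUER` are assumptions made for this demo, and a real plugin verifies the token signature against the issuer's published keys before trusting any claim.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ISSUER = "https://accounts.google.com"   # constructed to match the claims dump above


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED test token (alg=none); only for this offline demo."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Dump the payload claims of a JWT without verifying it (troubleshooting display only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def redact_claims(claims: dict, sensitive=("sub", "aud")) -> dict:
    """Mask identifying claims the way the setup output above does."""
    return {k: ("********" if k in sensitive else v) for k, v in claims.items()}


class RefreshError(Exception):
    """Provider rejected the refresh token (expired or revoked)."""


class FakeProvider:
    """Constructed stand-in for an OIDC provider; issues unsigned test tokens."""

    def __init__(self, clock: int, lifetime: int = 3600):
        self.clock, self.lifetime = clock, lifetime   # clock is advanced by the caller
        self.valid_refresh_tokens = set()
        self.issued = 0
        self.logins = 0   # how many times the browser flow "ran"

    def _issue(self) -> Tuple[str, str]:
        self.issued += 1
        id_token = make_test_jwt({"iss": ISSUER, "sub": "user-123", "aud": "client-abc",
                                  "iat": self.clock, "exp": self.clock + self.lifetime})
        refresh_token = f"rt-{self.issued}"
        self.valid_refresh_tokens.add(refresh_token)
        return id_token, refresh_token

    def authenticate(self) -> Tuple[str, str]:
        self.logins += 1   # in the real plugin this is the browser round-trip
        return self._issue()

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        if refresh_token not in self.valid_refresh_tokens:
            raise RefreshError("invalid_grant")
        self.valid_refresh_tokens.discard(refresh_token)   # single-use rotation
        return self._issue()


@dataclass
class TokenCache:
    id_token: Optional[str] = None
    refresh_token: Optional[str] = None


def is_expired(id_token: str, now: int, skew: int = 30) -> bool:
    # treat a token as expired slightly early so it does not expire mid-request
    return decode_claims(id_token)["exp"] <= now + skew


def exec_credential(id_token: str) -> dict:
    """The JSON a client-go exec plugin writes to stdout for kubectl."""
    exp = decode_claims(id_token)["exp"]
    return {"apiVersion": "client.authentication.k8s.io/v1beta1",
            "kind": "ExecCredential",
            "status": {"token": id_token,
                       "expirationTimestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(exp))}}


def get_token(cache: TokenCache, now: int,
              refresh: Callable[[str], Tuple[str, str]],
              authenticate: Callable[[], Tuple[str, str]]) -> Tuple[str, dict]:
    """Apply the cache policy described above; returns (action, ExecCredential)."""
    if cache.id_token and not is_expired(cache.id_token, now):
        return "cached", exec_credential(cache.id_token)
    if cache.refresh_token:
        try:
            cache.id_token, cache.refresh_token = refresh(cache.refresh_token)
            return "refreshed", exec_credential(cache.id_token)
        except RefreshError:
            pass   # refresh token no longer accepted: fall through to re-authentication
    cache.id_token, cache.refresh_token = authenticate()
    return "reauthenticated", exec_credential(cache.id_token)


if __name__ == "__main__":
    start = 1_700_000_000
    provider, cache = FakeProvider(start), TokenCache()
    for t in (start, start + 60, start + 7200):   # first run, within lifetime, after expiry
        provider.clock = t
        action, cred = get_token(cache, t, provider.refresh, provider.authenticate)
        print(t - start, action, cred["status"]["expirationTimestamp"])
    print(json.dumps(redact_claims(decode_claims(cache.id_token)), indent=2))
```

Only the ID token goes into the ExecCredential; the refresh token stays in the cache, which is why the page recommends the keyring over a plain file for that cache, and why `oidc-login clean` is the logout operation.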