This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.

It is designed to run as a client-go credential plugin. When you run kubectl, kubelogin opens the browser and you can log in to the provider. Kubelogin then gets a token from the provider, and kubectl accesses the Kubernetes APIs with that token.
Install the latest release from Homebrew, Krew or GitHub Releases as follows:

```sh
# Homebrew
brew install int128/kubelogin/kubelogin

# Krew
kubectl krew install oidc-login

# GitHub Releases
curl -LO https://github.com/int128/kubelogin/releases/download/v1.14.2/kubelogin_linux_amd64.zip
unzip kubelogin_linux_amd64.zip
ln -s kubelogin kubectl-oidc_login
```

You need to configure the OIDC provider, Kubernetes API server and role binding. See the following documents for more:
- Getting Started with Keycloak
- Getting Started with dex and GitHub
- Getting Started with Google Identity Platform
Configure the kubeconfig to run kubelogin as a client-go credential plugin. It provides transparent login without manually running the kubelogin command. For example,

```yaml
users:
- name: keycloak
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://issuer.example.com
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET
```

Run kubectl.

```sh
kubectl get pods
```

Kubectl executes kubelogin before calling the Kubernetes APIs. Kubelogin automatically opens the browser and you can log in to the provider.
After authentication, kubelogin returns the credentials to kubectl, and finally kubectl calls the Kubernetes APIs with those credentials.

```
% kubectl get pods
Open http://localhost:8000 for authentication
You got a valid token until 2019-05-18 10:28:51 +0900 JST
NAME                          READY   STATUS    RESTARTS   AGE
echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
```
Kubelogin writes the ID token and refresh token to the token cache file.
If the cached ID token is still valid, kubelogin just returns it. If the cached ID token has expired, kubelogin refreshes it using the refresh token. If the refresh token has also expired, kubelogin performs authentication again.
You can log out by removing the token cache directory (default ~/.kube/cache/oidc-login). Kubelogin performs authentication if the token cache file does not exist.
You can also update the ID token in the kubeconfig by running the kubelogin command directly. See standalone mode for more.
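The following Go program is an added illustration of the cache logic described above and of the document a client-go credential plugin hands back to kubectl; it is not kubelogin's own code. The `TokenCache` struct, the unsigned sample ID tokens and the provider stub passed as `refresh` are constructed for this example, and the `ExecCredential` output uses the same `client.authentication.k8s.io/v1beta1` apiVersion as the kubeconfig above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenCache holds the two values the README says kubelogin writes to its token cache file.
type TokenCache struct {
	IDToken      string `json:"id_token"`
	RefreshToken string `json:"refresh_token"`
}

// Outcomes of the cache check, named after the three cases in the README.
const (
	UseCached      = "use cached ID token"
	Refreshed      = "refreshed ID token with refresh token"
	Reauthenticate = "perform authentication"
)

// idTokenExpiry extracts the exp claim from a compact JWT. It deliberately does not verify the
// signature: exp only decides whether to reuse the token; the API server verifies every request.
func idTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("ID token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("ID token has no usable exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// resolve implements the three-way decision from the README: a still-valid cached ID token is
// returned as is, an expired one is refreshed, and a missing cache or a refresh the provider
// rejects (expired refresh token) falls back to full authentication. refresh stands in for the
// request to the provider's token endpoint.
func resolve(cache *TokenCache, refresh func(string) (string, error), now time.Time) (string, string) {
	if cache == nil || cache.IDToken == "" {
		return "", Reauthenticate
	}
	if exp, err := idTokenExpiry(cache.IDToken); err == nil && now.Before(exp) {
		return cache.IDToken, UseCached
	}
	if cache.RefreshToken != "" {
		if fresh, err := refresh(cache.RefreshToken); err == nil {
			return fresh, Refreshed
		}
	}
	return "", Reauthenticate
}

// execCredential renders the client-go ExecCredential document that a credential plugin prints
// to stdout for kubectl; the apiVersion matches the exec section of the kubeconfig above.
func execCredential(idToken string) ([]byte, error) {
	exp, err := idTokenExpiry(idToken)
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "client.authentication.k8s.io/v1beta1",
		"kind":       "ExecCredential",
		"status": map[string]string{
			"token":               idToken,
			"expirationTimestamp": exp.UTC().Format(time.RFC3339),
		},
	})
}

// constructedIDToken builds an unsigned (alg=none) JWT with the given expiry. It exists only so
// this example runs offline; real ID tokens arrive signed from the provider.
func constructedIDToken(exp time.Time) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]int64{"exp": exp.Unix()})
	return base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Now()
	// Constructed provider stub: only "good-refresh" is still accepted at the token endpoint.
	refresh := func(rt string) (string, error) {
		if rt != "good-refresh" {
			return "", errors.New("invalid_grant")
		}
		return constructedIDToken(now.Add(time.Hour)), nil
	}
	cache := &TokenCache{IDToken: constructedIDToken(now.Add(-time.Minute)), RefreshToken: "good-refresh"}
	token, action := resolve(cache, refresh, now)
	out, _ := execCredential(token)
	fmt.Printf("%s\n%s\n", action, out)
}
```

Note that `idTokenExpiry` reads the `exp` claim without checking the signature. That is acceptable only because the plugin uses the claim to decide when to refresh, not to grant anything: the Kubernetes API server validates the signature, issuer and audience of the token on every request, so a tampered cache file can at most cause an extra login, never unauthorized access.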
This document is for the development version. If you are looking for a specific version, see the release tags.
Kubelogin supports the following options:

```
% kubelogin get-token -h
Run as a kubectl credential plugin

Usage:
  kubelogin get-token [flags]

Flags:
      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
      --skip-open-browser              If true, it does not open the browser on authentication
      --username string                If set, perform the resource owner password credentials grant
      --password string                If set, use the password instead of asking it
      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
      --oidc-client-id string          Client ID of the provider (mandatory)
      --oidc-client-secret string      Client secret of the provider
      --oidc-extra-scope strings       Scopes to request to the provider
      --certificate-authority string   Path to a cert file for the certificate authority
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
  -h, --help                           help for get-token

Global Flags:
      --add_dir_header                   If true, adds the file directory to the header
      --alsologtostderr                  log to standard error as well as files
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
  -v, --v Level                          number for the log level verbosity
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
```

See also the options in standalone mode.
You can set the extra scopes to request to the provider by --oidc-extra-scope:

```yaml
      - --oidc-extra-scope=email
      - --oidc-extra-scope=profile
```

You can use your self-signed certificate for the provider:

```yaml
      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
```

You can set the following environment variables if you are behind a proxy: HTTP_PROXY, HTTPS_PROXY and NO_PROXY.
See also net/http#ProxyFromEnvironment.
Kubelogin performs the authorization code flow by default.
It starts the local server at port 8000 or 18000 by default. You need to register the following redirect URIs to the provider:

- http://localhost:8000
- http://localhost:18000 (used if port 8000 is already in use)

You can change the ports by the option:

```yaml
      - --listen-port 12345
      - --listen-port 23456
```

You can also use the resource owner password credentials grant flow. Keycloak supports this flow, but you need to explicitly enable the "Direct Access Grants" feature in the client settings. Most OIDC providers do not support this flow.
You can pass the username and password:

```yaml
      - --username USERNAME
      - --password PASSWORD
```

If the password is not set, kubelogin will show the prompt.

```
% kubelogin --username USER
Password:
```
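To illustrate the port fallback described above for the authorization code flow, here is an added Go example (not kubelogin's code) that tries the configured ports in order and reports the redirect URI the provider must have registered for whichever port was bound. The port list mirrors the default `--listen-port` values; the function name `listenFirstFree` is an assumption of this example.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// listenFirstFree tries the given ports in order and returns the first listener it could bind,
// together with the redirect URI the provider must have registered for that port. It mirrors
// the README's description of --listen-port (default 8000, then 18000 if 8000 is in use).
func listenFirstFree(ports []int) (net.Listener, string, error) {
	var lastErr error
	for _, port := range ports {
		// Bind to the localhost name only, so the callback carrying the authorization code is
		// reachable from the local browser and not from other hosts.
		ln, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
		if err != nil {
			lastErr = err
			continue
		}
		return ln, fmt.Sprintf("http://localhost:%d", port), nil
	}
	return nil, "", fmt.Errorf("no free port among %v: %v", ports, lastErr)
}

func main() {
	ln, redirectURI, err := listenFirstFree([]int{8000, 18000})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	// The URI printed here is the one that must appear in the provider's redirect URI list.
	fmt.Println("Open", redirectURI, "for authentication")
}
```

Because the redirect URI the provider sees depends on which port was actually bound, every port in the list has to be registered with the provider; registering only http://localhost:8000 makes the login fail silently on machines where 8000 is already taken.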
You can access the Kubernetes Dashboard using kubelogin and kauthproxy.

This is open source software licensed under Apache License 2.0. Feel free to open issues and pull requests for improving code and documents.

Go 1.12 or later is required.

```sh
# Run lint and tests
make check

# Compile and run the command
make
./kubelogin
```