github/kubelogin
1
0
Fork 0
mirror of https://github.com/int128/kubelogin.git synced 2026-05-20 23:02:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
v1.22.1
kubelogin/docs/standalone-mode.md
Hidetake Iwata 98b84d87e0 Refactor: change options description
2020-07-26 15:39:09 +09:00

3.7 KiB
Raw Permalink Blame History

Standalone mode

You can run kubelogin as a standalone command. In this mode, you need to manually run the command before running kubectl.

Configure the kubeconfig like:

- name: keycloak
  user:
    auth-provider:
      config:
        client-id: YOUR_CLIENT_ID
        client-secret: YOUR_CLIENT_SECRET
        idp-issuer-url: https://issuer.example.com
      name: oidc

Run kubelogin:

kubelogin

# or run as a kubectl plugin
kubectl oidc-login

It automatically opens the browser and you can log in to the provider.

keycloak-login

After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.

% kubelogin
Open http://localhost:8000 for authentication
You got a valid token until 2019-05-18 10:28:51 +0900 JST
Updated ~/.kubeconfig

Now you can access the cluster.

% kubectl get pods
NAME                          READY   STATUS    RESTARTS   AGE
echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d

Your kubeconfig looks like:

users:
- name: keycloak
  user:
    auth-provider:
      config:
        client-id: YOUR_CLIENT_ID
        client-secret: YOUR_CLIENT_SECRET
        idp-issuer-url: https://issuer.example.com
        id-token: ey...       # kubelogin will add or update the ID token here
        refresh-token: ey...  # kubelogin will add or update the refresh token here
      name: oidc

If the ID token is valid, kubelogin does nothing.

% kubelogin
You already have a valid token until 2019-05-18 10:28:51 +0900 JST

If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig. If the refresh token has expired, kubelogin will proceed the authentication.

Usage

Kubeconfig

You can set path to the kubeconfig file by the option or the environment variable just like kubectl. It defaults to ~/.kube/config.

# by the option
kubelogin --kubeconfig /path/to/kubeconfig

# by the environment variable
KUBECONFIG="/path/to/kubeconfig1:/path/to/kubeconfig2" kubelogin

If you set multiple files, kubelogin will find the file which has the current authentication (i.e. user and auth-provider) and write a token to it.

Kubelogin supports the following keys of auth-provider in a kubeconfig. See kubectl authentication for more.

Key Direction Value
idp-issuer-url Read (Mandatory) Issuer URL of the provider.
client-id Read (Mandatory) Client ID of the provider.
client-secret Read (Mandatory) Client Secret of the provider.
idp-certificate-authority Read CA certificate path of the provider.
idp-certificate-authority-data Read Base64 encoded CA certificate of the provider.
extra-scopes Read Scopes to request to the provider (comma separated).
id-token Write ID token got from the provider.
refresh-token Write Refresh token got from the provider.

Extra scopes

You can set the extra scopes to request to the provider by extra-scopes in the kubeconfig.

kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email

Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:

kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG

CA Certificates

You can use your self-signed certificates for the provider.

kubectl config set-credentials keycloak \
  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
Reference in New Issue View Git Blame Copy Permalink