All posts
August 25, 20223 min read

K9s Single Sign-On (SSO): Simplify Kubernetes Cluster Access

Managing multiple Kubernetes clusters efficiently can become challenging, especially as your infrastructure scales. K9s, a popular terminal-based UI tool for Kubernetes, provides an excellent way to inspect and manage your workloads. While it simplifies day-to-day cluster interactions, integrating Single Sign-On (SSO) takes it one step further by streamlining access control and enhancing security practices. In this article, we’ll break down what implementing SSO with K9s means, why it’s benefic

Free White Paper

Single Sign-On (SSO) + Kubernetes API Server Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Managing multiple Kubernetes clusters efficiently can become challenging, especially as your infrastructure scales. K9s, a popular terminal-based UI tool for Kubernetes, provides an excellent way to inspect and manage your workloads. While it simplifies day-to-day cluster interactions, integrating Single Sign-On (SSO) takes it one step further by streamlining access control and enhancing security practices.

In this article, we’ll break down what implementing SSO with K9s means, why it’s beneficial, and the exact steps to make it work for your team.

What is Single Sign-On (SSO) in Kubernetes Context?

Single Sign-On (SSO) enables users to authenticate once and gain access to multiple applications or services without needing to log in repeatedly. Instead of juggling numerous logins or service-specific credentials, users authenticate through a central identity provider (IdP).

In the Kubernetes world, SSO applies directly to tools like K9s that require authenticated access to one or more clusters. This approach improves operational security by adhering to strong identity management protocols and reduces friction for developers pushing critical updates or debugging issues.

Identity protocols like OpenID Connect (OIDC) or SAML are typically used to implement SSO alongside providers such as Okta, Auth0, or Azure Active Directory. Tools like Kubernetes' API server, K9s, and even CI/CD systems benefit directly from these integrations.

Why Use SSO with K9s?

  1. Centralized Access Control
    Instead of managing kubectl configurations and personal credentials for every developer or administrator, SSO centralizes access. This ensures permissions can be updated universally in case of team member changes.
  2. Improved Security Posture
    Strong password policies, multifactor authentication (MFA), and session expiration — all essential elements of SSO — add an extra layer of protection.
  3. Simpler User Onboarding
    New employees or contractors can be onboarded quickly by assigning predefined roles in your identity provider, removing manual credential sharing or per-cluster configurations.
  4. Seamless Multi-Cluster Access
    Whether you're managing staging, production, or dev clusters, SSO lets you switch between clusters efficiently using a single identity across all tools, including K9s.

How to Set Up SSO with K9s

Step 1: Configure Your Kubernetes Cluster for SSO

K9s relies on Kubernetes' API server for authentication, so the first step is to enable SSO integration in your cluster. Most Kubernetes distributions support OIDC out-of-the-box.

Continue reading? Get the full guide.

Single Sign-On (SSO) + Kubernetes API Server Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Select an Identity Provider (e.g., Okta, Auth0, Keycloak, Azure AD).
  • Generate client IDs/secrets and configure your IdP settings (like callback URLs) based on the Kubernetes API server's requirements.
  • Update your kube-apiserver configuration by adding these flags:
--oidc-issuer-url=https://[your-idp-domain] 
--oidc-client-id=[your-client-id] 
--oidc-username-claim=email 
--oidc-groups-claim=groups

Step 2: Create Kubernetes Role Bindings

Design roles and permissions in Kubernetes aligned with user needs. For example:

  • Developers may only require access to staging clusters with limited permissions.
  • Administrators need broader, often cluster-admin-level roles.

Use RoleBindings or ClusterRoleBindings to map your IdP's groups to Kubernetes roles.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: dev-team-binding
 namespace: example
subjects:
 - kind: Group
 name: dev-team
 apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role
 name: view
 apiGroup: rbac.authorization.k8s.io

Step 3: Save SSO Tokens in kubeconfig with kubectl

Log in to your Kubernetes cluster using your IdP credentials. Tools like kubectl oidc-login or custom scripts from providers simplify the process. Update your kubeconfig file to reflect the token necessary for your selected identity provider.

Once authenticated, tokens issued through your IdP will be used for access, allowing K9s to function seamlessly.

Step 4: Start K9s

K9s works on top of your kubeconfig file, so once you’ve authenticated through your SSO implementation, launch K9s as usual:

k9s --kubeconfig ~/.kube/config

From here, your SSO-based identity ensures secure and unified access to all your clusters.

Increase Productivity with Secure Access

Integrating SSO with K9s removes redundancy from multi-cluster authentication while adhering to enterprise-grade security best practices. This streamlines daily workflows, ensuring developers focus on building and deploying, not struggling with authentication.

Want to see how SSO-powered Kubernetes operations work in minutes? Try Hoop.dev to experience seamless cluster access and fine-grained session control today.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts