Kubectl can speak OpenID Connect

Kubectl can speak OpenID Connect. If you configure it right, you get short-lived tokens, no stored passwords, and secure access tied directly to your identity provider.

What is Kubectl OpenID Connect (OIDC)?
OIDC is an identity layer on top of OAuth 2.0. With it, Kubernetes can verify who you are through an external provider such as Google, Azure AD, Okta, or Auth0. Kubectl communicates with the Kubernetes API using credentials issued through this flow, making authentication more secure and easier to control.

Why use OIDC with Kubectl?

  • Centralized user management in your existing identity platform.
  • No static kubeconfigs with embedded passwords or certificates.
  • Token expiration reduces risk from stolen credentials.
  • Compliance-friendly audit trails mapped to real user accounts.

How the flow works

  1. Kubectl starts an OIDC login to obtain tokens from your identity provider.
  2. Your identity provider authenticates you, often via SSO.
  3. The provider returns an ID token and refresh token.
  4. Kubectl uses the ID token to call the Kubernetes API.
  5. Tokens expire; Kubectl silently refreshes them until logout.

Setting up Kubectl OIDC

  1. Ensure your Kubernetes API server has --oidc-issuer-url, --oidc-client-id, and related flags configured.
  2. Register a client app in your identity provider with redirect URIs that match what the kubectl login flow uses.
  3. Update your kubeconfig, setting auth-provider to oidc with issuer URL, client ID, and scopes.
  4. Test with kubectl get pods to confirm the flow works.
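To make the chain of trust concrete, the following is an added example (not code from this page, from kube-apiserver, or from hoop.dev) that mirrors in Python the checks the API server applies to an ID token in step 4 of the flow above, driven by the --oidc-* flags from step 1 of the setup: issuer must equal --oidc-issuer-url, the audience must include --oidc-client-id, the token must not be expired, and the username and groups claims are mapped with their configured prefixes. It assumes an HS256 signature with a shared secret so that it runs offline; a real API server instead verifies RS256/ES256 signatures against the issuer's published JWKS. The flag values, secret and claims are constructed for the example.

```python
"""Mirror of the claim checks a Kubernetes API server applies to an OIDC ID token.

Added example, not kube-apiserver code. Assumption: HS256 with a shared secret
stands in for the issuer's JWKS-backed RS256/ES256 signature so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Values a cluster admin would pass to kube-apiserver (constructed for the example).
APISERVER_FLAGS = {
    "--oidc-issuer-url": "https://issuer.example.com",
    "--oidc-client-id": "kubernetes",
    "--oidc-username-claim": "email",
    "--oidc-username-prefix": "oidc:",
    "--oidc-groups-claim": "groups",
    "--oidc-groups-prefix": "oidc:",
}

DEMO_SECRET = b"example-shared-secret-not-a-real-jwks-key"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the identity provider: sign the claims as a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authenticate(token: str, flags: dict = APISERVER_FLAGS,
                 secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return {"ok": True, "user": ..., "groups": [...]} or {"ok": False, "reason": ...}."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return {"ok": False, "reason": "malformed token"}
    # 0. Signature first: nothing else in the token can be trusted before this.
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(p))
    # 1. Issuer must match --oidc-issuer-url exactly.
    if claims.get("iss") != flags["--oidc-issuer-url"]:
        return {"ok": False, "reason": "issuer mismatch"}
    # 2. Audience must include --oidc-client-id ("aud" may be a string or a list).
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if flags["--oidc-client-id"] not in auds:
        return {"ok": False, "reason": "audience mismatch"}
    # 3. Expired tokens are rejected; this is what makes short lifetimes worth having.
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    # 4. Username claim, with the same email_verified rule the API server applies
    #    when the username claim is "email": reject if the claim is present and false.
    username = claims.get(flags["--oidc-username-claim"])
    if not username:
        return {"ok": False, "reason": "username claim missing"}
    if flags["--oidc-username-claim"] == "email" and claims.get("email_verified") is False:
        return {"ok": False, "reason": "email not verified"}
    # 5. Groups claim, each entry prefixed so IdP groups cannot collide with system: groups.
    groups = claims.get(flags["--oidc-groups-claim"]) or []
    gp = flags["--oidc-groups-prefix"]
    return {"ok": True,
            "user": flags["--oidc-username-prefix"] + username,
            "groups": [gp + g for g in groups]}


if __name__ == "__main__":
    tok = mint_id_token({"iss": "https://issuer.example.com", "aud": "kubernetes",
                         "exp": time.time() + 300, "email": "alice@example.com",
                         "groups": ["platform"]})
    print(authenticate(tok))
```

The prefixes are the part worth noticing for RBAC: the subject you bind in a RoleBinding is oidc:alice@example.com, not the bare email, and a group named admin at the provider arrives as oidc:admin, so it can never be confused with a built-in group such as system:masters.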

Best practices

  • Use short token lifetimes with automatic refresh.
  • Restrict scopes to only what Kubernetes needs.
  • Rotate client secrets if your provider requires them.
  • Monitor and log failed authentication attempts.
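For the last point, monitoring failed authentication, here is an added example (not code from this page or from hoop.dev) that runs a simple detection over kube-apiserver audit log lines. The input is a handful of constructed audit events in the audit.k8s.io/v1 JSON format; a request whose credentials are rejected is recorded with a 401 response (shown as system:anonymous when anonymous auth is enabled), while a 403 means the caller authenticated but RBAC denied the request, so the two are counted separately and repeated 401s are grouped by source IP. The threshold and sample events are assumptions.

```python
"""Count failed authentications in kube-apiserver audit logs and flag bursts per source IP.

Added example, not from the page. The audit events below are constructed; real logs
have more fields, but sourceIPs, user.username and responseStatus.code are used here.
"""
import json
from collections import Counter

# Constructed sample: three 401s from one address, a successful OIDC request, and a
# 403 for the same OIDC user (authenticated, but denied by RBAC).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","responseStatus":{"code":401,"reason":"Unauthorized"},"requestReceivedTimestamp":"2024-05-01T10:00:01.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","responseStatus":{"code":401,"reason":"Unauthorized"},"requestReceivedTimestamp":"2024-05-01T10:00:02.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"oidc:alice@example.com","groups":["oidc:platform","system:authenticated"]},"sourceIPs":["198.51.100.4"],"userAgent":"kubectl/v1.29.0","responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:03.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","responseStatus":{"code":401,"reason":"Unauthorized"},"requestReceivedTimestamp":"2024-05-01T10:00:04.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"oidc:alice@example.com","groups":["oidc:platform","system:authenticated"]},"sourceIPs":["198.51.100.4"],"userAgent":"kubectl/v1.29.0","responseStatus":{"code":403,"reason":"Forbidden"},"annotations":{"authorization.k8s.io/decision":"forbid"},"requestReceivedTimestamp":"2024-05-01T10:00:05.000000Z"}
this line is not JSON and must not abort the sweep
"""


def parse_events(text: str) -> list:
    """One JSON event per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def status_code(event: dict) -> int:
    return int((event.get("responseStatus") or {}).get("code", 0))


def is_failed_auth(event: dict) -> bool:
    """401 means the presented credentials (e.g. an ID token) were not accepted."""
    return status_code(event) == 401


def failed_auth_by_source(events: list) -> Counter:
    counts = Counter()
    for ev in events:
        if is_failed_auth(ev):
            for ip in ev.get("sourceIPs", []):
                counts[ip] += 1
    return counts


def alerts(events: list, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` rejected authentications (threshold is an assumption)."""
    return sorted((ip, n) for ip, n in failed_auth_by_source(events).items() if n >= threshold)


def summarize(events: list) -> dict:
    """Keep 401 (not authenticated) apart from 403 (authenticated, denied by RBAC)."""
    summary = {"unauthorized": 0, "forbidden": 0, "ok": 0}
    for ev in events:
        code = status_code(ev)
        if code == 401:
            summary["unauthorized"] += 1
        elif code == 403:
            summary["forbidden"] += 1
        elif 200 <= code < 300:
            summary["ok"] += 1
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print(summarize(evs))
    for ip, n in alerts(evs):
        print(f"ALERT {ip}: {n} rejected authentications")
```

The 401/403 split matters when tuning alerts: a burst of 403s from a real oidc: user usually means a missing RoleBinding, while a burst of 401s means tokens are being presented that the API server does not trust, which is the signal the best-practice item above is about.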

Kubectl OpenID Connect gives you clean authentication boundaries. Cluster admins can focus on RBAC, while identity teams maintain user accounts. No mismatched passwords, no rogue kubeconfigs—just strong, federated access control.

Configure it once, and each kubectl call becomes part of a secure, token-based chain of trust.

Want to see OIDC authentication in Kubernetes without spending hours on config? Try it on hoop.dev and watch it run live in minutes.