Skip to content
dexter is a Kubernetes OIDC helper with as much automation as possible
Branch: master
Clone or download
Latest commit 8a03b77 Apr 9, 2019


Build Status

dexter is a OIDC (OpenId Connect) helper to create a hassle-free Kubernetes login experience powered by Google or Azure as Identity Provider. All you need is a properly configured Google or Azure client ID & secret.

Authentication Flow

dexter will open a new browser window and redirect you to your configured Idp. The only interaction you have is the login at your provider and your k8s config is updated automatically.

dexter flow

See dexter in action

dexter in action


Google credentials

Or, configure Azure credentials

Auto pilot configuration

Dexter also support auto pilot mode. If your existing kubectl context uses one of the supported OIDC-providers, Dexter will try to use the OIDC details from kubeconfig.


You can download a prebuilt version from the Github release section or build it yourself:

go get -u
cd $GOPATH/src/

# Linux
OS=linux make

# MacOS
OS=darwin make

It is possible to embed your Google credentials into the resulting binary. CLIENT_SECRET=mySecret OS=linux make

Run dexter

Run dexter without a command to access the help screen/intro.

❯ ./build/dexter_darwin_amd64
    .___               __
  __| _/____ ___  ____/  |_  ___________
 / __ |/ __ \\  \/  /\   __\/ __ \_  __ \
/ /_/ \  ___/ >    <  |  | \  ___/|  | \/
\____ |\___  >__/\_ \ |__|  \___  >__|
     \/    \/      \/           \/

dexter is a authentication helper for Kubernetes that does the heavy
lifting for SSO (Single Sign On) for Kubernetes.

  dexter [command]

Available Commands:
  auth        Authenticate with OIDC provider
  help        Help about any command
  version     Print the version number of dexter

  -h, --help      help for dexter
  -v, --verbose   verbose output

Use "dexter [command] --help" for more information about a command.

Running dexter auth will start the authentication process.

 ❯ ./build/dexter_darwin_amd64 auth --help
Use your Google login to get a JWT (JSON Web Token) and update your
local k8s config accordingly. A refresh token is added and automatically refreshed
by kubectl. Existing token configurations are overwritten.
For details go to:

dexters authentication flow

1. Open a browser window/tab and redirect you to Google (
2. You login with your Google credentials
3. You will be redirected to dexters builtin webserver and can now close the browser tab
4. dexter extracts the token from the callback and patches your ~/.kube/config

➜ Unless you have a good reason to do so please use the built-in google credentials (if they were added at build time)!

  dexter auth [flags]

  -c, --callback string        Callback URL. The listen address is dreived from that. (default "")
  -i, --client-id string       Google clientID (default "REDACTED")
  -s, --client-secret string   Google clientSecret (default "REDACTED")
  -d, --dry-run                Toggle config overwrite
  -e, --endpoint string        OIDC-providers: google or azure (default "google")
  -h, --help                   help for auth
  -k, --kube-config string     Overwrite the default location of kube config (~/.kube/config) (default "/Users/dkerwin/.kube/config")
  -t, --tenant string          Your azure tenant (default "common")

Global Flags:
  -v, --verbose   verbose output

Contribution Guidelines

It's awesome that you consider contributing to dexter and it's really simple. Here's how it's done:

  • fork repository on Github
  • create a topic/feature branch
  • push your changes
  • update documentation if necessary
  • open a pull request


Initial code was written by Daniel Kerwin & David González Ruiz


dexter was inspired by this blog post series by Joel Speed, Micah Hausler's k8s-oidc-helper & CoreOS dex.


MIT License. See License for full text.

You can’t perform that action at this time.