Skip to content
Switch branches/tags

kubelogin go Go Report Card

This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.

Here is an example of Kubernetes authentication with the Google Identity Platform:


Kubelogin is designed to run as a client-go credential plugin. When you run kubectl, kubelogin opens the browser and you can log in to the provider. Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token. Take a look at the diagram:

Diagram of the credential plugin

Getting Started


Install the latest release from Homebrew, Krew, Chocolatey or GitHub Releases.

# Homebrew (macOS and Linux)
brew install int128/kubelogin/kubelogin

# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login

# Chocolatey (Windows)
choco install kubelogin

If you install via GitHub releases, you need to put the kubelogin binary on your path under the name kubectl-oidc_login so that the kubectl plugin mechanism can find it when you invoke kubectl oidc-login. The other install methods do this for you.

You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig. The kubeconfig looks like:

- name: oidc
      command: kubectl
      - oidc-login
      - get-token
      - --oidc-issuer-url=ISSUER_URL
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET

See setup guide for more.


Run kubectl.

kubectl get pods

Kubectl executes kubelogin before calling the Kubernetes APIs. Kubelogin automatically opens the browser, and you can log in to the provider.


After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.

% kubectl get pods
Open http://localhost:8000 for authentication
NAME                          READY   STATUS    RESTARTS   AGE
echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d

Kubelogin writes the ID token and refresh token to the token cache file.

If the cached ID token is valid, kubelogin just returns it. If the cached ID token has expired, kubelogin will refresh the token using the refresh token. If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).


You can log out by removing the token cache directory (default ~/.kube/cache/oidc-login). Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate

You can dump claims of an ID token by setup command.

% kubectl oidc-login setup --oidc-issuer-url --oidc-client-id REDACTED --oidc-client-secret REDACTED
You got a token with the following claims:

  "sub": "********",
  "iss": "",
  "aud": "********",

You can increase the log level by -v1 option.

- name: oidc
      command: kubectl
      - oidc-login
      - get-token
      - -v1

You can verify kubelogin works with your provider using acceptance test.


Related works

Kubernetes Dashboard

You can access the Kubernetes Dashboard using kubelogin and kauthproxy.


This is an open source software licensed under Apache License 2.0. Feel free to open issues and pull requests for improving code and documents.

Your pull request will be merged into master with squash.


Go 1.16+ is required.


See also: