{"id":18677796,"url":"https://github.com/clastix/kubectl-login","last_synced_at":"2025-04-12T02:39:16.704Z","repository":{"id":42993933,"uuid":"302587148","full_name":"clastix/kubectl-login","owner":"clastix","description":"kubectl login manager","archived":false,"fork":false,"pushed_at":"2022-03-24T09:44:29.000Z","size":90,"stargazers_count":7,"open_issues_count":4,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-12T02:39:10.396Z","etag":null,"topics":["kubectl","kubectl-plugin","kubernetes","kubernetes-authentication","oauth2","oidc","openid-connect"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/clastix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-09T08:57:41.000Z","updated_at":"2024-02-23T19:00:52.000Z","dependencies_parsed_at":"2022-09-09T17:11:53.983Z","dependency_job_id":null,"html_url":"https://github.com/clastix/kubectl-login","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clastix%2Fkubectl-login","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clastix%2Fkubectl-login/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clastix%2Fkubectl-login/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clastix%2Fkubectl-login/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clastix","download_url":"https://codeload.github.com/clastix/kubectl-login/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248507283,"owners_count":21115567,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubectl","kubectl-plugin","kubernetes","kubernetes-authentication","oauth2","oidc","openid-connect"],"created_at":"2024-11-07T09:35:01.268Z","updated_at":"2025-04-12T02:39:16.681Z","avatar_url":"https://github.com/clastix.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes Login Manager CLI\n\nThis `kubectl-login` is an utility to securely login Kubernetes clusters across multiple operating environments, including local setups and cloud providers, i.e. EKS, AKS, GKE. It can be used as `kubectl` plugin or as standalone binary.\n\nBased on the configured authentication mechanism (e.g. TLS client, OIDC), it will login users in the Kubernetes clusters they are allowed to access and generate a `kubeconfig` for a chosen cluster.\n\n## Features\n\n- [ ] Authenticate with TLS client certificates\n- [x] Authenticate against OIDC Server\n    - [ ] Authorization Code Grant\n    - [x] Authorization Code Grant with PKCE\n    - [ ] Authorization with Resource Owner Password\n    - [ ] Authorization with Credentials\n    - [ ] Device Authorization Grant\n- [ ] Authenticate against GKE\n- [ ] Authenticate against EKS\n- [ ] Authenticate against AKS\n- [x] Create `kubeconfig`\n- [x] Configure login parameters\n- [ ] Store historical login parameters\n\n\n## Installation\n\nDownload the release from the GitHub Release section according to your OS and architecture:\n\n- [x] Darwin_i386\n- [x] Darwin_x86_64\n- [x] Linux_arm64\n- [x] Linux_armv6\n- [x] Linux_i386\n- [x] Linux_x86_64\n- [x] Windows_i386\n- [x] Windows_x86_64\n\nCopy the binary somewhere on your `PATH`, and ensure it's executable:\n\n```bash\n$ chmod u+x kubectl-login`\n```\n\n## Usage\nOnce you have installed `kubectl-login` you can see a list of the commands available by running:\n\n```\n$ kubectl login -h\nkubectl-login is a CLI utility to discover and securely login Kubernetes clusters across multiple operating\nenvironments, including local setups and cloud providers, i.e. EKS, AKS, GKE.\n\nBased on the configured authentication mechanism (e.g. TLS client, OIDC), it will login users in the Kubernetes clusters\nthey are allowed to access and generate a kubeconfig for a chosen cluster.\n\nUsage:\n  login [flags]\n  login [command]\n\nAvailable Commands:\n  get-token   Return a credential execution required by kubectl with the updated ID token\n  help        Help about any command\n\nFlags:\n      --config string                   config file (default is $HOME/.kubectl-login.yaml)\n  -h, --help                            help for login\n      --k8s-api-server string           Endpoint of the Kubernetes API server to connect to\n      --k8s-insecure-skip-tls-verify    Disable TLS certificate verification for the Kubernetes API server\n      --k8s-server-ca-path string       Path to the Kubernetes API server certificate authority PEM encoded file\n      --kubeconfig-path string          Path to the generated kubeconfig file upon resulting login procedure to access the Kubernetes cluster (default \"oidc.kubeconfig\")\n      --oidc-client-id string           The OIDC client ID provided\n      --oidc-client-timeout duration    Define the timeout in duration for the HTTP requests to the OIDC server\n      --oidc-insecure-skip-tls-verify   Disable TLS certificate verification for the OIDC server\n      --oidc-server string              The OIDC server URL to connect to\n      --oidc-server-ca-path string      Path to the OIDC server certificate authority PEM encoded file\n  -v, --verbose                         Toggle the verbose logging\n\nUse \"login [command] --help\" for more information about a command.\n```\n\nCreate an initial setup:\n\n```\n$ kubectl login --k8s-api-server=https://kube-apiserver:6443 --k8s-server-ca-path=/path/to/k8s/ca.pem --oidc-server=https://sso.clastix.io --oidc-client-id=kubectl -v\n2021-01-27T18:15:16.988Z        INFO    cmd/root.go:102 Starting the login procedure\n2021-01-27T18:15:16.988Z        INFO    actions/oidc_config.go:63       Starting OIDC login with PKCE\n2021-01-27T18:15:16.988Z        INFO    actions/oidc_config.go:74       Getting OIDC configuration from the server      {\"OIDCServer\": \"https://sso.clastix.io\"}\n2021-01-27T18:15:17.022Z        INFO    actions/code_verifier.go:38     Generating PKCE Code Verifier and Challenge\n2021-01-27T18:15:17.022Z        INFO    actions/code_verifier.go:39     PKCE code verifier generated    {\"code\": \"PZD4n80AepGINMw1au4fMj73K0R38EXyPGd0QhmsIF3a3KRU3NBh2QwzSd9PAQ5dt1JifcbaixysCXIAQKhkV0lPituFgtTeWBIcWFmrfMCwvt8Cni2OP6vTc3sWOgPe\"}\n2021-01-27T18:15:17.023Z        INFO    actions/create_auth_uri.go:45   Creating authorization URI\n\nProceed to login to the following link using your browser:\n\nhttps://sso.clastix.io/openid-connect/auth?access_type=offline\u0026client_id=kubectl\u0026code_challenge=EYpNK9lNI3g9ridirZLUxzZZC4uJPdIIdheVOYHZReY\u0026code_challenge_method=S256\u0026prompt=consent\u0026redirect_uri=urn:ietf:wg:oauth:2.0:oob\u0026response_type=code\u0026scope=openid+groups+offline_access\u0026state=TDE5a90dfVLyeXxaHIbExowZoa344IztYcPXRgX0M\n\nType the verification code: *******************\n2021-01-27T18:15:28.832Z        DEBUG   cmd/root.go:137 User input code is *******************\nYour login procedure has been completed!\n\nYou can start interacting with your Kubernetes cluster using the generated kubeconfig file:\nexport KUBECONFIG=oidc.kubeconfig\n\nHappy Kubernetes interaction!\n```\n\nThe initial setup creates and stores configurations in the file `~/.kubectl-login.yaml`\n\n```bash\nkubernetes:\n  ca:\n    insecure: false\n  endpoint: https://kube-apiserver:6443\n  kubeconfig: oidc.kubeconfig\noidc:\n  ca:\n    insecure: false\n  clientid: kubectl\n  server: https://sso.clastix.io\ntoken:\n  endpoint: https://sso.clastix.io/openid-connect/token\n  id: REDACTED\n  refresh: REDACTED\n```\n\nThe resulting generated Kubernetes configuration file will be saved and merged to the specified path, using the CLI/configuration file option, or fallbacking to the exported `KUBECONFIG` environment variable, or finally to the default location `$HOME/.kube/config`, as follows:\n\n```yaml\napiVersion: v1\nclusters:\n  - cluster:\n      server: https://kube-apiserver:6443\n    name: http_kube-apiserver_6443\ncontexts:\n  - context:\n      cluster: http_kube-apiserver_6443\n      user: oidc\n    name: oidc\ncurrent-context: oidc\nkind: Config\nusers:\n  - name: oidc\n    user:\n      exec:\n        apiVersion: client.authentication.k8s.io/v1beta1\n        args:\n          - login\n          - get-token\n        command: kubectl\n```\n\nIn case of different export path using `--kubeconfig-path` or configuration file option `kubernetes.kubeconfig`, export the path as `KUBECONFIG`.\n\n```\n$ export KUBECONFIG=oidc.kubeconfig\n$ kubectl --user=oidc get pods -n oil-production\nNAME                       READY   STATUS    RESTARTS   AGE\nexample-5b64df8865-96f2p   1/1     Running   0          13h\nexample-5b64df8865-fg9mv   1/1     Running   0          13h\nexample-5b64df8865-z6ts9   1/1     Running   0          13h\n```\n\nYou can start the login process any time by simply running:\n\n```\n$ kubectl login\n```\n\n## Contributions\n`kubectl-login` is released with Apache 2 open source license. Contributions are very welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclastix%2Fkubectl-login","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fclastix%2Fkubectl-login","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclastix%2Fkubectl-login/lists"}