{"id":15637549,"url":"https://github.com/int128/kauthproxy","last_synced_at":"2026-02-16T11:26:46.709Z","repository":{"id":37801982,"uuid":"191071313","full_name":"int128/kauthproxy","owner":"int128","description":"Local authentication proxy for Kubernetes Dashboard (kubectl auth-proxy)","archived":false,"fork":false,"pushed_at":"2025-03-20T22:41:19.000Z","size":1028,"stargazers_count":107,"open_issues_count":8,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T01:10:02.069Z","etag":null,"topics":["golang","kubectl","kubectl-plugins","kubernetes","kubernetes-dashboard"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/int128.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-10T00:46:37.000Z","updated_at":"2025-03-12T19:53:42.000Z","dependencies_parsed_at":"2023-12-17T10:23:35.635Z","dependency_job_id":"b11f6740-9a76-4fed-99ac-9bf7bb1eab19","html_url":"https://github.com/int128/kauthproxy","commit_stats":{"total_commits":393,"total_committers":5,"mean_commits":78.6,"dds":"0.41730279898218825","last_synced_commit":"1574244940c5103c8d1f80899cf58555ec9935d8"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/int128%2Fkauthproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/int128%2Fkauthproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/int128%2Fkauthproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/int128%2Fkauthproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/int128","download_url":"https://codeload.github.com/int128/kauthproxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247423515,"owners_count":20936626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","kubectl","kubectl-plugins","kubernetes","kubernetes-dashboard"],"created_at":"2024-10-03T11:12:04.347Z","updated_at":"2026-02-16T11:26:46.703Z","avatar_url":"https://github.com/int128.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kauthproxy [![go](https://github.com/int128/kauthproxy/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kauthproxy/actions/workflows/go.yaml) [![e2e-test](https://github.com/int128/kauthproxy/actions/workflows/e2e-test.yaml/badge.svg)](https://github.com/int128/kauthproxy/actions/workflows/e2e-test.yaml)\n\nThis is a kubectl plugin of the authentication proxy to access [Headlamp](https://headlamp.dev).\n\nYou can access Headlamp with your credentials instead of entering a service account token.\nIt provides better **user experience and security**.\n\nkauthproxy supports the following environments:\n\n- Amazon EKS\n- Azure Kubernetes Service (with Azure AD)\n- Self-hosted Kubernetes cluster\n  - [OpenID Connect tokens authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)\n  - [Webhook token authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)\n  - [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator)\n\nNote that kauthproxy does not work with [client certificate authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs).\n\n## Getting Started\n\n### Install\n\nInstall the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [aqua](https://aquaproj.github.io/), or [GitHub Releases](https://github.com/int128/kauthproxy/releases).\n\n```sh\n# Homebrew (macOS)\nbrew install int128/kauthproxy/kauthproxy\n\n# Krew (macOS, Linux and Windows)\nkubectl krew install auth-proxy\n\n# aqua\naqua g -i int128/kauthproxy\n```\n\nYou can deploy the manifest of Headlamp from [here](https://headlamp.dev/docs/latest/installation/in-cluster/).\n\n### Run\n\nTo access Headlamp in your cluster:\n\n```\n% kubectl auth-proxy -n kube-system http://headlamp.svc\nStarting an authentication proxy for pod/headlamp-57fc4fcb74-jjg77:8443\nOpen http://127.0.0.1:18000\nForwarding from 127.0.0.1:57866 -\u003e 8443\nForwarding from [::1]:57866 -\u003e 8443\n```\n\nIt will automatically open the browser.\nYou can see Headlamp logged in as you.\n\n[![screenshot](https://github.com/int128/kauthproxy/wiki/refs/heads/master/screenshot.png)](e2e_test)\n\n## How it works\n\n### Authentication\n\nHeadlamp supports header based authentication.\nkauthproxy forwards HTTP requests from the browser to Headlamp.\n\nTake a look at the diagram:\n\n![diagram](docs/kauthproxy.svg)\n\nWhen you access Headlamp, kauthproxy forwards HTTP requests by the following process:\n\n1. Acquire your token from the credential plugin or authentication provider.\n1. Set `authorization: bearer TOKEN` header to a request and forward the request to the pod.\n\n### Authorization\n\nkauthproxy requires the following privileges:\n\n- Get the Service of Headlamp.\n- List the Pods of Headlamp.\n- Port-forward to the Pod of Headlamp.\n\nIf you need to assign the least privilege for production,\nsee [an example of `Role`](e2e_test/kauthproxy-role.yaml).\n\n## Usage\n\n```\nUsage:\n  kubectl auth-proxy POD_OR_SERVICE_URL [flags]\n\nFlags:\n      --add_dir_header                   If true, adds the file directory to the header\n      --address stringArray              The address on which to run the proxy. If set multiple times, it will try binding the address in order (default [127.0.0.1:18000,127.0.0.1:28000])\n      --alsologtostderr                  log to standard error as well as files\n      --as string                        Username to impersonate for the operation\n      --as-group stringArray             Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n      --cache-dir string                 Default HTTP cache directory (default \"~/.kube/http-cache\")\n      --certificate-authority string     Path to a cert file for the certificate authority\n      --client-certificate string        Path to a client certificate file for TLS\n      --client-key string                Path to a client key file for TLS\n      --cluster string                   The name of the kubeconfig cluster to use\n      --context string                   The name of the kubeconfig context to use\n  -h, --help                             help for kubectl\n      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n      --kubeconfig string                Path to the kubeconfig file to use for CLI requests.\n      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)\n      --log_dir string                   If non-empty, write log files in this directory\n      --log_file string                  If non-empty, use this log file\n      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)\n      --logtostderr                      log to standard error instead of files (default true)\n  -n, --namespace string                 If present, the namespace scope for this CLI request\n      --request-timeout string           The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n  -s, --server string                    The address and port of the Kubernetes API server\n      --skip-open-browser                If set, skip opening the browser\n      --skip_headers                     If true, avoid header prefixes in the log messages\n      --skip_log_headers                 If true, avoid headers when opening log files\n      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)\n      --token string                     Bearer token for authentication to the API server\n      --user string                      The name of the kubeconfig user to use\n  -v, --v Level                          number for the log level verbosity\n      --version                          version for kubectl\n      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging\n```\n\n## Contributions\n\nThis is an open source software.\nFeel free to open issues and pull requests.\n\n### End-to-end test\n\nTo provision a cluster:\n\n```sh\n# requires Docker, Kind and Chrome\nbrew cask install docker google-chrome\nbrew install kind\n\n# provision a cluster and deploy Headlamp\nmake -C e2e_test deploy\n```\n\nYou can access the cluster as follows:\n\n```sh\nexport KUBECONFIG=e2e_test/output/kubeconfig.yaml\n\n# show all pods\nkubectl get pods -A\n\n# open Headlamp\n./kauthproxy -n kube-system --user=tester http://headlamp.svc\n```\n\nTo run the automated test:\n\n```sh\nmake -C e2e_test test\n```\n\nTo delete the cluster.\n\n```sh\nmake -C e2e_test delete-cluster\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fint128%2Fkauthproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fint128%2Fkauthproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fint128%2Fkauthproxy/lists"}