- Authenticate using OIDC Resource Owner Password Flow (usually backed by LDAP).
- Hard-coded cluster authentication info (
internal/clusters
). - Assumes host already trusts OIDC issuer URL (TLS certificate).
- Always sets
certificate-authority-data
per cluster.
-
Uses TLS certificate validation for all OIDC queries preventing potential man in the middle attacks (instead of
insecure-skip-tls-verify
which so many do by default). -
Corrects a problem preventing Kubernetes dashboard from working with
kubectl proxy
in previous versions. -
Allows easily changing between different user names for a given cluster.
-
Respects existing configurations (other than those reserved in
internal/clusters
) including the Namespace of any context. -
Uses simplified 24-hour OIDC JWT (
id_token
) authentication and cleans up old authentication data from configuration file(s) for reserved cluster/contexts. -
Adds tab completion support for more shells than just bash (zsh, fish, and PowerShell).
-
Uses (only) official and industry-standard Kubernetes packages:
k8s.io/cli-runtime
k8s.io/client-go
github.com/coreos/go-oidc/v3/oidc
github.com/spf13/cobra
-
Observes and respects use of multi-file list path values in KUBECONFIG environment variable (same as kubectl).
-
Contains zero
execs
of thekubectl config
program other than to display contexts.
Released under Apache 2.0.
- Resource Owner Password Flow with OIDC
https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-rop-flow - OAuth 2.0 and OpenID Connect Overview | Okta Developer
https://developer.okta.com/docs/concepts/oauth-openid/