With Kube configured to point to an external OpenID provider it seems through browsing through the code that Kube makes a call to the OpenID provider to get a refresh token. When that comes back it expects an id_token to come back. It seems through tracing through the code that Kube will respect the expire time for the bearer token and not make a call to the OpenID provider until the bearer token expires.
Is that the correct description of how the refresh tokens work in Kube?
Kubernetes doesn't have any concept of refresh tokens because the Kubernetes API server isn't a client of the OpenID provider; it simply validates id_tokens issued for a specific client.
Clients of the OpenID provider which wish to talk to the API server on the end user's behalf must manage the refresh tokens to issue more id_tokens as the current one expires. The API server won't do it for you.
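The division of labour the answer describes, as an added Python example that is not part of the original question or answer and is not Kubernetes code: the client side owns the refresh token and only goes back to the provider's token endpoint when its current id_token is about to expire, while the API-server side does nothing but validate the id_token it is handed (issuer, audience, expiry). The JWTs are constructed inline and unsigned, the provider is a stand-in class, and the signature check a real API server performs against the provider's JWKS is a labelled placeholder; the names make_id_token, FakeProvider, client_get_bearer and api_server_validate are all hypothetical.

```python
"""Model of OIDC id_token handling: client refreshes, API server only validates.
Constructed example; tokens are unsigned and the provider is a stub."""
import base64
import json

ISSUER = "https://issuer.example"   # constructed issuer URL
CLIENT_ID = "kube-client"           # constructed OIDC client id
TOKEN_LIFETIME = 300                # seconds an id_token stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(sub: str, issued_at: int, lifetime: int, aud: str = CLIENT_ID) -> str:
    """Build a constructed, unsigned id_token (header.payload.<empty signature>)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": aud, "sub": sub,
               "iat": issued_at, "exp": issued_at + lifetime}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def claims_of(id_token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


class FakeProvider:
    """Stand-in for the OpenID provider's token endpoint (constructed)."""

    def __init__(self) -> None:
        self.refresh_tokens: dict[str, str] = {}   # refresh_token -> subject
        self.calls = 0                            # how often the client refreshed

    def login(self, sub: str, now: int) -> tuple[str, str]:
        refresh_token = f"rt-{sub}-{now}"
        self.refresh_tokens[refresh_token] = sub
        return make_id_token(sub, now, TOKEN_LIFETIME), refresh_token

    def refresh(self, refresh_token: str, now: int) -> str:
        self.calls += 1
        sub = self.refresh_tokens[refresh_token]   # KeyError: unknown or revoked
        return make_id_token(sub, now, TOKEN_LIFETIME)


def client_needs_refresh(id_token: str, now: int, skew: int = 30) -> bool:
    """Client-side decision: refresh shortly before exp, never after."""
    return claims_of(id_token)["exp"] - skew <= now


def client_get_bearer(state: dict, provider: FakeProvider, now: int) -> str:
    """Return a bearer id_token, contacting the provider only when needed."""
    if client_needs_refresh(state["id_token"], now):
        state["id_token"] = provider.refresh(state["refresh_token"], now)
    return state["id_token"]


def api_server_validate(id_token: str, now: int) -> tuple[bool, str]:
    """Server-side check: signature (placeholder), issuer, audience, expiry.
    The server holds no refresh token and never calls the provider."""
    signature_ok = True  # placeholder for verification against the provider's JWKS
    claims = claims_of(id_token)
    if not signature_ok:
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != CLIENT_ID:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, claims["sub"]


def demo() -> tuple[list, int]:
    """Four requests over ~400 s: exactly one refresh, every request accepted."""
    provider = FakeProvider()
    t0 = 1_700_000_000
    id_token, refresh_token = provider.login("alice", t0)
    state = {"id_token": id_token, "refresh_token": refresh_token}
    results = []
    for t in (t0 + 10, t0 + 200, t0 + 290, t0 + 400):
        bearer = client_get_bearer(state, provider, t)
        results.append(api_server_validate(bearer, t))
    return results, provider.calls


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the refresh token lives: only in the client's state dictionary. The server-side function sees nothing but the id_token, rejects an expired or mis-audienced one, and has no way to mint a replacement, which is why a client that lets its token lapse without refreshing simply starts getting rejected.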