Use Google as the OIDC provider without leaking the client secret in Kubernetes

4/24/2019

We have a single Kubernetes development cluster. We want to give every developer working on this development cluster namespaced, controlled access.

We wanted to authenticate using Google as the OIDC provider, which the Kubernetes API supports.

But this requires the client-secret to be part of ~/.kube/config:

users:
- name: you@yourdomain.com
  user:
    auth-provider:
      name: oidc
      config:
        client-id: <client-id>
        client-secret: <client-secret>   # the value we do not want on every developer's machine
        idp-issuer-url: https://accounts.google.com
        id-token: <id-token>             # bearer token presented to the API server
        refresh-token: <refresh-token>   # used by kubectl to renew an expired id-token

We do not want to leak the client secret to the user, since when the developer leaves the organization the client secret will already have leaked and can be misused for impersonation.

Please suggest how to authenticate users in the Kubernetes cluster using Google as the OIDC provider without leaking the client secret.

-- Alok Kumar Singh
authentication
google-oauth
kubernetes
openid-connect

1 Answer

6/26/2019

client_secret is now optional in the k8s OIDC config, which means that it can support public clients (with or without client_secret) and confidential clients (with client_secret, per kubectl user).

This means that you don't need to use the client secret for authentication, but as I wrote in my answer to your next question, openid-kubernetes, there is no need to be concerned about leaking credentials.

-- MaggieO
Source: StackOverflow
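The following script is an added example for this page, not code from the question or the answer. It audits the OIDC user entries of a kubeconfig for the two things discussed above: whether a client-secret is embedded in the file at all (a public client, as the answer describes, leaves it out), and whether the id-token carries the claims the Kubernetes OIDC authenticator matches against the config (iss equal to idp-issuer-url, client-id present in aud, exp in the future). Assumptions: the kubeconfig is passed as the dict a YAML loader would return, so no third-party parser is needed; the id-tokens are constructed JWTs with a placeholder signature; the sample user names, client IDs and secrets are made up. The API server verifies the real signature against the issuer's JWKS, so this script deliberately does not verify signatures, it only decodes and inspects claims.

```python
"""Audit kubeconfig OIDC users: embedded client-secret and id-token claims."""
import base64
import json
import time
from typing import Dict, List, Optional

GOOGLE_ISSUER = "https://accounts.google.com"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_id_token(iss: str, aud: str, sub: str, exp: int) -> str:
    """Build a JWT-shaped id-token with a placeholder signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": iss, "aud": aud, "sub": sub, "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT; signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id-token is not a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_oidc_user(entry: dict, now: Optional[float] = None) -> List[str]:
    """Return findings for one kubeconfig users[] entry; an empty list means clean."""
    now = time.time() if now is None else now
    provider = (entry.get("user") or {}).get("auth-provider") or {}
    if provider.get("name") != "oidc":
        return []  # not an OIDC user, nothing to audit
    cfg = provider.get("config") or {}
    findings: List[str] = []

    if cfg.get("client-secret"):
        findings.append("client-secret is embedded in the kubeconfig")
    issuer = cfg.get("idp-issuer-url", "")
    if not issuer.startswith("https://"):
        findings.append("idp-issuer-url must be an https URL")
    client_id = cfg.get("client-id")
    if not client_id:
        findings.append("client-id is missing")

    token = cfg.get("id-token")
    if not token:
        findings.append("id-token is missing")
        return findings
    try:
        claims = id_token_claims(token)
    except ValueError as exc:
        findings.append(str(exc))
        return findings

    # These are the claim checks the API server's OIDC authenticator performs
    # (after signature verification, which is out of scope for this script).
    if claims.get("iss") != issuer:
        findings.append(f"id-token iss {claims.get('iss')!r} != idp-issuer-url {issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        findings.append("client-id is not in the id-token aud claim")
    if claims.get("exp", 0) <= now:
        findings.append("id-token is expired (kubectl would need the refresh-token)")
    return findings


def audit_kubeconfig(config: dict, now: Optional[float] = None) -> Dict[str, List[str]]:
    """Map each user name in the kubeconfig to its list of findings."""
    return {u["name"]: audit_oidc_user(u, now) for u in config.get("users", [])}


def oidc_user(name: str, client_id: str, token: str, client_secret: Optional[str] = None) -> dict:
    """Constructed kubeconfig users[] entry in the shape shown in the question."""
    cfg = {"client-id": client_id, "idp-issuer-url": GOOGLE_ISSUER,
           "id-token": token, "refresh-token": "constructed-refresh-token"}
    if client_secret:
        cfg["client-secret"] = client_secret
    return {"name": name, "user": {"auth-provider": {"name": "oidc", "config": cfg}}}


# Constructed sample: one entry mirroring the question (secret embedded), one
# public-client entry without a secret, and one whose token has the wrong audience.
NOW = 1_700_000_000
CLIENT_ID = "app.apps.googleusercontent.com"  # made-up client ID
GOOD_TOKEN = make_unsigned_id_token(GOOGLE_ISSUER, CLIENT_ID, "1234", NOW + 3600)
WRONG_AUD_TOKEN = make_unsigned_id_token(GOOGLE_ISSUER, "other-app", "1234", NOW + 3600)
SAMPLE_KUBECONFIG = {"users": [
    oidc_user("dev-with-secret@yourdomain.com", CLIENT_ID, GOOD_TOKEN, "constructed-secret"),
    oidc_user("dev-public@yourdomain.com", CLIENT_ID, GOOD_TOKEN),
    oidc_user("dev-wrong-aud@yourdomain.com", CLIENT_ID, WRONG_AUD_TOKEN),
]}

if __name__ == "__main__":
    for name, findings in audit_kubeconfig(SAMPLE_KUBECONFIG, NOW).items():
        print(name, "->", findings or ["ok"])
```

Run it as a script to see the three sample users audited; the public-client entry comes back clean, which is the configuration shape the answer refers to. Note that the refresh-token in the file is what lets kubectl obtain a fresh id-token, and neither it nor the client-secret is ever sent to the API server, which only sees the id-token as a bearer token.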