Edit on GitHub
Report issue
Page history

Kubernetes 1.6.1 authentication by using Google OpenID

Author(s): @miry ,   Published: 2017-06-24

Contributed by the Google Cloud community. Not official Google documentation.

In this tutorial you set up authentication and authorization to your own Kubernetes cluster using your Google account with the help of role-based access control (RBAC) and OpenID Connect. RBAC was introduced in the Kubernetes 1.6 article, RBAC Support in Kubernetes, and was based on Micah Hausle's Reduce administrative toil with Kubernetes 1.3.


  • Creating a Google API Console project and client ID
  • Setting up a Kubernetes cluster with kubeadm
  • Generating a local user's credentials
  • Granting permissions

Creating a Google API Console project and client ID

  1. Go to https://console.developers.google.com/projectselector/apis/library.
  2. From the project drop-down, select an existing project, or create a new one by selecting Create a new project.
  3. In the sidebar under API Manager, select Credentials, then select the OAuth consent screen tab.
  4. Choose an Email Address, specify a Product Name, and submit Save.
  5. In the Credentials tab, select the New credentials drop-down list, and choose OAuth client ID.
  6. Under Application type, select Other.
  7. From the resulting OAuth client dialog box, copy the Client ID. The Client ID lets your app access enabled Google APIs.
  8. Download the client secret JSON file of the credentials.

Setting up a Kubernetes cluster

After initializing the master instance, you need to update the kube api server arguments in the /etc/kubernetes/manifests/kube-apiserver.yaml. Each argument should be on a separate line. More information about the OIDC attributes can be found in the Authenticating reference documentation.

sed -i "/- kube-apiserver/a\    - --oidc-issuer-url=https://accounts.google.com\n    - --oidc-username-claim=email\n    - --oidc-client-id=[YOUR_GOOGLE_CLIENT_ID]" /etc/kubernetes/manifests/kube-apiserver.yaml

Add any network CNI plugin and the cluster is ready. Copy /etc/kubernetes/admin.conf to local ~/.kube/config and change the cluster ip.

kubectl get nodes

Output appears as follows:

NAME            STATUS    AGE       VERSION
ip-10-9-11-30   Ready     15m       v1.6.1

Generating local user credentials

  1. Install the helper on the client machine. Run the following command:

    go get github.com/micahhausler/k8s-oidc-helper
  2. Generate a user's credentials for kube config. Run the following command:

    k8s-oidc-helper -c path/to/client_secret_[CLIENT_ID].json

    This command should open the browser and ask permissions. After that, it provides you a token in the browser. Copy it and paste to the terminal for k8s-oidc-helper. The output of the command should look as follows:

    # Add the following to your ~/.kube/config
    - name: name@example.com
            client-id: 32934980234312-9ske1sskq89423480922scag3hutrv7.apps.googleusercontent.com
            client-secret: ZdyKxYW-tCzuRWwB3l665cLY
            id-token: eyJhbGciOiJSUzI19fvTKfPraZ7yzn.....HeLnf26MjA
            idp-issuer-url: https://accounts.google.com
            refresh-token: 18mxeZ5_AE.jkYklrMAf5.IMXnB_DsBY5up4WbYNF2PrY
            name: oidc
  3. Copy everything after users: and append it to your existing user list in the ~/.kube/config. Now you have 2 users: one from the new cluster configuration and one that you added.

Verifying the token

Test the id-token using https://jwt.io/. Be sure that you have "email_verified": true in the decoded message. Test connection of the new user:

kubectl --user=name@example.com get nodes

This results in the following output:

Error from server (Forbidden): User "name@example.com" cannot list nodes at the cluster scope. (get nodes)

This error message proves that id-token and api server arguments work and email is extracted from a request.

Granting permissions

For now, grant admin rights to the user name@example.com with an authorization specification:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
    name: admin-role
    - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
    name: admin-binding
    - kind: User
    name: name@example.com
    kind: ClusterRole
    name: admin-role

After applying changes by using kubectl create -f admin.yaml, Do the test again:

$ kubectl --user=name@example.com get nodes


NAME            STATUS    AGE       VERSION
ip-10-9-11-30   Ready     20m       v1.6.1

You now have a Kubernetes cluster with authorization by email. Plus, you don't need to generate a new OpenID for new clusters.

Submit a tutorial

Share step-by-step guides

Submit a tutorial

Request a tutorial

Ask for community help

Submit a request

View tutorials

Search Google Cloud tutorials

View tutorials

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.