OpenID Connect Authentication

Configuring minikube to use OpenID Connect Authentication

The kube-apiserver in minikube can be configured to support OpenID Connect Authentication.

Read more about OpenID Connect Authentication for Kubernetes here:

Configuring the API Server

Configuration values can be passed to the API server using the --extra-config flag on the minikube start command. See for more details.

The following example configures your Minikube cluster to support RBAC and OIDC:

# The oidc-issuer-url value must use the https:// scheme, and kube-apiserver
# refuses to start unless oidc-client-id is set together with oidc-issuer-url.
# Replace the <...> placeholders with the values from your OIDC provider.
minikube start \
  --extra-config=apiserver.authorization-mode=RBAC \
  --extra-config=apiserver.oidc-issuer-url=https://<your_issuer_url> \
  --extra-config=apiserver.oidc-username-claim=email \
  --extra-config=apiserver.oidc-client-id=<your_client_id>
Note that, as stated in the Kubernetes documentation, the --extra-config=apiserver.oidc-issuer-url flag only accepts URLs that use the https:// scheme. Otherwise kube-apiserver will not start.

Configuring kubectl

You can use the kubectl oidc authenticator to create a kubeconfig as shown in the Kubernetes docs:

minikube start already creates a kubeconfig that includes a cluster entry named minikube. To use that cluster together with the user entry you created for the oidc authenticator (shown here as the placeholder <your_oidc_user>), you can run:

kubectl config set-context kubernetes-local-oidc --cluster=minikube --user=<your_oidc_user>
Context "kubernetes-local-oidc" created.
kubectl config use-context kubernetes-local-oidc

For the new context to work you will need to create, at the very minimum, a Role and a RoleBinding in your cluster that grant permissions to the subjects identified by your oidc-username-claim. With --oidc-username-claim=email and no --oidc-username-prefix configured, the Kubernetes username is the bare email address from the token, so the RoleBinding subject must match that value exactly.
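As an added example (not part of the minikube documentation), the following manifest is the minimal Role and RoleBinding for one OIDC user. It assumes the apiserver flags above (oidc-username-claim=email, no username prefix) and uses alice@example.com as a placeholder for the email claim in your token.

```yaml
# Added example, not from the minikube docs. Assumes --oidc-username-claim=email
# and no --oidc-username-prefix, so the Kubernetes username is the bare email.
# alice@example.com is a placeholder for the email in your OIDC ID token.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only: least privilege for this user
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: User
  name: alice@example.com           # must match the email claim exactly (case-sensitive)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply it while still on the admin minikube context with kubectl apply -f, then confirm the binding resolves before switching contexts with kubectl auth can-i list pods --namespace default --as=alice@example.com.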

Last modified July 23, 2020: Update OIDC documentation. (de65edffd)