We use Google Cloud as a provider for the sake of the example. Check your vendor documentation if you use another vendor.

Notes on stand-alone providers

If you are using a stand-alone OIDC provider, you might need to specify the oidc-ca-file argument for the kube-apiserver.

Google Cloud

We use the k8s-oidc-helper tool to create a proper kubeconfig user record.

The issuer URL for the Google cloud is

Creating an application

  • Go to the Google Cloud Dashboard
  • Create a new project in your organization
  • Go to the "Credentials" page
  • Create an "OAuth consent screen"

Creating user credentials

  • Go to the Google Cloud Dashboard
  • Go to the "Credentials" page
  • Create new credentials. Select "OAuth client ID" as a type.
  • Select "Desktop" app as an application type.
  • Save client ID and client secret

Creating kubeconfig user record

Use the command and follow the instructions:

k8s-oidc-helper --client-id=<CLIENT_ID> \
  --client-secret=<CLIENT_SECRET> \

Using kubelogin

For other OIDC providers, you can use the kubelogin plugin. Please refer to the setup guide for details.

Google Cloud example using kubelogin

kubectl oidc-login setup \
  --oidc-issuer-url= \
  --oidc-client-id=<CLIENT_ID> \

kubectl config set-credentials oidc \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg=--oidc-issuer-url= \
  --exec-arg=--oidc-client-id=<CLIENT_ID>  \

You can switch the current context to oidc.

kubectl config set-context --current --user=oidc
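
A preflight check for the ID token that k8s-oidc-helper or kubelogin obtains, as an added example (not code from this page or from either tool): it decodes the token's claims and lists the mismatches that would make the API server reject it. The issuer URL, client ID and tokens are constructed sample values, the function names are hypothetical, and the signature is not verified here because that remains the API server's job.

```python
import base64
import json
import time


def decode_claims(id_token):
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token(id_token, issuer_url, client_id, now=None):
    """List the reasons the API server would reject this token's claims."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    problems = []
    # iss is compared as an exact string, so a trailing slash is a mismatch.
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != issuer URL {issuer_url!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not contain client ID {client_id!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    if not claims.get("sub"):
        problems.append("no sub claim (the default username claim)")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.constructed"


# Constructed sample values (assumptions, not taken from the page).
ISSUER = "https://issuer.example"
CLIENT_ID = "example-client-id"
GOOD = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": 2000})
BAD = make_sample_token({"iss": ISSUER + "/", "aud": "other-app", "sub": "alice", "exp": 500})

if __name__ == "__main__":
    print(check_id_token(BAD, ISSUER, CLIENT_ID, now=1000))
```

Run it against the id-token stored in the kubeconfig user record, with the issuer URL and client ID that the API server is configured with, when kubectl returns "Unauthorized" after login.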