int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.7k stars 193 forks

oidc-client-secret in kubeconfig.yaml, how secure is it? #1088

Closed ktzsolt closed 4 months ago

ktzsolt commented 5 months ago

Describe the question

I have set up kubelogin with (onprem) gitlab, all is working fine, I get this in my kubeconfig.yaml:

users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://mygitlab.com
      - --oidc-client-id=...
      - --oidc-client-secret=....
      - --oidc-extra-scope=email

The setup procedure says that I can share this kubeconfig with my team, and it works fine with rolebindings as it is supposed to.

I have set scopes only for openid, profile, email: [image]

My question is how secure it is to share this kubeconfig file that includes the oidc-client-id and oidc-client-secret. If the secret gets compromised (e.g. pushed to a public repo), can it be used to do harm in any way?

Thank you!


davidfrickert commented 4 months ago

If you commit that to a repo then the client essentially becomes a public client. In these cases, where the secret cannot be safely protected you should use --oidc-use-pkce. It should be fine.
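
To make the point in that reply concrete: once the kubeconfig is handed around, the client_id (and any client_secret next to it) is known to everyone who has the file, so the IdP can no longer distinguish the real kubectl from someone who copied the file. PKCE (RFC 7636) does not depend on that secret. The client generates a random code_verifier per login, sends only its SHA-256 challenge on the authorize request, and presents the verifier at the token endpoint; the verifier never leaves the kubectl process, so an authorization code captured from the redirect cannot be exchanged without it. The following Go program is an added example written for this page, not kubelogin's or GitLab's code. The in-memory AuthServer is a toy model of just the PKCE check at an IdP's token endpoint, and the client id, code and token strings are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewCodeVerifier returns a PKCE code_verifier (RFC 7636 section 4.1):
// 32 random bytes, base64url-encoded without padding (43 characters).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// pendingAuth is what the authorization server remembers when it issues a code.
type pendingAuth struct {
	clientID  string
	challenge string
}

// AuthServer is a toy in-memory model of the IdP. It models only the PKCE
// check at the token endpoint; it is not GitLab's or kubelogin's code.
type AuthServer struct {
	issued int
	codes  map[string]pendingAuth
}

func NewAuthServer() *AuthServer { return &AuthServer{codes: map[string]pendingAuth{}} }

// Authorize models the browser-side /authorize request: the client sends its
// (non-secret) client_id plus code_challenge and gets back a one-time code.
func (s *AuthServer) Authorize(clientID, challenge string) string {
	s.issued++
	code := fmt.Sprintf("code-%d", s.issued) // constructed placeholder, not a real code
	s.codes[code] = pendingAuth{clientID: clientID, challenge: challenge}
	return code
}

var (
	ErrUnknownCode  = errors.New("invalid_grant: unknown or already used code")
	ErrPKCEMismatch = errors.New("invalid_grant: code_verifier does not match code_challenge")
)

// ExchangeCode models the token endpoint for a public client. There is no
// client_secret; the only proof that the caller started this flow is the
// code_verifier. The code is consumed on first use, whether or not it succeeds.
func (s *AuthServer) ExchangeCode(clientID, code, verifier string) (string, error) {
	p, ok := s.codes[code]
	if !ok || p.clientID != clientID {
		return "", ErrUnknownCode
	}
	delete(s.codes, code)
	want := []byte(p.challenge)
	got := []byte(CodeChallengeS256(verifier))
	if subtle.ConstantTimeCompare(want, got) != 1 {
		return "", ErrPKCEMismatch
	}
	return "id-token-for-" + clientID, nil // constructed stand-in for the real ID token
}

// LegitimateFlow is the shape of what a PKCE client does: generate a verifier,
// send only its challenge, and present the verifier at exchange time.
func LegitimateFlow(srv *AuthServer, clientID string) (string, error) {
	verifier, err := NewCodeVerifier()
	if err != nil {
		return "", err
	}
	code := srv.Authorize(clientID, CodeChallengeS256(verifier))
	return srv.ExchangeCode(clientID, code, verifier)
}

// InterceptedCodeAttack models an attacker who learned client_id from a shared
// kubeconfig and also captured the authorization code from the redirect. The
// victim's verifier never left the victim's process, so the exchange must fail.
func InterceptedCodeAttack(srv *AuthServer, clientID string) error {
	victimVerifier, err := NewCodeVerifier()
	if err != nil {
		return err
	}
	interceptedCode := srv.Authorize(clientID, CodeChallengeS256(victimVerifier))
	_, err = srv.ExchangeCode(clientID, interceptedCode, "attacker-guess")
	return err
}

func main() {
	srv := NewAuthServer()
	tok, err := LegitimateFlow(srv, "shared-client-id") // hypothetical client_id
	fmt.Println("legitimate flow:", tok, err)
	fmt.Println("intercepted code without verifier:", InterceptedCodeAttack(srv, "shared-client-id"))
}
```

The replay check in ExchangeCode (delete before compare) matters as much as the hash comparison: a code that could be retried would let an attacker keep guessing verifiers. It also explains why a stale cached token or code in ~/.kube/cache has to be discarded after the flow changes.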

ktzsolt commented 4 months ago

Hi @davidfrickert!

I replaced - --oidc-client-secret=... with - --oidc-use-pkce and rm -rf'ed the ~/.kube/cache dir, and the auth works, thanks!

lucj commented 1 month ago

Hi, I'm using GitLab as IDP and I was also concerned by the client secret in the kubeconfig but using --oidc-use-pkce instead of --oidc-client-secret gives me the following error:

% k get secret
error: get-token: authentication error: authcode-browser error: authentication error: authorization code flow error: oauth2 error: could not exchange the code and token: oauth2: "invalid_client" "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
E0823 18:18:15.479144    7433 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://my-api-serfver:443/api?timeout=32s\": getting credentials: exec: executable kubectl failed with exit code 1"

Any idea what I'm missing? Do I need to give additional rights to my GitLab application?