A lightweight Python library that provides unified authentication for OpenShift and Kubernetes clusters. This library simplifies authentication by supporting multiple methods through a single, consistent interface.
-
Universal Authentication Support
- Standard Kubernetes KubeConfig (~/.kube/config)
- In-Cluster Service Account (for Pods and Notebooks)
- OIDC (OpenID Connect) with multiple flows
- OpenShift OAuth
-
Auto-Detection: Automatically detects and uses the best authentication method for your environment
-
Multiple OIDC Flows
- Authorization Code Flow with PKCE (for interactive apps)
- Device Code Flow (for CLI tools and headless environments)
- Client Credentials Flow (for service-to-service authentication)
-
Token Management
- Automatic token refresh
- Optional persistent storage via system keyring
- Secure in-memory storage by default
-
Security First
- TLS verification enabled by default
- No sensitive data in logs
- Minimal dependencies
pip install kube-authkitFor optional keyring support (persistent token storage):
pip install kube-authkit[keyring]The library automatically detects your environment and chooses the appropriate authentication method:
from kube_authkit import get_k8s_client
from kubernetes import client
# Auto-detect environment and authenticate
api_client = get_k8s_client()
# Use with standard Kubernetes client
v1 = client.CoreV1Api(api_client)
pods = v1.list_pod_for_all_namespaces()
print(f"Found {len(pods.items)} pods")This works seamlessly whether you're running:
- Locally with ~/.kube/config
- Inside a Kubernetes Pod or OpenShift Notebook (using Service Account)
- With OIDC credentials in environment variables
For CLI tools or when you need explicit control:
from kube_authkit import get_k8s_client, AuthConfig
config = AuthConfig(
method="oidc",
oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
client_id="my-cli-tool",
use_device_flow=True # Good for headless/CLI environments
)
# This will print: "Visit https://... and enter code: ABCD-EFGH"
api_client = get_k8s_client(config)For notebooks or interactive applications:
from kube_authkit import get_k8s_client, AuthConfig
config = AuthConfig(
method="oidc",
oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
client_id="my-app",
use_device_flow=False # Use Authorization Code Flow (opens browser)
)
# Browser will open for authentication
api_client = get_k8s_client(config)Store refresh tokens securely in your system keyring:
from kube_authkit import get_k8s_client, AuthConfig
config = AuthConfig(
method="oidc",
oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
client_id="my-app",
use_keyring=True # Store tokens in system keyring
)
# First run: Interactive authentication
# Subsequent runs: Uses stored refresh token automatically
api_client = get_k8s_client(config)| Parameter | Type | Default | Description |
|---|---|---|---|
method |
str | "auto" | Authentication method: "auto", "kubeconfig", "incluster", "oidc", "openshift" |
k8s_api_host |
str | None | Kubernetes API server URL (auto-detected if not provided) |
oidc_issuer |
str | None | OIDC issuer URL (required for OIDC) |
client_id |
str | None | OIDC client ID (required for OIDC) |
client_secret |
str | None | OIDC client secret (for confidential clients) |
scopes |
list | ["openid"] | OIDC scopes to request |
use_device_flow |
bool | False | Use Device Code Flow instead of Authorization Code Flow |
use_keyring |
bool | False | Store refresh tokens in system keyring |
ca_cert |
str | None | Path to custom CA certificate bundle |
verify_ssl |
bool | True | Verify SSL certificates (disable only for development) |
The library respects these environment variables:
KUBECONFIG: Path to kubeconfig fileKUBERNETES_SERVICE_HOST: Auto-detected in-cluster (set by Kubernetes)OIDC_ISSUER: OIDC issuer URLOIDC_CLIENT_ID: OIDC client IDOIDC_CLIENT_SECRET: OIDC client secretOPENSHIFT_TOKEN: OpenShift OAuth token
This library uses the Strategy Pattern to provide a unified interface across different authentication methods:
AuthFactory (auto-detection)
├── KubeConfigStrategy (~/.kube/config)
├── InClusterStrategy (Service Account)
├── OIDCStrategy (OpenID Connect)
└── OpenShiftOAuthStrategy (OpenShift OAuth)
Each strategy implements the same interface, making it easy to add new authentication methods in the future.
- TLS Verification: Enabled by default. Only disable for development/testing.
- Token Storage: In-memory by default. Use keyring for persistence across sessions.
- Logging: No sensitive data (tokens, secrets) is ever logged.
- Dependencies: Minimal dependency footprint to reduce supply chain risk.
# Clone repository
git clone https://github.com/openshift/kube-authkit.git
cd kube-authkit
# Create virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install with dev dependencies
pip install -e ".[dev]"# Run all tests with coverage
pytest
# Run specific test file
pytest tests/test_config.py
# Run with verbose output
pytest -v
# Type checking
mypy src/kube_authkit
# Code formatting
black src/ tests/
ruff check src/ tests/
# Security scanning
bandit -r src/See the examples/ directory for complete examples:
auto_auth.py- Simple auto-detectionoidc_device_flow.py- CLI tool with device flowoidc_auth_code.py- Interactive browser-based authnotebook_usage.py- Jupyter notebook exampleexplicit_config.py- All configuration optionscustom_ca.py- Custom CA certificate
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
Apache License 2.0 - see LICENSE for details.
- Issues: https://github.com/openshift/kube-authkit/issues
- Documentation: https://github.com/openshift/kube-authkit#readme
This library wraps and extends the official Kubernetes Python Client to provide simplified authentication workflows for OpenShift AI and Kubernetes environments.