Unified Kubernetes authentication toolkit - supports KubeConfig, In-Cluster, OIDC, and OpenShift OAuth authentication

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for szaher from gravatar.com szaher

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Kube AuthKit Contributors
  • Tags authentication , k8s , kubeconfig , kubernetes , oauth , oidc , openshift
  • Requires: Python >=3.10
  • Provides-Extra: dev , keyring
Classifiers
Report project as malware

Project description

Kube AuthKit - Kubernetes Authentication Toolkit

A lightweight Python library that provides unified authentication for OpenShift and Kubernetes clusters. This library simplifies authentication by supporting multiple methods through a single, consistent interface.

Features

  • Universal Authentication Support

    • Standard Kubernetes KubeConfig (~/.kube/config)
    • In-Cluster Service Account (for Pods and Notebooks)
    • OIDC (OpenID Connect) with multiple flows
    • OpenShift OAuth

  • Auto-Detection: Automatically detects and uses the best authentication method for your environment

  • Multiple OIDC Flows

    • Authorization Code Flow with PKCE (for interactive apps)
    • Device Code Flow (for CLI tools and headless environments)
    • Client Credentials Flow (for service-to-service authentication)

  • Token Management

    • Automatic token refresh
    • Optional persistent storage via system keyring
    • Secure in-memory storage by default

  • Security First

    • TLS verification enabled by default
    • No sensitive data in logs
    • Minimal dependencies

Installation

pip install kube-authkit

For optional keyring support (persistent token storage):

pip install kube-authkit[keyring]

Quick Start

Automatic Authentication (Recommended)

The library automatically detects your environment and chooses the appropriate authentication method:

from kube_authkit import get_k8s_client
from kubernetes import client

# Auto-detect environment and authenticate
api_client = get_k8s_client()

# Use with standard Kubernetes client
v1 = client.CoreV1Api(api_client)
pods = v1.list_pod_for_all_namespaces()
print(f"Found {len(pods.items)} pods")

This works seamlessly whether you're running:

  • Locally with ~/.kube/config
  • Inside a Kubernetes Pod or OpenShift Notebook (using Service Account)
  • With OIDC credentials in environment variables

Explicit OIDC Authentication

For CLI tools or when you need explicit control:

from kube_authkit import get_k8s_client, AuthConfig

config = AuthConfig(
    method="oidc",
    oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
    client_id="my-cli-tool",
    use_device_flow=True  # Good for headless/CLI environments
)

# This will print: "Visit https://... and enter code: ABCD-EFGH"
api_client = get_k8s_client(config)

Interactive Browser-Based Authentication

For notebooks or interactive applications:

from kube_authkit import get_k8s_client, AuthConfig

config = AuthConfig(
    method="oidc",
    oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
    client_id="my-app",
    use_device_flow=False  # Use Authorization Code Flow (opens browser)
)

# Browser will open for authentication
api_client = get_k8s_client(config)

Persistent Token Storage

Store refresh tokens securely in your system keyring:

from kube_authkit import get_k8s_client, AuthConfig

config = AuthConfig(
    method="oidc",
    oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
    client_id="my-app",
    use_keyring=True  # Store tokens in system keyring
)

# First run: Interactive authentication
# Subsequent runs: Uses stored refresh token automatically
api_client = get_k8s_client(config)

Configuration

AuthConfig Options

Parameter Type Default Description
method str "auto" Authentication method: "auto", "kubeconfig", "incluster", "oidc", "openshift"
k8s_api_host str None Kubernetes API server URL (auto-detected if not provided)
oidc_issuer str None OIDC issuer URL (required for OIDC)
client_id str None OIDC client ID (required for OIDC)
client_secret str None OIDC client secret (for confidential clients)
scopes list ["openid"] OIDC scopes to request
use_device_flow bool False Use Device Code Flow instead of Authorization Code Flow
use_keyring bool False Store refresh tokens in system keyring
ca_cert str None Path to custom CA certificate bundle
verify_ssl bool True Verify SSL certificates (disable only for development)

Environment Variables

The library respects these environment variables:

  • KUBECONFIG: Path to kubeconfig file
  • KUBERNETES_SERVICE_HOST: Auto-detected in-cluster (set by Kubernetes)
  • OIDC_ISSUER: OIDC issuer URL
  • OIDC_CLIENT_ID: OIDC client ID
  • OIDC_CLIENT_SECRET: OIDC client secret
  • OPENSHIFT_TOKEN: OpenShift OAuth token

Architecture

This library uses the Strategy Pattern to provide a unified interface across different authentication methods:

AuthFactory (auto-detection)
    ├── KubeConfigStrategy (~/.kube/config)
    ├── InClusterStrategy (Service Account)
    ├── OIDCStrategy (OpenID Connect)
    └── OpenShiftOAuthStrategy (OpenShift OAuth)

Each strategy implements the same interface, making it easy to add new authentication methods in the future.

Security Considerations

  1. TLS Verification: Enabled by default. Only disable for development/testing.
  2. Token Storage: In-memory by default. Use keyring for persistence across sessions.
  3. Logging: No sensitive data (tokens, secrets) is ever logged.
  4. Dependencies: Minimal dependency footprint to reduce supply chain risk.

Development

Setup Development Environment

# Clone repository
git clone https://github.com/openshift/kube-authkit.git
cd kube-authkit

# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install with dev dependencies
pip install -e ".[dev]"

Running Tests

# Run all tests with coverage
pytest

# Run specific test file
pytest tests/test_config.py

# Run with verbose output
pytest -v

# Type checking
mypy src/kube_authkit

# Code formatting
black src/ tests/
ruff check src/ tests/

# Security scanning
bandit -r src/

Examples

See the examples/ directory for complete examples:

  • auto_auth.py - Simple auto-detection
  • oidc_device_flow.py - CLI tool with device flow
  • oidc_auth_code.py - Interactive browser-based auth
  • notebook_usage.py - Jupyter notebook example
  • explicit_config.py - All configuration options
  • custom_ca.py - Custom CA certificate

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

License

Apache License 2.0 - see LICENSE for details.

Support

Acknowledgments

This library wraps and extends the official Kubernetes Python Client to provide simplified authentication workflows for OpenShift AI and Kubernetes environments.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for szaher from gravatar.com szaher

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Kube AuthKit Contributors
  • Tags authentication , k8s , kubeconfig , kubernetes , oauth , oidc , openshift
  • Requires: Python >=3.10
  • Provides-Extra: dev , keyring
Classifiers

Release history Release notifications | RSS feed

0.4.0

0.3.0

0.2.0

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kube_authkit-0.1.0.tar.gz (104.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kube_authkit-0.1.0-py3-none-any.whl (30.3 kB view details)

Uploaded Python 3

File details

Details for the file kube_authkit-0.1.0.tar.gz.

File metadata

  • Download URL: kube_authkit-0.1.0.tar.gz
  • Upload date:
  • Size: 104.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for kube_authkit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 412971b12980e32ce2d9ce9f965b1049de1ef82b199f3d4fa2a155fb55d13c64
MD5 cb4c7b7fec4f3a3a7d696e5a34f76648
BLAKE2b-256 e2a752b5eeedec0b5f5838fc1b00b878b9deb8fbb019be43b164d1be70a74c5e

See more details on using hashes here.

Provenance

The following attestation bundles were made for kube_authkit-0.1.0.tar.gz:

Publisher: publish.yml on opendatahub-io/kube-authkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file kube_authkit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: kube_authkit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 30.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for kube_authkit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a137664ef1a382d54e8d0dc85818eaec67030cb714c1ed36426c6862ae5793e2
MD5 82eee9ae31f3878b7fbb7858c2155b73
BLAKE2b-256 b87732b1a8bc9286d55a67b480443bee831f9f1a58fcfc28e299c80d2d3dd183

See more details on using hashes here.

Provenance

The following attestation bundles were made for kube_authkit-0.1.0-py3-none-any.whl:

Publisher: publish.yml on opendatahub-io/kube-authkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page