oidc-client-secret in kubeconfig.yaml, how secure is it?

[ktzsolt]

Describe the question

I have set up kubelogin with (onprem) gitlab, all is working fine, I get this in my kubeconfig.yaml:

users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://mygitlab.com
      - --oidc-client-id=...
      - --oidc-client-secret=....
      - --oidc-extra-scope=email

The set up procedure says that I can share this kubeconfig with my team, and it works fine with rolebindings as it is supposed.

I have set scopes only for openid, profile, email:

My question is how secure is it to share this kubeconfig file that includes the oidc-client-id and oidc-client-secret. If the secret gets compromised (e.g.: pushed to a public repo ) can it be used to do harm in any way?

Thank you!

Your environment

• OS: ubuntu
• kubelogin version: v1.28.0
• kubectl version: v1.26.3
• OpenID Connect provider: gitlab (self hosted)

[davidfrickert]

If you commit that to a repo then the client essentially becomes a public client. In these cases, where the secret cannot be safely protected you should use --oidc-use-pkce. It should be fine.

[ktzsolt]

Hi @davidfrickert!

I replaced the - --oidc-client-secret=... to - --oidc-use-pkce and rm -rf the ~/.kube/cache dir and the auth works, thanks!