Description
We can connect to our GKE clusters with Workload Identity, which is now deprecated by Google. New clusters won't be able to enable it on the 1st of July 2025, so I am trying to set up Workforce Identity Federation.
I can also connect to a brand new cluster with gke-gcloud-auth-plugin credentials.
I followed the steps in Okta and GCP and tried almost everything to make it work. I get a token with a groups claim, everything seems to match, I can log in to the GCP Console with the Workforce Federation auth link and navigate the console using the Okta identity. In the GCP console, I can view and edit GKE clusters, even deploy workloads on clusters, so I doubt this issue is on IAM or RBAC.
Trying to use kubectl, I get this error:
error: You must be logged in to the server (Unauthorized)
Tried various settings combinations on Okta and Workforce Federation. Here are my kubeconfig settings:
- oidc-login
- get-token
- --oidc-issuer-url=https://<org>.okta.com/oauth2/<redacted>
- --oidc-pkce-method=auto
- --oidc-use-access-token=true
- --oidc-client-secret=<redacted>
- --oidc-client-id=<redacted>
- --oidc-extra-scope=email
- --oidc-extra-scope=offline_access
- --oidc-extra-scope=profile
- --oidc-extra-scope=openid
- --v=1
- --force-refresh
This leaves me this plugin to explore. Is there a known issue that would prevent it from working, or did anybody else encounter the same issue?
Your environment
OS: EndeavourOs on 6.12.8-arch1-1
kubelogin version: 1.32.2
kubectl version: 1.32.0
OpenID Connect provider: Okta
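One way to see why an API server answers Unauthorized is to decode the token kubectl actually presents and compare its claims with what a Kubernetes OIDC authenticator checks (issuer, audience containing the client ID, expiry, username and groups claims). This is an added example, not code from the issue or from kubelogin; the issuer URL, client ID and token are constructed placeholders.

```python
"""Decode an OIDC token and list the claim mismatches an API server would reject.

Assumption (not from the issue): the authenticator requires iss to equal the
configured issuer, aud to contain the client ID, exp to be in the future, and
the username and groups claims to be present. The token built here is
constructed and unsigned; signature verification is out of scope.
"""
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_claims(claims: dict, issuer: str, client_id: str,
                 username_claim: str = "email", groups_claim: str = "groups",
                 now=None) -> list:
    """List the mismatches that make an OIDC authenticator reject the token."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain client id {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if username_claim not in claims:
        problems.append(f"username claim {username_claim!r} missing")
    if groups_claim not in claims:
        problems.append(f"groups claim {groups_claim!r} missing")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline testing."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

With `--oidc-use-access-token=true` kubelogin sends the access token rather than the ID token, and an access token's aud is set by the authorization server, so it need not equal the client ID; the decoded aud is the first thing worth comparing.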