Kubernetes API with OIDC in Auth0

Hi,

I’ve successfully setup my local Kubernetes cluster’ Kube API to use OIDC towards an Auth0 managed API. I can access my cluster with kubectl using the OIDC credentials. Now, I wanted to test the scenario, in which I would revoke/deny access of my user to access the Auth0 API. I therefore blocked the user in Auth0 and removed permission to the API - but kubectl remains to work - which is not what I have expected. How should this usually work?

As a help, below I mention the configuration I have done:

In Auth0:

  • having an API with an Application (Machine to Machine)
  • having a user myuser@mydomain.com with permission to the API

This is the users configuration in kube config file:

- name: myuser@mydomain.com
  user:
    auth-provider:
      config:
        client-id: <my-client-id>
        client-secret: <my-client-secret>
        id-token: <my-id-token>
        idp-issuer-url: https://myorganization.eu.auth0.com/
        refresh-token: <my-refresh-token>
      name: oidc

Starting the Kube API server has followingn parameters:

# Open ID Connect (OIDC)
--oidc-issuer-url=https://myorganization.auth0.com/
--oidc-client-id=<my-client-id>
--oidc-username-claim=email
--oidc-username-prefix=oidc:
--oidc-groups-prefix=oidc:
#~Open ID Connect (OIDC)

In Kubernetes, I’ve created the following ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-admin-role
subjects:
- kind: User
  name: "oidc:myuser@mydomain.ch"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Regards