OIDC Login

The PSKE dashboard and Gardener API support login via OIDC with two-factor authentication (2FA). Access is granted per project and must be requested once via a service request.

Prerequisites

  1. Set up 2FA in the customer portal — active 2FA is required for OIDC login.
  2. Request access — submit a list of users via service request who should have access to the PSKE project. The PSKE team will configure the necessary permissions and confirm once complete.

Dashboard Login

  1. In the PSKE dashboard, select the OIDC tab and click Login.
  2. In the PlusIDM login screen, select PS-IDM.
  3. Sign in with your credentials (email + 2FA).

kubectl Access to the Gardener API

OIDC login grants access to the Gardener API (managing projects and shoots). Access to individual shoot clusters requires a separate kubeconfig for that cluster.

Prerequisite: Install the oidc-login Plugin

kubectl krew install oidc-login

Installation guide: https://github.com/int128/kubelogin

Prepare the Kubeconfig

  1. Download the kubeconfig for your user from the PSKE dashboard under Members.
  2. Replace the users section in the downloaded kubeconfig with the following:
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://identity.prod.gardener.get-cloud.io
      - --oidc-client-id=kube-kubectl
      - --oidc-extra-scope=email
      - --oidc-extra-scope=profile
      - --oidc-extra-scope=groups
      command: kubectl
      env: null
      interactiveMode: Never
      provideClusterInfo: false
  3. Update the context entry to reference the new user oidc.

On the first kubectl call, a browser window will open automatically for authentication.
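Steps 2 and 3 above done programmatically, as an added example that is not part of the page or of the PSKE tooling: it splices the page's users block (issuer URL and client ID as given above) into a downloaded kubeconfig and repoints every context at the oidc user, leaving the cluster entry and its CA data exactly as downloaded. The sample kubeconfig is constructed; a real one is handled the same way as long as its contexts are written in block style.

```python
import re
# users block from the page, spliced in verbatim
OIDC_USERS_BLOCK = """users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://identity.prod.gardener.get-cloud.io
      - --oidc-client-id=kube-kubectl
      - --oidc-extra-scope=email
      - --oidc-extra-scope=profile
      - --oidc-extra-scope=groups
      command: kubectl
      env: null
      interactiveMode: Never
      provideClusterInfo: false
"""

# Constructed sample standing in for a kubeconfig downloaded under Members.
SAMPLE_KUBECONFIG = """apiVersion: v1
clusters:
- {name: garden, cluster: {server: https://garden.example.invalid}}
contexts:
- name: garden
  context:
    cluster: garden
    user: alice
current-context: garden
users:
- {name: alice, user: {token: CONSTRUCTED-STATIC-TOKEN}}
"""

def top_level_span(text, key):
    """(start, end) of the top-level `key:` block: its line plus the indented, list and blank lines after it."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*\n(?:(?:[ \t-].*)?\n)*", text, re.M)
    if m is None:
        raise ValueError(f"kubeconfig has no top-level '{key}:' section")
    return m.start(), m.end()

def patch_kubeconfig(text):
    """Steps 2 and 3: swap in the OIDC user, then point every context at it (clusters stay untouched)."""
    text = text if text.endswith("\n") else text + "\n"
    s, e = top_level_span(text, "users")
    text = text[:s] + OIDC_USERS_BLOCK + text[e:]
    s, e = top_level_span(text, "contexts")
    # only `user: <value>` lines inside contexts; the users block itself has a bare `user:` key
    ctx = re.sub(r"^([ \t]+user:)[ \t]*\S.*$", r"\1 oidc", text[s:e], flags=re.M)
    return text[:s] + ctx + text[e:]
```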

Token Validity

  Token            Validity
  ID Token         24 hours
  Access Token     24 hours
  Refresh Token    24 hours

Re-authentication is required after expiry.

Account Deactivated?

When a user is deactivated, new logins are immediately blocked. Already issued tokens remain valid until their regular expiry — after 24 hours at most, access is fully terminated.