OCL does an automatic login to an OpenShift cluster. It fetches cluster information from app-interface and performs a login via Red Hat SSO.
You can install this tool from PyPI with pip:
python3 -m pip install openshift-cluster-loginor install it with uv:
uv tool install openshift-cluster-loginYou can also use uv to run the tool without installing it:
uvx openshift-cluster-loginocl
This spawns a new shell with the following environment variables set:
KUBECONFIG- path to kubeconfig fileOCL_CLUSTER_NAME- cluster nameOCL_CLUSTER_CONSOLE- url to cluster console
OCL can act as a kubectl exec credential plugin, allowing kubectl to transparently fetch and refresh credentials without a separate login step.
One-time setup:
ocl --import-cluster <cluster>This adds the cluster to ~/.kube/config and creates a shared ocl user entry (if not already present) that all imported contexts reference. After that, any kubectl command against the cluster works directly — OCL handles authentication in the background.
To import all clusters at once:
ocl --import-clustersUse --overwrite to update existing entries.
How it works:
kubectl calls ocl --get-token whenever it needs credentials. OCL reads the cluster's server URL from the KUBERNETES_EXEC_INFO environment variable that kubectl sets, looks up the matching cluster, checks its token cache, validates via oc whoami if needed, re-authenticates if expired, and returns an ExecCredential JSON. Tokens are cached and revalidated at most once every 5 minutes to avoid per-command overhead.
Because all imported contexts share a single ocl user entry, running ocl --import-clusters is a true one-time setup — no per-cluster credential configuration required.
OCL currently provides the following features (get help with --help):
- OpenShift console login (
oc login) via GitHub or Red Hat authentication - kubectl exec credential plugin (
--get-token,--import-cluster,--import-clusters) - Get cluster and namespace information from app-interface or user-defined (
OCL_USER_CLUSTERS) - Open the OpenShift console in the browser (
--open-in-browser) - Star your most often used namespaces
Ctrl+Sin the UI - Shell completion (
--install-completion,--show-completion) - Credentials via environment variables or shell command (e.g., 1password CLI)
- Cache App-Interface queries (via GraphQL) for one week
| Variable Name | Description | Default |
|---|---|---|
| OCL_APP_INTERFACE_URL OCL_APP_INTERFACE_URL_COMMAND | App-Interface URL | |
| OCL_APP_INT_TOKEN OCL_APP_INT_TOKEN_COMMAND | App-Interface authentication token [optional] | |
| OCL_USER_CLUSTERS OCL_USER_CLUSTERS_COMMAND | User defined clusters as json format (e.g. [{"name": "local-kind", "serverUrl": "https://localhost:6443", "consoleUrl": "not available}]) |
"[]" |
| OCL_CACHE_TIMEOUT_MINUTES | GraphQL cache timeout in minutes | 1 hour |
| OCL_HISTORY | Enable/Disable the usage of the last selected namespace | enabled |
| OCL_CSS_PATH | Path to custom Textual CSS file |
You can either set a variable, e.g. export OCL_GITHUB_USERNAME="mail@example.com" or retrieve it via a command, e.g. export OCL_GITHUB_USERNAME_COMMAND="op read op://Private/Github/username".
If a variable is not set but needed, OCL will ask for it interactively.
OCL retrieves the cluster information from app-interface via GraphQL (OCL_APP_INTERFACE_URL) and caches them
in your user cache directory (on MacOS, e.g., ~/Library/Caches/ocl/gql_cache/).
Remove this directory to force a refresh.
- Kerberos authentication only
- Works only with a Red Hat associate account
