This guide will take you through configuring OIDC for Kubecost using a Microsoft Entra ID (formerly Azure AD) integration for SSO and RBAC.

Prerequisites

Before following this guide, ensure that:

• Kubecost is already installed

• Kubecost is accessible via a TLS-enabled ingress

• You are established as a Cloud Application Administrator in Microsoft. This may otherwise prevent you from accessing certain features required in this tutorial.

Entra ID OIDC configuration

Step 1: Registering your application in Entra ID

1. In the Microsoft Entra admin center, select Microsoft Entra ID (Azure AD).

2. In the left navigation, select Applications > App registrations. Then, on the App registrations page, select New registration.

3. Select an appropriate name, and provide supported account types for your app.

4. To configure Redirect URI, select Web from the dropdown, then provide the URI as https://{your-kubecost-address}/model/oidc/authorize.

5. Select Register at the bottom of the page to finalize your changes.

Step 2: Configuring values.yaml

1. After creating your application, you should be taken directly to the app's Overview page. If not, return to the App registrations page, then select the application you just created.

2. On the Overview page for your application, obtain the Application (client) ID and the Directory (tenant) ID. These will be needed in a later step.

3. Next to 'Client credentials', select Add a certificate or secret. The 'Certificates & secrets' page opens.

4. Select New client secret. Provide a description and expiration time, then select Add.

5. Obtain the value created with your secret.

6. Add the three saved values, as well as any other values required relating to your Kubecost/Microsoft account details, into the following values.yaml template:

# values.yaml
oidc:
  enabled: true
  useIDToken: true
  clientID: "{APPLICATION_CLIENT_ID}"
  clientSecret: "{CLIENT_CREDENTIALS} > {SECRET_VALUE}"
  secretName: "kubecost-oidc-secret"
  authURL: "https://login.microsoftonline.com/{YOUR_TENANT_ID}/oauth2/v2.0/authorize?client_id={YOUR_CLIENT_ID}&response_type=code&scope=openid&nonce=123456"
  loginRedirectURL: "https://{YOUR_KUBECOST_DOMAIN}/model/oidc/authorize"
  discoveryURL: "https://login.microsoftonline.com/{YOUR_TENANT_ID}/v2.0/.well-known/openid-configuration"

  authURL: "https://login.microsoftonline.com/{YOUR_TENANT_ID}/oauth2/v2.0/authorize?client_id={YOUR_CLIENT_ID}&response_type=code&scope=openid&nonce=123456&redirect_uri=https%3A%2F%2F{YOUR_KUBECOST_DOMAIN}/model/oidc/authorize"

Step 3 (optional): Configuring RBAC

First, you need to configure an admin role for your app. For more information on this step, see Microsoft's documentation.

1. Return to the Overview page for the application you created in Step 1.

2. Select App roles > Create app role. Provide the following values:

• Display name: admin

• Allowed member types: Users/Groups

• Value: admin

• Description: Admins have read/write permissions via the Kubecost frontend (or provide a custom description as needed)

• Do you want to enable this app role?: Select the checkbox

1. Select Apply.

Then, you need to attach the role you just created to users and groups.

1. In the Azure AD left navigation, select Applications > Enterprise applications. Select the application you created in Step 1.

2. Select Users & groups.

3. Select Add user/group. Select the desired group. Select the admin role you created, or another relevant role. Then, select Assign to finalize changes.

4. Update your existing values.yaml with this template:

oidc:
  enabled: true
  # THIS IS REQUIRED FOR AZURE. Azure communicates roles via the id_token instead of the access_token.
  useIDToken: true
  rbac:
    enabled: true
    groups:
      - name: admin
        # If admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend
        enabled: true
        # SET THIS EXACT VALUE FOR ENTRA ID. This is the string Entra ID uses in its OIDC tokens.
        claimName: "roles"
        # These strings need to exactly match with the app roles created in Entra ID
        claimValues:
          - "admins"
          - "superusers"
      - name: readonly
        # If readonly is disabled, all authenticated users will default to readonly
        enabled: true
        claimName: "roles"
        claimValues:
          - "readonly"

Troubleshooting

Option 1: Inspect all network requests made by browser

Use your browser's devtools to observe network requests made between you, your Identity Provider, and Kubecost. Pay close attention to cookies and headers.

Option 2: Review logs, and decode your JWT tokens

Run the following command:

kubectl logs deploy/kubecost-cost-analyzer

Search for oidc in your logs to follow events. Pay attention to any WRN related to OIDC. Search for Token Response, and try decoding both the access_token and id_token to ensure they are well formed. Learn more about JSON web tokens.

Option 3: Enable debug logs for more granularity on what is failing

You can find more details on these flags in Kubecost's cost-analyzer-helm-chart repo README.

kubecostModel:
  extraEnv:
    - name: LOG_LEVEL
      value: debug

Gluu is an open-source Identity and Access Management (IAM) platform that can be used to authenticate and authorize users for applications and services. It can be configured to use the OpenID Connect (OIDC) protocol, which is an authentication layer built on top of OAuth 2.0 that allows applications to verify the identity of users and obtain basic profile information about them.

To configure a Gluu server with OIDC, you will need to install and set up the Gluu server software on a suitable host machine. This will typically involve performing the following steps:

1. Install the necessary dependencies and packages.

2. Download and extract the Gluu server software package.

3. Run the installation script to set up the Gluu server.

4. Configure the Gluu server by modifying the /etc/gluu/conf/gluu.properties file and setting the values for various properties, such as the hostname, LDAP bind password, and OAuth keys.

5. Start the Gluu server by running the /etc/init.d/gluu-serverd start command.

   You can read for more detailed help with these steps.

   Note: Later versions of Gluu Server also support deployment to Kubernetes environments. You can read more about their Kubernetes support .

   Once the Gluu server is up and running, you can connect it to a Kubecost cluster by performing the following steps:

6. Obtain the OIDC client ID and client secret for the Gluu server. These can be found in the /etc/gluu/conf/gluu.properties file under the oxAuthClientId and oxAuthClientPassword properties, respectively.
7. In the Kubecost cluster, create a new OIDC identity provider by running kubectl apply -f oidc-provider.yaml command, where oidc-provider.yaml is a configuration file that specifies the OIDC client ID and client secret, as well as the issuer URL and authorization and token endpoints for the Gluu server.

   In this file, you will need to replace the following placeholders with the appropriate values:

   • <OIDC_CLIENT_ID>: The OIDC client ID for the Gluu server. This can be found in the /etc/gluu/conf/gluu.properties file under the oxAuthClientId property.

   • <OIDC_CLIENT_SECRET>: The OIDC client secret for the Gluu server. This can be found in the /etc/gluu/conf/gluu.properties file under the oxAuthClientPassword property.

   • <GLUU_SERVER_HOSTNAME>: The hostname of the Gluu server.

   • <BASE64_ENCODED_OIDC_CLIENT_ID>: The OIDC client ID, encoded in base64.

   • <BASE64_ENCODED_OIDC_CLIENT_SECRET>: The OIDC client secret, encoded in base64.

8. Set up a Kubernetes service account and bind it to the OIDC identity provider. This can be done by running the kubectl apply -f service-account.yaml command, where service-account.yaml is a configuration file that specifies the name of the service account and the OIDC identity provider.

   In this file, you will need to replace the following placeholders with the appropriate values:

   • <SERVICE_ACCOUNT_NAME>: The name of the service account. This can be any name that you choose.

   • <GLUU_SERVER_HOSTNAME>: The hostname of the Gluu server.

   • <OIDC_CLIENT_ID>: The OIDC client ID for the Gluu server. This can be found in the /etc/gluu/conf/gluu.properties file under the oxAuthClientId property.

   Note: You should also ensure that the kubernetes.io/oidc-issuer-url, kubernetes.io/oidc-client-id, kubernetes.io/oidc-username-claim, and kubernetes.io/oidc-groups-claim annotations are set to the correct values for your Gluu server and configuration. These annotations specify the issuer URL and client ID for the OIDC identity provider, as well as the claims to use for the username and group membership of authenticated users.

Once these steps are completed, the Gluu server should be configured to use OIDC and connected to the Kubecost cluster, allowing users to authenticate and authorize themselves using their Gluu credentials.

Overview of features

The OIDC integration in Kubecost is fulfilled via the .Values.oidc configuration parameters in the Helm chart.

# EXAMPLE CONFIGURATION
# View setup guides below, for full list of Helm configuration values
oidc:
  enabled: true
  useIDToken: false # Set to 'true' for IdP's that use an 'id_token' cookie
  clientID: ""
  clientSecret: ""
  secretName: "kubecost-oidc-secret"
  authURL: "https://my.auth.server/authorize"
  loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize"
  discoveryURL: "https://my.auth.server/.well-known/openid-configuration"
  skipOnlineTokenValidation: false # Set to 'true' to skip online token validation and attempt to locally validate JWT claims
  rbac:
    enabled: false
    groups:
      - name: admin
        enabled: false
        claimName: "roles"
        claimValues:
          - "admin"
          - "superusers"
      - name: readonly
        enabled: false
        claimName:  "roles"
        claimValues:
          - "readonly"

Setup guides

• Microsoft Entra ID (formerly Azure AD) guide

• Configure Keycloak Identity Provider for Kubecost

• Gluu Server with OIDC Configuration Guide

Supported identity providers

Please refer to the following references to find out more about how to configure the Helm parameters to suit each OIDC identity provider integration.

• Auth0 docs

• Azure docs

• Gluu docs

• Keycloak

• Google OAuth 2.0 docs

• Okta docs

Token validation

Once the Kubecost application has been successfully integrated with OIDC, we will expect requests to Kubecost endpoints to contain the JWT access token, either:

• As a cookie named token,

• As a cookie named id_token (Set .Values.oidc.useIDToken = true),

• Or as part of the Authorization header Bearer token

The token is then validated remotely in one of two ways:

1. POST request to Introspect URL configured by identity provider

2. If no Introspect URL configured, GET request to /userinfo configured by identity provider

If skipOnlineTokenValidation is set to true, Kubecost will skip accessing the OIDC introspection endpoint for online token validation and will instead attempt to locally validate the JWT claims.

Hosted domain

If the hostedDomain parameter is configured in the Helm chart, the application will deny access to users for which the identified domain is not equal to the specified domain. The domain is read from the hd claim in the ID token commonly returned alongside the access token.

If the domain is configured alongside the access token, then requests should contain the JWT ID token, either:

• As a cookie named id_token

• As part of an Identification header

The JWT ID token must contain a field (claim) named hd with the desired domain value. We verify that the token has been properly signed (using provider certificates) and has not expired before processing the claim.

To remove a previously set Helm value, you will need to set the value to an empty string: .Values.oidc.hostedDomain = "". To validate that the config has been removed, you can check the /var/configs/oidc/oidc.json inside the cost-model container.

Read-only mode

Kubecost's OIDC supports read-only mode. This leverages OIDC for authentication, then assigns all authenticated users as read-only users.

oidc:
  enabled: true
readonly: true

Troubleshooting

Option 1: Inspect all network requests made by browser

Use your browser's devtools to observe network requests made between you, your Identity Provider, and your Kubecost. Pay close attention to cookies, and headers.

Option 2: Review logs, and decode your JWT tokens

kubectl logs deploy/kubecost-cost-analyzer

• Search for oidc in your logs to follow events

• Pay attention to any WRN related to OIDC

• Search for Token Response, and try decoding both the access_token and id_token to ensure they are well formed (https://jwt.io/)

Option 3: Enable debug logs for more granularity on what is failing

Code reference for the below example can be found here.

kubecostModel:
  extraEnv:
    - name: LOG_LEVEL
      value: debug

For further assistance, reach out to support@kubecost.com and provide both logs and a HAR file.

1. Create a new .

2. Navigate to Realm Settings > General > Endpoints > OpenID Endpoint Configuration > Clients.

3. Select Create to add Kubecost to the list of clients. Define a clientID. Ensure the Client Protocol is set to openid-connect.

4. Select your newly created client, then go to Settings.

   1. Set Access Type to confidential.

   2. Set Valid Redirect URIs to http://YOUR_KUBECOST_ADDRESS/model/oidc/authorize.

   3. Set Base URL to http://YOUR_KUBECOST_ADDRESS.

The for Keycloak should be as follows: