User Management - SSO/SAML/RBAC*

Note: SSO and RBAC capabilities are only included with a Kubecost Enterprise Subscription.
Kubecost supports Single Sign On (SSO) and Role Based Access Control (RBAC) with SAML 2.0. Kubecost works with most identity providers including Okta, Auth0, AzureAD, PingID, and KeyCloak.

Overview of features

  • User authentication (.Values.saml): SSO provides a simple mechanism to restrict application access internally and externally
  • Pre-defined user roles (.Values.saml.rbac):
    • admin: Full control with permissions to manage users, configure model inputs, and application settings.
    • readonly: User role with read-only permission.
    • editor: Role can change and build alerts and reports, but cannot edit application settings and otherwise functions as read-only.
  • Custom access roles (filters.json): Limit users based on attributes or group membership to view a set of namespaces, clusters, or other aggregations
# View setup guides below, for full list of Helm configuration values
enabled: true
secretName: "kubecost-okta"
idpMetadataURL: ""
appRootURL: ""
authTimeout: 1440
audienceURI: ""
nameIDFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
enabled: true
- name: admin
enabled: true
assertionName: "kubecost_group"
- "kubecost_admin"
- "kubecost_superusers"
- name: readonly
enabled: true
assertionName: "kubecost_group"
- "kubecost_users"
- assertionName: "kubecost_group"

Setup guides

Note: All SAML 2.0 providers also work. The above guides can be used as templates for what is required.

SAML troubleshooting guide

  1. 1.
    Disable SAML and confirm that the cost-analyzer pod starts.
  2. 2.
    If step 1 is successful, but the pod is crashing or never enters the ready state when SAML is added, it is likely that there is panic loading or parsing SAML data.
    kubectl logs deployment/kubecost-cost-analyzer -c cost-model -n kubecost
If you’re supplying the SAML from the address of an Identity Provider Server, curl the SAML metadata endpoint from within the Kubecost pod and ensure that a valid XML EntityDescriptor is being returned and downloaded. The response should be in this format:
$ kubectl exec deployment/kubecost-cost-analyzer -c cost-analyzer-frontend -n kubecost -it -- /bin/sh
$ curl
<EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Common SAML error states are as follows:

The URL returns a 404 error or returning HTML
Contact your SAML admin to find the URL on your identity provider that serves the raw XML file.
Returning an EntitiesDescriptor instead of an EntityDescriptor
Certain metadata URLs could potentially return an EntitiesDescriptor, instead of an EntityDescriptor. While Kubecost does not currently support using an EntitiesDescriptor, you can instead copy the EntityDescriptor into a new file you create called metadata.xml:
  • Download the XML from the metadata URL into a file called metadata.xml
  • Copy all the attributes from EntitiesDescriptor to the EntityDescriptor that are not present.
  • Remove the <EntitiesDescriptor> tag from the beginning.
  • Remove the </EntitiesDescriptor> from the end of the XML file.
You are left with data in a similar format to the example below:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="" entityID="kubecost-entity-id">
Then, you can upload the EntityDescriptor to a secret in the same namespace as kubecost and use that directly.
kubectl create secret generic metadata-secret --from-file=./metadata.xml --namespace kubecost
To use this secret, in your helm values set metadataSecretName to the name of the secret created above, and set idpMetadataURL to the empty string:
metadataSecretName: “metadata-secret”
idpMetadataURL: “”
Invalid NameID format
On Keycloak, if you receive an “Invalid NameID format” error, you should set the option “force nameid format” in Keycloak. See Keycloak docs for more details.
Users of CSI driver for storing SAML secret
For users who want to use CSI driver for storing SAML secret, we suggest this guide.
InvalidNameIDPolicy format
From the following PingIdentity article:
An alternative solution is to add an attribute called "SAML_SP_NAME_QUALIFIER" to the connection's attribute contract with a TEXT value of the requested SPNameQualifier. When you do this, select the following for attribute name format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
On the PingID side: specify an attribute contract “SAML_SP_NAME_QUALIFIER” with the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
On the Kubecost side: in your Helm values, set saml.nameIDFormat to the same format set by PingID:
nameIDFormat: “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
Make sure audienceURI and appRootURL match the entityID configured within PingFed.