User Management (SSO/OIDC)
OIDC and RBAC are only officially supported on Kubecost Enterprise plans.
The OIDC integration in Kubecost is fulfilled via the
.Values.oidc
configuration parameters in the Helm chart.# EXAMPLE CONFIGURATION
# View setup guides below, for full list of Helm configuration values
oidc:
enabled: true
useIDToken: false # Set to 'true' for IdP's that use an 'id_token' cookie
clientID: ""
clientSecret: ""
secretName: "kubecost-oidc-secret"
authURL: "https://my.auth.server/authorize"
loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize"
discoveryURL: "https://my.auth.server/.well-known/openid-configuration"
rbac:
enabled: false
groups:
- name: admin
enabled: false
claimName: "roles"
claimValues:
- "admin"
- "superusers"
- name: readonly
enabled: false
claimName: "roles"
claimValues:
- "readonly"
authURL
may require additional request parameters depending on the provider. Some commonly required parameters are client_id=***
and response_type=code
. Please check the provider documentation for more information.Please refer to the following references to find out more about how to configure the Helm parameters to suit each OIDC identiy provider integration.
Auth0 does not support Introspection; therefore we can only validate the access token by calling /userinfo within our current remote token validation flow. This will cause the Kubecost UI to not function under an Auth0 integration, as it makes a large number of continuous calls to load the various components on the page and the Auth0 /userinfo endpoint is rate limited. Independent calls against Kubecost endpoints (eg. via cURL or Postman) should still be supported.
Once the Kubecost application has been successfully integrated with OIDC, we will expect requests to Kubecost endpoints to contain the JWT access token, either:
- as a cookie named
token
, or - as a cookie named
id_token
(Set.Values.oidc.useIDToken = true
), or - as part of the Authorization header
Bearer token
The token is then validated remotely in one of two ways:
- 1.POST request to Introspect URL configured by identity provider
- 2.If no Introspect URL configured, GET request to /userinfo configured by identity provider
This parameter is only supported if using the Google OAuth 2.0 identity provider
If the
hostedDomain
parameter is configured in the Helm chart, the application will deny access to users for which the identified domain is not equal to the specified domain. The domain is read from the hd
claim in the ID token commonly returned alongside the access token.If the domain is configured alongside the access token, then requests should contain the JWT ID token, either:
- as a cookie named
id_token
, or - as part of an
Identification
header.
The JWT ID token must contain a field (claim) named
hd
with the desired domain value. We verify that the token has been properly signed (using provider certificates) and has not expired before processing the claim.To remove a previously set Helm value, you will need to set the value to an empty string:
.Values.oidc.hostedDomain = ""
. To validate that the config has been removed, you can check the /var/configs/oidc/oidc.json
inside the cost-model container.Use your browser's devtools to observe network requests made between you, your Identity Provider, and your Kubecost. Pay close attention to cookies, and headers.
kubectl logs deploy/kubecost-cost-analyzer
- Search for
oidc
in your logs to follow events - Pay attention to any
WRN
related to OIDC - Search for
Token Response
, and try decoding both theaccess_token
andid_token
to ensure they are well formed (https://jwt.io/)
kubecostModel:
extraEnv:
- name: LOG_LEVEL
value: debug