Comment on page

User Management (SAML)

SSO and RBAC are only officially supported on Kubecost Enterprise plans.
Kubecost supports single sign-on (SSO) and role-based access control (RBAC) with SAML 2.0. Kubecost works with most identity providers including Okta, Auth0, Microsoft Entra ID (formerly Azure AD), PingID, and KeyCloak.

Overview of features

  • User authentication (.Values.saml): SSO provides a simple mechanism to restrict application access internally and externally
  • Pre-defined user roles (.Values.saml.rbac):
    • admin: Full control with permissions to manage users, configure model inputs, and application settings.
    • readonly: User role with read-only permission.
    • editor: Role can change and build alerts and reports, but cannot edit application settings and otherwise functions as read-only.
  • Custom access roles (filters.json): Limit users based on attributes or group membership to view a set of namespaces, clusters, or other aggregations
# View setup guides below, for full list of Helm configuration values
enabled: true
secretName: "kubecost-okta"
idpMetadataURL: ""
appRootURL: ""
authTimeout: 1440
audienceURI: ""
nameIDFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
enabled: true
- name: admin
enabled: true
assertionName: "kubecost_group"
- "kubecost_admin"
- "kubecost_superusers"
- name: readonly
enabled: true
assertionName: "kubecost_group"
- "kubecost_users"
- assertionName: "kubecost_group"

SAML setup guides

All SAML 2.0 providers also work. The above guides can be used as templates for what is required.

Using the Kubecost API

When SAML SSO is enabled in Kubecost, ports 9090 and 9003 of service/kubecost-cost-analyzer will require authentication. Therefore user API requests will need to be authenticated with a token. The token can be obtained by logging into the Kubecost UI and copying the token from the browser’s local storage. Alternatively, a long-term token can be issued to users from your identity provider.
curl -L '' \
-H 'Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWRtaW4iLCJncm91cDprdWJlY29zdF9hZG1pbiIsImdyb3VwOmFkbWluQG15Y29tcGFueS5jb20iXSwiZXhwIjoxNjkwMzA2MjYwLjk0OTYyMX0.iLbUuMo0eYhNg0hzv_EEHLIX5Z0du4woPevX3wEnAh8'
For admins, Kubecost additionally exposes an unauthenticated API on port 9004 of service/kubecost-cost-analyzer.
kubectl port-forward service/kubecost-cost-analyzer 9004:9004
curl -L 'localhost:9004/allocation?window=1d'

View your SAML Group

You will be able to view your current SAML Group in the Kubecost UI by selecting Settings from the left navigation, then scrolling to 'SAML Group'. Your access level will be displayed in the 'Current SAML Group' box.

SAML troubleshooting guide

  1. 1.
    Disable SAML and confirm that the cost-analyzer pod starts.
  2. 2.
    If step 1 is successful, but the pod is crashing or never enters the ready state when SAML is added, it is likely that there is panic loading or parsing SAML data.
    kubectl logs deployment/kubecost-cost-analyzer -c cost-model -n kubecost
If you’re supplying the SAML from the address of an Identity Provider Server, curl the SAML metadata endpoint from within the Kubecost pod and ensure that a valid XML EntityDescriptor is being returned and downloaded. The response should be in this format:
$ kubectl exec deployment/kubecost-cost-analyzer -c cost-analyzer-frontend -n kubecost -it -- /bin/sh
$ curl
<EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
<Attribute Name="" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>

Common SAML errors

The URL returns a 404 error or returning HTML
Contact your SAML admin to find the URL on your identity provider that serves the raw XML file.
Returning an EntitiesDescriptor instead of an EntityDescriptor
Certain metadata URLs could potentially return an EntitiesDescriptor, instead of an EntityDescriptor. While Kubecost does not currently support using an EntitiesDescriptor, you can instead copy the EntityDescriptor into a new file you create called metadata.xml:
  • Download the XML from the metadata URL into a file called metadata.xml
  • Copy all the attributes from EntitiesDescriptor to the EntityDescriptor that are not present.
  • Remove the <EntitiesDescriptor> tag from the beginning.
  • Remove the </EntitiesDescriptor> from the end of the XML file.
You are left with data in a similar format to the example below:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="" entityID="kubecost-entity-id">
Then, you can upload the EntityDescriptor to a secret in the same namespace as kubecost and use that directly.
kubectl create secret generic metadata-secret --from-file=./metadata.xml --namespace kubecost
To use this secret, in your helm values set metadataSecretName to the name of the secret created above, and set idpMetadataURL to the empty string:
metadataSecretName: “metadata-secret”
idpMetadataURL: “”
Invalid NameID format
On Keycloak, if you receive an “Invalid NameID format” error, you should set the option “force nameid format” in Keycloak. See Keycloak docs for more details.
Users of CSI driver for storing SAML secret
For users who want to use CSI driver for storing SAML secret, we suggest this guide.
InvalidNameIDPolicy format
An alternative solution is to add an attribute called "SAML_SP_NAME_QUALIFIER" to the connection's attribute contract with a TEXT value of the requested SPNameQualifier. When you do this, select the following for attribute name format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
On the PingID side: specify an attribute contract “SAML_SP_NAME_QUALIFIER” with the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
On the Kubecost side: in your Helm values, set saml.nameIDFormat to the same format set by PingID:
nameIDFormat: “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
Make sure audienceURI and appRootURL match the entityID configured within PingFed.
©2023 Stackwatch, Inc. All rights reserved. Designed & built in California.