User Management (SAML)
SSO and RBAC are only officially supported on Kubecost Enterprise plans.
Kubecost supports single sign-on (SSO) and role-based access control (RBAC) with SAML 2.0. Kubecost works with most identity providers including Okta, Auth0, Microsoft Entra ID (formerly Azure AD), PingID, and KeyCloak.
Overview of features
User authentication (
.Values.saml
): SSO provides a simple mechanism to restrict application access internally and externallyPre-defined user roles (
.Values.saml.rbac
):admin
: Full control with permissions to manage users, configure model inputs, and application settings.readonly
: User role with read-only permission.editor
: Role can change and build alerts and reports, but cannot edit application settings and otherwise functions as read-only.
Custom access roles (filters.json): Limit users based on attributes or group membership to view a set of namespaces, clusters, or other aggregations
SAML setup guides
All SAML 2.0 providers also work. The above guides can be used as templates for what is required.
Using the Kubecost API
When SAML SSO is enabled in Kubecost, the following ports will require authentication:
service/kubecost-cost-analzyer
: ports 9003 and 9090service/kubecost-aggregator
: port 9004
For admins, Kubecost additionally exposes unauthenticated APIs:
service/kubecost-cost-analyzer
: port 9007
service/kubecost-aggregator
: port 9008
View your SAML Group
You will be able to view your current SAML Group in the Kubecost UI by selecting Settings from the left navigation, then scrolling to 'SAML Group'. Your access level will be displayed in the 'Current SAML Group' box.
Read-only mode
Kubecost's SAML supports read-only mode. This leverages SAML for authentication, then assigns all authenticated users as read-only users. Note, that this overrides any existing RBAC configurations.
Troubleshooting
Disable SAML and confirm the
cost-analyzer
pod starts. IfkubecostAggregator.enabled
is unspecified ortrue
in the values.yaml file, confirm that theaggregator
pod starts.If Step 1 is successful, but the pod is crashing or never enters the ready state when SAML is added, it is likely there is panic when loading or parsing SAML data.
If
kubecostAggregator.enabled
istrue
or unspecified in values.yaml, runkubectl logs statefulsets/kubecost-aggregator
andkubectl logs deploy/kubecost-cost-analyzer
If
kubecostAggregator.enabled
isfalse
in values.yaml, runkubectl logs services/kubecost-aggregator
andkubectl logs deploy/kubecost-cost-analyzer
If you’re supplying the SAML from the address of an Identity Provider Server, curl
the SAML metadata endpoint from within the kubecost
pod and ensure that a valid XML EntityDescriptor is being returned and downloaded. The response should be in this format:
Common SAML errors
The URL returns a 404 error or returning HTML
Contact your SAML admin to find the URL on your identity provider that serves the raw XML file.
Returning an EntitiesDescriptor instead of an EntityDescriptor
Certain metadata URLs could potentially return an EntitiesDescriptor, instead of an EntityDescriptor. While Kubecost does not currently support using an EntitiesDescriptor, you can instead copy the EntityDescriptor into a new file you create called metadata.xml:
Download the XML from the metadata URL into a file called metadata.xml
Copy all the attributes from
EntitiesDescriptor
to theEntityDescriptor
that are not present.Remove the
<EntitiesDescriptor>
tag from the beginning.Remove the
</EntitiesDescriptor>
from the end of the XML file.
You are left with data in a similar format to the example below:
Then, you can upload the EntityDescriptor to a secret in the same namespace as kubecost and use that directly.
kubectl create secret generic metadata-secret --from-file=./metadata.xml --namespace kubecost
To use this secret, in your helm values set metadataSecretName to the name of the secret created above, and set idpMetadataURL to the empty string:
Invalid NameID format
On Keycloak, if you receive an “Invalid NameID format” error, you should set the option “force nameid format” in Keycloak. See Keycloak docs for more details.
Users of CSI driver for storing SAML secret
For users who want to use CSI driver for storing SAML secret, we suggest this guide.
InvalidNameIDPolicy format
From a PingIdentity article:
An alternative solution is to add an attribute called "SAML_SP_NAME_QUALIFIER" to the connection's attribute contract with a TEXT value of the requested SPNameQualifier. When you do this, select the following for attribute name format:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
On the PingID side: specify an attribute contract “SAML_SP_NAME_QUALIFIER” with the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
.
On the Kubecost side: in your Helm values, set saml.nameIDFormat
to the same format set by PingID:
Make sure audienceURI
and appRootURL
match the entityID configured within PingFed.
Last updated