Sections in this category

User Management - SSO/SAML/RBAC*

*Note that SSO and RBAC capabilities are only included with a Kubecost Enterprise Subscription.

Kubecost supports access control/Single Sign On (SSO) with SAML 2.0. Kubecost works with most identity providers including Okta, Auth0, AzureAD, PingID, and KeyCloak.

High-level access control options:

  • User authentication SSO provides a simple mechanism to restrict application access internally and externally
  • Custom access roles Limit users based on attributes or group membership to view a set of namespaces, labels, cluster, or other aggregations
  • Pre-defined user roles
    • admin: full control with permissions to manage users, configure model inputs, and application settings.
    • readonly: user role with read-only permission
    • editor: role can change and build alerts and reports, but cannot edit application settings and otherwise functions as read-only.

Note: All SAML 2.0 providers also work. The above guides can be used as templates for what is required.

Additional troubleshooting guide

Contact us via email ( or join us on Slack if you have questions!

Edit this doc on GitHub