-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathoidc-rbac.yaml
More file actions
28 lines (28 loc) · 1.71 KB
/
oidc-rbac.yaml
File metadata and controls
28 lines (28 loc) · 1.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
oidc:
enabled: true
clientID: "" # application/client client_id paramter obtained from provider, used to make requests to server
clientSecret: "" # application/client client_secret paramter obtained from provider, used to make requests to server
secretName: "kubecost-oidc-secret" # k8s secret where clientsecret will be stored
authURL: "https://my.auth.server/authorize" # endpoint for login to auth server
loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize" # Kubecost url configured in provider for redirect after authentication
discoveryURL: "https://my.auth.server/.well-known/openid-configuration" # url for OIDC endpoint discovery
# hostedDomain: "example.com" # optional, blocks access to the auth domain specified in the hd claim of the provider ID token
rbac:
enabled: true
groups:
- name: admin
enabled: false # if admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend
claimName: "roles" # Kubecost matches this string against the JWT's payload key containing RBAC info (this value is unique across identity providers)
claimValues: # Kubecost matches these strings with the roles created in your identity provider
- "admin"
- "superusers"
- name: readonly
enabled: false # if readonly is disabled, all authenticated users will default to readonly
claimName: "roles"
claimValues:
- "readonly"
- name: editor
enabled: false # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
claimName: "roles"
claimValues:
- "editor"