-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsaml-rbac-enabled.yaml
More file actions
34 lines (34 loc) · 2.24 KB
/
saml-rbac-enabled.yaml
File metadata and controls
34 lines (34 loc) · 2.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# SAML integration for user management and RBAC, enterprise key required
# Ref: https://github.com/kubecost/docs/blob/main/user-management.md
saml:
enabled: true
secretName: "kubecost-authzero"
#metadataSecretName: "kubecost-authzero-metadata" # One of metadataSecretName or idpMetadataURL must be set. defaults to metadataURL if set
idpMetadataURL: "https://dev-elu2z98r.auth0.com/samlp/metadata/c6nY4M37rBP0qSO1IYIqBPPyIPxLS8v2"
appRootURL: "http://localhost:9090" # sample URL
authTimeout: 1440 # number of minutes the JWT will be valid
redirectURL: "https://dev-elu2z98r.auth0.com/v2/logout" # callback URL redirected to after logout
# audienceURI: "http://localhost:9090" # by convention, the same as the appRootURL, but any string uniquely identifying kubecost to your samp IDP. Optional if you follow the convention
# nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" If your SAML provider requires a specific nameid format
# isGLUUProvider: false # An additional URL parameter must be appended for GLUU providers
# encryptionCertSecret: "kubecost-saml-cert" # k8s secret where the x509 certificate used to encrypt an Okta saml response is stored
# decryptionKeySecret: "kubecost-sank-decryption-key" # k8s secret where the private key associated with the encryptionCertSecret is stored
rbac:
enabled: true
groups:
- name: admin
enabled: false # if admin is disabled, all SAML users will be able to make configuration changes to the kubecost frontend
assertionName: "http://schemas.auth0.com/userType" # a SAML Assertion, one of whose elements has a value that matches on of the values in assertionValues
assertionValues:
- "admin"
- "superusers"
- name: readonly
enabled: false # if readonly is disabled, all users authorized on SAML will default to readonly
assertionName: "http://schemas.auth0.com/userType"
assertionValues:
- "readonly"
- name: editor
enabled: true # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
assertionName: "http://schemas.auth0.com/userType"
assertionValues:
- "editor"