We have used Keycloak extensively and I can confidently say that it supports all the features that you have listed. Moreover, Keycloak also supports extension with SPIs which even allowed us to develop some very customised authentication flows which wouldn’t be possible with most IDPs. Unless you really need that enterprise support provided by Okta and you can manage Keycloak on your own, you can easily go with Keycloak and save some cash.
Keycloak also runs well on a container. You could use the official image from JBoss’s DockerHub or the one that’s made by Bitnami. The Bitnami one offers some extra options. Helm Charts are available from Codecentric and Bitnami (for the JBoss and Bitnami version, respectively), so it’s pretty easy to get them running on your Kubernetes cluster, if you have one to use.