What Is Keycloak?
Keycloak provides SSO, identity federation, and fine-grained authorization for applications. It is a CNCF project (donated by Red Hat) and supports OIDC, SAML 2.0, OAuth 2.0, and LDAP/AD integration.
Core Capabilities
- Single Sign-On (SSO) – one login for all applications
- Identity Federation – connect Google, GitHub, LDAP, SAML IdPs
- Fine-grained RBAC – roles, groups, client scopes
- Multi-tenancy – isolated realms per tenant/environment
- Admin console – full web UI for user/role management
- Token exchange – impersonation, cross-realm trust
Kubernetes Deployment
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  namespace: keycloak
spec:
  instances: 3
  hostname:
    hostname: auth.yourdomain.com
  db:
    vendor: postgres
    host: postgres.keycloak.svc
    usernameSecret:
      name: keycloak-db
      key: username
    passwordSecret:
      name: keycloak-db
      key: password
  http:
    tlsSecret: keycloak-tls
  features:
    enabled:
      - docker
      - token-exchange

Integrate with Kubernetes OIDC
# kube-apiserver flags
--oidc-issuer-url=https://auth.yourdomain.com/realms/kubernetes
--oidc-client-id=kubernetes
--oidc-username-claim=preferred_username
--oidc-groups-claim=groups

Now kubectl uses Keycloak tokens:
# kubelogin plugin
kubectl oidc-login setup \
  --oidc-issuer-url=https://auth.yourdomain.com/realms/kubernetes \
  --oidc-client-id=kubernetes

Integrate with ArgoCD
# argocd-cm ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  oidc.config: |
    name: Keycloak
    issuer: https://auth.yourdomain.com/realms/argocd
    clientID: argocd
    # resolved from the argocd-secret Secret; never put the secret value inline here
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]

Integrate with Grafana
[auth.generic_oauth]
enabled = true
name = Keycloak
client_id = grafana
client_secret = xxx
# openid is required for the userinfo endpoint; the groups claim needs a
# group-membership mapper on the grafana client in Keycloak
scopes = openid email profile
auth_url = https://auth.yourdomain.com/realms/monitoring/protocol/openid-connect/auth
token_url = https://auth.yourdomain.com/realms/monitoring/protocol/openid-connect/token
api_url = https://auth.yourdomain.com/realms/monitoring/protocol/openid-connect/userinfo
role_attribute_path = contains(groups[*], 'grafana-admin') && 'Admin' || 'Viewer'

High Availability
┌─────────────────────────────────────────┐
│              Load Balancer              │
└───────┬───────────┬───────────┬─────────┘
        │           │           │
  ┌─────▼───┐  ┌────▼────┐  ┌───▼──────┐
  │Keycloak │  │Keycloak │  │Keycloak  │
  │ Pod 1   │  │ Pod 2   │  │ Pod 3    │
  └────┬────┘  └────┬────┘  └────┬─────┘
       │            │            │
       └────────────┼────────────┘
                    │
           ┌────────▼────────┐
           │   PostgreSQL    │
           │  (HA cluster)   │
           └─────────────────┘

Keycloak uses an Infinispan distributed cache, so sessions are shared across all pods and rolling updates are zero-downtime.
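The kube-apiserver flags and the Grafana role_attribute_path above both rely on a relying party first verifying the Keycloak token and only then reading its claims. The following is an added example, not code from the page, Keycloak, Kubernetes or Grafana: it performs the checks the apiserver flags imply (signature, iss, aud, exp), derives the Kubernetes username and groups from the configured claims, and reproduces the Grafana JMESPath role mapping in plain Python. Real Keycloak tokens are RS256-signed and verified against the realm's JWKS endpoint; to stay standard-library only and run offline, the constructed sample token here is HS256-signed with a constructed secret. Everything else (the issuer URL, client id and claim names) is taken from the page.

```python
"""Added example (not from the page, Keycloak, Kubernetes or Grafana):
the checks a relying party such as kube-apiserver performs on a Keycloak
ID token before trusting its preferred_username / groups claims, plus the
identity mapping the page's flags and role_attribute_path describe.

Real Keycloak tokens are RS256-signed and verified against the realm JWKS.
The constructed demo token here is HS256-signed with a constructed secret so
the block runs offline with the standard library; every other check is the
same."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://auth.yourdomain.com/realms/kubernetes"  # --oidc-issuer-url
CLIENT_ID = "kubernetes"                                   # --oidc-client-id
USERNAME_CLAIM = "preferred_username"                      # --oidc-username-claim
GROUPS_CLAIM = "groups"                                    # --oidc-groups-claim
DEMO_SECRET = b"constructed-demo-hmac-key"                 # constructed, demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT. Constructed sample only; Keycloak mints RS256 tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims if signature, alg, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def token_status(token: str, now: Optional[float] = None) -> str:
    """'ok' or the reason the token was rejected (handy for tests and logs)."""
    try:
        verify_token(token, now)
        return "ok"
    except (ValueError, KeyError, json.JSONDecodeError) as exc:
        return str(exc) or exc.__class__.__name__


def kube_identity(claims: dict, username_prefix: str = "") -> tuple:
    """What the apiserver derives from the configured username/groups claims."""
    return username_prefix + claims[USERNAME_CLAIM], list(claims.get(GROUPS_CLAIM, []))


def grafana_role(claims: dict) -> str:
    """Equivalent of contains(groups[*], 'grafana-admin') && 'Admin' || 'Viewer'."""
    return "Admin" if "grafana-admin" in claims.get("groups", []) else "Viewer"


if __name__ == "__main__":
    # constructed claims for a demo user
    tok = mint_demo_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
                           "preferred_username": "alice",
                           "groups": ["platform", "grafana-admin"]})
    claims = verify_token(tok)
    print(kube_identity(claims), grafana_role(claims))
```

Note that the issuer and audience checks are what stop a valid token from another realm (or one minted for the argocd or grafana client) from being accepted by the Kubernetes API server; with one Keycloak serving several realms, every relying party must pin its own issuer URL and client id exactly as the page's configs do.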
Security Hardening
# Realm settings for production (RealmRepresentation field names, as used in a
# realm export or in a KeycloakRealmImport spec.realm)
bruteForceProtected: true
failureFactor: 5              # lock the account after 5 consecutive failures
waitIncrementSeconds: 60      # lockout grows in 60 s steps
maxFailureWaitSeconds: 900    # capped at 15 minutes
passwordPolicy: "length(12) and upperCase(1) and digit(1) and specialChars(1)"
sslRequired: "all"            # TLS on every request, not only external ones
loginWithEmailAllowed: false
duplicateEmailsAllowed: false
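The passwordPolicy string above is a small language of `term(n)` clauses joined by `and`, each evaluated by a built-in Keycloak policy provider. The block below is an added example, not Keycloak's own code: a parser and checker for that format covering the four terms used on the page (plus `lowerCase`, which Keycloak also provides), so a policy can be tried against candidate passwords before it is applied to a realm. It follows Keycloak's definitions as understood here: `length` is a minimum, and `specialChars` counts characters that are neither letters nor digits; the sample passwords are constructed.

```python
"""Added example (not Keycloak's own code): parse and evaluate a Keycloak
passwordPolicy string such as
    length(12) and upperCase(1) and digit(1) and specialChars(1)
against candidate passwords. Term semantics follow Keycloak's providers as
understood here: each term is a minimum count, specialChars = not alphanumeric."""
import re
from typing import Callable, Dict, List, Tuple

# term name -> predicate(password, n) that is True when the term is satisfied
TERMS: Dict[str, Callable[[str, int], bool]] = {
    "length":       lambda pw, n: len(pw) >= n,
    "upperCase":    lambda pw, n: sum(c.isupper() for c in pw) >= n,
    "lowerCase":    lambda pw, n: sum(c.islower() for c in pw) >= n,
    "digit":        lambda pw, n: sum(c.isdigit() for c in pw) >= n,
    "specialChars": lambda pw, n: sum(not c.isalnum() for c in pw) >= n,
}
_TERM_RE = re.compile(r"^\s*([A-Za-z]+)\((\d+)\)\s*$")

PRODUCTION_POLICY = "length(12) and upperCase(1) and digit(1) and specialChars(1)"


def parse_policy(policy: str) -> List[Tuple[str, int]]:
    """'length(12) and upperCase(1)' -> [('length', 12), ('upperCase', 1)].

    Raises ValueError on a term this checker does not know, so a typo in the
    realm config is caught here rather than silently ignored."""
    parsed = []
    for raw in re.split(r"\s+and\s+", policy.strip()):
        m = _TERM_RE.match(raw)
        if not m or m.group(1) not in TERMS:
            raise ValueError(f"unsupported policy term: {raw!r}")
        parsed.append((m.group(1), int(m.group(2))))
    return parsed


def failing_terms(policy: str, password: str) -> List[str]:
    """Names of the policy terms the password violates; an empty list means accepted."""
    return [f"{name}({n})" for name, n in parse_policy(policy)
            if not TERMS[name](password, n)]


if __name__ == "__main__":
    # constructed sample passwords
    for pw in ["password", "Tr0ub4dor&3", "correct-Horse-battery-7"]:
        print(f"{pw!r}: {failing_terms(PRODUCTION_POLICY, pw) or 'OK'}")
```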