How to Integrate K9s with Keycloak for Secure and Seamless Kubernetes Access

K9s is the command-line lens into your Kubernetes clusters. Keycloak is the fortress standing guard over your authentication and identity. Put them together, and you get speed with security—if you configure them right. That’s the trick: right means no secret files floating around, no manual token juggling, no “why is this failing after 10 minutes?” moments.

K9s and Keycloak integrate cleanly when token-based authentication flows match Kubernetes’ expectations. Start with an OpenID Connect client in Keycloak. Give it the scopes Kubernetes needs: openid, profile, and email. Enable "service accounts" only if machine-to-machine access is part of your plan. Point Kubernetes’ API server to Keycloak’s discovery endpoint. Store your CA certificates in a secure location. Make sure kubectl works with your Keycloak user before even launching K9s.

The short path:

  1. Create a public client in Keycloak for CLI access.
  2. Map roles in Keycloak to Kubernetes RBAC groups.
  3. Use an OIDC plugin for kubectl to retrieve tokens.
  4. Launch K9s and watch it respect your Keycloak-backed session.

Session lifetimes are your bottleneck. Keycloak defaults will expire a token before a long troubleshooting session finishes. Adjust realm token lifespans to match operational needs, or enable refresh tokens that actually refresh without a full re-login.

Debugging is straightforward if you keep the logs visible. Test your OIDC plugin standalone. Check group claims in the decoded JWT. If Kubernetes RBAC says “Forbidden,” it’s almost always a claim mismatch or role binding issue.
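One way to run the claim check described above, as an added example that is not part of the original post: it decodes the token payload without verifying the signature (debugging only) and compares the groups claim with the group names your RBAC bindings use. The function names, the `groups` claim name, and the sample token are assumptions made for illustration; the token is constructed.

```python
import base64
import json
import time


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, bound_groups, groups_claim="groups", groups_prefix="", now=None):
    """List reasons this token would fail authentication or group-based RBAC.

    groups_claim / groups_prefix mirror the API server's --oidc-groups-claim
    and --oidc-groups-prefix settings; bound_groups are the Group subjects
    named in your RoleBindings and ClusterRoleBindings.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    raw = claims.get(groups_claim)
    if raw is None:
        findings.append(f"claim '{groups_claim}' missing from token")
        return findings
    groups = [raw] if isinstance(raw, str) else list(raw)
    effective = {groups_prefix + g for g in groups}  # names RBAC actually sees
    if not effective & set(bound_groups):
        findings.append(f"no binding for groups {sorted(effective)}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    # Constructed sample: Keycloak's group mapper with "Full group path" enabled
    # emits "/platform-admins", which does not equal the RBAC group name.
    token = make_sample_token({"exp": time.time() + 300, "groups": ["/platform-admins"]})
    print(diagnose(token, {"platform-admins"}))
```

An empty list means the token's groups line up with at least one binding, so a remaining “Forbidden” points at what the bound Role or ClusterRole permits rather than at the claims.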

Once you have K9s and Keycloak talking, you get continuous, secure cluster exploration without the tedium of copying tokens or embedding secrets. Your CLI can move as fast as your brain does, without shortcuts that open security holes.

This setup scales. Teams can standardize on one identity provider, one set of RBAC rules, and the same CLI experience across clusters. You can onboard people in minutes without handing out raw kubeconfigs.

If you want to see this working live without spending hours in configs, try it now on hoop.dev. You’ll have K9s and Keycloak running together against a real cluster in minutes, and you won’t guess whether your setup is secure—you’ll know.
