K9S with Keycloak: Securing Kubernetes CLI Access
Smoke curled from the terminal, figuratively, as logs scrolled faster than your eyes could track. You needed control. You needed K9S with Keycloak, and you needed them working together without delay.
K9S is the command-line interface that gives you real-time visibility into your Kubernetes clusters. It lets you navigate workloads, pods, deployments, and services without touching the Kubernetes dashboard. With speed and precision, you can inspect resources, stream logs, and execute commands, all from one terminal window.
Keycloak handles authentication and authorization for modern applications. It supports single sign-on, identity brokering, and fine-grained role control. Integrating Keycloak into your Kubernetes workflows secures your environment without building a new auth layer from scratch.
Pairing K9S with Keycloak means you keep the operational power of K9S while applying centralized identity and access policies. This is not a default feature — it requires configuration. You set up Keycloak as your OpenID Connect (OIDC) provider, then configure Kubernetes API server flags to use it for authentication. Once Kubernetes trusts Keycloak, every K9S session is gated by secure tokens.
To do this, you:
- Create a new client in Keycloak with access type set to confidential.
- Configure valid redirect URIs for the Kubernetes API server.
- Enable service accounts if you’re automating sessions.
- Update your kubeconfig to include the Keycloak token.
Update Kubernetes API server flags:
--oidc-issuer-url=https://<keycloak-domain>/auth/realms/<realm>
--oidc-client-id=<client-id>
--oidc-username-claim=preferred_username
--oidc-groups-claim=groups
From here, K9S respects Kubernetes RBAC. Your Keycloak roles map into Kubernetes groups, and each command in K9S runs under those permissions. This delivers consistent access control and eliminates shared static credentials.
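A pre-flight check for the flags above, added here as an example and not taken from the original article: it decodes a token's claims and compares them with what the API server will require, then shows the username and groups that RBAC bindings must reference. The issuer URL, the client ID `kubernetes`, the group name and all function names are assumptions, the tokens are constructed, and the signature is not verified (the API server does that).

```python
import base64, json, time

def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(token, issuer_url, client_id, username_claim="preferred_username",
              groups_claim="groups", now=None):
    """Return (problems, rbac_user, rbac_groups) for a token against the OIDC flags."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if c.get("iss") != issuer_url:                    # compared as an exact string
        problems.append(f"iss {c.get('iss')!r} != --oidc-issuer-url")
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain --oidc-client-id")
    if c.get("exp", 0) <= now:
        problems.append("token is expired")
    user = c.get(username_claim)
    if not isinstance(user, str) or not user:
        problems.append(f"claim {username_claim!r} missing")
        user = None
    groups = c.get(groups_claim, [])
    groups = [groups] if isinstance(groups, str) else groups
    if not groups:
        problems.append(f"claim {groups_claim!r} missing or empty: group bindings will not match")
    # Without --oidc-username-prefix, a non-email username claim is prefixed with "<issuer>#".
    rbac_user = f"{issuer_url}#{user}" if user and username_claim != "email" else user
    return problems, rbac_user, groups

def make_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

ISSUER = "https://keycloak.example.com/auth/realms/demo"   # constructed value
GOOD = make_token({"iss": ISSUER, "aud": "kubernetes", "exp": 2000000000,
                   "preferred_username": "alice", "groups": ["k8s-admins"]})
# Constructed misconfiguration: trailing slash on the issuer, wrong audience, no groups claim.
BAD = make_token({"iss": ISSUER + "/", "aud": "account", "exp": 2000000000,
                  "preferred_username": "alice"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, preflight(tok, ISSUER, "kubernetes", now=1900000000))
```

The returned `rbac_user` is the subject name a RoleBinding has to use with the flags shown above; setting `--oidc-username-prefix` on the API server changes that prefix.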
The main advantage is unifying security policy. You don’t maintain separate user lists for K9S or Kubernetes. Keycloak is the single source of truth. Session expiry and token rotation happen automatically. Revoking access is instant.
Using K9S with Keycloak at scale removes friction between operators and security teams. It also makes audits simpler. Every action is tied to a verified identity from Keycloak, visible in Kubernetes API server logs.
There is no reason to delay. You can set up a live, secured K9S environment with Keycloak in minutes. See it in action with a free trial at hoop.dev and start running it now.