Keycloak Kubernetes Access: Secure Cluster Authentication with OIDC
Keycloak Kubernetes access is the bridge between a live cluster and a secure identity layer. Without it, your workloads have no trust boundary. With it, you have single sign-on, centralized role mapping, and audit trails across every service. The setup is direct when you know the parts: Keycloak, Kubernetes API, and an OIDC integration that binds them into one access flow.
To integrate Keycloak with Kubernetes, start by deploying Keycloak into the cluster or linking to an existing Keycloak instance. Expose it through an ingress with TLS. Configure the Kubernetes API server with the --oidc-issuer-url, --oidc-client-id, and --oidc-username-claim flags so that they point to your Keycloak realm and client. With those flags set, the API server accepts only tokens issued by that realm, so every authentication request goes through Keycloak’s token endpoint.
In Keycloak, create a new client for Kubernetes. Enable “confidential” access, set the valid redirect URIs to match the Kubernetes API server, and generate a client secret. Map user groups in Keycloak to Kubernetes RBAC roles by embedding them in the groups claim of the ID token. This claim tells Kubernetes which ClusterRoleBindings and RoleBindings apply, and therefore which roles a user holds, when they log in with kubectl.
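To make the two halves of that setup concrete, the following added example (not code from the page or from hoop.dev) emulates what the API server does with an ID token once the --oidc-* flags are set, and then applies group-based RBAC the way a RoleBinding with a group subject would. The issuer URL, client name, group names and bindings are assumptions for the example. A real Keycloak realm signs tokens with RS256 and the API server fetches the public key from the realm’s JWKS endpoint; to stay standard-library only, the example signs with HS256 and a constructed secret, which changes nothing about the issuer, audience, expiry and claim checks being demonstrated.

```python
import base64
import hashlib
import hmac
import json
import time

# Values the page's kube-apiserver flags would carry. Hostname, realm and
# client name are assumptions for this example.
APISERVER_OIDC = {
    "issuer_url": "https://keycloak.example.com/realms/k8s",  # --oidc-issuer-url
    "client_id": "kubernetes",                                # --oidc-client-id
    "username_claim": "preferred_username",                   # --oidc-username-claim
    "groups_claim": "groups",                                 # --oidc-groups-claim
}

# Stand-in for the realm's RS256 key: HS256 with a constructed shared secret.
SIGNING_KEY = b"constructed-example-secret"
NOW = 1_700_000_000  # fixed clock so the checks below are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a signed JWT the way the realm would (HS256 stand-in, see above)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, cfg: dict = APISERVER_OIDC, key: bytes = SIGNING_KEY, now=None):
    """Mirror the API server's OIDC checks; return (username, groups) or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature invalid")        # not signed by the trusted realm key
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != cfg["issuer_url"]:
        raise ValueError("issuer mismatch")          # --oidc-issuer-url
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")        # --oidc-client-id: token minted for another app
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(cfg["username_claim"])
    if not username:
        raise ValueError("username claim missing")   # --oidc-username-claim
    return username, list(claims.get(cfg["groups_claim"], []))


def classify(token: str, **kw) -> str:
    """Human-readable outcome of authenticate(), used by the demo and tests."""
    try:
        username, groups = authenticate(token, **kw)
        return f"ok:{username}:{','.join(groups)}"
    except ValueError as err:
        return f"rejected:{err}"


# Constructed RBAC bindings: group subject, namespace it is bound in (None =
# cluster-wide), and the verbs/resources the referenced role grants.
ROLE_BINDINGS = [
    {"group": "platform-admins", "namespace": None, "verbs": {"*"}, "resources": {"*"}},
    {"group": "team-payments", "namespace": "payments",
     "verbs": {"get", "list", "watch"}, "resources": {"pods", "deployments"}},
]


def authorize(groups, verb: str, resource: str, namespace: str) -> bool:
    """Allow if any binding for one of the user's groups covers the request."""
    for b in ROLE_BINDINGS:
        if b["group"] not in groups or b["namespace"] not in (None, namespace):
            continue
        if b["verbs"] & {verb, "*"} and b["resources"] & {resource, "*"}:
            return True
    return False


def can_user(token: str, verb: str, resource: str, namespace: str, **kw) -> bool:
    """Full path a kubectl call exercises: authenticate the ID token, then check RBAC."""
    _, groups = authenticate(token, **kw)
    return authorize(groups, verb, resource, namespace)


# Constructed tokens: a developer in team-payments, and one minted for a different client.
ALICE_TOKEN = make_token({"iss": APISERVER_OIDC["issuer_url"], "aud": "kubernetes",
                          "exp": NOW + 300, "preferred_username": "alice",
                          "groups": ["team-payments"]})
WRONG_AUDIENCE_TOKEN = make_token({"iss": APISERVER_OIDC["issuer_url"], "aud": "web-portal",
                                   "exp": NOW + 300, "preferred_username": "alice",
                                   "groups": ["platform-admins"]})

if __name__ == "__main__":
    print(classify(ALICE_TOKEN, now=NOW))
    print("alice list pods/payments:", can_user(ALICE_TOKEN, "list", "pods", "payments", now=NOW))
    print("alice list pods/kube-system:", can_user(ALICE_TOKEN, "list", "pods", "kube-system", now=NOW))
    print(classify(WRONG_AUDIENCE_TOKEN, now=NOW))
```

The audience check is the one most often skipped in home-grown validators: a token Keycloak issued for some other client in the same realm has a valid signature and issuer, and only the aud claim tells the API server it was never meant for the cluster.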
Testing the workflow is simple:
- Log in with kubectl using the OIDC plugin or an access token retrieved from Keycloak.
- Run kubectl get pods.
- Verify that permissions match the RBAC rules defined for the Keycloak group.
For production, enable token refresh, rotate secrets, and enforce multi-factor authentication in Keycloak. Use namespaces and fine-grained RBAC policies to limit blast radius. All access should be logged through both Keycloak’s admin console and Kubernetes audit logs to track every cluster interaction.
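Audit logs are only useful if something reads them. The following added example (not from the page or from hoop.dev) scans kube-apiserver audit output in the audit.k8s.io/v1 Event format for two things: RBAC denials per OIDC user, and successful requests into namespaces that the user’s Keycloak groups were never meant to reach, which is how an over-broad RoleBinding or a drifted group mapper shows up. The log lines and the intended group-to-namespace scope are constructed for the example; the field names (user.username, user.groups, verb, objectRef, responseStatus, stage) are the real audit Event fields.

```python
import json
from collections import defaultdict

# Constructed sample of kube-apiserver audit output (audit.k8s.io/v1 Event, JSON lines).
# user.username and user.groups are what the OIDC authenticator copied from the
# ID token claims; the data itself is made up for this example.
AUDIT_LOG = """\
{"auditID":"a1","stage":"ResponseComplete","verb":"list","user":{"username":"alice","groups":["team-payments","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00Z","sourceIPs":["10.0.0.5"]}
{"auditID":"a2","stage":"RequestReceived","verb":"list","user":{"username":"alice","groups":["team-payments","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"kube-system"},"requestReceivedTimestamp":"2024-05-01T10:01:00Z","sourceIPs":["10.0.0.5"]}
{"auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"alice","groups":["team-payments","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:01:00Z","sourceIPs":["10.0.0.5"]}
{"auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["team-payments","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T10:02:00Z","sourceIPs":["10.0.0.5"]}
{"auditID":"a4","stage":"ResponseComplete","verb":"delete","user":{"username":"bob","groups":["platform-admins","system:authenticated"]},"objectRef":{"resource":"deployments","namespace":"payments"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:03:00Z","sourceIPs":["10.0.0.9"]}
{"auditID":"a5","stage":"ResponseComplete","verb":"get","user":{"username":"carol","groups":["team-payments","system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:04:00Z","sourceIPs":["10.0.0.7"]}
"""

# Which namespaces each Keycloak group is meant to reach; None means cluster-wide.
# This is the intended scope of the RoleBindings (an assumption for the example),
# i.e. the "should" that the log is compared against.
EXPECTED_SCOPE = {"platform-admins": None, "team-payments": {"payments"}}


def parse_events(text: str):
    """Keep only completed requests so one request is not counted once per stage."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("stage") == "ResponseComplete"]


def denied_by_user(events):
    """Count RBAC denials (HTTP 403) per authenticated user."""
    counts = defaultdict(int)
    for e in events:
        if e.get("responseStatus", {}).get("code") == 403:
            counts[e["user"]["username"]] += 1
    return dict(counts)


def unexpected_access(events, expected=EXPECTED_SCOPE):
    """Successful requests into namespaces the user's groups should not reach.

    A hit means a binding is broader than intended, or a Keycloak group mapper
    drifted; a 403 count alone never reveals this because the request succeeded."""
    findings = []
    for e in events:
        code = e.get("responseStatus", {}).get("code", 0)
        ns = e.get("objectRef", {}).get("namespace")
        if not (200 <= code < 300) or ns is None:
            continue
        user = e["user"]["username"]
        scopes = [expected[g] for g in e["user"]["groups"] if g in expected]
        if not scopes:
            # Access granted through something other than a mapped Keycloak group.
            findings.append((e["auditID"], user, ns, "no mapped group"))
            continue
        if any(s is None for s in scopes):  # member of a cluster-wide group
            continue
        if ns not in set().union(*scopes):
            findings.append((e["auditID"], user, ns, "outside group scope"))
    return findings


if __name__ == "__main__":
    completed = parse_events(AUDIT_LOG)
    print("denials per user:", denied_by_user(completed))
    for finding in unexpected_access(completed):
        print("unexpected access:", finding)
```

Run this over a real audit log exported from the cluster (one JSON event per line) and feed the group scope from the same source of truth you use to generate RoleBindings, so a change in either place is caught by the comparison rather than by an incident.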
Keycloak Kubernetes access is not just about authentication. It’s a consistent, scalable way to manage developer and service access without scattering credentials. Set it up once, audit it regularly, and it will outlast ephemeral clusters and short-lived projects.
Want to skip the manual setup and see secure Keycloak Kubernetes access working in minutes? Try it now at hoop.dev and watch it live.