DEV Community

Mohammed Ammer

Securing Keycloak: Configuring Admin Access within Your Private Network

When it comes to administrative capabilities, Keycloak boasts a wealth of features that empower users to efficiently manage their system. Alongside a user-friendly web admin tool, Keycloak offers a robust REST API, enabling seamless programmatic control.

In this article, I'll discuss how to prevent public access to the Keycloak admin.

First, decide on the public and private hosts for Keycloak. For instance, the Ingress will look like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: your-namespace
spec:
  rules:
  - host: internal.example.com
    http:
      paths:
      - path: /keycloak
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
  - host: external.example.com
    http:
      paths:
      - path: /keycloak
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080

Then, in the deployment.yaml file, add environment variables as below:

      ...
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:24.0.2 # keycloak official docker image or your customised one
          env:
            - name: KC_HOSTNAME
              value: external.example.com
            - name: KC_HOSTNAME_ADMIN
              value: internal.example.com

Now, after you deploy Keycloak, navigating to https://external.example.com/keycloak/admin/ will automatically redirect you to https://internal.example.com/keycloak/admin/

You can still use a web proxy to control access to Keycloak if you have such requirements. I prefer to have a context path for Keycloak to facilitate that work. To configure it, add the environment variables below in deployment.yaml:

  KC_HOSTNAME_PATH: keycloak
  KC_HTTP_RELATIVE_PATH: /keycloak

That is all! I hope you find it useful.
