Mohammed Ammer

Securing Keycloak: Configuring Admin Access within Your Private Network

When it comes to administrative capabilities, Keycloak boasts a wealth of features that empower users to efficiently manage their system. Alongside a user-friendly web admin tool, Keycloak offers a robust REST API, enabling seamless programmatic control.

In this article, I'll discuss how to prevent public access to Keycloak admin.

First, decide on the public and private hosts for Keycloak. For instance, the Ingress will look like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: your-namespace
spec:
  rules:
  - host: internal.example.com
    http:
      paths:
      - path: /keycloak
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
  - host: external.example.com
    http:
      paths:
      - path: /keycloak
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080

Then, in the deployment.yaml file, add environment variables as below:

      ...
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:24.0.2 # keycloak official docker image or your customised one
          env:
            - name: KC_HOSTNAME
              value: external.example.com
            - name: KC_HOSTNAME_ADMIN
              value: internal.example.com

Now, after you deploy Keycloak, navigating to https://external.example.com/keycloak/admin/ will automatically redirect you to https://internal.example.com/keycloak/admin/

You can still use a web proxy to control access to Keycloak if you have such requirements. I prefer to have a context path for Keycloak to facilitate that work. To configure it, add the environment variables below in deployment.yaml:

            - name: KC_HOSTNAME_PATH
              value: keycloak
            - name: KC_HTTP_RELATIVE_PATH
              value: /keycloak
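
The Ingress shown earlier routes the whole `/keycloak` prefix on both hosts, and `KC_HOSTNAME_ADMIN` only sets the hostname the admin console uses, so keeping the admin paths off the public host is left to the ingress or proxy. The following is an added example (not from the original article) that keeps the article's hosts, service and context path but publishes only selected paths on `external.example.com`. The path list is an assumption based on Keycloak's reverse-proxy guidance for this release line and should be checked against your version.

```yaml
# Added example: same hosts, service and context path as the article's Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: your-namespace
spec:
  rules:
  # Private host: full access, including /keycloak/admin/.
  - host: internal.example.com
    http:
      paths:
      - path: /keycloak
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
  # Public host: only the paths end users and client applications need.
  # /keycloak/admin is not listed, so this host has no route for it.
  - host: external.example.com
    http:
      paths:
      - path: /keycloak/realms      # login, token and OIDC endpoints
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
      - path: /keycloak/resources   # static assets for login pages
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
      - path: /keycloak/js          # keycloak.js served by the server (assumed needed)
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
```

This only holds if `internal.example.com` is served by an ingress controller or load balancer that is reachable solely from the private network; otherwise a request carrying that Host header still matches the first rule.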

That is all! I hope you find it useful.
