Securing Keycloak: Configuring Admin Access within Your Private Network
When it comes to administrative capabilities, Keycloak boasts a wealth of features that empower users to efficiently manage their system. Alongside a user-friendly web admin tool, Keycloak offers a robust REST API, enabling seamless programmatic control.
In this article, I'll discuss how to prevent public access to the Keycloak admin console.
For this, you need to decide on the public and private hosts for Keycloak. For instance, the ingress will look like:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: your-namespace
spec:
  rules:
    - host: internal.example.com
      http:
        paths:
          - path: /keycloak
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
    - host: external.example.com
      http:
        paths:
          - path: /keycloak
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
Then, in the deployment.yaml file, add the environment variables as below:
...
containers:
  - name: keycloak
    image: quay.io/keycloak/keycloak:24.0.2 # Keycloak official Docker image or your customised one
    env:
      - name: KC_HOSTNAME
        value: external.example.com
      - name: KC_HOSTNAME_ADMIN
        value: internal.example.com
Now, after you deploy Keycloak, navigating to https://external.example.com/keycloak/admin/ will redirect you automatically to https://internal.example.com/keycloak/admin/
You can still use a web proxy to control access to Keycloak if you have such requirements. I prefer to have a context path for Keycloak to facilitate that work. To configure it, you need to add the environment variables below in deployment.yaml:
KC_HOSTNAME_PATH: keycloak
KC_HTTP_RELATIVE_PATH: /keycloak
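The ingress above sends every path under /keycloak on external.example.com to the Keycloak service, so the admin paths are still routed from the public host and only a proxy-level rule closes them. The following added example (not from the original article) checks an Ingress, given as a Python dict, for public-host rules that reach /keycloak/admin; the helper names and the tightened path list are assumptions.

```python
# Added example: flags Ingress rules that route Keycloak admin paths on the public host.
PUBLIC_HOST = "external.example.com"   # KC_HOSTNAME on the page
ADMIN_PATH = "/keycloak/admin"         # KC_HTTP_RELATIVE_PATH + "/admin"


def _elements(path):
    return [e for e in path.split("/") if e]


def is_prefix(prefix, path):
    """Kubernetes Prefix semantics: compare whole path elements, case sensitive."""
    pre, full = _elements(prefix), _elements(path)
    return full[:len(pre)] == pre


def exposes_admin(path_type, rule_path, admin_path=ADMIN_PATH):
    # A rule at or below the admin path always routes part of it.
    if is_prefix(admin_path, rule_path):
        return True
    # A rule above it covers it unless it only matches one exact path.
    return path_type != "Exact" and is_prefix(rule_path, admin_path)


def exposed_admin_routes(ingress, public_host=PUBLIC_HOST):
    """Return (host, path) for every public-host rule that reaches the admin path."""
    findings = []
    for rule in ingress["spec"]["rules"]:
        host = rule.get("host")
        if host not in (None, public_host):   # a rule without a host matches every host
            continue
        for p in rule.get("http", {}).get("paths", []):
            if exposes_admin(p.get("pathType", "Prefix"), p["path"]):
                findings.append((host or "*", p["path"]))
    return findings


def make_ingress(public_paths):
    """Constructed sample: the page's two-host Ingress as a dict, public paths variable."""
    def rule(host, paths):
        backend = {"service": {"name": "keycloak", "port": {"number": 8080}}}
        return {"host": host, "http": {"paths": [
            {"path": p, "pathType": "Prefix", "backend": backend} for p in paths]}}
    return {"spec": {"rules": [rule("internal.example.com", ["/keycloak"]),
                               rule(PUBLIC_HOST, public_paths)]}}


AS_ON_PAGE = make_ingress(["/keycloak"])
# Assumption: public clients only need the realm endpoints and static resources.
TIGHTENED = make_ingress(["/keycloak/realms", "/keycloak/resources"])

if __name__ == "__main__":
    print("as on page:", exposed_admin_routes(AS_ON_PAGE))
    print("tightened: ", exposed_admin_routes(TIGHTENED))
```

Run it in CI against the rendered manifest (loaded into a dict) so a later change that widens the public host's paths is caught before deployment.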
That is all! I hope you find it useful.