In this article I will tell you how to install and configure:

  • Keycloak – an open source project that provides a single entry point (SSO) for applications. It works with many protocols, including the LDAP and OpenID Connect that interest us here.
  • Keycloak gatekeeper – a reverse proxy that puts Keycloak-based authorization in front of an application.
  • Gangway – an application that generates a kubectl config with which you can log in through OpenID Connect and use the Kubernetes API.

How rights work in Kubernetes

We can manage user and group rights with RBAC; plenty has already been written about it, so I will not go into detail here. The problem is that RBAC can restrict a user's rights, but Kubernetes itself knows nothing about users: it has no user database of its own. So we need a mechanism that supplies users to Kubernetes. For that we add an OpenID provider to Kubernetes; the provider asserts that a given user really exists, and Kubernetes then grants rights to that user.

Preparation

  • You will need a Kubernetes cluster or minikube
  • Active Directory
  • Domains: keycloak.example.org, kubernetes-dashboard.example.org, gangway.example.org
  • Certificate for domains or self-signed certificate

I will not dwell on how to create a self-signed certificate. You need two certificates: a root (Certificate Authority) certificate and a wildcard client certificate for the *.example.org domain.

Once you have obtained or issued the certificates, the client certificate must be added to Kubernetes; for this we create a secret for it:

Next we will use it for our Ingress controller

Install Keycloak

I decided that the easiest way is to use a ready-made solution, namely a Helm chart.

Add the repository and update it:

Create the keycloak.yml file with the following contents:

Federation setup

Next, go to the web interface at keycloak.example.org

In the left corner, click Add realm

Disable the requirement that users confirm their email address:

Client scopes -> Email -> Mappers -> Email verified (Delete)

Set up a federation to import users from Active Directory.

User federation -> Add provider … -> ldap

If all is well, then after clicking the Synchronize all users button, you will receive a message about the successful import of users.

Next, we need to map our groups:

User federation -> ldap_localhost -> Mappers -> Create

Client setup

You need to create a client; in Keycloak terms, this is an application that will be authorized through it. I have highlighted the important points in the screenshot in red.

Clients -> Create

Create a scope for the groups:

Client Scopes -> Create

And configure a mapper for it:

Client Scopes -> groups -> Mappers -> Create

Add our groups mapping to the Default Client Scopes:

Clients -> kubernetes -> Client Scopes -> Default Client Scopes

Select groups under Available Client Scopes and click Add selected.

We obtain the secret (and note it down) that we will use for authorization in Keycloak:

Clients -> kubernetes -> Credentials -> Secret

This is the end of the setup.

Configure Kubernetes

We need to tell the API server where our root certificate is and where the OIDC provider is located.

To do this, edit the file /etc/kubernetes/manifests/kube-apiserver.yaml

Update kubeadm config in the cluster:

Configure auth-proxy

You can use keycloak gatekeeper to protect your web application. This reverse proxy not only authorizes the user before showing the page, it also passes information about the user to the backend application in request headers. So if your application supports OpenID, the user is logged in immediately. Let's look at the example of the Kubernetes Dashboard.

Install Kubernetes Dashboard

Set the permissions:

Create a ClusterRoleBinding that grants cluster admin rights (the standard ClusterRole cluster-admin) to users in the DataOPS group.
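To make the chain from the "How rights work in Kubernetes" section concrete (Keycloak asserts the user, kube-apiserver maps the ID token's claims to a user name and groups, RBAC matches those against the binding), here is an added example that is not code from the article. It is a small Python simulation of what the API server does with an ID token. The flag names are the real kube-apiserver OIDC flags; their values, the issuer URL, the claim names, the sample users, the ClusterRoleBinding contents and the tokens themselves are assumptions constructed for this example. Signature verification against Keycloak's JWKS is the API server's job and is not simulated; the constructed tokens carry no real signature.

```python
import base64
import json
import time

# Real kube-apiserver OIDC flags; the values are assumptions for this example
# (the article's own kube-apiserver.yaml edit is not reproduced here).
APISERVER_OIDC_FLAGS = {
    "--oidc-issuer-url": "https://keycloak.example.org/auth/realms/kubernetes",
    "--oidc-client-id": "kubernetes",
    "--oidc-username-claim": "email",
    "--oidc-username-prefix": "oidc:",
    "--oidc-groups-claim": "groups",
    "--oidc-groups-prefix": "oidc:",
}

# Assumed binding: cluster-admin for the DataOPS group, as the article describes.
# Because of --oidc-groups-prefix the subject name must carry the prefix too.
DATAOPS_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "dataops-cluster-admin"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "oidc:DataOPS"}],
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_id_token(claims):
    """Constructed, unsigned JWT for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return header + "." + payload + ".signature-not-simulated"


def token_claims(id_token):
    """Return the payload claims. kube-apiserver verifies the RS256 signature
    against the issuer's JWKS before trusting any claim; that step is not
    simulated here because the tokens are constructed locally."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def validate_claims(claims, flags, now):
    """The issuer, audience and expiry checks the API server applies."""
    if claims.get("iss") != flags["--oidc-issuer-url"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if flags["--oidc-client-id"] not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")


def map_subject(claims, flags):
    """Turn claims into the RBAC user name and group names, applying the prefixes."""
    user = flags["--oidc-username-prefix"] + claims[flags["--oidc-username-claim"]]
    groups = [flags["--oidc-groups-prefix"] + g
              for g in claims.get(flags["--oidc-groups-claim"], [])]
    return user, groups


def binding_matches(binding, user, groups):
    """True if any subject of the binding names this user or one of its groups."""
    for subject in binding["subjects"]:
        if subject["kind"] == "User" and subject["name"] == user:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


def bound_roles(id_token, flags=APISERVER_OIDC_FLAGS, bindings=(DATAOPS_BINDING,), now=None):
    """ClusterRole names the token holder is bound to; raises on an invalid token."""
    claims = token_claims(id_token)
    validate_claims(claims, flags, time.time() if now is None else now)
    user, groups = map_subject(claims, flags)
    return [b["roleRef"]["name"] for b in bindings if binding_matches(b, user, groups)]


# Constructed sample tokens (fixed clock so the example is reproducible).
NOW = 1_700_000_000
_BASE = {"iss": APISERVER_OIDC_FLAGS["--oidc-issuer-url"], "aud": "kubernetes", "exp": NOW + 300}
DATAOPS_TOKEN = make_test_id_token({**_BASE, "email": "alice@example.org", "groups": ["DataOPS"]})
DEV_TOKEN = make_test_id_token({**_BASE, "email": "bob@example.org", "groups": ["Developers"]})
# A directory group that happens to be called system:masters: because of the
# prefix the API server sees "oidc:system:masters", not the built-in super-user group.
PREFIXED_TOKEN = make_test_id_token({**_BASE, "email": "carol@example.org", "groups": ["system:masters"]})
EXPIRED_TOKEN = make_test_id_token({**_BASE, "exp": NOW - 1, "email": "alice@example.org", "groups": ["DataOPS"]})

if __name__ == "__main__":
    for label, token in [("DataOPS", DATAOPS_TOKEN), ("Developers", DEV_TOKEN), ("prefixed", PREFIXED_TOKEN)]:
        print(label, map_subject(token_claims(token), APISERVER_OIDC_FLAGS), bound_roles(token, now=NOW))
```

The point of the prefixes is the last sample token: group names come straight from Active Directory via the Keycloak mapper, so without `--oidc-groups-prefix` a directory group could collide with a built-in Kubernetes group name. With the prefix in place, the ClusterRoleBinding subject must be written as `oidc:DataOPS`, which is why the binding above uses that form.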

Install keycloak gatekeeper:

After that, when you try to open kubernetes-dashboard.example.org, you will be redirected to Keycloak and, if authorization succeeds, you will already be logged into the Dashboard.

Gangway installation

For convenience, you can add Gangway, which generates a kubectl config file with which we get into Kubernetes as our own user.

This lets you download the config file right away, or create it with the set of commands shown.