[keycloak-user] Best Practices for running Keycloak and Kubernetes

[Daniel Lohin]

I am very new to Keycloak/Oauth concents and trying to wrap my head around all of this.  I am working with a number of web applications that I want to have a single sign on provider for that is locally hosted.  Keycloak seems perfect and I have gotten it working, but I am mostly trying to understand what is the best way to do things inside of the Kubernetes in relation to the Keycloak proxy.

Originally, my thought was to use the concept of sidecar containers and place Keycloak-proxy in the same pod as the web application.  Essentially this meant that traffic went like this:


Ingress -> Web Service IP -> Keycloak Proxy -> Web service listening on localhost inside of the pod.

This means that Keycloak Proxy and Web service are in the same Pod.

I liked this set up for a few reasons:
- My unprotected web service is now only listening on Localhost which means other pods in the cluster can’t directly hit it
- Keycloak Proxy now scales with the web service

This works when I have one Pod in my cluster, but when I scale the pods to two or more, it seems like it only works when I get randomly load balanced to the original Pod.  This of course doesn’t work, though I could possibly mess with some of the session stickiness options in the Ingress controller to make this work.


My next option:

Ingress -> Keycloak Service IP -> Keycloak Proxy -> Web Service IP -> Web service listening on the same pod

This works, but my issue here is that Keycloak Proxy now becomes a failure point and doesn’t scale with the pods.  It also creates more network hops inside of the cluster.

What are the best practices for using Keycloak Proxy inside of Kubernetes?