Keycloak security
Namespace access
By default, Keycloak can be accessed only from the namespace in which the claim was created. To allow access from other namespaces, the service must be configured explicitly.
apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNKeycloak
metadata:
  name: keycloak-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedNamespaces:
        - keycloak-prod (1)
      allowAllNamespaces: false (2)
  writeConnectionSecretToRef:
    name: keycloak-creds-connection

(1) List of namespaces allowed to access Keycloak.
(2) Allows access to Keycloak from any namespace in the cluster. Supersedes allowedNamespaces if true.
Namespace RBAC
On APPUiO Cloud, every member of the organization to which the claim namespace belongs has limited access to the namespace for debugging and port-forwarding.
On APPUiO Managed, we don’t have this construct and no RBAC rules are deployed by default.
However, it is possible to specify a list of Groups or Users that should have that limited access to the namespace.
This can be done using the two fields allowedGroups and allowedUsers:
apiVersion: vshn.appcat.vshn.io/v1
kind: VSHNKeycloak
metadata:
  name: keycloak-app1-prod
  namespace: prod-app
spec:
  parameters:
    security:
      allowedGroups:  (1)
        - my-dev-engineers
        - my-support-engineers
      allowedUsers:  (2)
        - my-special-user
  writeConnectionSecretToRef:
    name: keycloak-creds-connection

(1) List of groups to be allowed limited access to the Keycloak namespace.
(2) List of users to be allowed limited access to the Keycloak namespace.
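A small review helper for the two settings above (namespace access and namespace RBAC), added here as an example and not part of the AppCat project: it resolves the effective access of a VSHNKeycloak claim as documented (the claim namespace is always allowed, allowAllNamespaces supersedes allowedNamespaces) and flags over-broad or inconsistent combinations. The claim is a constructed sample in the JSON shape kubectl returns; the function names are assumptions.

```python
import json

# Constructed sample claim in the shape of `kubectl get vshnkeycloak ... -o json`
# (assumption: only the security fields documented above are inspected).
SAMPLE_CLAIM = json.loads("""
{
  "apiVersion": "vshn.appcat.vshn.io/v1",
  "kind": "VSHNKeycloak",
  "metadata": {"name": "keycloak-app1-prod", "namespace": "prod-app"},
  "spec": {"parameters": {"security": {
    "allowedNamespaces": ["keycloak-prod"],
    "allowAllNamespaces": true,
    "allowedGroups": ["my-dev-engineers", "my-support-engineers"],
    "allowedUsers": ["my-special-user"]
  }}}
}
""")


def _security(claim):
    return claim.get("spec", {}).get("parameters", {}).get("security", {})


def effective_access(claim):
    """Resolve which namespaces may reach Keycloak and who gets namespace RBAC.

    The claim's own namespace is always allowed; allowAllNamespaces: true
    supersedes the allowedNamespaces list, which is reported as "*".
    """
    sec = _security(claim)
    own_ns = claim["metadata"]["namespace"]
    if sec.get("allowAllNamespaces", False):
        namespaces = "*"
    else:
        namespaces = sorted({own_ns, *sec.get("allowedNamespaces", [])})
    return {
        "namespaces": namespaces,
        "groups": sorted(sec.get("allowedGroups", [])),
        "users": sorted(sec.get("allowedUsers", [])),
    }


def findings(claim):
    """Return human-readable review findings for the claim's security block."""
    sec = _security(claim)
    out = []
    if sec.get("allowAllNamespaces", False):
        out.append("allowAllNamespaces is true: any namespace in the cluster can reach Keycloak")
        if sec.get("allowedNamespaces"):
            out.append("allowedNamespaces is ignored while allowAllNamespaces is true")
    if not sec.get("allowedGroups") and not sec.get("allowedUsers"):
        out.append("no allowedGroups/allowedUsers: on APPUiO Managed nobody gets namespace RBAC")
    return out
```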