Integration with Enterprise Identity Directory (LDAP/AD)
This reference architecture blueprint defines a standardized model for integrating Mirantis OpenStack for Kubernetes (MOSK) with an external enterprise directory that supports the Lightweight Directory Access Protocol (LDAP), specifically Microsoft Active Directory (AD), through Keycloak, the MOSK centralized Identity and Access Management (IAM) system. The purpose of this blueprint is to establish a scalable, secure, and automated foundation for user authentication and authorization across all OpenStack services.
The blueprint delivers guidance on how to model LDAP entities, configure Keycloak for federated synchronization, and align resources in Keystone to achieve a seamless, policy-driven access model. Adopting this architecture reduces maintenance effort, strengthens security posture, and ensures identity consistency across the entire MOSK environment.
By centralizing authentication in Keycloak and leveraging LDAP as the single source of truth for users and groups, MOSK eliminates the need for local or direct LDAP authentication in Keystone. Access provisioning and lifecycle management are fully automated through the external onboarding system, ensuring that projects, groups, and role assignments remain synchronized across all layers — from directory to cloud.
Key advantages of federated authentication:
Security: Centralized enforcement of corporate MFA, SSO, and password policies
Scalability: No per-tenant configuration or manual user management in Keystone
Compliance: Consistent, auditable identity and access policies across enterprise systems
Operational efficiency: Reduced administrative effort through API-driven automation and automatic synchronization
Together, these mechanisms enable a streamlined, standards-based IAM integration pattern suitable for large-scale, multi-cluster MOSK deployments.
The resulting architecture delivers a federated, policy-driven, and fully automated identity model that simplifies operations while maintaining enterprise-grade security and compliance.