Expose Keycloak on an additional MetalLB address pool

TechPreview

By default, Keycloak in the management cluster is reachable only on the isolated management network. You can, however, expose Keycloak on an additional MetalLB address pool so that cloud end users can reach IAM services from an external network.

Exposing Keycloak on a dedicated address pool does not mean exposing the entire management cluster. Only the Keycloak service is published on the external network, and it is separated from other MOSK services, such as the artifacts cache, Kubernetes API, or the management console, which remain on the isolated management network. This design limits the attack surface to a single, purpose-built endpoint while keeping operator-only services private, addressing security concerns for MOSK users who require Keycloak-based authentication.

See also

Federation

Prerequisites for using Keycloak on an additional pool

Expose Keycloak on an additional pool

  1. In the MetalLBConfig object, add the new address pool to the ipAddressPools section, together with an l2Advertisements entry that announces the pool on the external interface (k8s-ext in this example):

    spec:
      ipAddressPools:
      - name: external-net
        spec:
          addresses:
          - 172.16.20.101-172.16.20.140
          autoAssign: true
          avoidBuggyIPs: false
      l2Advertisements:
      - name: ext
        spec:
          interfaces:
          - k8s-ext
          ipAddressPools:
          - external-net
    
  2. Verify that the new pool is available:

    kubectl -n metallb-system get ipaddresspools,l2advertisements
    

    Example of a positive system response:

    NAME                                    AUTO ASSIGN   AVOID BUGGY IPS   ADDRESSES
    ipaddresspool.metallb.io/default        true          false             ["192.168.9.61-192.168.9.99"]
    ipaddresspool.metallb.io/services-pxe   false         false             ["10.0.1.21-10.0.1.40"]
    ipaddresspool.metallb.io/external-net   true          false             ["172.16.20.101-172.16.20.140"]
    
  3. In the kaas section of the Cluster object, add the externalServiceIPAddressPool parameter to the values of the iam release, setting it to the name of the new address pool:

    kaas:
      management:
      ...
        - name: iam
          values:
            keycloak:
              keycloak:
                pvc:
                  enabled: false
              externalServiceIPAddressPool: external-net
    
  4. Verify that the service is available in the external network:

    kubectl -n kaas get services | grep keyc
    

    Example of a positive system response:

    NAME                         TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)         AGE
    iam-keycloak-headless        ClusterIP      None            <none>          80/TCP
    iam-keycloak-http            LoadBalancer   10.233.41.97    10.0.40.103     443:30163/TCP
    iam-keycloak-http-external   LoadBalancer   10.233.10.116   172.16.20.101   443:32183/TCP
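As an added example, not part of the MOSK documentation or of the MetalLB project, the following Python script reproduces the checks behind steps 2 and 4 offline. It parses the address ranges of the IPAddressPool objects and the LoadBalancer services in the form that `kubectl ... -o json` returns, reports which pool each external IP was assigned from, and flags any service other than iam-keycloak-http-external that landed on external-net, which is the property the design note above relies on. The embedded JSON documents are constructed from the sample output in this procedure, and the helper names (parse_pools, pool_of, map_services_to_pools, check_external_pool) are assumptions of this example.

```python
"""Check which MetalLB pool each LoadBalancer service's external IP came from.

Added example for the procedure above; not part of MOSK or MetalLB. It consumes
the JSON that `kubectl -n metallb-system get ipaddresspools -o json` and
`kubectl -n kaas get services -o json` would return. The documents below are
constructed from the sample output shown in the procedure.
"""
import ipaddress
import json

# Constructed stand-in for `kubectl -n metallb-system get ipaddresspools -o json`
POOLS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "default"},
         "spec": {"addresses": ["192.168.9.61-192.168.9.99"]}},
        {"metadata": {"name": "services-pxe"},
         "spec": {"addresses": ["10.0.1.21-10.0.1.40"]}},
        {"metadata": {"name": "external-net"},
         "spec": {"addresses": ["172.16.20.101-172.16.20.140"]}},
    ]
})

# Constructed stand-in for `kubectl -n kaas get services -o json`
SERVICES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "iam-keycloak-headless"},
         "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}},
        {"metadata": {"name": "iam-keycloak-http"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.0.40.103"}]}}},
        {"metadata": {"name": "iam-keycloak-http-external"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "172.16.20.101"}]}}},
    ]
})


def parse_pools(pools_json):
    """Return {pool_name: [ip_network, ...]} from IPAddressPool objects.

    MetalLB accepts both CIDR notation and 'first-last' ranges in spec.addresses;
    ranges are expanded into the minimal list of covering networks.
    """
    pools = {}
    for item in json.loads(pools_json)["items"]:
        nets = []
        for entry in item["spec"]["addresses"]:
            if "-" in entry:
                first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(first, last))
            else:
                nets.append(ipaddress.ip_network(entry, strict=False))
        pools[item["metadata"]["name"]] = nets
    return pools


def pool_of(ip, pools):
    """Name of the pool whose ranges contain ip, or None if no pool covers it."""
    addr = ipaddress.ip_address(ip)
    for name, nets in pools.items():
        if any(addr in net for net in nets):
            return name
    return None


def map_services_to_pools(services_json, pools):
    """Return {service_name: pool_name_or_None} for each LoadBalancer service with an IP."""
    result = {}
    for item in json.loads(services_json)["items"]:
        if item["spec"].get("type") != "LoadBalancer":
            continue
        for ing in item.get("status", {}).get("loadBalancer", {}).get("ingress", []):
            if "ip" in ing:
                result[item["metadata"]["name"]] = pool_of(ing["ip"], pools)
    return result


def check_external_pool(services_json, pools_json, pool_name, allowed):
    """Return the set of services on pool_name that are not in `allowed`.

    An empty set means the external pool carries only the services intended for it.
    """
    pools = parse_pools(pools_json)
    on_pool = {svc for svc, p in map_services_to_pools(services_json, pools).items()
               if p == pool_name}
    return on_pool - set(allowed)


if __name__ == "__main__":
    pools = parse_pools(POOLS_JSON)
    for svc, pool in map_services_to_pools(SERVICES_JSON, pools).items():
        print(f"{svc}: {pool or 'no matching pool'}")
    unexpected = check_external_pool(SERVICES_JSON, POOLS_JSON, "external-net",
                                     ["iam-keycloak-http-external"])
    print("unexpected services on external-net:", sorted(unexpected) or "none")
```

Against the sample data the script reports iam-keycloak-http-external on external-net, iam-keycloak-http on no listed pool (10.0.40.103 is outside the three ranges shown above), and no unexpected services on external-net. Run the same check after any change to the management cluster's helm releases to confirm that the dedicated pool still publishes nothing but the Keycloak endpoint.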