Keycloak OIDC
This guide starts by installing Keycloak inside your Kubernetes cluster, then walks through a real OIDC flow for K8Studio. Keycloak gives you a repeatable way to test browser login, group claims, refresh behavior, and K8Studio error handling.
Install Keycloak in its own namespace so the identity provider is easy to remove when the lab is finished.
kubectl create namespace keycloak
Use the Bitnami chart for a quick lab install. This gives you Keycloak and a PostgreSQL dependency without writing all the manifests by hand.
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm install keycloak bitnami/keycloak \
  --namespace keycloak \
  --set auth.adminUser=admin \
  --set auth.adminPassword='ChangeMe123!'
The first startup can take a few minutes because the database and Keycloak pods need to initialize.
kubectl rollout status statefulset/keycloak -n keycloak
kubectl get pods -n keycloak
Port-forward the service and open the admin console in your browser. Log in with the admin user and password from the Helm install command.
kubectl port-forward -n keycloak svc/keycloak 8080:80
# Browser:
# http://localhost:8080/admin
Create a dedicated realm for Kubernetes access, for example k8studio-auth. Keeping the realm separate makes users, claims, and test clients easier to debug.
Create a client named k8studio. Use OpenID Connect, enable standard flow, and add the local redirect URI that K8Studio uses during browser login.
Client ID: k8studio
Client type: OpenID Connect
Client authentication: Off (public client for a local lab)
Standard flow: On
Valid redirect URIs: http://localhost:*
Web origins: http://localhost:*
Create a user such as alice and put the user in a group such as k8studio-admins. That group claim is what you bind to Kubernetes RBAC.
User: alice
Temporary password: Password123!
Group: k8studio-admins
Kubernetes RBAC needs the group claim in the token. Add a client scope or mapper that includes the user's groups in the ID token.
Mapper type: Group Membership
Token claim name: groups
Add to ID token: On
Add to access token: On
Full group path: Off
For kubeadm or another self-managed control plane, configure the API server with the Keycloak issuer URL, client ID, username claim, and groups claim. The issuer URL must be reachable by the API server itself (a port-forward on your workstation is not enough; expose Keycloak on a hostname the control plane can resolve) and must match the iss claim in the token exactly, including scheme, host, and any trailing slash. If Keycloak serves a certificate the API server does not already trust, point --oidc-ca-file at the issuing CA.
--oidc-issuer-url=https://keycloak.example.com/realms/k8studio-auth
--oidc-client-id=k8studio
--oidc-username-claim=email
--oidc-groups-claim=groups
Create a RoleBinding or ClusterRoleBinding for the group claim. Use cluster-admin only in a disposable lab.
kubectl create clusterrolebinding k8studio-oidc-admins \
  --clusterrole=cluster-admin \
  --group=k8studio-admins
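As an added check that is not part of this guide or of K8Studio, the Python script below decodes an ID token's payload offline and compares it against the API server flags and the ClusterRoleBinding above. The tokens it inspects are constructed, unsigned samples; signature verification is deliberately left to the API server, which checks it against the realm's JWKS.

```python
import base64
import json
# Values taken from the page's API server flags and ClusterRoleBinding.
ISSUER = "https://keycloak.example.com/realms/k8studio-auth"
CLIENT_ID = "k8studio"
USERNAME_CLAIM = "email"
GROUPS_CLAIM = "groups"
RBAC_GROUP = "k8studio-admins"

def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(_b64url(parts[1]))

def check_token(token):
    """List reasons the API server would reject the token or RBAC would not match."""
    c = decode_claims(token)
    problems = []
    if c.get("iss") != ISSUER:  # issuer is compared exactly, trailing slash included
        problems.append(f"iss {c.get('iss')!r} != --oidc-issuer-url {ISSUER!r}")
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if CLIENT_ID not in aud:
        problems.append(f"aud {aud!r} lacks --oidc-client-id {CLIENT_ID!r}")
    if not c.get(USERNAME_CLAIM):
        problems.append(f"username claim {USERNAME_CLAIM!r} missing")
    groups = c.get(GROUPS_CLAIM)
    if not isinstance(groups, list):
        problems.append(f"groups claim {GROUPS_CLAIM!r} missing or not a list")
    elif RBAC_GROUP not in groups:
        # "Full group path: On" emits "/k8studio-admins", which the binding never matches.
        hint = " (Full group path still On?)" if any(g.startswith("/") for g in groups) else ""
        problems.append(f"{groups!r} has no RBAC subject {RBAC_GROUP!r}{hint}")
    return problems

def make_token(claims):
    """Build a constructed, unsigned JWT fixture (signature segment left empty)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc(b'{"alg":"none","typ":"JWT"}') + "." + enc(json.dumps(claims).encode()) + "."

# Constructed samples: one correct, one with a trailing-slash issuer and full group path.
GOOD = make_token({"iss": ISSUER, "aud": CLIENT_ID, "email": "alice@example.com",
                   "groups": ["k8studio-admins"]})
BAD = make_token({"iss": ISSUER + "/", "aud": CLIENT_ID, "email": "alice@example.com",
                  "groups": ["/k8studio-admins"]})
```

To inspect a real token, paste the id-token value that K8Studio or kubectl stored in kubeconfig into check_token(); an empty list means the claims line up with the flags and the binding.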
Add an OIDC user entry to kubeconfig that points at the Keycloak issuer and K8Studio client.
users:
- name: keycloak-oidc
  user:
    auth-provider:
      name: oidc
      config:
        idp-issuer-url: https://keycloak.example.com/realms/k8studio-auth
        client-id: k8studio
        client-secret: ""
        extra-scopes: profile,email,groups
Add the kubeconfig file in K8Studio, select the Keycloak-backed context, and connect. K8Studio should open the browser login and then show cluster resources.
Expire the token or clear the login session and reconnect. K8Studio should show a clear authentication error instead of silently doing nothing.
If this is only a test environment, uninstall Keycloak so the database pod and storage do not keep running.
helm uninstall keycloak -n keycloak
kubectl delete namespace keycloak
Screenshot placeholder: Keycloak realm and client settings
Screenshot placeholder: K8Studio browser login prompt
Screenshot placeholder: K8Studio OIDC error state
Screenshot placeholder: Successful cluster view after login