
Keycloak, Cloud Native IAM For Cloud Native Applications, Joins The CNCF


Author: Karena Angell (LinkedIn)
Bio: Karena Angell is a Red Hat Senior Principal Product Manager focused on guiding upstream Red Hat community engagement within open source projects, including CNCF projects. She is also the lead for OpenShift Commons, Red Hat’s community for end user, partner and upstream engagement. She has a broad background within various disciplines including Product Management, Marketing, Enterprise Architecture, Enterprise Solution design and management as well as IT Service Management. She has also worked extensively within Commercial and Government enterprises.

In the computing world, there isn’t a single day that goes by without being asked for credentials, passwords, or authentication codes. On the other side of these requests is Identity and Access Management (IAM), a pivotal component of any security infrastructure. Nowhere is the need greater than in containerized application stacks, where dozens to thousands of microservices all need to automatically confirm authentication and authorization for every user. Keycloak, which recently joined the Cloud Native Computing Foundation (CNCF) as an incubating project, supplies a cloud native way to support cloud native applications’ IAM needs.

Well before containers were mainstream, the Keycloak project was founded by Red Hat in 2014 to support users and customers with a robust, open source IAM solution. By 2020, recognizing that Kubernetes applications needed a truly cloud native IAM service, its developers refactored Keycloak to run on the Quarkus container-optimized Java runtime.

“Quarkus offers lower memory footprints, faster startup time, and simplified configuration. That allowed us to bring to the project all the capabilities for running the Keycloak server on Kubernetes and OpenShift,” said Stian Thorgersen, Red Hatter and Keycloak maintainer.

The current version is built as immutable container images, a much more cloud native approach than the WildFly Java application server it previously ran on. By moving compilation, driver and plugin imports, and Java optimization to build time instead of run time, the maintainers cut the boot time of Keycloak components by more than 50%. Being able to spin up a full IAM stack in less than five seconds makes scaling up on demand feasible.
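An added example (not from the article or the Keycloak project) of the build-time versus run-time split described above: a two-stage Dockerfile that runs the Keycloak build step once, bakes the database driver and health/metrics endpoints into the image, and starts the server with the pre-built configuration. The image tag, database vendor and the runtime variables listed in the comments are assumptions for a typical PostgreSQL deployment.

```dockerfile
# Stage 1: build-time configuration. Everything set here (DB vendor, features,
# any custom providers) is compiled into the image, not resolved at startup.
# Image tag is an assumption; pin to the release you actually deploy.
FROM quay.io/keycloak/keycloak:24.0.5 AS builder

# Assumed deployment choices: PostgreSQL, plus health and metrics endpoints
# so Kubernetes probes and monitoring work without runtime flags.
ENV KC_DB=postgres
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Custom SPIs or themes would be copied into /opt/keycloak/providers/ before
# this step so they are indexed at build time rather than on every boot.
RUN /opt/keycloak/bin/kc.sh build

# Stage 2: the immutable runtime image, carrying only the pre-built server.
FROM quay.io/keycloak/keycloak:24.0.5
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Environment-specific values stay out of the image and are injected at
# deploy time (for example from Kubernetes Secrets):
#   KC_DB_URL, KC_DB_USERNAME, KC_DB_PASSWORD,
#   KC_HOSTNAME, KC_HTTPS_CERTIFICATE_FILE, KC_HTTPS_CERTIFICATE_KEY_FILE
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

# --optimized skips the build phase at startup; this is what makes the
# sub-five-second boot time possible. Without it, a mismatch between
# build-time and run-time options forces a rebuild on every start.
CMD ["start", "--optimized"]
```

Because the build-time options are frozen into the image, changing the database vendor or enabling a feature means rebuilding and redeploying the image rather than editing a running container, which is the trade-off that makes the image immutable.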

Also, because it runs on containerized Java and ships a Kubernetes Operator, Keycloak can be installed and scaled alongside the user’s other Kubernetes applications. While modernizing, the project has preserved the knowledge and user feedback from eight years of production use, so it can provide IAM support for both older vendor applications and brand-new cloud native ones. It also lets developers create new applications and services without in-depth knowledge of security protocols, and it strengthens the overall security posture of the systems that rely on it.

Having become cloud native from top to bottom, it was only natural that Keycloak would join the CNCF as an incubating project. Joining the foundation makes it an even more obvious solution for the IAM needs of CNCF’s over 150 projects. Membership will also help to grow Keycloak’s open source contributor base.

Enterprise grade IAM in a cloud native environment

The project’s advantage for users is that it provides a full ready-to-run IAM stack in a single container. This means that not only does it offer user management, LDAP/Active Directory federation, authentication delegation, identity verification and other essential enterprise IAM features, it does so without burdening operations.

“A benefit to Keycloak is that it is a single lightweight container, where other alternatives require multiple containers, directory servers, etc., while Keycloak only requires a relational database,” said Thorgersen. “Essentially, it’s not just an authenticator container that starts in 5 seconds, it’s the full IAM stack with the exception of the database.”

Keycloak integrates with a variety of authentication and authorization protocols, such as OAuth2, OpenID Connect and SAML. It provides Single Sign-On (SSO) support, enabling users to authenticate once and have access to a wide range of applications and services without having to re-enter their credentials. It also offers a range of integration options, including SAML2, LDAP, Kerberos/SPNEGO and Active Directory, which makes it easy to integrate with existing systems. It is highly configurable to meet the specific needs of an organization.

Another Keycloak feature that is compelling for large enterprise adopters is Realms. These are isolated management spaces that each maintain their own set of users, credentials, roles, and groups. Realms allow complex organizations to run independent clusters of Keycloak servers, since realms don’t share clients, users, or other identity and access data.

Now that Keycloak is officially a CNCF project, the maintainers look forward to increased usage and contributions from the broader cloud native ecosystem. IT staff looking for a mature IAM system integrated into their Kubernetes infrastructure can learn more at