Identity and Access Management
Platform Base includes a Keycloak instance for central identity and access management (IAM). The instance is managed by Kubernetes operators and is stateless, so that the configuration in Keycloak cannot diverge from the configuration in the operator manifests. Consequently, users and groups/roles have to be managed in a separate identity provider. Applications that are part of the platform, such as Argo CD and Grafana, are pre-configured to use single sign-on (SSO) via Keycloak.
Identity Provider
Keycloak supports identity providers that implement the SAML v2.0, OpenID Connect v1.0 or OAuth v2.0 protocol. This includes providers like Auth0, GCP, AWS and also Microsoft Active Directory Federation Services and SAP Cloud Identity Services.
Even Gitlab.com can be used as an identity provider, but since anyone with an account at Gitlab.com can then authenticate, authorization rules must be added so that only specific users or groups are granted access.
Configuration
The Keycloak instance must be configured exclusively through the Kubernetes operators included in the platform. Because the instance is stateless, only configuration declared in the operator manifests survives a restart: any manual change to the state of Keycloak is lost when the Keycloak instance restarts!
Currently the following Kubernetes operators are available.
In order to customize the Keycloak configuration, the Kubernetes custom resources of the EPAM EDP Operator should be used.
Once a single Kubernetes operator for Keycloak allows us to fully configure the Keycloak instance, a second operator will no longer be necessary and will be removed in future releases.
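The following manifest is an added example, not part of the Platform Base documentation or of the EPAM EDP operator's own samples. It ties the two points above together: it registers gitlab.com as an identity provider declaratively through an operator custom resource, and it adds one authorization rule, a claim-to-role mapper that grants a realm role only to members of a specific GitLab group, so that the "anyone with a Gitlab.com account can authenticate" problem does not turn into "anyone can use the platform". The API group and version `v1.edp.epam.com/v1`, the `spec` field names, and the `$secret-name:key` syntax for referencing a Kubernetes Secret are assumptions to verify against the CRDs installed in your cluster (`kubectl explain keycloakrealmidentityprovider.spec`). The realm `platform`, the namespace `keycloak`, the Secret `gitlab-oidc`, the GitLab group `platform-admins` and the role `platform-admin` are placeholders. The GitLab OIDC endpoints, the Keycloak config keys and the mapper id `oidc-role-idp-mapper` are the real ones.

```yaml
# Added example (not from Platform Base or the EPAM EDP operator samples).
# Registers gitlab.com as a generic OIDC identity provider in an existing
# realm and maps one GitLab group to one Keycloak realm role.
# ASSUMED and to be checked against your installed CRDs: apiVersion,
# spec field names, and the "$secret-name:key" secret reference syntax.
apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmIdentityProvider
metadata:
  name: gitlab-com
  namespace: keycloak                  # placeholder namespace
spec:
  realm: platform                      # placeholder: name of the KeycloakRealm resource
  alias: gitlab
  # Generic OIDC broker rather than the social "gitlab" type: Keycloak's
  # claim-to-role mappers are only offered for the "oidc" provider type.
  providerId: oidc
  enabled: true
  authenticateByDefault: false
  firstBrokerLoginFlowAlias: first broker login
  config:
    issuer: https://gitlab.com
    authorizationUrl: https://gitlab.com/oauth/authorize
    tokenUrl: https://gitlab.com/oauth/token
    userInfoUrl: https://gitlab.com/oauth/userinfo
    jwksUrl: https://gitlab.com/oauth/discovery/keys
    useJwksUrl: "true"
    validateSignature: "true"          # reject ID tokens not signed by GitLab's published keys
    defaultScope: "openid email"
    clientId: "<gitlab application id>"           # placeholder
    clientSecret: "$gitlab-oidc:clientSecret"     # ASSUMED syntax: key "clientSecret" of Secret "gitlab-oidc"
  mappers:
    # Authorization rule: only members of the GitLab group "platform-admins"
    # receive the realm role "platform-admin". Everyone else still has a
    # Keycloak account after login but holds no role the platform honours.
    - name: gitlab-group-to-platform-admin
      identityProviderAlias: gitlab
      identityProviderMapper: oidc-role-idp-mapper   # Keycloak "Claim to Role"
      config:
        claim: groups_direct             # GitLab's direct group membership claim
        claim.value: platform-admins     # placeholder group path
        role: platform-admin             # placeholder realm role
        syncMode: FORCE                  # re-evaluate on every login, so leaving the group revokes the role
```

After `kubectl apply`, check the resource's status with `kubectl get keycloakrealmidentityprovider gitlab-com -n keycloak` and confirm that the provider appears in the realm; if something needs changing, edit the manifest, since the operator reconciles Keycloak from it and a change made in the admin console is lost on the next restart. The mapper by itself does not block a login, it only withholds the role, so the platform applications must authorize on that role (for example Argo CD's RBAC policy and Grafana's role mapping), with no access granted to an authenticated user who lacks it.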