top of page

Designing Financial-Grade Identity: High-Availability Patterns for Keycloak on Kubernetes

  • Writer: Ajit Gupta
    Ajit Gupta
  • 2 days ago
  • 4 min read

Primary Audience: Platform Engineers

CNCF Alignment: Kubernetes, HA, Multi-Region

Abstract

In regulated financial environments, identity systems must meet stringent availability and resilience requirements. While Keycloak offers flexibility and extensibility, it does not abstract the complexity of distributed system design. This article presents production-proven patterns for building highly available Keycloak deployments on Kubernetes, focusing on cache topology, multi-region design, and operational resilience.


1. Identity as Critical Infrastructure

Authentication systems in financial services are treated as critical infrastructure. Availability requirements typically exceed 99.95 percent, and downtime windows are tightly controlled. However, systems should be designed with the goal of achieving zero downtime and availability of 99.99 percent or higher.

Unlike proprietary identity platforms that hide operational complexity, Keycloak requires explicit decisions about clustering, session replication, and failover. These decisions directly impact system reliability and must be made before production deployment.


2. The Default Model and Why It Fails at Scale

Keycloak’s default clustering model uses an embedded Infinispan cache. In this model, session data is stored inside the Keycloak nodes themselves.


Keycloak - Infinispan Embedded Mode
Keycloak - Infinispan Embedded Mode

This design introduces several limitations at scale:

  • Session state is tightly coupled to the lifecycle of Keycloak pods

  • Pod restarts trigger cluster topology changes that must stabilize before traffic can be served

  • Under high concurrency, these stabilization windows lead to session validation failures

  • Cross-region deployments introduce latency and consistency challenges

The embedded model does not support reliable session continuity across regions, making it unsuitable for active-active deployments in regulated environments.


3. Decoupling State: External Cache Topology

A more reliable pattern separates the cache layer from the application layer.

The diagram illustrates this model, where Infinispan runs as a standalone cluster and Keycloak connects to it as a remote cache store.


Remote Cache Mode
Remote Cache Mode

This separation introduces several important advantages:

Independent Scaling

Cache capacity can scale based on session volume, while Keycloak scales based on request throughput.

Isolation of Resource Pressure

Memory usage from sessions does not affect Keycloak pod resources.

Operational Flexibility

The cache cluster can be upgraded, scaled, or failed over independently of the application layer.

Predictable Replication

Cross-region replication uses Infinispan’s native mechanisms, which are more predictable and easier to monitor.

A typical sizing example shows that a three-node Infinispan cluster per region, with 16 GB RAM and 4 vCPU per node, can support approximately 10 million active sessions with a 30-minute idle timeout.


4. Multi-Region Architecture

High availability across regions requires explicit design decisions.

The diagram shows a multi-region deployment with separate clusters and a shared cache replication strategy.


High Availability
High Availability

Session Ownership Model

A stable pattern includes:

  • Session creation routed to a primary region using global load balancing

  • The primary region holding the authoritative session state

  • Asynchronous replication of session data to a secondary region

  • Replication lag monitored as a production metric

Failover Behavior

During a regional failure:

  • The secondary region promotes its cache to authoritative

  • Sessions that have not yet replicated are invalidated

  • Users are required to re-authenticate

Synchronous replication is avoided because it introduces latency that is unacceptable for authentication flows.

Database Layer

A read replica in the secondary region ensures that user data and configuration remain available without cross-region database calls after failover.


5. Zero-Downtime Deployment Strategy

To avoid service interruption, deployments follow a blue-green model.

Two identical environments are maintained. One serves traffic while the other receives updates. After validation, traffic is switched to the updated environment.

This approach requires:

  • Database schema changes that remain compatible with previous versions

  • Shared session state across environments, which is enabled by external cache

  • Coordination between configuration updates and application changes


6. Kubernetes-Level Availability Controls

Kubernetes introduces its own failure modes, particularly during maintenance operations.

One of the most important controls is the Pod Disruption Budget.

Without this control, operations such as node draining or autoscaling can terminate multiple pods at once, reducing a healthy cluster to a single instance or causing a full outage.

For a three-node deployment, setting a minimum of two available pods ensures that the system continues to serve traffic during voluntary disruptions.

This principle also applies to the cache cluster. Loss of quorum in the cache layer results in authentication failures even if Keycloak itself remains healthy.

Many production outages originate from infrastructure operations rather than application faults, making these controls essential.


7. Observability

High availability depends on visibility into system behavior.

Key metrics include:

  • Cache replication lag

  • Database connection pool utilization

  • Token issuance and validation latency

  • Authentication success and failure rates

Critical failure scenarios include cache inconsistencies, replication delays, and database lag. These conditions must be detected and addressed before they impact users.


8. Architectural Decisions That Cannot Be Reversed

Some decisions must be made before production deployment because they are difficult to change later.

Cache topology is one such decision. Moving from embedded cache to an external cache model after go-live requires downtime and migration planning.

Choosing the correct architecture early avoids significant operational risk.


9. Conclusion

Keycloak can support the demands of regulated financial systems when deployed with the right architectural patterns.

Separating the cache layer from the application layer enables:

  • Resilient multi-region deployments

  • Predictable failover behavior

  • Zero downtime operations

Successful deployments treat identity not as a simple service, but as a distributed system that requires careful design from the beginning.

Writer's Overview

Mayank Soni – DevSecOps Specialist  

Mayank leads DevSecOps initiatives at Midships, driving platform-level automation, CI/CD pipeline optimization, and secure infrastructure delivery. With a dual role as contributor and team lead, he focuses on scalable deployment strategies, cost-efficient infrastructure, and faster feedback loops across cloud environments. His hands-on experience spans infrastructure, security, and application layers—including building and deploying full-stack services using modern cloud-native architectures.

Short bio: Mayank is a DevSecOps expert with 6+ years of experience across AWS, Azure, and GCP. He specializes in infrastructure automation, secure CI/CD pipelines, and observability systems. With a strong foundation in both cloud engineering and application development, he supports Midships’ cloud transformation across Southeast Asia.

 
 
 

Comments

Stronger Identity, Happier Customers.

Ready to modernize your identity infrastructure?

Let's secure your growth together.

Explore more resources
bottom of page