Engineering and Technology | Open Access | DOI: https://doi.org/10.37547/tajet/Volume08Issue05-07

Designing Secure Microservices on Kubernetes: An Architectural Deep Dive into OAuth2, PKCE, Keycloak, Vault, and LDAP

Igor Zuykov, Chief Software Engineer, G-71 Inc, Sugar Hill, GA, USA

Abstract

The article examines an architectural model for securing microservice systems in a Kubernetes environment, integrating mechanisms for federated authentication, secrets management, network isolation, and secure data evolution, leveraging OAuth 2.1, PKCE, Keycloak, Vault, and LDAP. The work is motivated by the growing attack surface of cloud-native environments, exacerbated by container ephemerality, flat cluster networking, and fragmented access domains. In such environments, a compromised container can attack other services, steal credentials, and intercept traffic. The paper therefore seeks to develop and validate an integrated architectural approach to securing the Kubernetes microservice ecosystem under the Zero Trust security model. The main contribution of the article is the formalization of an end-to-end security pattern for the IAM domain. This pattern is formed by combining several technologies (PKCE, mTLS, Vault PKI, External Secrets Operator, and Liquibase) into a single model. It is concluded that the combination of an API Gateway, Keycloak with LDAP, short-lived secrets, and separated privileges for applications and migrations reduces the risk of token interception, secret leakage, and lateral movement within the cluster at an acceptable infrastructure cost. The article will be useful for IT architects, DevSecOps engineers, information security specialists, and cloud platform developers.
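The abstract names PKCE as the mechanism that limits authorization-code interception. The following is an added illustration (not code from the paper or from Keycloak) of the S256 binding that OAuth 2.1 makes mandatory: the client commits to a hash of a secret before the code is issued, and the authorization server only redeems a code for the party that can present the pre-image. The `AuthServer` class is a hypothetical minimal model of the server side, and the test vector comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy verifier: 43..128 unreserved characters (RFC 7636 section 4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """challenge = BASE64URL(SHA256(ASCII(verifier))), without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Hypothetical minimal model of the authorization server's PKCE checks."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Bind a one-time authorization code to the client's challenge and return the code."""
        if method != "S256":
            raise ValueError("OAuth 2.1 requires S256; the 'plain' method is not accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """Redeem a code: succeeds only if the verifier hashes to the stored challenge."""
        entry = self._pending.pop(code, None)  # single use: any second attempt fails
        if entry is None or entry[0] != client_id:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        # constant-time comparison so partial matches leak nothing through timing
        return secrets.compare_digest(code_challenge_s256(code_verifier), entry[1])


def demo() -> tuple[bool, bool, bool]:
    """Returns (legitimate exchange, replay of a consumed code, code without its verifier)."""
    srv = AuthServer()
    verifier = make_code_verifier()
    code = srv.authorize("spa-client", code_challenge_s256(verifier))
    legit = srv.token("spa-client", code, verifier)       # True
    replay = srv.token("spa-client", code, verifier)      # False: code already consumed
    # a party holding only a captured code, not the verifier, cannot redeem it
    code2 = srv.authorize("spa-client", code_challenge_s256(make_code_verifier()))
    no_verifier = srv.token("spa-client", code2, make_code_verifier())  # False
    return legit, replay, no_verifier
```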

Keywords

microservice security, Kubernetes, OAuth 2.1, PKCE, Keycloak, Vault, LDAP, Zero Trust, mTLS.



How to Cite

Zuykov, I. (2026). Designing Secure Microservices on Kubernetes: An Architectural Deep Dive into OAuth2, PKCE, Keycloak, Vault, and LDAP. The American Journal of Engineering and Technology, 8(05), 58–69. https://doi.org/10.37547/tajet/Volume08Issue05-07