Short answer: None. If you need to ask this, you should not install a security component.
Longer answer: Keycloak is a security-critical component in your setup, so you should answer some questions for your scenario:
- how do I protect my setup?
- how do I deploy the rest of my applications?
- how large is my deployment (users, realms, etc.)?
- can I accept downtimes?
Once your security design is done you will probably have the answer.
Another short answer:
Docker/Podman if you want it for local testing, k8s or OpenShift if you already deploy your app (that you want to protect with Keycloak) there.
Bare metal if you know what you are doing...