.. _security_with_docker:

Docker Security
===============

|cp| supports cluster encryption and authentication, including a mix of authenticated and unauthenticated,
and encrypted and non-encrypted clients. Using security is optional. These security features are supported on the |cp| Docker images:

.. csv-table::
   :header: "Component", "Tests"
   :widths: 20, 20

   "Confluent Control Center", "HTTPS"
   "Kafka Connect", "None"
   "Kafka", "SASL, SSL"
   "REST Proxy", "HTTPS"
   "Schema Registry", "HTTPS"
   "ZooKeeper", "SASL"

Managing secrets
  When you enable security for the |cp|, you must pass secrets (e.g., credentials, certificates, keytabs,
  Kerberos config etc.) to the container. The images handle this by expecting the credentials to be available in the
  secrets directory. The containers specify a Docker volume for secrets and expect the admin to map it to a directory on the host
  which contains the required secrets.

For details on the available security features in |cp|, see the :ref:`Confluent Platform Security
Overview Documentation <security>`.

For tutorials on using SSL in the |cp|, see :ref:`cp-demo`.

Audit logging 
  For details about how to configure audit logging in Docker containers, refer 
  to :ref:`audit-logging-docker`.