Configure Security with Confluent for Kubernetes
Confluent for Kubernetes takes an opinionated and automated approach of securing your Confluent deployment.
Securing your Confluent deployment covers the following security dimensions:
Authentication
Authorization
Network Encryption
Configuration Secrets
Confluent recommends the following security configuration for an automated, secured production deployment:
- For authentication
For Kafka client authentication, choose one of:
SASL/Plain
For SASL/Plain, the identity can come from LDAP server.
mTLS
- For authorization
Confluent Role-Based Access Control (RBAC) for authorization, with user/group identity coming from LDAP server
- For network Encryption
TLS for both internal (between Confluent components) and external (clients to Confluent components)
- For configuration secrets
Manage the lifecycle using Kubernetes Secrets or Vaults, and reference them in the Confluent component custom resources
For a comprehensive tutorial scenario on configuring Confluent recommended security, see the Security Tutorial.
While the above is the recommended way to run Confluent for Kubernetes in production, you do have the option to deploy and operate Confluent for Kubernetes with different security configurations. Below is the outline of security configurations supported, with links to pages that cover concepts and instructions in detail:
Authentication
Kafka authentication
No authentication
SASL/Plain authentication (username/password)
mTLS authentication (certificate based)
ZooKeeper authentication
No authentication
Confluent component authentication
No authentication
Basic authentication (username/password)
LDAP authentication (for Confluent Control Center (Legacy) only)
Authorization
No authorization
Confluent Role Based Access Control (RBAC) authorization, with a dependency on LDAP server
Network Encryption
No encryption