Configure Networking for RBAC

This topic describes additional networking configuration steps required when you set up external access to Confluent Platform with role-based access control (RBAC) enabled.

If you enable external access to MDS, one additional Kubernetes service of the specified type (load balancer, node port, or route) is created.

If you want to support external access to Kafka Metadata Service (MDS), configure the following in the Kafka custom resource (CR).

External access to MDS using load balancer

spec:
  services:
    mds:
      externalAccess:
        type: loadBalancer
        loadBalancer:
          domain:    # Required. The domain name of the MDS cluster.
          port:      # The port to externally access MDS.
                     # If not set, the same internal/external port is
                     # configured.
          prefix:    # If set, the MDS endpoint is <prefix>.<domain>.
                     # If omitted, the MDS endpoint is <domain> by default.

The endpoint to externally access MDS is https://<prefix>.<domain>:<port>.

If spec.services.mds.externalAccess.loadBalancer.port is not set, the external MDS endpoint uses the following default ports:

  • The endpoint to externally access MDS over HTTPS using load balancer is https://<prefix>.<domain>:443.
  • The endpoint to externally access MDS over HTTP using load balancer is http://<prefix>.<domain>:80.

External access to MDS using node port

spec:
  services:
    mds:
      externalAccess:
        type: nodePort
        nodePort:
          externalTrafficPolicy: # Cluster or Local
          host:                  # Host name of the MDS
          nodePortOffset:        # Port number of the MDS. The value should
                                 # be between 30000 and 32767, inclusive.

For example:

spec:
  services:
    mds:
      externalAccess:
        type: nodePort
        nodePort:
          externalTrafficPolicy: Cluster
          host: example.com
          nodePortOffset: 30001

The endpoint to externally access MDS using node port is http(s)://<host>:<nodePortOffset>.

External access to MDS using route

spec:
  services:
    mds:
      externalAccess:
        type: route
        route:
          domain:    # Required. Domain name of the MDS cluster.
          prefix:    # If set, the MDS endpoint is <prefix>.<domain>.
                     # If omitted, the MDS endpoint is <domain> by default.

The endpoint to externally access MDS over HTTP using route is http://<domain>:80.

The endpoint to externally access MDS over HTTPS using route is https://<domain>:443.
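
The endpoint rules above for all three access types, as an added example that is not part of the original page or of Confluent's code: it derives the external MDS URL from an externalAccess mapping and rejects specs that break the stated constraints. The function name mds_endpoint, the tls parameter, and the sample values are assumptions of this example.

```python
# Added example (not Confluent code): derive the external MDS endpoint
# from a spec.services.mds.externalAccess mapping, following this page's rules.
NODE_PORTS = range(30000, 32768)  # 30000-32767 inclusive


def mds_endpoint(external_access, tls=True):
    """Return the external MDS URL; raise ValueError on an unusable spec.

    `tls` is this example's assumption for whether MDS is served over HTTPS.
    """
    scheme, default_port = ("https", 443) if tls else ("http", 80)
    kind = external_access.get("type")
    cfg = external_access.get(kind) or {}

    if kind in ("loadBalancer", "route"):
        domain = cfg.get("domain")
        if not domain:
            raise ValueError(f"{kind}.domain is required")
        prefix = cfg.get("prefix")
        host = f"{prefix}.{domain}" if prefix else domain
        # Only loadBalancer has a port field; route always uses 80/443.
        port = cfg.get("port") if kind == "loadBalancer" else None
        return f"{scheme}://{host}:{port or default_port}"

    if kind == "nodePort":
        host, port = cfg.get("host"), cfg.get("nodePortOffset")
        if not host:
            raise ValueError("nodePort.host is needed to build the endpoint")
        if type(port) is not int or port not in NODE_PORTS:
            raise ValueError("nodePort.nodePortOffset must be 30000-32767")
        if cfg.get("externalTrafficPolicy") not in (None, "Cluster", "Local"):
            raise ValueError("externalTrafficPolicy must be Cluster or Local")
        return f"{scheme}://{host}:{port}"

    raise ValueError(f"unsupported externalAccess.type: {kind!r}")


if __name__ == "__main__":
    # Constructed sample specs; domains and prefix are placeholders.
    samples = [
        {"type": "loadBalancer", "loadBalancer": {"domain": "example.com", "prefix": "mds"}},
        {"type": "nodePort", "nodePort": {"externalTrafficPolicy": "Cluster",
                                          "host": "example.com", "nodePortOffset": 30001}},
        {"type": "route", "route": {"domain": "example.com"}},
    ]
    for spec in samples:
        print(spec["type"], "->", mds_endpoint(spec))
```

The returned URL is the exact host and port that becomes reachable from outside the cluster, which is what firewall rules and client configuration should be checked against.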