Configure Security using Confluent for Kubernetes Blueprints

Securing your Confluent deployment covers the following security dimensions in Confluent for Kubernetes (CFK) Blueprints:

  • Authentication
  • Authorization
  • Network Encryption

Confluent recommends the following security configuration for production deployments:

  • For authentication
    For Kafka client authentication, choose one of:
    • mTLS
    • SASL/PLAIN
  • For authorization
    Confluent Role-Based Access Control (RBAC) for authorization, with user/group identity coming from LDAP server
  • For network Encryption
    TLS for both internal (between Confluent components) and external (clients to Confluent components)

For a comprehensive tutorial scenario on configuring Confluent recommended security, see the CFK Blueprints Tutorials.

While the above is the recommended way to run Confluent Platform that is managed by CFK Blueprints, you do have the option to deploy and operate CFK Blueprints with different security configurations. Below is the outline of security configurations supported, with links to pages that cover concepts and instructions in detail:

  • Authentication
    • Kafka authentication
      • No authentication
      • SASL/PLAIN authentication (username/password)
      • mTLS authentication (certificate based)
    • ZooKeeper authentication
      • No authentication
      • Digest authentication
      • mTLS authentication
    • Confluent component authentication
      • No authentication
      • Basic authentication (username/password)
      • mTLS authentication
      • LDAP authentication (for Confluent Control Center only)
  • Authorization
    • No authorization
    • Confluent Role Based Access Control (RBAC) with a dependency on LDAP server
  • Network Encryption
    • No encryption
    • TLS encryption