Security Compliance in Confluent for Kubernetes

This topic describes the support and configuration details for the Federal Information Processing Standard (FIPS) compliance in Confluent Platform deployed by Confluent for Kubernetes (CFK).

Federal Information Processing Standard (FIPS) 140-2

The Federal Information Processing Standard (FIPS) 140-2 defines the security requirements for cryptography used in the US Federal Government systems.

While Confluent Platform is not FIPS-certified, it provides FIPS-compliant cipher enforcement at the component level. For details, see Confluent Platform FIPS 140-2.

Confluent Server (Confluent Kafka), KRaft, Schema Registry, Connect, and ksqlDB can be configured to use FIPS-compliant ciphers on its TLS connections. This requires that all TLS enabled components use the FIPS-compliant Java KeyStore type, Bouncy Castle. These TLS configurations also include those for the listeners, the MDS, Kafka REST class, and schema validation.

Bouncy Castle type keystores cannot be used to configure ZooKeeper TLS.

You can use regular keystores to connect non-FIPS compliant components to the FIPS enabled listeners.

Deploy CFK in the FIPS mode

  1. (Optional) To enable the validating webhooks for CFK in the FIPS mode, you need to provide TLS keys and certificates in Java KeyStore format. In FIPS mode, the webhook server requires trustrsore.jks, keystore.jks, jksPassword.txt.

  2. Install CFK in the FIPS mode.

    • From the Confluent Helm repository, using the Helm argument, –set fipsmode=”true”:

      helm upgrade --install confluent-operator \
        confluentinc/confluent-for-kubernetes \
        --set fipsmode=true \
        --namespace <namespace>
      

      For details of using a Helm argument, see Deploy customized CFK.

    • Set the following property in the configuration values file.

      fipsmode: true
      

      For details about using the configuration file, see Deploy customized CFK.

Note

Upgrading a FIPS-enabled cluster from the ZooKeeper mode to KRaft mode is not currently supported.

As a workaround, turn off the FIPS mode for CFK, migrate to the KRaft mode, and turn on the FIPS mode on the CFK.

Deploy Confluent Platform in the FIPS mode

To enable FIPS for Confluent Platform:

  1. Create a secret with the FIPS-compliant keystores and truststores.
  2. Reference the above secret in the component custom resources (CRs).

Create FIPS-compliant keystores

To enable FIPS in Confluent Platform, the following keys and files are required:

  • Bouncy Castle keystore (truststore.bcfks) and truststore (truststore.bcfks)
  • JKS keystore (keystore.jks) and truststore (truststore.jks) if there is a TLS connection between Kafka and ZooKeeper
  • JKS password (jksPassword.txt)

The steps in this section use the commands with example use cases. Replace the file locations and other parameters in the examples with those for your environment.

  1. To create Bouncy Castle type keystores, download the Bouncy Castle JAR:

    curl https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.3/bc-fips-1.0.2.3.jar \
      -o /tmp/bc-fips-1.0.2.3.jar
    
  2. Create all the keystores required for deployment.

    1. Create the certificate chain as described in Provide TLS keys and certificates in PEM format:

      cat ca.pem server.pem > server-chain.pem
      
    2. Create the Bouncy Castle truststore using the JAR you downloaded in Step #1:

      keytool -noprompt -keystore truststore.bcfks \
          -storetype BCFKS \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      
    3. Add the server certificate and the key into a PKCS12 file:

      openssl pkcs12 -export \
          -in server-chain.pem \
          -inkey server-key.pem \
          -out server.p12 \
          -name localhost \
          -passout pass:mykeypassword
      
    4. Create the Bouncy Castle keystore out of the PKCS12 created in the previous step:

      keytool -importkeystore \
          -srckeystore keystores/server.p12 \
          -srcstoretype pkcs12 \
          -srcstorepass mykeypassword \
          -destkeystore keystore.bcfks \
          -deststorepass password \
          -destkeypass password \
          -deststoretype BCFKS \
          -providername BCFIPS \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      
    5. Import the certificate authority (CA) into the keystore:

      keytool -noprompt -keystore keystore.bcfks \
          -storetype BCFKS \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      
    6. Inspect the keystore contents:

      keytool -list -keystore keystore.bcfks \
          -storepass password -v \
          -keypass password \
          -storetype BCFKS \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      
  3. Because the TLS connection between Kafka and ZooKeeper cannot use Bouncy Castle keystores, you must also create a PKCS12 keystore for those connections.

    1. Create the truststore:

      keytool -noprompt -keystore truststore.jks \
          -storetype pkcs12 \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password
      
    2. Create the keystore out of the PKCS12 created in the previous step:

      keytool -importkeystore \
          -srckeystore server.p12 \
          -srcstoretype pkcs12 \
          -srcstorepass mykeypassword \
          -deststoretype pkcs12 \
          -destkeystore keystore.jks \
          -deststorepass password \
          -destkeypass password
      
    3. Import the certificate authority (CA) into the keystore:

      keytool -noprompt -keystore keystore.jks \
          -alias CARoot \
          -storetype pkcs12 \
          -import -file ca.pem \
          -storepass password \
          -keypass password
      
    4. Inspect the keystore content:

      keytool -list -keystore keystore.jks \
          -storepass password -v \
          -keypass password
      
  4. Create the Kubernetes secret with the keystores:

    kubectl create secret generic fips-tls \
        --from-file=keystore.bcfks=keystore.bcfks \
        --from-file=truststore.bcfks=truststore.bcfks \
        --from-file=keystore.jks=keystore.jks \
        --from-file=truststore.jks=truststore.jks \
        --from-literal=jksPassword.txt=jksPassword=password
    

Configure FIPS-enabled Confluent Platform

To enable FIPS for Kafka, KRaft, Schema Registry, Connect, and ksqlDB, add the following settings in each component custom resource (CR):

kind: <component>
spec:
  tls:
    fips:
       enabled: true   --- [1]
    secretRef:         --- [2]

Note

The Kafka API to enable FIPS in CFK 2.5 through 2.8 is still supported for Kafka in this release of CFK.