Configure Security with Confluent for Kubernetes

Confluent for Kubernetes takes an opinionated and automated approach to securing your Confluent deployment.

Securing your Confluent deployment covers the following security dimensions:

  • Authentication
  • Authorization
  • Network Encryption
  • Configuration Secrets

Confluent recommends the following security configuration for an automated, secured production deployment:

  • For authentication

    For Kafka client authentication, choose one of:

    • SASL/Plain

      With SASL/Plain, the username and password presented by the client can be validated against an LDAP server.

    • mTLS

  • For authorization

    Confluent Role-Based Access Control (RBAC), with user and group identities coming from an LDAP server

  • For network encryption

    TLS for both internal traffic (between Confluent components) and external traffic (from clients to Confluent components)

  • For configuration secrets

    Manage their lifecycle through Kubernetes Secrets, and reference those Secrets from the Confluent component CustomResources

For a comprehensive tutorial scenario on configuring Confluent recommended security, see the secure tutorial.
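The manifest below is an added example, not code from the Confluent documentation or the secure tutorial. It shows the four recommended settings wired together in one file: credentials held in Kubernetes Secrets, SASL/Plain listeners whose identities are validated against LDAP, RBAC authorization through the Metadata Service (MDS), and TLS on every listener. The field names follow the platform.confluent.io/v1beta1 Kafka CustomResource; the Secret names (credential, mds-client, tls-kafka, mds-token), the namespace, the image tags, the LDAP address and search bases, and the kRaftController dependency block are assumptions to adapt to your environment. The tls-kafka and mds-token Secrets are assumed to have been created beforehand from your own PKI.

```yaml
# Added example (not from the CFK docs): recommended security settings in one manifest.
# Assumed names: namespace confluent, Secrets credential / mds-client / tls-kafka / mds-token.
---
# Configuration secrets: SASL/Plain users and the LDAP bind credentials live in a Secret,
# never inline in the CustomResource. Values here are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: credential
  namespace: confluent
type: Opaque
stringData:
  plain-users.json: |
    {
      "kafka": "kafka-secret"
    }
  ldap.txt: |
    username=cn=mds,dc=test,dc=com
    password=Developer!
---
# Bearer credentials that Kafka and the REST layer use to call MDS (placeholder values).
apiVersion: v1
kind: Secret
metadata:
  name: mds-client
  namespace: confluent
type: Opaque
stringData:
  bearer.txt: |
    username=kafka
    password=kafka-secret
---
apiVersion: platform.confluent.io/v1beta1
kind: Kafka
metadata:
  name: kafka
  namespace: confluent
spec:
  replicas: 3
  image:
    application: confluentinc/cp-server:7.6.0          # assumed tag
    init: confluentinc/confluent-init-container:2.8.0  # assumed tag
  dataVolumeCapacity: 10Gi
  # Network encryption: certificate material comes from a pre-created Secret
  # holding fullchain.pem, privkey.pem and cacerts.pem.
  tls:
    secretRef: tls-kafka
  # Authentication: SASL/Plain on both listeners, TLS enabled on both,
  # so credentials are never sent over an unencrypted connection.
  listeners:
    internal:
      authentication:
        type: plain
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
    external:
      authentication:
        type: plain
        jaasConfig:
          secretRef: credential
      tls:
        enabled: true
  # Authorization: RBAC. superUsers bypass role bindings, so keep this list to the
  # broker principal itself.
  authorization:
    type: rbac
    superUsers:
      - User:kafka
  services:
    mds:
      tls:
        enabled: true
      tokenKeyPair:
        secretRef: mds-token   # pre-created: mdsPublicKey.pem, mdsTokenKeyPair.pem
      provider:
        type: ldap
        ldap:
          # ldaps so the simple bind password is not sent in clear text (assumed host)
          address: ldaps://ldap.confluent.svc.cluster.local:636
          authentication:
            type: simple
            simple:
              secretRef: credential
          configurations:
            groupNameAttribute: cn
            groupObjectClass: group
            groupMemberAttribute: member
            groupMemberAttributePattern: CN=(.*),DC=test,DC=com
            groupSearchBase: dc=test,dc=com
            userNameAttribute: cn
            userMemberOfAttributePattern: CN=(.*),DC=test,DC=com
            userObjectClass: organizationalRole
            userSearchBase: dc=test,dc=com
  dependencies:
    # Assumed KRaft controller cluster named kraftcontroller; adjust to your deployment.
    kRaftController:
      clusterRef:
        name: kraftcontroller
      controllerListener:
        tls:
          enabled: true
        authentication:
          type: plain
          jaasConfig:
            secretRef: credential
    kafkaRest:
      authentication:
        type: bearer
        bearer:
          secretRef: mds-client
    mdsClient:
      authentication:
        type: bearer
        bearer:
          secretRef: mds-client
```

Two checks worth making before applying a manifest like this: confirm that every listener you expose has both `authentication` and `tls.enabled: true` set (a listener with neither accepts unauthenticated plaintext traffic), and confirm that the LDAP bind account referenced from `ldap.txt` is a read-only service account, since MDS uses it to look up users and groups for every authorization decision.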

While the above is the recommended way to run Confluent for Kubernetes in production, you also have the option to deploy and operate Confluent for Kubernetes with different security configurations. Below is an outline of the supported security configurations, with links to pages that cover the concepts and instructions in detail:

  • Authentication
    • Kafka client authentication
      • No authentication
      • SASL/Plain authentication (username/password)
      • mTLS authentication (certificate based)
    • Confluent component REST authentication
      • No authentication
      • Basic authentication (username/password)
    • Confluent Control Center authentication
      • No authentication
      • Basic authentication (username/password)
  • Authorization
    • No authorization
    • Confluent Role-Based Access Control (RBAC) authorization, which depends on an LDAP server
    • Kafka Access Control Lists (ACLs)
  • Network Encryption
    • No encryption
    • TLS encryption