Confluent for Kubernetes Release Notes

Confluent for Kubernetes (CFK) provides a declarative API-driven control plane to deploy and manage Confluent Platform on Kubernetes.

The following sections summarize the technical details of the CFK 2.9 releases.

Confluent for Kubernetes 2.9.3 Release Notes

Confluent for Kubernetes (CFK) 2.9.3 allows you to deploy and manage Confluent Platform versions from 7.0.x to 7.7.x on Kubernetes versions 1.25 - 1.30 (OpenShift 4.11 - 4.16).

The images released in CFK 2.9.3 are:

  • confluentinc/confluent-operator:0.1033.33
  • confluentinc/confluent-init-container:2.9.3
  • confluentinc/<CP component images>:7.7.1

For a full list of Confluent Platform images and tags, see Confluent Platform versions.

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

Notable fixes

  • Internal issues were resolved, including critical security and vulnerability issues.

Confluent for Kubernetes 2.9.2 Release Notes

Confluent for Kubernetes (CFK) 2.9.2 allows you to deploy and manage Confluent Platform versions from 7.0.x to 7.7.x on Kubernetes versions 1.25 - 1.30 (OpenShift 4.11 - 4.16).

The images released in CFK 2.9.2 are:

  • confluentinc/confluent-operator:0.1033.22
  • confluentinc/confluent-init-container:2.9.2
  • confluentinc/<CP component images>:7.7.0

For a full list of Confluent Platform images and tags, see Confluent Platform versions.

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

Notable fixes

  • Fixed the rollback workflow for KRaft migration jobs.
  • Fixed critical internal issues.

Upgrade notes

  • Update Confluent Platform CRDs to 2.9.2.
  • Update the CFK init-container to 2.9.2.

Confluent for Kubernetes 2.9.1 Release Notes

Confluent for Kubernetes (CFK) 2.9.1 allows you to deploy and manage Confluent Platform versions from 7.0.x to 7.7.x on Kubernetes versions 1.25 - 1.30 (OpenShift 4.11 - 4.16).

The images released in CFK 2.9.1 are:

  • confluentinc/confluent-operator:0.1033.10
  • confluentinc/confluent-init-container:2.9.1
  • confluentinc/<CP component images>:7.7.0

For a full list of Confluent Platform images and tags, see Confluent Platform versions.

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

Notable fixes

  • Fixed Connect OAuth properties for RBAC.
  • Fixed an upgrade issue when upgrading to CFK 2.9.0 with Control Center single sign-on (SSO) enabled.
  • Fixed issues in the CFK API Reference Guide.

Confluent for Kubernetes 2.9.0 Release Notes

Confluent for Kubernetes (CFK) 2.9.0 allows you to deploy and manage Confluent Platform versions from 7.0.x to 7.7.x on Kubernetes versions 1.25 - 1.30 (OpenShift 4.11 - 4.16).

The images released in CFK 2.9.0 are:

  • confluentinc/confluent-operator:0.1033.3
  • confluentinc/confluent-init-container:2.9.0
  • confluentinc/<CP component images>:7.7.0

For a full list of Confluent Platform images and tags, see Confluent Platform versions.

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

New features

OAuth 2.0 support

You can configure and use the OAuth mechanism on Apache Kafka®, KRaft, Schema Registry, Kafka Connect, REST Proxy, and Confluent Control Center for authentication and authorization.

See OAuth for Kafka and OAuth for other components.

You can configure CFK Day 2 application resources to use OAuth to get access to Confluent Platform components.

Multi-region cluster deployment with KRaft

You can configure and deploy KRaft clusters in multiple regions to form a logical cluster of KRaft controllers across Kubernetes region clusters.

See Configure KRaft in a multi-region cluster.

Multi-region cluster deployment with Connect

You can configure and deploy Connect in one Kubernetes region cluster and utilize the stretched Kafka.

See Configure Connect in a multi-region cluster.

Federal Information Processing Standards (FIPS)
  • FIPS can be enabled for the Kafka, Connect, ksqlDB, and Schema Registry clusters.

    See Security Compliance in Confluent for Kubernetes.

  • CFK now can be set up running in the FIPS mode using the Helm argument –set fipsmode=”true”.

Configurable Pod Disruption Budget

Now you can set or disable the pod disruption budget for all Confluent Platform components, namely, Apache Kafka®, ZooKeeper, KRaft, Connect, ksqlDB, and Schema Registry.

See Advanced Configuration Options in Confluent for Kubernetes.

Notable enhancements and updates

  • The location to download the CFK bundle has changed to the following:

    https://packages.confluent.io/bundle/cfk/confluent-for-kubernetes-2.9.3.tar.gz
    
  • Confluent-operator now uses UBI-micro base image which leads to reduced size and reduced security vulnerabilities.

  • Improved the support bundle diagnostics to now include Pod Disruption Budgets, Persistent Volumes, Persistent Volume Claims, Pod Specs, and kernel parameters.

  • CFK support bundle now can capture large logs even when debug/trace logging is enabled. Specify the duration (in seconds) you want to follow the pod logs using the new follow-logs-duration option.

    See Troubleshoot Confluent for Kubernetes.

Notable fixes

  • Fixed an issue that caused the Schema Registry endpoint to be empty when doing self-discovery with external access enabled.
  • To prevent a possible data loss, you cannot change the Kafka cluster used by that Topic Custom Resource (CR) after you create a topic using the Topic CR.
  • Removed the one-minute context timeout in the Clusterlink Reconcile loop in the ClusterLink CR. The timeout caused problems when there were many topics.
  • Added configuration to increase the number of workers in Day 2 resources.
  • Fixed an issue in KRaftMigrationJob rollback to ZooKeeper for mTLS-enabled clusters.
  • Fixed a race condition during the support bundle report command.
  • CFK allows zip files with query parameters as valid connector plugin URLs.
  • Fixed broker ID calculation for the cluster shrink workflow in multi-region clusters (MRC).
  • Internal issues were resolved, including critical security and vulnerability issues.

Known issues

  • When deploying CFK to Red Hat OpenShift with Red Hat’s Operator Lifecycle Manager (that is, using the OperatorHub), you must use OpenShift version 4.9 or higher.

    This OpenShift version restriction does not apply when deploying CFK to Red Hat OpenShift in the standard way without using the Red Hat Operator Lifecycle Manager.

  • If the ksqlDB REST endpoint is using the auto-generated certificates, the ksqlDB deployment that points to Confluent Cloud requires trusting the Let’s Encrypt CA.

    For this to work, you must provide a CA bundle through cacerts.pem that contains both (1) the Confluent Cloud CA and (2) the self-signed CA to the ksqlDB CR.

  • When TLS is enabled, and when Confluent Control Center uses a different TLS certificate to communicate with MDS or Confluent Cloud Schema Registry, Control Center cannot use an auto-generated TLS certificate to connect to MDS or Confluent Cloud Schema Registry. See Troubleshooting Guide for a workaround.

  • When deploying the Schema Registry and Kafka CRs simultaneously, Schema Registry could fail because it cannot create topics with a replication factor of 3. It is because the Kafka brokers have not fully started.

    The workaround is to delete the Schema Registry deployment and re-deploy once Kafka is fully up.

  • When deploying an RBAC-enabled Kafka cluster in centralized mode, where another “secondary” Kafka is being used to store RBAC metadata, an error, “License Topic could not be created”, may return on the secondary Kafka cluster.

  • A periodic Kubernetes TCP probe on ZooKeeper causes frequent warning messages “client has closed socket” when warning logs are enabled.

  • REST Proxy configured with monitoring interceptors is missing the callback handler properties when RBAC is enabled. Interceptor would not work, and you would see an error message in the KafkaRestProxy log.

    As a workaround, manually add configuration overrides as shown in the following KafkaRestProxy CR:

    configOverrides:
      server:
        - confluent.monitoring.interceptor.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
        - consumer.confluent.monitoring.interceptor.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
        - producer.confluent.monitoring.interceptor.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    
  • When configuring source-initiated cluster links with CFK where the source cluster has TLS enabled, do not set spec.tls, and do not set spec.authentication in the ClusterLink CR on the destination cluster if the source cluster has mTLS authentication.

    Instead, in the Destination mode ClusterLink CR, under the spec.configs section, set:

    • local.security.protocol: SSL for mTLS.
    • local.security.protocol: SASL_SSL for SASL authentication with TLS.

    For details about configuring the destination cluster for source-initiated Cluster Linking, see Configure the source-initiated cluster link on the destination cluster.

  • The CFK support bundle plugin on Windows systems does not capture all the logs.

    As a workaround, specify the --out-dir flag in the kubectl confluent support-bundle command to provide the output location for the support bundle.

  • You cannot upgrade to CFK 2.9.0 if you have a Confluent Platform deployment that is configured with Control Center single sign-on (SSO).

    The issue is fixed in the CFK 2.9.1 release.

Known gaps from Confluent Platform 7.7

CFK 2.9 does not support the following Confluent Platform 7.7 functionality:

  • Kafka authentication mechanisms: Kerberos and SASL/Scram

Known gaps in CFK Blueprints

CFK Blueprints 2.9 does not support the following CFK functionality:

  • Internal listener authentication change on the running cluster
  • A central Confluent Platform cluster serving as the RBAC metadata store for multiple Confluent Platform clusters
  • The StaticPortBasedRouting and NodePort external access methods
  • Monitoring multiple Kafka clusters in Confluent Control Center
  • Configuring and managing KRaft-based clusters
  • Using OpenID Connect (OIDC) for authentication