Inter-broker and ZooKeeper security

Learn about inter-broker and ZooKeeper security.

Inter-broker security

Kafka exposes two internal ports on every broker: 9090, the control plane listener used for inter-broker control messages, and 9091, the replication listener used for inter-broker replication and for communication with Cruise Control and the operators. These listeners are not configurable and require mTLS authentication: a connecting client must present a certificate issued by the cluster CA, and the only such certificates are the ones the Cluster Operator stores in Kubernetes Secrets for the brokers, the operators and Cruise Control. Anyone who can read those Secrets can therefore connect to Kafka over the internal listeners. To protect them, limit who can read Secrets in the namespace where the Kafka cluster is deployed, for example with Kubernetes RBAC that grants users access only to the specific Secrets they need.

Because the internal listeners are separate from the listeners you configure for clients, the internal configuration stays simple and keeps its mTLS protection unchanged when you open the cluster to external clients on other listeners.
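The following manifests are an added example, not part of the original page or of the Strimzi project's own documentation, and they assume a Kafka cluster named `my-cluster` in a namespace named `kafka` and a Kubernetes group named `app-team` (all three names are assumptions). The `Kafka` resource keeps client traffic on its own listeners, leaving ports 9090 and 9091 to the fixed internal listeners, and the `Role` lets the application team read only the cluster CA certificate and the Secret of a single `KafkaUser` named `my-app` (also an assumption), not the broker or operator certificate Secrets that would grant access to the internal listeners:

```yaml
# Added example: client listeners kept separate from the fixed internal ones.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster        # assumed cluster name
  namespace: kafka        # assumed namespace
spec:
  kafka:
    listeners:
      # In-cluster clients: TLS encryption plus mTLS client authentication.
      # User-configured listeners must use ports other than 9090 and 9091.
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      # External clients: a separate listener, also TLS with mTLS.
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
    # Broker-side ACLs apply to the client listeners; the internal listeners
    # are still reachable only with cluster-CA-issued certificates.
    authorization:
      type: simple
---
# Added example: read access limited to the Secrets an application needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kafka-app-secrets-reader
  namespace: kafka
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames:
      - my-cluster-cluster-ca-cert   # public cluster CA cert for the truststore
      - my-app                       # the KafkaUser's own client certificate
    # Deliberately absent: my-cluster-kafka-brokers, my-cluster-cluster-ca,
    # my-cluster-clients-ca, my-cluster-cluster-operator-certs and
    # my-cluster-cruise-control-certs, which would grant internal-listener access.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kafka-app-secrets-reader
  namespace: kafka
subjects:
  - kind: Group
    name: app-team       # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: kafka-app-secrets-reader
  apiGroup: rbac.authorization.k8s.io
```

`resourceNames` only restricts `get`; `list` and `watch` cannot be scoped to named objects, so do not add them to this Role. Each additional `KafkaUser` Secret the team needs is added to `resourceNames` explicitly.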

ZooKeeper security

Communication between the ZooKeeper servers on all ports, including the quorum ports used for leader election and peer-to-peer traffic, is encrypted using TLS, as is communication between clients and ZooKeeper. Communication between Kafka brokers and ZooKeeper servers is also encrypted.

Kafka and ZooKeeper use mTLS with each other because both a keystore and a truststore are configured for each component: each side presents its own certificate and verifies the peer's certificate against the cluster CA. There is no separate flag or configuration property that turns this on or off; it is enabled by default and cannot be disabled.

ZooKeeper uses ACLs to restrict access to znodes, so that only the authenticated broker identity can read and modify the cluster metadata it stores. The broker setting that controls this (`zookeeper.set.acl`) is not user-configurable in the `Kafka` resource; the Cluster Operator sets it itself when it generates the broker configuration.