Inter-broker and metadata store security
Learn about security for inter-broker and broker to controller communications.
Inter-broker security
Kafka exposes ports 9090 and 9091 for inter-broker communication as well as communication with Cruise Control and the operators. These listeners are not configurable and use mTLS authentication by default. As a result, only clients that have access to the certificate secrets can access Kafka through these listeners. To protect these secrets, it is possible to further limit access to the cluster by using RBAC authorization to restrict namespace access to specific users.
By separating internal and external listeners, internal listener configurations can be simplified and kept secure when opening the cluster for access to external clients.
Broker to controller security
Kafka uses KRaft controllers (nodes with the controller role) to store and manage metadata. As with inter-broker communication, brokers talk to controllers over non-configurable listeners secured with mTLS authentication, so this communication is both authenticated and encrypted by default.
If the Kafka resource is configured with the simple authorization plugin that is built into Kafka, then org.apache.kafka.metadata.authorizer.StandardAuthorizer is used.
To enable simple authorization, set the spec.kafka.authorization.type property to simple and configure a list of super users. Super users are always allowed without querying Access Control List (ACL) rules. ACLs let you define, at a granular level, which users have access to which resources; access rules are specified in the KafkaUser resource.
#...
kind: Kafka
spec:
  kafka:
    authorization:
      type: simple
      superUsers:
        - CN=user-1
        - user-2
        - CN=user-3
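The following is an added example, not Strimzi or Kafka code, that models the authorization decision the paragraph above describes: super users from the Kafka resource are accepted before any ACL lookup, everyone else is denied unless an allow rule in the shape of a KafkaUser ACL matches, and a matching deny rule wins over allow. It assumes that Strimzi writes each superUsers entry into the broker's super.users property with a User: prefix and that allow.everyone.if.no.acl.found is left at its default; the KAFKA_CR dict, the KAFKA_USER_ACLS rules and the CN=app-consumer principal are constructed sample input.

```python
# Added example: simplified model of Strimzi `simple` authorization
# (Kafka's StandardAuthorizer). Not Strimzi or Kafka code.
# Assumption: each superUsers entry becomes `User:<name>` in super.users.

# Constructed sample: the Kafka resource fragment from this page, as a dict.
KAFKA_CR = {
    "kind": "Kafka",
    "spec": {"kafka": {"authorization": {
        "type": "simple",
        "superUsers": ["CN=user-1", "user-2", "CN=user-3"],
    }}},
}

# Constructed sample: ACL rules in the shape of KafkaUser spec.authorization.acls,
# keyed by the principal they would belong to. `type` defaults to allow.
KAFKA_USER_ACLS = {
    "CN=app-consumer": [
        {"resource": {"type": "topic", "name": "orders-", "patternType": "prefix"},
         "operations": ["Read", "Describe"], "host": "*"},
        {"resource": {"type": "group", "name": "orders-app", "patternType": "literal"},
         "operations": ["Read"], "host": "*"},
        {"resource": {"type": "topic", "name": "orders-internal", "patternType": "literal"},
         "operations": ["Read"], "host": "*", "type": "deny"},
    ],
}


def super_users_property(kafka_cr):
    """Render the super.users broker property derived from the Kafka resource.
    Returns "" when the resource does not use simple authorization."""
    auth = kafka_cr["spec"]["kafka"].get("authorization", {})
    if auth.get("type") != "simple":
        return ""
    return ";".join(f"User:{u}" for u in auth.get("superUsers", []))


def _resource_matches(rule_res, res_type, res_name):
    """Match a rule's resource against a concrete resource (literal or prefix)."""
    if rule_res["type"] != res_type:
        return False
    if rule_res.get("patternType", "literal") == "prefix":
        return res_name.startswith(rule_res["name"])
    return rule_res["name"] in ("*", res_name)


def authorize(kafka_cr, acls, principal, operation, res_type, res_name, host="*"):
    """Return (allowed, reason) for one request.

    Super users short-circuit before any ACL lookup. Otherwise a matching deny
    rule denies, a matching allow rule allows, and no match is denied (Kafka's
    default when allow.everyone.if.no.acl.found is not set)."""
    if f"User:{principal}" in super_users_property(kafka_cr).split(";"):
        return True, "super user (ACLs not consulted)"

    verdicts = set()
    for rule in acls.get(principal, []):
        if rule.get("host", "*") not in ("*", host):
            continue
        ops = rule["operations"]
        if ("All" in ops or operation in ops) and _resource_matches(
                rule["resource"], res_type, res_name):
            verdicts.add(rule.get("type", "allow"))
    if "deny" in verdicts:
        return False, "matching deny ACL"
    if "allow" in verdicts:
        return True, "matching allow ACL"
    return False, "no matching ACL (deny by default)"


if __name__ == "__main__":
    print("super.users =", super_users_property(KAFKA_CR))
    for args in [("CN=user-1", "Write", "topic", "orders-eu"),
                 ("CN=app-consumer", "Read", "topic", "orders-eu"),
                 ("CN=app-consumer", "Write", "topic", "orders-eu"),
                 ("CN=app-consumer", "Read", "topic", "orders-internal"),
                 ("CN=unknown", "Read", "topic", "orders-eu")]:
        print(args, "->", authorize(KAFKA_CR, KAFKA_USER_ACLS, *args))
```

Running the block shows that CN=user-1 can write anywhere without holding a single ACL, while CN=app-consumer is limited to the prefixed topics and its consumer group and is still blocked from orders-internal by the deny rule; a principal with no ACLs at all is denied. This is why the super users list deserves the same review as cluster-admin RBAC: every entry bypasses the ACL layer entirely.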
