Security hardening guide
This document provides guidance and instructions to achieve a secure deployment of Charmed Apache Kafka K8s, including setting up and managing a secure environment. The document is divided into the following sections:
- Environment, outlining the recommendation for deploying a secure environment
- Applications, outlining the product features that enable a secure deployment of a Apache Kafka cluster
- Additional resources, providing any further information about security and compliance
Environment
The environment where applications operate can be divided in two components:
- Kubernetes
- Juju
Kubernetes
Charmed Apache Kafka can be deployed on top of several Kubernetes distributions. The following table provides references for the security documentation for the main supported cloud platforms.
Cloud | Security guide |
---|---|
Charmed Kubernetes | Security in Charmed Kubernetes |
AWS EKS | Best Practices for Security, Identity and Compliance, AWS security credentials, Security in EKS |
Azure | Azure security best practices and patterns, Managed identities for Azure resource, Security in AKS |
Juju
Juju is the component responsible for orchestrating the entire lifecycle, from deployment to Day 2 operations, of all applications. Therefore, Juju must be set up securely. For more information, see the Juju security page and the How to harden your deployment guide.
Cloud credentials
When configuring the cloud credentials to be used with Juju, ensure that the users have the correct permissions to operate at the required level on the Kubernetes cluster. Juju superusers responsible for bootstrapping and managing controllers require elevated permissions to manage several kinds of resources. For this reason, the K8s user used for bootstrapping and managing the deployments should have full permissions, such as:
- create, delete, patch, and list:
- namespaces
- services
- deployments
- stateful sets
- pods
- PVCs
In general, it is common practice to run Juju using the admin role of K8s, to have full permissions on the Kubernetes cluster.
Juju users
It is very important that juju users are set up with minimal permissions depending on the scope of their operations. Please refer to the User access levels documentation for more information on the access level and corresponding abilities that the different users can be granted.
Juju user credentials must be stored securely and rotated regularly to limit the chances of unauthorized access due to credentials leakage.
Applications
In the following, we provide guidance on how to harden your deployment using:
- Base images
- Charmed operator security upgrades
- Encryption
- Authentication
- Monitoring and auditing
Base images
Charmed Apache Kafka K8s and Charmed Apache ZooKeeper K8s run on top of rockcraft-based image shipping the Apache Kafka and Apache ZooKeeper distribution binaries built by Canonical, and available in the Apache Kafka release page and Apache ZooKeeper release page, respectively. Both images are based on Ubuntu 22.04. The images that can be found in the Charmed Apache Kafka rock and Charmed Apache ZooKeeper rock Github repositories are used as the base images for the different pods providing Apache Kafka and Apache ZooKeeper services. The following table summarise the relation between the component and its underlying base image.
Component | Image |
---|---|
Charmed Apache Kafka | charmed-kafka |
Charmed Apache ZooKeeper | charmed-zookeeper |
New versions of Charmed Apache Kafka and Charmed Apache ZooKeeper images may be released to provide patching of vulnerabilities (CVEs).
Charmed operator security upgrades
Charmed Apache Kafka K8s and Charmed Apache ZooKeeper K8s operators install a pinned revision of the images outlined in the previous table to provide reproducible and secure environments. New versions of Charmed Apache Kafka K8s and Charmed Apache ZooKeeper K8s operators may therefore be released to provide patching of vulnerabilities (CVEs). It is important to refresh the charm regularly to make sure the workload is as secure as possible. For more information on how to refresh the charm, see the how-to refresh user guide.
Encryption
Charmed Apache Kafka K8s must be deployed with encryption enabled. To do that, you need to relate Apache Kafka and Apache ZooKeeper charms to one of the TLS certificate operator charms. Please refer to the Charming Security page for more information on how to select the right certificate provider for your use case.
For more information on encryption setup, see the How to enable encryption guide.
Authentication
Charmed Apache Kafka supports the following authentication layers:
- SCRAM-based SASL Authentication
- certificate-base Authentication (mTLS)
- OAuth Authentication using Hydra or Google
Each combination of authentication scheme and encryption is associated to the dedicated listener and it maps to a well-defined port. Please refer to the listener reference documentation for more information.
Monitoring and auditing
Charmed Apache Kafka provides native integration with the Canonical Observability Stack (COS). To reduce the blast radius of infrastructure disruptions, the general recommendation is to deploy COS and the observed application into separate environments, isolated one another. Refer to the COS production deployments best practices for more information.
Refer to How-To user guide for more information on:
- how to integrate the Charmed Apache Kafka deployment with COS
- how to customise the alerting rules and dashboards
External user access to Apache Kafka is logged to the kafka-authorizer.log
that is pushed to Loki endpoint and exposed via Grafana, both components being part of the COS stack.
Access denials are logged at the INFO
level, whereas allowed accesses are logged at the DEBUG
level. Depending on the auditing needs,
customize the logging level either for all logs via the log_level
config option or
only tune the logging level of the authorizerAppender
in the log4j.properties
file. Refer to the Reference documentation, for more information about
the file system paths.
Additional Resources
For more information and details on the security and cryptography used by Charmed Apache Kafka, see the Security Explanation page.