SlideShare a Scribd company logo

g4p-Kafka-SebastianZsolt.pdf

S
ssuser7ce810

How to use Kafka Mesh as Service Bus for Event-Driven Architecture

Data & Analytics
1 of 14
Download to read offline
Sebastian Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s
2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes
3 • Secure communication using mTLS between all services • Configurable short-lived certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka Security goals
4 • Kafka brokers require private-key and certificate pairs • Private keys and certificates are stored in keystore and truststore files in JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth
5 • Certificate renewal requires keystore and truststore regeneration • Broker pods need restarting to pick up the modified keystore and truststore files • May cause service degradation Challenges – Certificate renewal
6 • Client certificates has be created for each separate client identity • Client certificates may take different formats (JKS, PEM, etc) • Client certificate renewal may require client application restarts Challenges – Client certificates
7 • mTLS provided by Istio • Server certificate provided by Istio Proxy sidecar container • Each Kafka client request gets a client certificate attached automatically by Istio Proxy sidecar container • Client certificate includes the K8s service account of the Kafka client application • SPIFE://<trust domain>/ns/<namespace>/sa/<service account name> • Configurable certificate expiration • On the fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio
8 Security layer provided by Istio
9 • Kafka does not process client certificate in PLAINTEXT mode • Envoy WASM filter extracts client identity from client certificate and passes it to Kafka Kafka client authentication with Istio
10 Kafka client authentication with Istio
11 Kafka client authentication with Istio
12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters opens the gates for a whole array of useful features such as Kafka protocol level metrics, extended client throttling, audit logs to name a few Takeaway
13 Q&A
Thank you

Recommended

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 
MCSA 70-412 Chapter 06
MCSA 70-412 Chapter 06MCSA 70-412 Chapter 06
MCSA 70-412 Chapter 06Computer Networking
 
Securing kafka with 500 billion messages a day
Securing kafka with 500 billion messages a daySecuring kafka with 500 billion messages a day
Securing kafka with 500 billion messages a dayYanlin (Thomas) Zhou
 
IBM MQ Security Deep Dive
IBM MQ Security Deep DiveIBM MQ Security Deep Dive
IBM MQ Security Deep DiveIBM Systems UKI
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...confluent
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 
Aegis QC + Product Overview.pdf
Aegis QC + Product Overview.pdfAegis QC + Product Overview.pdf
Aegis QC + Product Overview.pdfnathan239786
 

Recommended

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 
MCSA 70-412 Chapter 06
MCSA 70-412 Chapter 06MCSA 70-412 Chapter 06
MCSA 70-412 Chapter 06Computer Networking
 
Securing kafka with 500 billion messages a day
Securing kafka with 500 billion messages a daySecuring kafka with 500 billion messages a day
Securing kafka with 500 billion messages a dayYanlin (Thomas) Zhou
 
IBM MQ Security Deep Dive
IBM MQ Security Deep DiveIBM MQ Security Deep Dive
IBM MQ Security Deep DiveIBM Systems UKI
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...confluent
 
The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...The Future of PKI. Using automation tools and protocols to bootstrap trust in...
The Future of PKI. Using automation tools and protocols to bootstrap trust in...DATA SECURITY SOLUTIONS
 
Aegis QC + Product Overview.pdf
Aegis QC + Product Overview.pdfAegis QC + Product Overview.pdf
Aegis QC + Product Overview.pdfnathan239786
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Vault Digital Transformation
Vault Digital TransformationVault Digital Transformation
Vault Digital TransformationStenio Ferreira
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveMorag Hughson
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 SecurityMorag Hughson
 
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...Kai Wähner
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5fbuechsel
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18ShapeBlue
 
Kafka Security
Kafka SecurityKafka Security
Kafka SecurityDataWorks Summit/Hadoop Summit
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxRAMESHMRA21130030110
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...confluent
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscapeSagara Gunathunga
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case studyMayuri Patil
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!Simon Haslam
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To KerberosIshan A B Ambanwela
 
VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxolyaivanovalion
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023ymrp368
 

More Related Content

Similar to g4p-Kafka-SebastianZsolt.pdf

How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Vault Digital Transformation
Vault Digital TransformationVault Digital Transformation
Vault Digital TransformationStenio Ferreira
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveMorag Hughson
 
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...Kai Wähner
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5fbuechsel
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18ShapeBlue
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxRAMESHMRA21130030110
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...confluent
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container PlatformSanjeev Rampal
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscapeSagara Gunathunga
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case studyMayuri Patil
 

Similar to g4p-Kafka-SebastianZsolt.pdf (20)

How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 
Vault Digital Transformation
Vault Digital TransformationVault Digital Transformation
Vault Digital Transformation
 
IBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-DiveIBM MQ V8 Security: Latest Features Deep-Dive
IBM MQ V8 Security: Latest Features Deep-Dive
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
Confluent Platform 5.4 + Apache Kafka 2.4 Overview (RBAC, Tiered Storage, Mul...
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
 
SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18What's Coming In CloudStack 4.18
What's Coming In CloudStack 4.18
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptx
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
Container security within Cisco Container Platform
Container security within Cisco Container PlatformContainer security within Cisco Container Platform
Container security within Cisco Container Platform
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 

Recently uploaded

VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxolyaivanovalion
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023ymrp368
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiSuhani Kapoor
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxolyaivanovalion
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxolyaivanovalion
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Callshivangimorya083
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Delhi Call girls
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystSamantha Rae Coolbeth
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxolyaivanovalion
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxMohammedJunaid861692
 

Recently uploaded (20)

VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptx
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptx
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data Analyst
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptx
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
 

g4p-Kafka-SebastianZsolt.pdf

  • 1. Sebastian Toader & Zsolt Varga 2021-Feb-26 Apache Kafka with Istio on K8s
  • 2. 2 • Scalability • Resiliency • Security • Observability • Disaster recovery Production grade Apache Kafka on Kubernetes
  • 3. 3 • Secure communication using mTLS between all services • Configurable short-lived certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services • Kubernetes service account based authn/authz • Secure cross-cluster interaction between client apps and Kafka Security goals
  • 4. 4 • Kafka brokers require private-key and certificate pairs • Private keys and certificates are stored in keystore and truststore files in JKS or PKCS12 or PEM format Challenges – Kafka broker SSL with client auth
  • 5. 5 • Certificate renewal requires keystore and truststore regeneration • Broker pods need restarting to pick up the modified keystore and truststore files • May cause service degradation Challenges – Certificate renewal
  • 6. 6 • Client certificates has be created for each separate client identity • Client certificates may take different formats (JKS, PEM, etc) • Client certificate renewal may require client application restarts Challenges – Client certificates
  • 7. 7 • mTLS provided by Istio • Server certificate provided by Istio Proxy sidecar container • Each Kafka client request gets a client certificate attached automatically by Istio Proxy sidecar container • Client certificate includes the K8s service account of the Kafka client application • SPIFE://<trust domain>/ns/<namespace>/sa/<service account name> • Configurable certificate expiration • On the fly certificate renewal • Kafka listeners configured in PLAINTEXT mode Security layer provided by Istio
  • 9. 9 • Kafka does not process client certificate in PLAINTEXT mode • Envoy WASM filter extracts client identity from client certificate and passes it to Kafka Kafka client authentication with Istio
  • 12. 12 • Istio provides a security layer for workloads in a uniform way • Envoy WASM filters opens the gates for a whole array of useful features such as Kafka protocol level metrics, extended client throttling, audit logs to name a few Takeaway