Open andrebriggs opened 5 years ago
Additional scenario we could show guidance for:
Provide an example of how to achieve RBAC that limits access to the Kafka namespace from processes within Kubernetes. Effectively viewing the Kubernetes API as an attack surface for Kafka.
cc @sayar
Adding details to @andrebriggs's previous comment. Ideally, RBAC should be enabled in the cluster and a ClusterRole specified that can access the Kafka Resources in the Kafka Namespace. Any application (such as Prometheus) that uses the Kubernetes API to discover/access resources in a specific namespace should have a ServiceAccount that is bound to the previously specified ClusterRole. This will ensure that only applications that should know about the Kafka Kubernetes resources have access to them.
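The manifests below are an added example of the arrangement described in the comment above; they are not from the issue or from the project. The namespace names (`kafka`, `monitoring`), the ServiceAccount name (`prometheus`) and the resource list are assumptions chosen to match a Prometheus-style discovery workload. The key detail is that the ClusterRole is attached with a RoleBinding that lives in the `kafka` namespace, not a ClusterRoleBinding, so its read verbs apply only to objects in that one namespace.

```yaml
# Added example (not from the issue or the project). All names are assumptions.
#
# 1. A reusable ClusterRole with the minimum read verbs a scraper needs to
#    discover Kafka pods/services. No write or secret access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kafka-resource-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
---
# 2. The identity the discovery workload (here Prometheus) runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
# 3. A RoleBinding *in the kafka namespace* that references the ClusterRole.
#    Because the binding is namespaced, the ClusterRole's rules only grant
#    access to objects in "kafka"; a ClusterRoleBinding here would instead
#    grant the same read access to every namespace in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-reads-kafka
  namespace: kafka
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kafka-resource-reader
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: monitoring
```

To confirm the scope after applying the manifests, impersonate the ServiceAccount with `kubectl auth can-i`: `kubectl auth can-i list pods -n kafka --as=system:serviceaccount:monitoring:prometheus` should print `yes`, while the same check against `-n default`, or `kubectl auth can-i delete pods -n kafka --as=system:serviceaccount:monitoring:prometheus`, should print `no`. Workloads in the Kafka namespace that never call the Kubernetes API should additionally set `automountServiceAccountToken: false` on their pod spec so that a compromised broker container does not hold an API token at all.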
Labels: Application Security, Infrastructure Security
Additional "bring your own certificate" needs: