Configuring Kafka to advertise inter broker listener for client access explained

Hy all, i’m experimenting with Kafka and i successfully made a cluster in docker (Kraft mode, 3 controller, 3 broker). Also manage to produce/consume internal/external. One configuration requirement seems fishy to me: i have to advertise the inter broker listener. why should i expose it to every clients?

Inter broker listener is for well broker to broker communication. Think replication and control messages. It does not need to be advertised to clients

the container exits if i don’t add it to the advertised listeners.
Exception in thread "main" java.lang.IllegalArgumentException: requirement failed: inter.broker.listener.name must be a listener name defined in advertised.listeners. The valid options based on currently configured listeners are INTERNAL,EXTERNAL at scala.Predef$.require(Predef.scala:337) at kafka.server.KafkaConfig.validateValues(KafkaConfig.scala:2315) at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:2160) at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1568) at kafka.tools.StorageTool$.$anonfun$main$1(StorageTool.scala:50) at scala.Option.flatMap(Option.scala:283) at kafka.tools.StorageTool$.main(StorageTool.scala:50) at kafka.tools.StorageTool.main(StorageTool.scala)

Correct. The container needs it for the broker. Not the clients

exactly. that’s why i don’t understand that why do i have to add it to the advertised listeners

It’s not really exposed to everyone by being put in the advertised listeners. It has to be advertised so that the brokers know where each other are talking

I moved towards and apply some auth. config. Right now the security protocol for inter broker listener (named BROKER) is PLAINTEXT (no auth), the channel for internal apps (INTERNAL) is SASL_PLAINTEXT (jaas auth). My problem is that i can use a producer/consumer app using the BROKER without any auth. so right there is no option to hide the BROKER channel from the clients (the CONTROLLER listener can be hided, so the inter.broker.listener meta could be shared there). btw thanks for the replies