Hi Team, we have deployed Kafka within a service mesh (Istio). We want to enable topic ACLs, and I was wondering if anyone has experience implementing the same or can point me to the correct docs.
FYI - One of the solutions I got was to configure a WASM filter within the Envoy proxy, but we want to explore something which has already been tested by the community rather than building our own. Thanks
Any reason not to rely on the ACLs from Kafka itself? https://docs.confluent.io/platform/current/kafka/authorization.html
Since Kafka is deployed in the service mesh, the clients talk to the Envoy proxy sitting in front of the broker. The Envoy proxy talks to the actual Kafka broker over the PLAINTEXT protocol.
Which means that inbound and outbound broker traffic is unencrypted, and the client application is authenticated as an ANONYMOUS Kafka principal. When a client is identified as ANONYMOUS, Kafka cannot enforce any ACLs; i
True, interesting use case. There might be different options, like configuring Envoy to use a TCP proxy and using encryption? That's what I recently used to enable PostgreSQL access through Envoy. But that was without Kubernetes.
Ah… I see. Yeah, the Envoy WASM filters do a similar thing, but it's just that the impact of implementing it will cause too much disruption, so I was looking for an alternate, simpler approach without making any changes to the mesh components.
Probably use OPA (Open Policy Agent) with Envoy to delegate authorization decisions to OPA. OPA can be configured as a sidecar with gRPC support.