Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kafka authentication/encryption #273

Closed
renehonig opened this issue Sep 1, 2021 · 19 comments · Fixed by #385
Closed

Kafka authentication/encryption #273

renehonig opened this issue Sep 1, 2021 · 19 comments · Fixed by #385
Assignees
@cpanato
Labels
kind/feature New feature or request lifecycle/rotten

Comments

@renehonig
Copy link

Motivation

I would like to use the Falcosidekick Kafka output to communicate with a public Kafka endpoint. This does require authentication and encryption to secure the connection between Falcosidekick and the Kafka endpoint.

Feature
Enable authentication and encryption for Kafka in Falcosidekick. Mutual TLS seems to be a good choice, as it has already been implemented for many Falcosidekick outputs and is supported by Kafka.

Alternatives

An alternative is to create a private tunnel between the nodes running Falcosidekick and Kafka. This adds additional complexity and is not a preferred solution.
@renehonig renehonig added the kind/feature New feature or request label Sep 1, 2021
@Issif Issif added this to the 2.25.0 milestone Sep 1, 2021
@Issif
Copy link
Member

Issif commented Sep 1, 2021

@cpanato as you integrated the Kafka output, do you want/can to work on that? 🙏

@cpanato
Copy link
Member

cpanato commented Sep 2, 2021

@Issif yes i can take care
just need to read something about kafka auth and encrypt. @renehonig do you have any handy docs? :)

@cpanato cpanato self-assigned this Sep 2, 2021
@renehonig
Copy link
Author

@cpanato , thanks for your quick response and help!

Here are some links that should get you started on Kafka security. Given that many other Falcosidekick outputs support mTLS, that might be a good place to start:

Hope this helps, please let me know if you need more.

@cpanato
Copy link
Member

cpanato commented Sep 2, 2021

thank you @renehonig

@dirien
Copy link
Contributor

dirien commented Sep 10, 2021

@cpanato, we could make also a little session togther. We use, for example most of the time SASL or client cert.

@WaldoFR
Copy link

WaldoFR commented Sep 22, 2021

Hi, I did not see this issue but I had the same problem.

I did implement SASL + TLS here : https://github.com/WaldoFR/falcosidekick however it seems that the project kafka-go is not very resilient, I got two major issues :

I'd like to reimplement the client to use confluent-kafka-go instead wich seem more reliable. If everyone is ok I'll reimplement this part to use confluent's module and realize a PR.

Regards,

@Issif
Copy link
Member

Issif commented Sep 22, 2021

@WaldoFR first implementation of kafka output by @cpanato used confluent-kafka-go but we switched to current library because we had trouble with the C libraries dependency. See #139

@dirien
Copy link
Contributor

dirien commented Sep 22, 2021
edited
Loading

@WaldoFR, Question would be, if confluent-kafka-go is compatible with other kafka services too? Like Strimzi or Aiven...

@renehonig
Copy link
Author

@dirien, @WaldoFR , Thanks for your work on this issue. I think it is compatible with other Kafka distributions too. The readme says:

Is it based on librdkafka, which is a generic Kafka library.

@WaldoFR
Copy link

WaldoFR commented Sep 24, 2021

There is a PR segmentio/kafka-go#700 in kafka-go module, it's not merged yet but it might solves both issues mentioned in my last post. I'm going to verify that today, if it solve both issues the best might be to keep this module to avoid new unexpected problems from an other module.

@cpanato
Copy link
Member

cpanato commented Oct 16, 2021

@WaldoFR are you working on this? i did not have much time :( but if you handling this that will be awesome, let me know if you need any help

@poiana
Copy link

poiana commented Jan 14, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Copy link

poiana commented Feb 13, 2022

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Copy link

poiana commented Mar 15, 2022

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana
Copy link

poiana commented Mar 15, 2022

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana closed this as completed Mar 15, 2022
@Issif Issif removed this from the 2.25.0 milestone Apr 26, 2022
@Issif Issif reopened this Apr 26, 2022
@Issif Issif added this to the 2.26.0 milestone Apr 26, 2022
@Issif Issif removed this from the 2.26.0 milestone Jun 17, 2022
@Issif Issif moved this to To do in Falcosidekick 2.x Aug 25, 2022
@poiana
Copy link

poiana commented Sep 15, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Copy link

poiana commented Oct 15, 2022

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@lyoung-confluent lyoung-confluent mentioned this issue Nov 9, 2022
Closed
@poiana
Copy link

poiana commented Nov 14, 2022

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana
Copy link

poiana commented Nov 14, 2022

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana closed this as completed Nov 14, 2022
Repository owner moved this from To do to Done in Falcosidekick 2.x Nov 14, 2022
@Lowaiz Lowaiz mentioned this issue Nov 18, 2022
Closed
@Lowaiz Lowaiz mentioned this issue Nov 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cpanato cpanato

Labels
kind/feature New feature or request lifecycle/rotten
Projects
Falcosidekick 2.x
Status: Done
Milestone
No milestone
6 participants
@cpanato @Issif @renehonig @WaldoFR @dirien @poiana