Secure Kafka UI Helm Configuration for Kubernetes
This guide provides a production-ready Helm values configuration for Kafka UI with enhanced security settings, network policies, and best practices for Kubernetes deployment.
Configuration File
```yaml
replicaCount: 1

image:
  registry: docker.io
  repository: provectuslabs/kafka-ui
  pullPolicy: IfNotPresent
  tag: "v0.7.1" # Pinned to a specific version for security

imagePullSecrets: []
nameOverride: ""
fullnameOverride: "kafka-ui"

serviceAccount:
  create: true
  annotations: {}
  name: "kafka-ui"
```
```yaml
# Configure Kafka connection and security settings
yamlApplicationConfig:
  kafka:
    clusters:
      - name: Yc8CaFhBkszRek42s5EIvf
        bootstrapServers: kafka.mukti.svc.cluster.local:9092
        properties:
          # SASL_PLAINTEXT authenticates with SCRAM but leaves the Kafka traffic
          # itself unencrypted; prefer SASL_SSL wherever the brokers offer TLS
          security.protocol: SASL_PLAINTEXT
          sasl.mechanism: SCRAM-SHA-512
          # Reference environment variables instead of hardcoded credentials
          sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USERNAME}" password="${KAFKA_PASSWORD}";
        # Schema registry and metrics are left unset here; see Advanced Configuration
  # Built-in username/password login for the UI (kafka-ui calls this basic
  # authentication): the type is LOGIN_FORM and the credentials come from the
  # standard Spring Security user properties
  auth:
    type: LOGIN_FORM # Enabled for production security
  spring:
    security:
      user:
        name: "${ADMIN_USERNAME}"
        password: "${ADMIN_PASSWORD}"
  management:
    health:
      ldap:
        enabled: false
  server:
    servlet:
      context-path: /
    port: 8080
```
```yaml
# Use environment variables for sensitive data
# Fixed structure for secrets (direct format instead of nested map)
# The literal values below end up in the values file (and in any repository it
# is committed to); step 2 of the deployment instructions replaces this block
# with a reference to a pre-created Kubernetes Secret.
envs:
  secret:
    # Direct string values that will be read from secrets
    KAFKA_USERNAME: user1
    KAFKA_PASSWORD: ohXVKqI5Ld
    ADMIN_USERNAME: admin
    ADMIN_PASSWORD: securePassword123
```
```yaml
# Network policy to allow communication with Kafka
networkPolicy:
  enabled: true
  egressRules:
    customRules:
      - to:
          # podSelector and namespaceSelector in one entry: both must match
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: kafka
                app.kubernetes.io/part-of: kafka
            namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: mukti
        ports:
          - port: 9092
            protocol: TCP
  ingressRules:
    customRules: []
```
```yaml
# Enhanced security annotations
# The seccomp annotation below is the legacy (pre-1.19) form and is ignored on
# Kubernetes 1.25+; set podSecurityContext.seccompProfile (type: RuntimeDefault)
# as well so the profile is actually applied
podAnnotations:
  seccomp.security.alpha.kubernetes.io/pod: runtime/default
```
```yaml
# Add labels to identify this application
podLabels:
  app.kubernetes.io/name: kafka-ui
  app.kubernetes.io/part-of: kafka
```
```yaml
# Enhanced security context for the pod
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  # Field-based seccomp setting; replaces the deprecated pod annotation on 1.19+
  seccompProfile:
    type: RuntimeDefault
```
```yaml
# Container security context
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
```
```yaml
# Service configuration
service:
  type: ClusterIP
  port: 80
  targetPort: 8080
```
```yaml
# Ingress configuration - disabled by default
ingress:
  enabled: false
  annotations:
    # kubernetes.io/ingress.class is deprecated in favour of spec.ingressClassName,
    # but ingress-nginx still honours it
    kubernetes.io/ingress.class: nginx
    # Consider adding security headers for ingress
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    # configuration-snippet only takes effect when the controller permits snippet
    # annotations (allow-snippet-annotations in its ConfigMap); recent
    # ingress-nginx releases disable them by default
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      # X-XSS-Protection is obsolete in current browsers; kept for legacy clients only
      more_set_headers "X-XSS-Protection: 1; mode=block";
  path: /
  host: kafka-ui.example.com
  tls:
    enabled: false
```
```yaml
# Resource limits to prevent resource exhaustion
resources:
  limits:
    cpu: 300m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 256Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 2
  targetCPUUtilizationPercentage: 80

nodeSelector: {}
tolerations: []
affinity: {}

# Probes for health monitoring
livenessProbe:
  httpGet:
    path: /actuator/health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 3

readinessProbe:
  httpGet:
    path: /actuator/health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 3
```

Key Security Features
1. Authentication & Authorization
- Basic Authentication: Enabled for UI access
- SASL/SCRAM: Secure authentication for the Kafka cluster
- Environment Variables: Credentials stored as environment variables, not hardcoded

2. Network Security
- Network Policies: Restrict egress to only the Kafka cluster
- Namespace Isolation: Traffic limited to specific namespaces
- ClusterIP Service: Internal-only access by default

3. Pod Security
- Non-root User: Runs as UID 1000
- Read-only Root Filesystem: Prevents runtime modifications
- Dropped Capabilities: All Linux capabilities dropped
- Seccomp Profile: Runtime/default security profile

4. Resource Management
- Resource Limits: Prevents resource exhaustion
- Health Probes: Ensures pod health and availability
- Auto-scaling: Disabled by default for predictable resource usage

Deployment Instructions
1. Create Kubernetes Secret
First, create a secret for sensitive credentials:
```bash
# Values passed with --from-literal end up in shell history and process
# listings; for real credentials prefer --from-env-file pointing at a
# mode-0600 file that is deleted afterwards
kubectl create secret generic kafka-ui-secrets \
  --from-literal=KAFKA_USERNAME=user1 \
  --from-literal=KAFKA_PASSWORD=ohXVKqI5Ld \
  --from-literal=ADMIN_USERNAME=admin \
  --from-literal=ADMIN_PASSWORD=securePassword123 \
  -n mukti
```

2. Update Values File
Replace the envs.secret section with a reference to the Kubernetes secret:
```yaml
# existingSecret is a top-level chart value (not nested under envs); the chart
# adds it to the container's envFrom, so the envs.secret block can be removed
existingSecret: kafka-ui-secrets
```

3. Deploy with Helm
```bash
# Add the Kafka UI Helm repository
helm repo add kafka-ui https://provectuslabs.github.io/kafka-ui-charts
helm repo update

# Install with custom values
helm install kafka-ui kafka-ui/kafka-ui \
  -f kafka-ui-values.yaml \
  -n mukti
```

4. Enable Ingress (Optional)
For external access, update the ingress configuration:
```yaml
ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
  host: kafka-ui.your-domain.com
  tls:
    enabled: true
    secretName: kafka-ui-tls
```

Security Best Practices
1. Secrets Management
- Use Kubernetes secrets or external secret managers
- Rotate credentials regularly
- Implement RBAC for secret access

2. Network Isolation
- Deploy in a dedicated namespace
- Use network policies to restrict traffic
- Consider a service mesh for additional security

3. Monitoring & Auditing
- Enable audit logging
- Monitor access patterns
- Set up alerts for suspicious activities

4. Updates & Patches
- Regularly update the Kafka UI image
- Monitor security advisories
- Test updates in a staging environment
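The following pre-install lint is an added example, not part of the original guide or of the kafka-ui chart. It reads a values file laid out like the one in this guide (top-level keys, two-space indentation, block style for the keys it checks; all of that is an assumption about the file, not something the chart enforces) and reports every hardening setting from the Key Security Features list that is missing or weakened: an unpinned image tag, a pod that may run as root, privilege escalation or a writable root filesystem, capabilities not all dropped, the network policy switched off, no `existingSecret`, and literal credentials left under `envs.secret`. Two constructed sample files, one hardened and one weak, are embedded so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original guide or of the kafka-ui chart: a
# pre-install lint for the hardening settings listed above. Assumes a values
# file laid out like the one in this guide (top-level keys, two-space
# indentation, block style rather than inline maps for the keys it checks).

# block_lines FILE TOP -> the indented lines belonging to top-level key TOP
block_lines() {
  awk -v top="$2" '
    index($0, top ":") == 1 { inb = 1; next }
    inb && /^[^[:space:]#]/ { inb = 0 }
    inb { print }' "$1"
}

# get FILE TOP KEY -> scalar KEY inside block TOP ("" = the top level itself),
# with indentation, quotes and trailing comments stripped; empty if absent
get() {
  { [ -n "$2" ] && block_lines "$1" "$2" || grep '^[^[:space:]]' "$1"; } |
  awk -v key="$3" '
    { l = $0; sub(/^[[:space:]]+/, "", l) }
    index(l, key ":") == 1 { v = substr(l, length(key) + 2); sub(/^[[:space:]]+/, "", v)
      sub(/[[:space:]]*#.*$/, "", v); gsub(/"/, "", v); print v; exit }'
}

# literal_secrets FILE -> every "KEY: value" entry found under envs.secret
literal_secrets() {
  awk '
    function indent(s) { match(s, /^[[:space:]]*/); return RLENGTH }
    /^envs:/ { in_envs = 1; next }
    in_envs && /^[^[:space:]#]/ { in_envs = 0; in_secret = 0 }
    in_envs && in_secret && /[^[:space:]]/ && indent($0) <= sec_indent { in_secret = 0 }
    in_envs && /^[[:space:]]+secret:/ { in_secret = 1; sec_indent = indent($0); next }
    in_envs && in_secret && /^[[:space:]]+[A-Za-z0-9_]+:[[:space:]]*[^[:space:]#]/ { sub(/^[[:space:]]+/, ""); print }' "$1"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
expect() { [ "$1" = "$2" ] || fail "$3 should be $2, got '${1:-unset}'"; }

# lint_values FILE -> prints one FAIL line per weak setting; exit status = count
lint_values() {
  f=$1; fails=0
  tag=$(get "$f" image tag)
  case "$tag" in ""|latest) fail "image.tag must pin a release, got '${tag:-unset}'" ;; esac
  expect "$(get "$f" podSecurityContext runAsNonRoot)" true podSecurityContext.runAsNonRoot
  expect "$(get "$f" securityContext allowPrivilegeEscalation)" false securityContext.allowPrivilegeEscalation
  expect "$(get "$f" securityContext readOnlyRootFilesystem)" true securityContext.readOnlyRootFilesystem
  block_lines "$f" securityContext | grep -q '^[[:space:]]*-[[:space:]]*ALL[[:space:]]*$' || fail "securityContext.capabilities.drop must contain ALL"
  expect "$(get "$f" networkPolicy enabled)" true networkPolicy.enabled
  [ -n "$(get "$f" "" existingSecret)" ] || fail "existingSecret must name a pre-created Secret"
  names=$(literal_secrets "$f" | cut -d: -f1 | tr '\n' ' ')
  [ -z "$names" ] || fail "literal credentials under envs.secret: $names"
  return "$fails"
}

# Constructed sample inputs (condensed from the values file above; the weak one uses made-up passwords)
sample_hardened() {
cat <<'EOF'
image:
  tag: "v0.7.1"
existingSecret: kafka-ui-secrets
envs:
  secret: {}
networkPolicy:
  enabled: true
podSecurityContext:
  runAsNonRoot: true
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
EOF
}
sample_weak() {
cat <<'EOF'
image:
  tag: latest
envs:
  secret:
    KAFKA_PASSWORD: hunter2   # constructed
    ADMIN_PASSWORD: changeme
networkPolicy:
  enabled: false
securityContext:
  capabilities:
    drop:
      - NET_RAW
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: true
EOF
}
# Usage: lint_values kafka-ui-values.yaml; the loop below lints both samples
dir=$(mktemp -d)
for name in hardened weak; do
  "sample_$name" > "$dir/$name.yaml"
  echo "== $name.yaml"; lint_values "$dir/$name.yaml" || echo "   $? finding(s)"
done
rm -rf "$dir"
```

The exit status of `lint_values` is the number of findings, so it drops straight into a CI step or a pre-commit hook before `helm install`; the weak sample produces eight findings, the hardened one none. The parser is deliberately minimal (indentation-based block scanning in awk, no YAML library) so it runs anywhere `kubectl` does; for values files that use anchors or inline maps, feed it the output of `helm template` instead.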
 
Troubleshooting
Common Issues
- Connection to Kafka Failed
  - Verify the network policy allows the traffic
  - Check SASL credentials
  - Ensure the Kafka service is accessible
- Authentication Issues
  - Verify environment variables are set
  - Check secret mounting
  - Review pod logs for errors
- Resource Constraints
  - Monitor memory usage
  - Adjust resource limits if needed
  - Check for memory leaks

Debug Commands
```bash
# Check pod status
kubectl get pods -n mukti -l app.kubernetes.io/name=kafka-ui

# View pod logs
kubectl logs -n mukti -l app.kubernetes.io/name=kafka-ui

# Describe pod for events
kubectl describe pod -n mukti -l app.kubernetes.io/name=kafka-ui

# Test connectivity to Kafka (requires nc inside the image; with a read-only
# root filesystem and all capabilities dropped it cannot be installed at runtime)
kubectl exec -it -n mukti deployment/kafka-ui -- nc -zv kafka.mukti.svc.cluster.local 9092
```

Advanced Configuration
Multi-Cluster Support
Add multiple Kafka clusters:
```yaml
yamlApplicationConfig:
  kafka:
    clusters:
      - name: production
        bootstrapServers: kafka-prod.mukti.svc.cluster.local:9092
        properties:
          security.protocol: SASL_SSL
          # Additional properties
      - name: staging
        bootstrapServers: kafka-staging.mukti.svc.cluster.local:9092
        properties:
          security.protocol: SASL_PLAINTEXT
```

Schema Registry Integration
Enable schema registry support (configured per cluster, alongside bootstrapServers):
```yaml
# kafka-ui takes the registry URL as a plain string; credentials go in
# schemaRegistryAuth, there is no separate enabled flag
schemaRegistry: http://schema-registry.mukti.svc.cluster.local:8081
schemaRegistryAuth:
  username: "${SR_USERNAME}"
  password: "${SR_PASSWORD}"
```

Metrics & Monitoring
Enable JMX metrics collection (also per cluster):
```yaml
# Collection is active once type and port are set; kafka-ui has no enabled flag
metrics:
  type: JMX
  port: 9999
  ssl: false
```

Conclusion
This configuration provides a secure, production-ready deployment of Kafka UI on Kubernetes. By following these security best practices and configurations, you can safely expose Kafka cluster management capabilities while maintaining strict security controls.