Configuring Redpanda SASL on Kubernetes
|The Cluster and Console resources are deprecated. For details, see the deprecation notice. To migrate to the Redpanda resource, see Migrate from Cluster and Console Custom Resources|
The Simple Authentication and Security Layer (SASL) is a method for adding authentication support to connection-based protocols. When using the Redpanda Operator, SASL provides authentication between the server and client. To encrypt communication, use TLS encryption. You must use TLS encryption to have secure authentication using SASL.
For general security information, see Redpanda Security on Kubernetes.
Configure the kubectl context.
Install cert-manager. Although SASL authentication doesn’t use certificates, the Redpanda operator requires that cert-manager is installed.
Install the Redpanda operator.
If you haven’t completed these tasks, follow one of the Install Redpanda guides for Kubernetes to get set up before you configure TLS. Just stop before you install and connect to the Redpanda cluster.
The Redpanda GitHub repository contains a
sasl.yaml sample configuration file you can use to enable SASL authentication.
|To modify the sample file, save it locally and make the required changes.|
The following text is the Redpanda
sasl.yaml file with the relevant sections highlighted:
apiVersion: redpanda.vectorized.io/v1alpha1 kind: Cluster metadata: name: cluster-sample-sasl spec: image: "redpandadata/redpanda" version: "latest" replicas: 1 enableSasl: true superUsers: - username: admin resources: requests: cpu: 1 memory: 1.2G limits: cpu: 1 memory: 1.2G configuration: rpcServer: port: 33145 kafkaApi: - port: 9092 pandaproxyApi: - port: 8082 adminApi: - port: 9644 developerMode: true
Complete these steps to configure the cluster specification file. The steps reference the highlighted lines in the file above:
Configure the cluster name. The following property in the file above specifies the name of the cluster. Change this value to the name of your cluster:
Enable SASL for the cluster. You must include the following property to your configuration file to enable SASL authentication for the cluster:
Specify a superuser. You must specify a superuser with this property:
superUsers: - username: admin
The example allows a user with the name
adminfull access to the cluster. However, this does not create the user. Next you create this user through the Admin API. You can change the username to any string, but when you create the superuser, you must use the name that you specify here.
Verify the Admin API port. If you’re using the default Redpanda ports, you do not need to change this. However, users are created through the Admin API and in the steps, the commands you use to create users reference the port specified here. If you edit this port, then edit it in the other commands as well:
adminApi: - port: 9644
If you modified the
sasl.yamlfile, save it locally. You can also add TLS encryption before you save the file.
You can find additional sample configuration files at redpanda-examples/docs/example-config/kubernetes.
Optionally, you can use SASL authentication with TLS encryption for the Kafka API. To do that, enable TLS for the Kafka API by adding the highlighted lines below to the
kafkaApi property in the configuration file:
kafkaApi: - port: 9092 tls: enabled: true
After you configure the cluster specification file, you must run the
kubectl apply command to create the cluster. You can run the command using a path to the cluster specification file on your local machine or you can use the URL to the
sasl.yaml file above.
If you modified the file in the previous step, you have the file saved locally. To create the Redpanda cluster, run:
kubectl apply -f <cluster_specification.yaml>
If you did not modify the example file, you can use the URL to the example file in GitHub to create the cluster:
kubectl apply -f https://raw.githubusercontent.com/redpanda-data/redpanda-examples/main/docs/example-config/kubernetes/sasl.yaml
You must create the superuser through the Admin API. This user has ALL permissions on the cluster and is the user that grants permissions to new users. Without a superuser, you can create other users, but you will not be able to grant them permissions to the cluster.
|Passwords are in single quotes to avoid conflicts with special characters. Ensure that all values entered are properly enclosed in quotes and escaped as necessary.|
To create the superuser and specify a password for the user, run:
kubectl exec -c redpanda <cluster_name>-0 -- rpk acl user create <super_user_username> \ -p '<superuser_password>'
-0 in this command refers to the first node of the cluster. You can change this integer to specify a different node in the cluster.
super_user_username is the superuser that you defined in the cluster specification file.
If you changed the Admin API port from the default, you must add the following line to each command that creates a new user, in this step and the next step:
This command executes the
rpk command from within a Redpanda cluster container, using the local host. To run the command from another pod, you must include the broker location with the command. The text below shows the full command with the broker location highlighted:
kubectl exec -c redpanda <cluster_name>-0 -- rpk acl user create <super_user_username> \ -p '<superuser_password>' \ -X admin.hosts=localhost:<port> \ -X brokers=<cluster_name>-0.<cluster_name>.default.svc.cluster.local:<port>
The same command that you used to create the superuser also creates additional users and sets the passwords for the new users. By default, these users don’t have any permissions on the cluster.
|As a security best practice, you don’t want to use the superuser to run commands on the cluster. You can use these additional users to interact with the cluster.|
For each user that you want to create, run:
kubectl exec -c redpanda external-connectivity-0 -- rpk acl user create <username> \ -p <password> \
The superuser can grant permissions to additional users through access control lists (ACLs). For details on how ACLs function in Redpanda, see the rpk acl documentation.
Use the superuser to grant
describepermissions to another user for the cluster. You can edit the
rpk acl createcommand to grant permissions to specific users or groups:
kubectl exec -c redpanda <cluster_name>-0 -- rpk acl create --allow-principal User:<username> --operation create,describe --cluster \ --user <superuser_username> \ --password '<superuser_password>' \ --sasl-mechanism SCRAM-SHA-256
Optionally, you can use the superuser to grant permissions to a new user for a topic within the cluster. The following command grants
describeprivileges to a topic that doesn’t exist yet. In the next step, you create the topic that you reference in this command.
kubectl exec -c redpanda <cluster_name>-0 -- rpk acl create --allow-principal User:<username> --operation describe --topic <topic_name> \ --user <superuser_username> \ --password '<superuser_password>' \ --sasl-mechanism SCRAM-SHA-256
Now you can connect to Redpanda with the additional (non-superuser) user and start working with the cluster.
To create a topic, run:
kubectl exec -c redpanda <cluster_name>-0 -- rpk topic create <topic_name> \ --user <username> \ --password '<user_password>' \ --sasl-mechanism SCRAM-SHA-256
To describe the topic, run:
kubectl exec -c redpanda <cluster_name>-0 -- rpk topic describe <topic_name> \ --user <username> \ --password '<user_password>' \ --sasl-mechanism SCRAM-SHA-256
Now that you have your superuser and additional users that can interact with the cluster, use the rpk reference documentation to experiment with the
rpk commands and create additional users and ACLs.
When you’re ready, to delete the cluster, run:
kubectl delete -f <cluster_specification.yaml>