Contributor

@kbatuigas kbatuigas commented Nov 12, 2025

Description

Related (API docs) redpanda-data/api-docs#35

This pull request introduces documentation for a new Admin API endpoint, /v1/security/report, which generates a comprehensive security report for Redpanda clusters. The changes add usage instructions, output examples, and highlight the endpoint’s ability to report on TLS, authentication, authorization, and security alerts across all Redpanda interfaces. The updates are made across multiple documentation files to ensure users are aware of this feature and know how to use it for monitoring and auditing cluster security.

Security report endpoint documentation:

  • Added instructions and examples for generating a cluster-wide security report using the /v1/security/report Admin API endpoint in various documentation sections, including production readiness, authentication, HTTP Proxy, and Schema Registry.
  • Introduced a reusable partial, security-report.adoc, that provides a sample request and output for the security report endpoint, including details about interfaces and alerts for insecure configurations.
  • Updated the release notes to announce the new security report feature, describing its coverage of all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).
  • Added a new section encouraging regular monitoring of security settings using the security report endpoint and guidance on investigating alerts.

Other documentation updates:

  • Minor improvements to the security documentation structure and descriptions, such as removing outdated notes and clarifying scope.
  • Small update to the compaction settings documentation to clarify how tombstone removal is coordinated across replicas.
  • Removed a legacy comment from the Admin API usage documentation for clarity.

Resolves https://redpandadata.atlassian.net/browse/DOC-1763, https://redpandadata.atlassian.net/browse/DOC-1195, https://redpandadata.atlassian.net/browse/DOC-1594
Review deadline: 18 Nov

Page previews

Security Report:
Authentication > Generate security report
Use the Schema Registry API
Use Redpanda with HTTP Proxy API
Production Readiness Checklist (Level 1 and Level 3)

Security report, Topic IDs and Compaction in What's New: https://deploy-preview-1450--redpanda-docs-preview.netlify.app/25.3/get-started/release-notes/redpanda/#security-report

Updates to tombstone removal: https://deploy-preview-1450--redpanda-docs-preview.netlify.app/25.3/manage/cluster-maintenance/compaction-settings/#tombstone-record-removal

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

@kbatuigas kbatuigas requested a review from a team as a code owner November 12, 2025 01:58
Contributor

coderabbitai bot commented Nov 12, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


netlify bot commented Nov 12, 2025

Deploy Preview for redpanda-docs-preview ready!

Name Link
🔨 Latest commit 632074c
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-docs-preview/deploys/691d0ac894bef2000844c60f
😎 Deploy Preview https://deploy-preview-1450--redpanda-docs-preview.netlify.app
@kbatuigas kbatuigas requested a review from IoannisRP November 12, 2025 16:46
@kbatuigas kbatuigas changed the title from "Doc 1594 security report" to "[25.3] Security report and other additions to What's New" Nov 12, 2025
Contributor

@IoannisRP IoannisRP left a comment

Apart from a minor comment, the security report sections look good 👍

@bashtanov bashtanov left a comment

Compaction improvement pushed out of 25.3.1, might be in future minor and Compaction improvement pushed out of 25.3.1, might be in future minor LGTM

Contributor

@IoannisRP IoannisRP left a comment

lgtm

NOTE: All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.
[NOTE]
====
All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.

@kbatuigas I'm not sure this is accurate anymore technically since e.g. Schema Registry AuthZ isn't part of Kafka and this whole section describes a bunch of stuff not part of Kafka. I think we should just leave the second sentence and skip the first one.

Contributor Author

Removed first sentence from note

All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.
Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).

@kbatuigas having this in the info box at the top of the security section seems noisy and distracting to me. This is a very minor thing only for very advanced users. We should mention it but not let it steal the show.

Contributor Author

Moved security report content out of note

--
====

NOTE: Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including the Admin API itself.

@kbatuigas this also feels out of place. This section is about the format and style of the Admin API, not about one particular minor feature enabled through it.

I think the best place to introduce the security report API is probably at the bottom of the 'Authentication' section of Security docs (since it's mostly reporting on the AuthN status of all the endpoints). It's fine to also include it in the PP / SR pages as you have.

Contributor Author

Moved security report content to Authentication


=== Monitor security settings

Regularly review your cluster's security settings using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. Investigate and address any issues identified in the alerts section.
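
Review bot: In the "Monitor security settings" paragraph, "the alerts section" is named without saying where it lives, so a reader who has not yet seen the report output cannot tell what to look for. Suggest wording it as the alerts section of the report output and pointing to the page that shows the sample output, so the instruction is actionable on its own.
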
Contributor

Not sure if this is awaiting another PR to merge or something else, but this link gives a page not found error.

Contributor Author

This link will work once redpanda-data/api-docs#35 is merged

Contributor

@Feediver1 Feediver1 left a comment

Minor suggestions

@kbatuigas kbatuigas merged commit f70b1e9 into beta Nov 19, 2025
5 checks passed
@kbatuigas kbatuigas deleted the DOC-1594-security-report branch November 19, 2025 00:22
paulohtb6 pushed a commit that referenced this pull request Nov 19, 2025