Defining networkPolicyPeers in Kafka resource

[berndkuennen]

Hi everybody,,

we've installed Strimzi 0.20.0 via helm chart and it's running fine so far. Now we'd like to manage topics etc. with lenses.io which is deployed to an own namespace. Lenses is able to connect to all services except the Zookeeper. As we found out, access to ZK is disabled for pods outside the Strimzi namespace.

Manipulating the network policy manually does work, just for a couple of seconds, of course, by adding a namespace selector:

    - namespaceSelector:
        matchLabels:
          name: my-lenses-namespace

We now tried to permanently enable access for pods from the lenses namespace by adding an entry to the ZK network policy via the kafka resource. Unfortunately, we did only find documentation about doing so for Kafka itself, so we tried the same pattern on Zookeeper - which fails:

  zookeeper:
    listeners:
    - name: plain
      networkPolicyPeers:
      - namespaceSelector:
          matchLabels:
            name: lenses
      port: 2181
      tls: false
      type: internal

This does not add an entry to the Zookeeper network policy.

How is an additional entry to be defined in the Kafka resource?

[scholzj]

ZooKeeper is locked down intentionally. ZooKeeper is hard to secure and it will be soon removed from Kafka. So any tools which still require it might not be future proof. If you really want to access it, the network policies are not the only obstacle because it is also secured by TLS authentication. You can use this project to open it up: https://github.com/scholzj/zoo-entrance (not part of the Strimzi project, use at your own risk as it it completely opens up ZooKeeper without any security.)

As for the changes, you tried to do in the Kafka CR -> please keep in mind that you need to follow the documentation and cannot add you own fields to the custom resources. They will not be used by the operator. The Operator can use only the fields which they understand (i.e. what is described int he API reference).

[berndkuennen]

Thank you for pointing out that Zookeeper is planned to be removed. That'll shift our priorities a bit.

Just out of curiosity and beside the TLS auth problematic: Is there a way to influence the Zookeeper network policy like it's possible for the Kafka brokers? my initial thought was that the way to do it was the same but yet undocumented.

(I remember your zoo-entrance project. Tried it about a year ago when we started with Strimzi, for a test on a different topic. Worked fine, but like you say, it opens ZK totally, so I didn't want to use it this time.)

[scholzj]

Just out of curiosity and beside the TLS auth problematic: Is there a way to influence the Zookeeper network policy like it's possible for the Kafka brokers? my initial thought was that the way to do it was the same but yet undocumented.

No. But you can simply add additional network policies to enable some specific pods. Just use the your own name - the zoo-entrance does that as well. The way Kubernetes works is that if any network policy allows the access, it will be allowed.

(I remember your zoo-entrance project. Tried it about a year ago when we started with Strimzi, for a test on a different topic. Worked fine, but like you say, it opens ZK totally, so I didn't want to use it this time.)

Well, you can use network policies again to secure the zoo-entrance. The problem with Zookeeper is that until recently, it did not had much security to speak about. So that is why we more or less locked it down. Now it is a bit better, but it is being removed from Kafka, so it does not seem like an investment worth the time anymore.