👋 Hi Confluent team,
I've been reviewing your cp-all-in-one Docker Compose configuration and noticed some potential security considerations for production deployments.
Security Findings
P1: Network Exposure Risk
Location: cp-all-in-one/docker-compose.yml:28
KAFKA_LISTENERS: 'PLAINTEXT://broker:29092,CONTROLLER://broker:29093,PLAINTEXT_HOST://0.0.0.0:9092'
Risk: The Kafka broker listens on all interfaces (0.0.0.0:9092), which could expose the service to external networks in production environments.
Suggested Fix: Bind to localhost for development use:
KAFKA_LISTENERS: 'PLAINTEXT://broker:29092,CONTROLLER://broker:29093,PLAINTEXT_HOST://127.0.0.1:9092'
P2: Unencrypted Communication
The configuration uses PLAINTEXT protocols throughout, which is appropriate for development but could be misleading for production deployments.
Impact Assessment
- Scope: 1,075+ stars, widely used for Kafka evaluation
- Risk: Developers might deploy this configuration to production
- Benefit: Enhanced security guidance for the Kafka community
Offer
We specialize in configuration security reviews and would be happy to provide:
- Complete security analysis of all Docker Compose files
- Production-ready SSL/SASL configuration examples
- 24-hour turnaround professional security report
Would you be interested in a complimentary detailed security review?
Contact: [email protected]
Service: Configuration Risk Assessment
Best regards,
Configuration Security Review Team
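The two findings above (a listener bound to a wildcard address, and listeners whose security protocol is PLAINTEXT) are both mechanically checkable from the environment block of a Compose file. The script below is an added example, written for this page and not code from the cp-all-in-one project or from the issue author: it parses a KAFKA_LISTENERS string together with KAFKA_LISTENER_SECURITY_PROTOCOL_MAP and reports wildcard binds and unencrypted transports. The protocol map value used for the samples is an assumption chosen to match the PLAINTEXT listener names quoted in the issue; the listener strings are the one quoted from docker-compose.yml and the suggested replacement. One caveat for anyone applying the suggested fix as written: a listener bound to 127.0.0.1 inside the container is reachable only from that container's own network namespace, so a Compose `ports:` mapping would no longer reach it. Limiting exposure on the host is normally done on the host side of the mapping (`127.0.0.1:9092:9092` instead of `9092:9092`), which is why the block also inspects the host part of a `ports:` entry.

```python
"""Audit Kafka listener settings (as found in a docker-compose environment block)
for wildcard binds and unencrypted transports.

Added example, not code from the cp-all-in-one project or the issue author.
The KAFKA_LISTENER_SECURITY_PROTOCOL_MAP value below is an assumption chosen
to match the PLAINTEXT naming in the issue; it is not quoted from the page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security protocols Kafka recognises; a listener named after one of these
# needs no entry in the protocol map.
KNOWN_PROTOCOLS = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}
UNENCRYPTED = {"PLAINTEXT", "SASL_PLAINTEXT"}
# Hosts that make Kafka bind every interface of the container.
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}

# NAME://host:port, where host may be empty, a hostname, an IPv4 or a bracketed IPv6.
_LISTENER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)://(?P<host>\[[^\]]*\]|[^:/]*):(?P<port>\d+)$"
)


@dataclass
class Listener:
    name: str
    host: str
    port: int
    protocol: Optional[str]  # None when no security protocol can be determined


def parse_protocol_map(value: str) -> Dict[str, str]:
    """'CONTROLLER:PLAINTEXT,EXTERNAL:SASL_SSL' -> {'CONTROLLER': 'PLAINTEXT', ...}"""
    mapping = {}
    for entry in value.split(","):
        name, _, proto = entry.strip().partition(":")
        if name:
            mapping[name] = proto
    return mapping


def parse_listeners(value: str, protocol_map: Dict[str, str]) -> List[Listener]:
    """Parse a KAFKA_LISTENERS string ('NAME://host:port,...') into Listener records."""
    listeners = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _LISTENER_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised listener entry: {raw!r}")
        name = m.group("name")
        # Unmapped listeners fall back to their own name if it is a protocol.
        proto = protocol_map.get(name, name if name in KNOWN_PROTOCOLS else None)
        listeners.append(Listener(name, m.group("host"), int(m.group("port")), proto))
    return listeners


def audit_listeners(listeners_value: str, protocol_map_value: str = "") -> List[str]:
    """Return one finding string per risky property of each listener."""
    findings = []
    for lst in parse_listeners(listeners_value, parse_protocol_map(protocol_map_value)):
        if lst.host in WILDCARD_HOSTS:
            findings.append(f"{lst.name}: binds all interfaces ({lst.host or '<empty>'}:{lst.port})")
        if lst.protocol in UNENCRYPTED:
            findings.append(f"{lst.name}: unencrypted transport ({lst.protocol})")
        elif lst.protocol is None:
            findings.append(f"{lst.name}: security protocol unknown")
    return findings


def host_bind_of_port_mapping(mapping: str) -> str:
    """Host IP a Compose short-syntax `ports:` entry publishes on.

    Forms: 'CONTAINER', 'HOST:CONTAINER', 'IP:HOST:CONTAINER', each with an
    optional '/tcp' or '/udp' suffix. Without an IP, Docker publishes on all
    host interfaces, so '0.0.0.0' is returned for that case.
    """
    parts = mapping.split("/")[0].rsplit(":", 2)
    if len(parts) == 3 and parts[0]:
        return parts[0]
    return "0.0.0.0"


# Constructed sample inputs: the first listener string is the one quoted in the
# issue, the second is the issue's suggested fix, the protocol map is assumed.
ISSUE_LISTENERS = "PLAINTEXT://broker:29092,CONTROLLER://broker:29093,PLAINTEXT_HOST://0.0.0.0:9092"
SUGGESTED_LISTENERS = "PLAINTEXT://broker:29092,CONTROLLER://broker:29093,PLAINTEXT_HOST://127.0.0.1:9092"
ASSUMED_PROTOCOL_MAP = "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT"

if __name__ == "__main__":
    for label, value in (("issue", ISSUE_LISTENERS), ("suggested", SUGGESTED_LISTENERS)):
        print(f"{label}:")
        for finding in audit_listeners(value, ASSUMED_PROTOCOL_MAP):
            print("  -", finding)
    print("ports '9092:9092' publishes on", host_bind_of_port_mapping("9092:9092"))
    print("ports '127.0.0.1:9092:9092' publishes on", host_bind_of_port_mapping("127.0.0.1:9092:9092"))
```

Run against the quoted value, the audit reports the wildcard bind on PLAINTEXT_HOST plus an unencrypted-transport finding for every listener; against the suggested value only the wildcard finding disappears, which is what the P2 finding in the issue is about. A listener set whose map assigns SSL or SASL_SSL to every name produces no findings, and the `ports:` check shows the host-side form that keeps a published port on loopback.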