Kafka supports SASL (PLAIN, SCRAM-SHA-256, GSSAPI/Kerberos, OAUTHBEARER) for authentication and TLS for encryption in transit. Kafka ACLs (via kafka-acls.sh) control which principals can produce/consume which topics. Role-based access control is managed through Confluent RBAC or external systems. Always encrypt in transit with TLS and authenticate with at minimum SASL/SCRAM in production.
Key configuration
# Client SSL config:
ssl.truststore.location=/certs/kafka.truststore.jks
ssl.keystore.location=/certs/kafka.keystore.jks
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256