TL;DR: Kafka security can be improved by assigning SPIFFE workload identities at the kernel layer, transparently upgrading plaintext traffic to mTLS, and injecting credentials on the wire so secrets stay out of configs and apps, according to Riptides. The real shift is that workload identity, not scattered credentials, becomes the control point for Kafka governance.
NHIMG editorial — based on content published by Riptides: Supercharge Kafka security with Riptides
By the numbers:
- Only 38% have automated certificate lifecycle management in place.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 69% of organisations now have more machine identities than human ones.
Questions worth separating out
Q: How should teams remove secrets from Kafka and related workloads?
A: Start by identifying where credentials appear in configs, scripts, health checks, and environment variables, then replace those paths with workload identity or on-wire secret injection.
Q: Why do static secrets create so much risk in workload communications?
A: Static secrets persist across deployments, are copied into multiple systems, and often remain valid long after the workload changes.
Q: What breaks when workload identity is not used for service-to-service traffic?
A: Teams end up trusting network location, shared credentials, or application-level configuration to prove identity.
Practitioner guidance
- Map every Kafka-adjacent process to a workload identity Include health checks, init containers, setup scripts, brokers, clients, and directory services in the identity inventory so policy covers every network-speaking process.
- Eliminate embedded credentials from runtime paths Remove usernames, passwords, keystores, truststores, and token strings from configs, command lines, and environment variables before tuning any rotation schedule.
- Use identity policy to govern plaintext upgrades Document which legacy services can be transparently moved to mTLS and which flows still need explicit migration work, then enforce allowlists at the workload layer.
What's in the full article
Riptides' full post covers the operational detail this post intentionally leaves for the source:
- Exact Kubernetes and Kafka configuration snippets for assigning workload identities to brokers, LDAP, and Streams components
- The step-by-step kernel-layer mechanism used to upgrade plaintext LDAP traffic to mTLS without application code changes
- Detailed examples of pass-through mode for workloads that already use TLS or mTLS
- The full keystore and truststore handling pattern, including how files are dynamically generated and locked to server workloads
👉 Read Riptides' post on Kafka security with workload identity and secretless enforcement →
Kafka workload identity security: what changes for IAM teams?
Explore further
Identity-first Kafka security is really workload governance, not transport hardening. The article is not mainly about encrypting Kafka traffic more elegantly. It is about making each process prove who it is before it can talk, which is the foundation of workload identity governance in NHI programmes. When identity is bound to the process and enforcement happens at the kernel layer, the control surface shifts away from application teams juggling certificates and toward a policy model that can actually be audited.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do security teams decide where to apply transparent mTLS first?
A: Prioritise flows that still use plaintext, carry directory or control-plane trust, or depend on embedded credentials for health and service checks. Those paths usually expose the highest governance debt because they combine sensitive authentication with manual handling. Start where the identity gap and operational risk overlap most clearly.
👉 Read our full editorial: Kafka security with workload identity and secretless enforcement