Get more from the streaming platform you already run.
Conduktor is a Kafka Operations Platform to bring governance, security, and self-service to the clusters you already run, for every team and AI agent. One Kafka proxy. One Console.



One control layer between your infrastructure and the teams that build on it.
Conduktor sits in front of the infrastructure you already run, so every event is governed, secured, and validated before anything downstream uses it. It adds control without replacing what you have.
How Conduktor Does It
Conduktor delivers that control layer through two products: Console gives developers visibility and velocity, Gateway gives platform teams control on the wire, across any Kafka provider and infrastructure.
Conduktor Console
Give developers and platform engineers a stable, guided way to build and run streaming apps at scale.
Enterprise UI to manage hundreds of clusters. Topics, schemas, connectors, producers, and consumers across Confluent, AWS MSK, Redpanda, or self-managed.
Browse, filter, and replay messages in real-time. Troubleshoot and auto-decode Avro, Protobuf, and JSON Schema.
Track hot topics, fan-out, dead streams, and consumer lag. Alerts to Slack, PagerDuty, Prometheus, and webhooks.
SSO (OIDC-based and LDAP), granular RBAC, role-based access, PII masking, and audit trails.
Health optimization for partitions, replication, naming, and configs. Cost attribution, data quality, and team accountability.
Terraform provider, REST API, GitOps workflows, and CI/CD integration.




terraform {
  required_providers {
    conduktor = {
      source  = "conduktor/conduktor"
      version = "~> 1.0"
    }
  }
}

provider "conduktor" {
  console_url = "http://localhost:8080"
  api_token   = var.conduktor_api_token
}

resource "conduktor_group" "project_a" {
  name         = "project-a"
  display_name = "Project A"
  permissions {
    resource_type = "TOPIC"
    name          = "project-a-*"
    pattern_type  = "PREFIXED"
    permissions   = ["topicConsume", "topicProduce"]
  }
}

Conduktor Gateway
Extend Kafka with protocol-level controls to absorb the complexity of your infrastructure.
Centralize identity with OIDC across all clusters. Route clients transparently without changing application code.
Switch clusters, failover traffic, and inject chaos, all at the proxy layer. Zero client changes required.
Virtual clusters, topic concentration, and aliasing. Isolate teams and workloads on shared infrastructure.
SQL queries on topics, message caching, and large payload offloading. Handle load without over-provisioning.
Config guardrails, rate limiting, and schema validation. Enforce standards before bad data hits Kafka.
Field-level encryption, key management, and partner tenants. Protect data while enabling controlled access.
# Gateway Configuration
gateway:
  environment:
    GATEWAY_SECURITY_MODE: GATEWAY_MANAGED
    # SASL over an unencrypted listener: client tokens are not protected by TLS in transit
    GATEWAY_SECURITY_PROTOCOL: SASL_PLAINTEXT
    GATEWAY_OAUTH_JWKS_URL: "https://your-idp.com/.well-known/jwks.json"
    GATEWAY_OAUTH_EXPECTED_ISSUER: "https://your-idp.com"

# Map OIDC identities to Service Accounts
apiVersion: gateway/v2
kind: GatewayServiceAccount
metadata:
  name: my-application
spec:
  type: EXTERNAL
  externalNames:
    - "oauth-subject-id-from-token"

# Gateway cluster configuration
config:
  main:
    bootstrap.servers: kafka-primary:9092
    security.protocol: SASL_SSL
    sasl.mechanism: PLAIN
  failover:
    bootstrap.servers: kafka-secondary:9092
    gateway.roles: failover

# Switch from main → failover
curl -X POST 'http://localhost:8888/gateway/v2/cluster-switching' \
  -H 'Content-Type: application/json' \
  -d '{"fromPhysicalCluster": "main", "toPhysicalCluster": "failover"}'

apiVersion: gateway/v2
kind: VirtualCluster
metadata:
  name: payments-team
spec:
  type: Standard
  aclEnabled: true
  superUsers:
    - payments-admin
---
apiVersion: gateway/v2
kind: VirtualCluster
metadata:
  name: orders-team
spec:
  type: Standard
  aclEnabled: true
  superUsers:
    - orders-admin

apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: sql-filter-adults
spec:
  pluginClass: io.conduktor.gateway.interceptor.VirtualSqlTopicPlugin
  priority: 100
  config:
    virtualTopic: customers-adult
    statement: |
      SELECT firstName, lastName, email
      FROM customers
      WHERE age >= 18 AND country = 'US'

apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: encrypt-pii-fields
spec:
  pluginClass: io.conduktor.gateway.interceptor.EncryptPlugin
  priority: 100
  config:
    topic: "customers.*"
    schemaRegistryConfig:
      host: http://schema-registry:8081
    kmsConfig:
      vault:
        uri: http://vault:8200
        token: ${VAULT_TOKEN}
    recordValue:
      fields:
        - fieldName: ssn
          keySecretId: vault-kms://vault:8200/transit/keys/pii-key
          algorithm: AES256_GCM
        - fieldName: email
          keySecretId: vault-kms://vault:8200/transit/keys/email-key
          algorithm: AES256_GCM

What you have. What Conduktor adds.
Your provider gives you Kafka to stream data. Conduktor adds what you need to maximize your platform: a set of controls across all of them, enforced on the wire.

What you already run
Your streaming platform
Confluent, Amazon MSK, Aiven, or open-source Kafka: the transport and the security basics you've already invested in.
- Kafka protocol: Start producing and consuming in seconds with standard clients.
- Availability SLA: The uptime guarantee your provider commits to and operates for you.
- Kafka ecosystem: Connectors, Schema Registry, stream processing, and replication.
- RBAC & logs: The access control and audit logs your provider ships, scoped to that one platform.
- Encryption in transit & at rest: TLS on the wire and disk encryption your provider manages for you.
- Your operational expertise: The runbooks, SLAs, and provider relationship your team already owns and knows.

What Conduktor adds, on top
The cross-provider control layer
A control plane and a proxy in front of your existing clusters. Nothing to migrate, no client changes, but you now have control over the wire:
- One layer across every provider: Unify authentication, authorization, and controls over Confluent, MSK, Aiven, Redpanda, and open-source: one model to manage, not a different one per cluster.
- Encryption & masking on the wire: Payload and field-level encryption with your own KMS keys, enforced at the proxy with no client changes and nothing to bypass.
- Guardrails for self-service: Let teams provision on their own, within the limits you set: config, naming, and data-quality rules that catch misconfigured topics and bad data while reducing cost.
- Many tenants on one cluster: Virtual clusters isolate teams and workloads on the infrastructure you already run, so you add tenants instead of clusters and the cost that comes with them.
- Governed access for AI: AI, agents, and MCP discover and query every Kafka cluster the same way, each inheriting the user's exact RBAC.
Now Point AI at Your Kafka
Smarter AI, because you hold the context. Safer AI, because you hold the permissions. AI on Kafka is only useful if it's smart and only adoptable if it's safe. Conduktor is the self-hosted layer that delivers both, without ever taking ownership of your data.




Explore How Conduktor Helps Your Industry
Platform teams use Conduktor to streamline Kafka operations and accelerate delivery. Explore our customer stories or dive into the blog.
Bitvavo achieved DORA, MiCA, and GDPR compliance for 1.5M+ users with Conduktor’s RBAC, data masking, and audit trails.
Swiss Post scaled Kafka to 800+ users and 5× more applications with governance, RBAC, and self-service.
70% faster provisioning with Conduktor and Amazon MSK for IoT smart farming at scale.
See what your existing Kafka can do with Conduktor on top
Bring the platform you already run. We'll show you the governance, security, and AI-readiness you can unlock on top of it — without re-platforming a thing.

