Migrate from ZooKeeper mode to KRaft mode for Kafka¶
This guide outlines the steps to migrate Kafka from ZooKeeper mode to KRaft mode. KRaft (Kafka Raft) is Apache Kafka's consensus protocol that removes the dependency on ZooKeeper for metadata management.
Supported Kafka Modes¶
The following table defines the supported metadata modes based on your Privacera Platform version:
| Privacera Version | Supported Mode(s) |
|---|---|
| Earlier than 9.0.32.1 | ZooKeeper Mode only |
| 9.0.32.1 to 9.2.18.1 | ZooKeeper Mode & KRaft Mode |
| 9.2.19.1 and Later | KRaft Mode only (ZooKeeper removed) |
Before proceeding, review the Breaking change and Known limitations sections below to confirm the steps that apply to your version.
ZooKeeper removal (9.2.19.1 and later)
Starting with version 9.2.19.1, Privacera Platform uses Apache Kafka 4.x, which removes support for ZooKeeper mode. As a result, only KRaft mode is supported. See the 9.2.19.1 release notes for specific impact and required upgrade actions.
Limitations
In versions 9.2.2.1 through 9.2.10.1, Kafka KRaft mode fails to operate correctly. If you are within this version range, you must upgrade to 9.2.11.1 or later to ensure KRaft stability.
Note
Estimated Downtime: This migration will require downtime for Kafka and associated Discovery services. The duration depends on the completion of any active Discovery scans and the time needed to perform the upgrade steps, typically ranging from 20 minutes to 1 hour. Plan accordingly, and ensure that any critical Discovery tasks are paused or completed prior to the migration window.
Migration Steps¶
Step 1: Stop Active Discovery Scans¶
a. Stop existing offline Discovery scans:
- Log in to the Privacera Platform portal
- Navigate to Discovery Menu -> Scan Status.
- Stop, kill, or cancel any existing offline Discovery scans that are currently running, listing, or pending
Note
If you do not wish to cancel any existing offline scans, wait until they have completed before proceeding with the upgrade.
b. Stop the PKafka Pod to temporarily pause Real-Time Scans:
| Bash | |
|---|---|
Tip
Replace with your Kubernetes namespace. This is usually set using the DEPLOYMENT_ENV_NAME environment variable.
Step 2: Wait for Active Scans to Complete¶
- Run the following command periodically and monitor its output. An output value of zero signifies that there are no active discovery scan executor pods remaining.
| Bash | |
|---|---|
- Wait until the output of the command is 0 before proceeding to the next step.
Optional: See Kafka backlog before you scale Kafka down¶
Use this step to verify whether any consumers still have unread messages before shutting down Kafka.
When to run: After Step 2 (active scans complete), before Step 3 (Kafka must still be running).
Run this command to check whether any consumer groups have unprocessed messages on the cluster:
Replace <name-space> with your Kubernetes namespace.
| Bash | |
|---|---|
What you see: Each line shows a topic name and its LAG value — the number of messages waiting to be read by consumer groups. A LAG of 0 means that consumer group is fully caught up on that partition.
Note
This command reports consumer backlog only, not total disk usage. Kafka may still retain older messages until the retention policy deletes them.
If the command fails, try these fixes in order:
| Symptom | Fix |
|---|---|
| Wrong pod name | Run kubectl -n <name-space> get pods, filter with grep kafka, and use the broker pod name (often kafka-0). |
| Multiple containers in the pod | Add -c <container-name> to the kubectl exec command (typically k8skafka). |
| Wrong bootstrap host | Run kubectl -n <name-space> get svc, filter with grep kafka, and use the returned service name with port 9092 (for example, kafka:9092 instead of kafka-ha:9092). |
| Script not found | Inside the pod, try /usr/lib/kafka/bin/kafka-consumer-groups.sh instead of kafka-consumer-groups.sh. |
Step 3: Scale Down Privacera Services¶
Scale down the following services before proceeding with the upgrade:
-
Discovery Service:
Bash -
Discovery Consumer:
Bash -
Kafka Pod:
Bash
Step 4: Delete Existing Kafka StatefulSet¶
Once all services are scaled down, delete the existing Kafka StatefulSet.
| Bash | |
|---|---|
Step 5: Clean Up Existing Storage¶
Delete the existing PVC (Persistent Volume Claim):
Note
Run kubectl -n <name-space> get pvc | grep datadir-kafka to list all Kafka PVCs. If your Kafka cluster has multiple replicas, you must delete each PVC.
| Bash | |
|---|---|
Step 6: Enable KRaft Mode (9.0.32.1 through 9.2.18.1 only)¶
Privacera 9.2.19.1 and later
On 9.2.19.1 and later, KRaft is the only supported mode — this step is not required. If KAFKA_ENABLE_KRAFT_MODE is still present in vars.kafka.yml from an earlier installation, you may safely remove it; it has no effect in 9.2.19.1 and later.
For 9.0.32.1 through 9.2.18.1 only:
-
Edit the Kafka configuration file:
-
Add the KRaft mode property:
Step 7: Restart Privacera Services¶
Restart services and post install:
Run the following command to run the post install steps:
Step 8: Verify Kafka Migration¶
Check Kafka pods are running:
| Bash | |
|---|---|
Post-Migration Verification¶
Test Discovery functionality:
- Run a Discovery scan to confirm that Discovery works as expected.
- If Discovery functionality is not working, use the Privacera diagnostic tool for debugging and log analysis.
- Prev Advanced Configuration
- Next Troubleshooting