Securing Jaeger Installation
This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718 ).
SDK to Agent
jaeger-agent is
deprecated
. The OpenTelemetry data can be sent from the OpenTelemetry SDKs (equipped with OTLP exporters) directly to jaeger-collector. Alternatively, use the OpenTelemetry Collector as a local agent.
Deployments that involve jaeger-agent are meant for trusted environments where the agent is run as a sidecar within the container’s network namespace, or as a host agent. Therefore, there is currently no support for traffic encryption between clients and agents.
- ❌ Sending trace data over UDP - no TLS/authentication.
- ❌ Retrieving sampling configuration via HTTP - no TLS/authentication.
SDK to Collector
OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.
- ✅ HTTP - TLS with mTLS (client cert authentication) supported.
- ✅
gRPC - TLS with mTLS (client cert authentication) supported.
- Covers both span export and sampling configuration querying.
Agent to Collector
jaeger-agent is
deprecated
.
- ✅ gRPC - TLS with client cert authentication supported.
Collector/Ingester/Query-Service to Storage
- ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
- ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
- ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).
Browser to UI
- ❌ HTTP - no TLS; bearer token authentication (pass-through to storage).
Consumers to Query Service
- ✅ HTTP - TLS with mTLS (client cert authentication) supported.
- ✅ gRPC - TLS with mTLS (client cert authentication) supported.