Installation Guide

This guide provides comprehensive installation instructions for KafkaGuard on all supported platforms and deployment scenarios.

Supported Kafka Versions

Version Range	Mode	Notes
2.x – 3.8.x	ZooKeeper	Full control suite
3.9.x	ZK or KRaft	Auto-detected
4.x	KRaft	Full KRaft control suite; ZK controls auto-skip
Confluent Platform 7.x – 8.x	KRaft	CP version validation included

Kafka 4.x (KRaft) supported — KafkaGuard auto-detects KRaft mode. No additional configuration required. Confluent Platform 7.x–8.x also supported.

---

Table of Contents

• Prerequisites
• Binary Installation
  • Linux (Ubuntu/Debian)
  • Linux (RHEL/CentOS)
  • macOS (Intel)
  • macOS (Apple Silicon)
• Docker Installation
• Build from Source
• Air-Gapped Installation
• Installation Verification
• Platform-Specific Requirements
• Troubleshooting Installation

---

Prerequisites

Before installing KafkaGuard, ensure you have:

For Binary Installation (Recommended)

• Operating System: Linux (Ubuntu 20.04+, RHEL 7+, Debian 10+) or macOS 12+
• Architecture: x86_64 (amd64) or ARM64 (arm64)
• Network Access: Ability to download from GitHub Releases (for binary installation)
• Disk Space: ~100MB for binary and temporary reports

For Docker Installation

• Docker: Version 20.10+ with multi-architecture support
• Network Access: Ability to pull from Docker Hub (docker.io)
• Disk Space: ~60MB for Docker image

For Building from Source

• Go: Version 1.22.0 or higher
• Git: For cloning the repository
• Make: GNU Make (optional, but recommended)
• Network Access: For downloading Go dependencies
• Disk Space: ~500MB for source code and build artifacts

For Running Scans

• Kafka Access: Network connectivity to Kafka brokers (default port 9092)
• Credentials: SASL/SSL credentials if your cluster requires authentication
• Permissions: Read-only access to Kafka cluster metadata (no write permissions needed)

---

Binary Installation

Binary installation is the fastest and easiest method. Pre-built binaries are available for Linux and macOS on both x86_64 and ARM64 architectures.

Linux (Ubuntu/Debian)

Method 1: Download and Install to /usr/local/bin (Recommended)

# Download latest release (amd64)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Or for ARM64
# curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_arm64.tar.gz && tar -xzf kafkaguard_Linux_arm64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to system path
sudo mv kafkaguard /usr/local/bin/kafkaguard

# Verify installation
kafkaguard version

Method 2: Download to Local Directory

# Create local bin directory (if it doesn't exist)
mkdir -p ~/bin

# Download latest release
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to local bin
mv kafkaguard ~/bin/kafkaguard

# Add to PATH (add this to ~/.bashrc or ~/.zshrc)
export PATH="$HOME/bin:$PATH"

# Reload shell configuration
source ~/.bashrc  # or source ~/.zshrc

# Verify installation
kafkaguard version

Method 3: Checksum Verification (Recommended for Production)

# Download binary and checksum file
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz.sha256

# Verify checksum
sha256sum -c kafkaguard.sha256

# Expected output: "kafkaguard: OK"

# Make executable and install
chmod +x kafkaguard
sudo mv kafkaguard /usr/local/bin/kafkaguard

# Verify installation
kafkaguard version

---

Linux (RHEL/CentOS)

Method 1: Download and Install to /usr/local/bin

# Download latest release (amd64)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Or for ARM64
# curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_arm64.tar.gz && tar -xzf kafkaguard_Linux_arm64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to system path
sudo mv kafkaguard /usr/local/bin/kafkaguard

# Verify installation
kafkaguard version

Method 2: Create RPM Package (Advanced)

# Download binary
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Create RPM build directory
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

# Create RPM spec file (example)
cat > ~/rpmbuild/SPECS/kafkaguard.spec <<EOF
Name:           kafkaguard
Version:        2.3.0
Release:        1%{?dist}
Summary:        Kafka Compliance Scanner
License:        Proprietary
URL:            https://github.com/KafkaGuard/kafkaguardmain
BuildArch:      x86_64

%description
KafkaGuard is a Kafka compliance scanner for security and operational auditing.

%install
mkdir -p %{buildroot}/usr/local/bin
install -m 755 kafkaguard %{buildroot}/usr/local/bin/kafkaguard

%files
/usr/local/bin/kafkaguard

%changelog
* $(date +'%a %b %d %Y') System Administrator
- Initial RPM build
EOF

# Build RPM
rpmbuild -bb ~/rpmbuild/SPECS/kafkaguard.spec

# Install RPM
sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/kafkaguard-2.3.0-1.*.rpm

# Verify installation
kafkaguard version

---

macOS (Intel)

Method 1: Download and Install to /usr/local/bin

# Download latest release (Intel x86_64)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Darwin_x86_64.tar.gz && tar -xzf kafkaguard_Darwin_x86_64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to system path
sudo mv kafkaguard /usr/local/bin/kafkaguard

# On first run, you may need to allow the binary in System Preferences → Security & Privacy
# Or remove the quarantine attribute:
xattr -d com.apple.quarantine /usr/local/bin/kafkaguard

# Verify installation
kafkaguard version

Method 2: Install to User bin Directory

# Create local bin directory
mkdir -p ~/bin

# Download latest release
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Darwin_x86_64.tar.gz && tar -xzf kafkaguard_Darwin_x86_64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to local bin
mv kafkaguard ~/bin/kafkaguard

# Remove quarantine attribute
xattr -d com.apple.quarantine ~/bin/kafkaguard 2>/dev/null || true

# Add to PATH (add this to ~/.zshrc)
export PATH="$HOME/bin:$PATH"

# Reload shell configuration
source ~/.zshrc

# Verify installation
kafkaguard version

---

macOS (Apple Silicon)

Method 1: Download and Install to /usr/local/bin

# Download latest release (ARM64)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Darwin_arm64.tar.gz && tar -xzf kafkaguard_Darwin_arm64.tar.gz

# Make executable
chmod +x kafkaguard

# Move to system path
sudo mv kafkaguard /usr/local/bin/kafkaguard

# Remove quarantine attribute (prevents "unidentified developer" warning)
xattr -d com.apple.quarantine /usr/local/bin/kafkaguard

# Verify installation
kafkaguard version

Note for macOS Users:

On first run, macOS may display a security warning about an "unidentified developer." You can:

1. Remove the quarantine attribute (recommended):

   xattr -d com.apple.quarantine /usr/local/bin/kafkaguard
   

2. Or manually allow in System Preferences:

   • Go to System Preferences → Security & Privacy → General
   • Click "Open Anyway" after the first blocked attempt

---

Docker Installation

Docker provides the easiest cross-platform installation with no dependencies.

Pull from Docker Hub

# Pull latest image (multi-architecture)
docker pull KafkaGuard/kafkaguardmain:latest

# Verify installation
docker run --rm KafkaGuard/kafkaguardmain:latest version

Expected Output:

KafkaGuard v2.3.0
Commit: 1158328
Built: 2026-04-10T12:00:00Z
Go: go1.22.0 linux/amd64

Run Basic Scan

# Create directories for policies and reports
mkdir -p policies reports

# Copy policy files to policies directory
cp /path/to/policies/*.yaml policies/

# Run scan against Kafka cluster
docker run --rm \
  -v $(pwd)/policies:/policies:ro \
  -v $(pwd)/reports:/reports \
  KafkaGuard/kafkaguardmain:latest scan \
    --bootstrap kafka.example.com:9092 \
    --policy /policies/baseline-dev.yaml \
    --format html,json \
    --out /reports

Docker Compose Example

Create docker-compose.yml:

version: '3.8'

services:
  kafkaguard:
    image: KafkaGuard/kafkaguardmain:latest
    volumes:
      - ./policies:/policies:ro
      - ./reports:/reports
      - ./certs:/certs:ro
    environment:
      KAFKAGUARD_SASL_USERNAME: ${KAFKA_USERNAME}
      KAFKAGUARD_SASL_PASSWORD: ${KAFKA_PASSWORD}
    command: >
      scan
      --bootstrap ${KAFKA_BROKER}
      --security-protocol SASL_SSL
      --sasl-mechanism SCRAM-SHA-512
      --tls-ca-cert /certs/ca-cert.pem
      --policy /policies/enterprise-default.yaml
      --format json,html,pdf
      --out /reports

Run with Docker Compose:

# Set environment variables
export KAFKA_BROKER="kafka.prod.example.com:9095"
export KAFKA_USERNAME="admin"
export KAFKA_PASSWORD="secret"

# Run scan
docker-compose run --rm kafkaguard

# View reports
ls -lh reports/

For more Docker usage examples, see Docker Usage Guide.

---

Build from Source

Building from source gives you the latest features and allows for customization.

Prerequisites

• Go 1.22.0+ - Install Go
• Git - For cloning the repository
• Make - For using Makefile targets (optional)

Build Steps

# 1. Clone the repository
git clone https://github.com/KafkaGuard/kafkaguardmain.git
cd kafkaguard

# 2. Download dependencies
go mod download

# 3. Build the binary
make build

# Or build without Make:
go build -o kafkaguard \
  -ldflags="-s -w -X main.version=dev -X main.commit=$(git rev-parse HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  .

# 4. Verify build
./kafkaguard version

# 5. (Optional) Install to system path
sudo mv kafkaguard /usr/local/bin/

# Or install to user bin
mv kafkaguard ~/bin/

Build for Multiple Platforms

# Build for all target platforms
make build-all

# This creates binaries in dist/:
# - kafkaguard
# - kafkaguard-linux-arm64
# - kafkaguard
# - kafkaguard

Run Tests

# Run all tests
make test

# Run tests with coverage
make test-coverage

# Run linters
make lint

For detailed development instructions, see the Installation Guide.

---

Air-Gapped Installation

Air-gapped environments (no internet access) require bundling KafkaGuard and dependencies before transfer.

Step 1: Create Air-Gapped Bundle (Internet-Connected System)

# Create bundle directory
mkdir -p kafkaguard-bundle
cd kafkaguard-bundle

# Download KafkaGuard binary (choose your platform)
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Or build from source
git clone https://github.com/KafkaGuard/kafkaguardmain.git
cd kafkaguard
make build
cp kafkaguard ../kafkaguard-bundle/

# Download policies
mkdir -p policies
cp -r kafkaguard/policies/*.yaml policies/

# Download documentation (optional)
mkdir -p docs
cp -r kafkaguard/docs/user-guide docs/

# Create bundle README
cat > README.txt <<EOF
KafkaGuard Air-Gapped Bundle
============================

Version: 2.3.0
Created: $(date)
Platform: linux-amd64

Installation:
1. Extract bundle: tar -xzf kafkaguard-bundle.tar.gz
2. Install binary: sudo mv kafkaguard /usr/local/bin/
3. Verify: kafkaguard version
4. Run scan: kafkaguard scan --bootstrap <kafka-broker> --policy policies/baseline-dev.yaml

EOF

# Create tarball
cd ..
tar -czf kafkaguard-bundle.tar.gz kafkaguard-bundle/

# Verify bundle
tar -tzf kafkaguard-bundle.tar.gz
ls -lh kafkaguard-bundle.tar.gz

Step 2: Transfer to Air-Gapped Environment

Transfer the kafkaguard-bundle.tar.gz file using:

• USB drive (most common)
• Secure file transfer (if available)
• Physical media (CD/DVD for highly restricted environments)

Step 3: Install on Air-Gapped System

# Extract bundle
tar -xzf kafkaguard-bundle.tar.gz
cd kafkaguard-bundle

# Make binary executable
chmod +x kafkaguard

# Install to system path
sudo mv kafkaguard /usr/local/bin/

# Verify installation
kafkaguard version

# Create directories for policies and reports
sudo mkdir -p /opt/kafkaguard/policies
sudo mkdir -p /var/reports/kafkaguard

# Copy policies
sudo cp policies/*.yaml /opt/kafkaguard/policies/

# Test scan
kafkaguard scan \
  --bootstrap kafka-internal:9092 \
  --policy /opt/kafkaguard/policies/baseline-dev.yaml \
  --format json,html \
  --out /var/reports/kafkaguard

Docker Air-Gapped Installation

# On internet-connected system: Save Docker image
docker pull KafkaGuard/kafkaguardmain:2.3.0
docker save KafkaGuard/kafkaguardmain:2.3.0 | gzip > kafkaguard-docker-2.3.0.tar.gz

# Transfer to air-gapped environment

# On air-gapped system: Load Docker image
docker load < kafkaguard-docker-2.3.0.tar.gz

# Verify
docker images | grep kafkaguard

# Run scan
docker run --rm \
  -v /opt/policies:/policies:ro \
  -v /var/reports:/reports \
  KafkaGuard/kafkaguardmain:2.3.0 scan \
    --bootstrap kafka-internal:9092 \
    --policy /policies/baseline-dev.yaml \
    --out /reports

---

Installation Verification

After installing KafkaGuard, verify the installation is working correctly.

Basic Verification

# 1. Check version
kafkaguard version

# Expected output:
# KafkaGuard v2.3.0
# Commit: a1b2c3d
# Built: 2025-11-15T12:00:00Z
# Go: go1.22.0 linux/amd64

# 2. Check help
kafkaguard --help

# Expected output: List of available commands

# 3. List available controls
kafkaguard list-controls --policy policies/baseline-dev.yaml

# Expected output: List of 21 controls from baseline-dev policy

# 4. Validate a policy file
kafkaguard validate-policy --policy policies/baseline-dev.yaml

# Expected output: "✅ Policy validation successful"

Full Verification (Requires Kafka Access)

# Run a scan against your Kafka cluster
kafkaguard scan \
  --bootstrap YOUR_KAFKA_BROKER:9092 \
  --policy policies/baseline-dev.yaml \
  --format json \
  --out ./reports

# Expected results:
# - Scan completes without errors
# - Report generated in ./reports/
# - Exit code 0 or 1 (0=no findings, 1=findings detected, 2=error)

# Check exit code
echo $?

# View generated report
ls -lh reports/scan-*.json
cat reports/scan-*.json | jq '.summary'

Verification Checklist

• kafkaguard version displays version information
• kafkaguard --help shows command list
• kafkaguard list-controls displays controls (requires policy file)
• kafkaguard validate-policy validates policy files
• kafkaguard scan runs successfully against test cluster
• Reports are generated in specified output directory
• Binary is in PATH and accessible from any directory

---

Platform-Specific Requirements

Linux Requirements

Operating Systems:

• Ubuntu 20.04+ (LTS)
• Debian 10+ (Buster)
• RHEL 7+ / CentOS 7+
• Amazon Linux 2
• Other modern Linux distributions with glibc 2.28+

Architecture:

• x86_64 (amd64) - Intel/AMD 64-bit
• ARM64 (aarch64) - ARM 64-bit (AWS Graviton, Raspberry Pi 4)

Disk Space:

• Binary: ~40MB
• Reports: ~1MB per scan (varies by cluster size and report formats)
• Recommended: 100MB free space

Network:

• Kafka broker connectivity (port 9092-9095 typically)
• DNS resolution for broker hostnames

---

macOS Requirements

Operating Systems:

• macOS 12 (Monterey) or higher
• macOS 13 (Ventura) - Recommended
• macOS 14 (Sonoma) - Supported

Architecture:

• Intel (x86_64) - Intel Macs
• Apple Silicon (ARM64) - M1, M2, M3 Macs

Disk Space:

• Binary: ~40MB
• Reports: ~1MB per scan
• Recommended: 100MB free space

Security:

• Gatekeeper may block unsigned binaries (use xattr -d to remove quarantine)
• No additional permissions required (runs as user)

---

Docker Requirements

Docker Version:

• Docker 20.10+ (with multi-architecture support)
• Docker Compose 1.29+ (optional, for compose workflows)

Supported Platforms:

• Linux: x86_64, ARM64
• macOS: Intel, Apple Silicon
• Windows: WSL2 with Docker Desktop

Disk Space:

• Docker image: ~60MB
• Container runtime: ~50MB memory

Network:

• Docker Hub access for pulling images (or air-gapped Docker image load)
• Kafka broker connectivity from container network

---

Troubleshooting Installation

Binary Not Found After Installation

Problem: bash: kafkaguard: command not found

Cause: Binary not in PATH.

Fix:

# Check if binary exists
ls -l /usr/local/bin/kafkaguard

# If not in /usr/local/bin, add to PATH
export PATH="$HOME/bin:$PATH"

# Add to shell profile for persistence
echo 'export PATH="$HOME/bin:$PATH"' >> ~/.bashrc  # or ~/.zshrc
source ~/.bashrc

---

Permission Denied

Problem: bash: ./kafkaguard: Permission denied

Cause: Binary not executable.

Fix:

# Make binary executable
chmod +x kafkaguard

# Or if installed to /usr/local/bin
sudo chmod +x /usr/local/bin/kafkaguard

---

macOS Security Warning

Problem: "kafkaguard" cannot be opened because the developer cannot be verified.

Cause: macOS Gatekeeper blocks unsigned binaries.

Fix:

# Remove quarantine attribute
xattr -d com.apple.quarantine /usr/local/bin/kafkaguard

# Or manually allow in System Preferences
# System Preferences → Security & Privacy → General → "Open Anyway"

---

Checksum Verification Failed

Problem: Checksum doesn't match downloaded binary.

Cause: Incomplete download or corrupted file.

Fix:

# Delete and re-download
rm kafkaguard
curl -LO https://github.com/KafkaGuard/kafkaguard-releases/releases/latest/download/kafkaguard_Linux_x86_64.tar.gz && tar -xzf kafkaguard_Linux_x86_64.tar.gz

# Verify checksum again
sha256sum -c kafkaguard.sha256

---

Docker Pull Failures

Problem: Error response from daemon: pull access denied

Cause: Network issues or Docker Hub authentication required.

Fix:

# Verify Docker is running
docker ps

# Try pulling again
docker pull KafkaGuard/kafkaguardmain:latest

# If authentication required, login to Docker Hub
docker login

# For air-gapped environments, load from tarball
docker load < kafkaguard-docker-2.3.0.tar.gz

---

Build from Source Fails

Problem: go: cannot find module providing package

Cause: Go modules not downloaded or Go version too old.

Fix:

# Check Go version (must be 1.22.0+)
go version

# Upgrade Go if needed
# Download from: https://golang.org/dl/

# Clear Go module cache
go clean -modcache

# Re-download dependencies
go mod download

# Try build again
make build

---

Next Steps

After installing KafkaGuard:

1. Run Your First Scan - Follow the Quick Start Guide
2. Learn CLI Commands - Review the CLI Reference
3. Configure Security - Set up Security & Authentication
4. Explore Workflows - Check out Usage Patterns

---

Need Help?

• Troubleshooting Guide - Resolve common issues
• GitHub Issues - Report bugs or request features

---

Document Information

• Last Updated: 2026-04-25
• Applies to Version: KafkaGuard 2.3.0+
• License: Proprietary
• Feedback: Open an issue if you find errors or have suggestions