OSSEVA FOR APACHE KAFKA
Real Apache Kafka. Patched. Operated. No per-core surprise.
CVE patches for Kafka 2.8 through 3.x, reference architectures for high-throughput clusters, and 24/7 managed operations — without Confluent's $50K+ annual floor.
Why now
Confluent pricing: $50K–$500K+ annually
Confluent Cloud and Confluent Platform are priced for platform vendor margins. Customers running real Apache Kafka workloads pay for features they don't use. OSSeva lets you keep the runtime you have at a fraction of the cost.
Kafka 2.8.x: past community maintenance window
Kafka 2.8.x and earlier are outside the community support window. CVEs accumulate. OSSeva ships patches for versions your team is actually running.
Compliance requires a patched runtime
Financial Services, Healthcare, and Public Sector all require evidence that your event streaming runtime receives security patches. An unsupported Kafka version fails that evidence test.
Versions covered
All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.
| Version | Status | Active CVEs |
|---|---|---|
| `2.8.x` | Extended | Clean |
| `3.0.x` | Extended | Clean |
| `3.3.x` | Extended | Clean |
| `3.6.x` | Current | Clean |
| `3.7.x` | Current | Clean |
What you get
Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.
OSSeva Patch
CVE remediation for the Kafka version you're actually running.
- Quarterly CVE patches for covered versions
- Signed artifacts via OSSeva registry
- Broker & client library patches
- Vulnerability disclosure notifications
- Architecture review
- 24/7 managed operations
OSSeva Assure
Patch plus architecture review and compliance documentation.
- Everything in Patch
- Cluster configuration audit
- Throughput & latency review
- Compliance attestation package
- Migration design from Confluent Platform
- 24/7 managed operations
OSSeva Operate
Full MSP: broker fleet monitoring, incident response, named SREs.
- Everything in Assure
- 24/7 broker & consumer-lag monitoring
- 15-minute P1 incident response SLA
- Capacity planning & scaling operations
- Kafka Streams / Connect operational support
- Quarterly architecture reviews
All tiers priced per cluster/application — not per core.
How it installs
OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.
```bash
helm repo add osseva https://charts.osseva.io
helm install kafka osseva/kafka \
  --version 3.6.2-osseva-1 \
  --namespace streaming \
  --set replicaCount=3 \
  --set zookeeper.enabled=false \
  --set kraft.enabled=true
```
Migrate from Confluent Platform / Confluent Cloud
Confluent adds a proprietary layer (Schema Registry, ksqlDB, Control Center) on top of Apache Kafka. If you're not using those Confluent-specific features, you're paying for them anyway. OSSeva migrates you back to upstream Apache Kafka with no data loss and full CVE coverage.
Pricing model
OSSeva for Kafka is priced per cluster, not per broker, partition, or throughput tier.
Compliance library
Frequently asked questions
Do you support KRaft mode (no ZooKeeper)?
Yes. OSSeva covers both ZooKeeper-mode and KRaft-mode deployments. KRaft is the recommended path for all new deployments and all migrations from Confluent.
What about Kafka Connect and Kafka Streams?
OSSeva Patch covers the core Kafka broker and client libraries. Kafka Connect and Streams patches are included in Assure and Operate tiers, where we also validate connector compatibility with patched broker versions.
Ready to get Apache Kafka patched and supported?
Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.