Only Allow Vetted connector.class Plugins
Reject any connector whose connector.class is not on the platform allowlist.
Rationale
Kafka Connect instantiates any connector class it finds on its plugin path, including community connectors whose transforms (e.g. unsafe SMTs) amount to arbitrary remote code execution on the Connect worker. Locking down `connector.class` is the only way to make Connect multi-tenant safe. Regulated industries (banking, healthcare) need this for SOC 2/PCI scope reduction.
Pattern
spec.config["connector.class"] in <allowlist>
Examples
- `io.confluent.connect.jdbc.JdbcSinkConnector` (on the allowlist, accepted)
- `io.debezium.connector.postgresql.PostgresConnector` (on the allowlist, accepted)
- `com.random.github.UnvettedConnector` (not on the allowlist, rejected)
Parameters
| Name | Default | Description |
|---|---|---|
| allowlist | `["JDBC","Debezium PG/MySQL","S3 sink","MirrorMaker2","Elasticsearch sink"]` | Default vetted plugin set. |
Implementation
Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.
Conduktor ResourcePolicy
```yaml
# Conduktor self-service ResourcePolicy
# Connector exposes spec.config (singular). All values are strings.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: connector-class-allowlist
spec:
  targetKind: Connector
  description: connector.class must be on the vetted allowlist
  rules:
    - condition: |
        spec.config["connector.class"] in [
          "io.confluent.connect.jdbc.JdbcSinkConnector",
          "io.confluent.connect.jdbc.JdbcSourceConnector",
          "io.debezium.connector.postgresql.PostgresConnector",
          "io.debezium.connector.mysql.MySqlConnector",
          "io.confluent.connect.s3.S3SinkConnector",
          "org.apache.kafka.connect.mirror.MirrorSourceConnector",
          "io.confluent.connect.elasticsearch.ElasticsearchSinkConnector"
        ]
      errorMessage: "connector.class is not on the vetted allowlist — ask the platform team to certify the plugin first"
```
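The same `spec.config["connector.class"] in <allowlist>` condition, re-implemented as a stand-alone Python check that can run as a pre-commit hook on Connector manifests before they reach Console. This is an added example, not Conduktor's policy engine; it assumes a Connector manifest is a parsed dict with the page's `spec.config` shape, and it fails closed on a missing value and on Kafka Connect's short class aliases, which the FQCN allowlist does not cover.

```python
"""Offline re-implementation of the connector.class allowlist ResourcePolicy.

Assumption: a Connector manifest is a dict shaped like
{"metadata": {"name": ...}, "spec": {"config": {"connector.class": ...}}}.
"""
from typing import Dict, Optional, Tuple

# Allowlist copied from the ResourcePolicy above (fully qualified class names only).
VETTED_CONNECTOR_CLASSES = frozenset({
    "io.confluent.connect.jdbc.JdbcSinkConnector",
    "io.confluent.connect.jdbc.JdbcSourceConnector",
    "io.debezium.connector.postgresql.PostgresConnector",
    "io.debezium.connector.mysql.MySqlConnector",
    "io.confluent.connect.s3.S3SinkConnector",
    "org.apache.kafka.connect.mirror.MirrorSourceConnector",
    "io.confluent.connect.elasticsearch.ElasticsearchSinkConnector",
})

ERROR_MESSAGE = ("connector.class is not on the vetted allowlist - "
                 "ask the platform team to certify the plugin first")


def check_connector_class(connector: Dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for one Connector manifest.

    Fails closed: a missing, empty or non-string connector.class is rejected,
    as is any value not byte-for-byte on the allowlist. Kafka Connect itself
    also resolves short aliases such as "JdbcSinkConnector"; those are
    rejected here too, with a hint, because the allowlist holds FQCNs only.
    """
    config = (connector.get("spec") or {}).get("config") or {}
    value = config.get("connector.class")
    if not isinstance(value, str) or not value.strip():
        return False, "connector.class is missing or empty"
    if value not in VETTED_CONNECTOR_CLASSES:
        by_simple_name = {c.rsplit(".", 1)[-1]: c for c in VETTED_CONNECTOR_CLASSES}
        hint = (f" (use the fully qualified name {by_simple_name[value]})"
                if value in by_simple_name else "")
        return False, ERROR_MESSAGE + hint
    return True, "ok"


def make_connector(name: str, connector_class: Optional[str]) -> Dict:
    """Build a minimal Connector manifest (constructed fixture, not a real resource)."""
    config = {} if connector_class is None else {"connector.class": connector_class}
    return {"metadata": {"name": name}, "spec": {"config": config}}


if __name__ == "__main__":
    for cls in ("io.confluent.connect.jdbc.JdbcSinkConnector",
                "com.random.github.UnvettedConnector", "JdbcSinkConnector"):
        print(cls, "->", check_connector_class(make_connector("demo", cls)))
```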