JDBC Connector Host Allowlist
JDBC source/sink connectors may only target hosts under an approved internal domain. No public DBs, no shadow-IT endpoints.
“It's basically a way to make sure that data isn't fanning out to places that compliance hasn't approved — the connector layer is where it leaks.”
Rationale
JdbcSinkConnector is the most common egress path out of a Kafka cluster into a database. Without a host allowlist, anyone with self-service connector permission can fan PII into a personal RDS instance, a contractor's database, or a SaaS endpoint, none of which appear in the data-flow diagrams compliance signed off on. Pinning connection.url to an internal-DNS regex moves this from 'discovered by a quarterly review' to 'rejected at admission'.
Pattern
connector.class contains 'Jdbc' -> connection.url host matches *.db.internal.<corp>
Examples
- connector.class: io.confluent.connect.jdbc.JdbcSinkConnector, connection.url: jdbc:postgresql://payments-prod.db.internal.bank/payments (allowed: host is under *.db.internal.<corp>)
- connector.class: org.apache.kafka.connect.file.FileStreamSinkConnector (rule does not apply: class does not contain 'Jdbc')
- connection.url: jdbc:postgresql://my-personal-rds.us-east-1.rds.amazonaws.com:5432/test (rejected: public RDS endpoint)
- connection.url: jdbc:mysql://192.168.1.42/data (rejected: raw IP, not an internal DNS name)
- connection.url: jdbc:postgresql://db.contractor-saas.com/exports (rejected: external SaaS host)
Parameters
| Name | Default | Description |
|---|---|---|
| allowed_url_pattern | `"^jdbc:[a-z]+://[a-z0-9-]+\\.db\\.internal\\.[a-z]+(:[0-9]+)?/.*$"` | Regex the JDBC connection.url must match. Default forces *.db.internal.<corp>. |
| connector_class_match | `"Jdbc"` | Substring that identifies JDBC connectors. |
Implementation
Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.
```yaml
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# Only fires when the connector class contains 'Jdbc'. Update allowed_url_pattern for your internal DNS scheme.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: connector-jdbc-host-allowlist
spec:
  targetKind: Connector
  description: JDBC connectors may only target hosts under the approved internal DNS
  rules:
    - condition: '!("connector.class" in spec.config && spec.config["connector.class"].contains("Jdbc")) || ("connection.url" in spec.config && spec.config["connection.url"].matches("^jdbc:[a-z]+://[a-z0-9-]+\\.db\\.internal\\.[a-z]+(:[0-9]+)?/.*$"))'
      errorMessage: "JDBC connector connection.url must target *.db.internal.<corp> — public DBs and shadow-IT endpoints are not allowed"
```
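An added example, not part of the Conduktor policy or its documentation: the same condition re-implemented in Python so a team can dry-run connector configs against the allowlist in a pre-commit hook before the policy rejects them at admission. The five sample configs are constructed from the Examples section; `evaluate`, `evaluate_all` and `SAMPLE_CONFIGS` are names chosen here.

```python
import re

# Defaults from the policy's Parameters table.
ALLOWED_URL_PATTERN = r"^jdbc:[a-z]+://[a-z0-9-]+\.db\.internal\.[a-z]+(:[0-9]+)?/.*$"
CONNECTOR_CLASS_MATCH = "Jdbc"


def evaluate(config: dict,
             allowed_url_pattern: str = ALLOWED_URL_PATTERN,
             connector_class_match: str = CONNECTOR_CLASS_MATCH) -> str:
    """Mirror of the policy's CEL condition over a connector's spec.config.
    Returns 'not-applicable', 'allowed' or 'rejected'."""
    connector_class = config.get("connector.class", "")
    # Left side of the CEL '||': a non-JDBC class makes the rule pass trivially.
    if connector_class_match not in connector_class:
        return "not-applicable"
    # Right side: a JDBC class must carry a connection.url matching the allowlist.
    # A JDBC connector with no connection.url at all is rejected (fail closed), as in the CEL.
    # The pattern is anchored with ^ and $, so re.match and CEL's matches() agree here.
    url = config.get("connection.url")
    if url is not None and re.match(allowed_url_pattern, url):
        return "allowed"
    return "rejected"


# Constructed connector configs, taken from the Examples section.
SAMPLE_CONFIGS = {
    "payments-sink": {
        "connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
        "connection.url": "jdbc:postgresql://payments-prod.db.internal.bank/payments",
    },
    "file-sink": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    },
    "personal-rds": {
        "connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
        "connection.url": "jdbc:postgresql://my-personal-rds.us-east-1.rds.amazonaws.com:5432/test",
    },
    "raw-ip": {
        "connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
        "connection.url": "jdbc:mysql://192.168.1.42/data",
    },
    "contractor-saas": {
        "connector.class": "io.confluent.connect.jdbc.JdbcSinkConnector",
        "connection.url": "jdbc:postgresql://db.contractor-saas.com/exports",
    },
}


def evaluate_all(configs: dict = SAMPLE_CONFIGS) -> dict:
    return {name: evaluate(cfg) for name, cfg in configs.items()}
```

Note that the default pattern only accepts the `jdbc:<subprotocol>://host` URL shape, so drivers with a different URL form (Oracle thin's `jdbc:oracle:thin:@//host:port/service`, for instance) are rejected rather than waved through; widen `allowed_url_pattern` deliberately if you need them.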