conduktor.io

Connector Topics Must Match Owning Tenant

Connector's spec.config["topics"] / ["topics.regex"] must be confined to the connector's own tenant prefix.

“You don't co-mingle anybody's data regardless whether pre-encrypted or not.”

Rationale

A connector with topics.regex=.* run by tenant-A and pointing at tenant-B's topics is a cross-tenant exfiltration path that bypasses topic-level RBAC: the connector's own service principal reads the data, so the tenant's ACLs never see tenant-A. Forcing every listed topic to start with (or the regex to be anchored on) the connector's labels.tenant-id closes the most common SaaS Kafka data-leakage path. The check has to cover the whole value, not just its head: topics is a comma-separated list, so a second entry can name another tenant, and a regex can hide an alternation (`^t-<id>\.a|.*`) behind a correctly anchored prefix.

Pattern

exactly one of config.topics / config.topics.regex is set, AND (every comma-separated entry of config.topics startsWith labels.tenant-id+'.' OR config.topics.regex starts with '^'+labels.tenant-id+'\\.' and contains no '|')

Examples

labels.tenant-id: t-ab12cd + config.topics: t-ab12cd.prod.orders.placed.v1   -> allowed
labels.tenant-id: t-ab12cd + config.topics.regex: ^t-ab12cd\.prod\.orders\..*  -> allowed
labels.tenant-id: t-ab12cd + config.topics: t-zzzzzz.prod.payments.v1         -> rejected (foreign tenant prefix)
labels.tenant-id: t-ab12cd + config.topics.regex: .*                          -> rejected (unanchored regex)
no labels.tenant-id                                                           -> rejected (owning tenant unknown)

Parameters

Name             Default      Description
tenant_id_label  "tenant-id"  Label key on the Connector carrying its owning tenant id.

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# Connectors expose spec.config (singular) with all string values. Bracket access
# is mandatory for keys that contain dots. Exactly one of topics (a comma-separated
# list; every entry is checked) or topics.regex (must be anchored ^t-<id>\. and
# contain no alternation) has to be set. A bare startsWith on either value is not
# enough: "t-<id>.a,t-other.b" and "^t-<id>\.a|.*" both begin with the tenant prefix.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: tenant-connector-topic-scope
spec:
  targetKind: Connector
  description: Connector's topics / topics.regex must be confined to its own tenant prefix
  rules:
    - condition: '"tenant-id" in metadata.labels && metadata.labels["tenant-id"].matches("^t-[a-z0-9]{6}$")'
      errorMessage: "Connector must carry metadata.labels.tenant-id matching t-<6 alphanum>"
    - condition: '("topics" in spec.config) != ("topics.regex" in spec.config)'
      errorMessage: "Connector must set exactly one of spec.config.topics or spec.config.topics.regex"
    - condition: '"tenant-id" in metadata.labels && (("topics" in spec.config && spec.config["topics"].matches("^" + metadata.labels["tenant-id"] + "\\.[^,]+(,\\s*" + metadata.labels["tenant-id"] + "\\.[^,]+)*$")) || ("topics.regex" in spec.config && !spec.config["topics.regex"].contains("|") && spec.config["topics.regex"].startsWith("^" + metadata.labels["tenant-id"] + "\\.")))'
      errorMessage: "Every entry of spec.config.topics must start with <tenant-id>. or spec.config.topics.regex must be anchored ^<tenant-id>\\. and contain no '|'"
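To see why the Pattern above has to look at the whole value and not just its prefix, here is an added example (written for this page, not Conduktor's code and not a CEL evaluator) that re-implements the policy's logic in plain Python and runs it over constructed Connector manifests. `topics_scoped_naive` mirrors a bare startsWith check on either key; `topics_scoped_strict` is the hardened form (exactly one key, every comma-separated entry scoped, no alternation in the regex). The function names, the `connector()` helper and the eight sample manifests are all assumptions made for the demonstration; the first five samples correspond to the Examples section, the last three are bypass attempts that only the strict check rejects.

```python
import re

# Assumptions for this example (not from the Conduktor page): a plain-Python
# re-implementation of the policy's conditions, so the two checks can be compared
# offline. TENANT_LABEL matches the default of the tenant_id_label parameter.
TENANT_LABEL = "tenant-id"
TENANT_ID_RE = re.compile(r"^t-[a-z0-9]{6}$")


def topics_scoped_naive(tenant: str, cfg: dict) -> bool:
    """A bare startsWith on either key: only the head of the value is inspected."""
    if cfg.get("topics", "").startswith(tenant + "."):
        return True
    return cfg.get("topics.regex", "").startswith("^" + tenant + r"\.")


def topics_scoped_strict(tenant: str, cfg: dict) -> bool:
    """Hardened check: exactly one key, every list entry scoped, no alternation."""
    has_list, has_re = "topics" in cfg, "topics.regex" in cfg
    if has_list == has_re:          # neither set, or both set: refuse
        return False
    if has_list:
        t = re.escape(tenant)
        # whole-string match: "<t>.x" optionally followed by ", <t>.y" entries
        allowed = re.compile(rf"^{t}\.[^,]+(,\s*{t}\.[^,]+)*$")
        return allowed.match(cfg["topics"]) is not None
    pat = cfg["topics.regex"]
    return "|" not in pat and pat.startswith("^" + tenant + r"\.")


def evaluate(connector: dict, scoped=topics_scoped_strict) -> list:
    """Return the policy's error messages for a Connector; an empty list means allowed."""
    labels = connector.get("metadata", {}).get("labels", {})
    tenant = labels.get(TENANT_LABEL)
    if tenant is None or not TENANT_ID_RE.match(tenant):
        return [f"Connector must carry metadata.labels.{TENANT_LABEL} matching t-<6 alphanum>"]
    cfg = connector.get("spec", {}).get("config", {})
    if not scoped(tenant, cfg):
        return ["spec.config.topics must be confined to <tenant-id>. "
                "or spec.config.topics.regex must be anchored ^<tenant-id>\\."]
    return []


def connector(tenant, cfg: dict) -> dict:
    """Build a minimal Connector manifest (constructed test data, not a real resource)."""
    labels = {TENANT_LABEL: tenant} if tenant else {}
    return {"apiVersion": "kafka/v2", "kind": "Connector",
            "metadata": {"name": "demo", "labels": labels},
            "spec": {"config": cfg}}


# Constructed samples: the page's five cases plus three bypasses of a prefix-only check.
SAMPLES = {
    "own-topic":      connector("t-ab12cd", {"topics": "t-ab12cd.prod.orders.placed.v1"}),
    "own-regex":      connector("t-ab12cd", {"topics.regex": r"^t-ab12cd\.prod\.orders\..*"}),
    "foreign-topic":  connector("t-ab12cd", {"topics": "t-zzzzzz.prod.payments.v1"}),
    "wildcard-regex": connector("t-ab12cd", {"topics.regex": ".*"}),
    "no-label":       connector(None, {"topics": "t-ab12cd.prod.orders.placed.v1"}),
    "list-smuggle":   connector("t-ab12cd", {"topics": "t-ab12cd.x,t-zzzzzz.prod.payments.v1"}),
    "alternation":    connector("t-ab12cd", {"topics.regex": r"^t-ab12cd\.x|.*"}),
    "both-keys":      connector("t-ab12cd", {"topics": "t-ab12cd.x", "topics.regex": ".*"}),
}


def audit(samples: dict = SAMPLES) -> dict:
    """name -> (allowed by the naive check, allowed by the strict check)."""
    return {name: (not evaluate(c, topics_scoped_naive), not evaluate(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (naive_ok, strict_ok) in audit().items():
        print(f"{name:15} naive={'ALLOW' if naive_ok else 'deny '}  "
              f"strict={'ALLOW' if strict_ok else 'deny'}")
```

Running it prints one line per sample; `list-smuggle`, `alternation` and `both-keys` are allowed by the naive check and denied by the strict one, which is the gap the "exactly one key" and "no '|'" clauses in the Pattern close. Kafka Connect itself refuses a sink config that sets both `topics` and `topics.regex`, but the policy should not rely on that: rejecting the pair at review time keeps the guardrail independent of the connector runtime.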
