Kafka Configs Kafka Protocol Wire Format API Versions KIPs Errors Kafka Upgrade Config Advisor Policy Pack
Debezium
Config Matrix Event Envelope Snapshot Modes Error Reference
Flink SQL
conduktor.io ↗

Consumer Group Prefix

Consumer group IDs must be prefixed by their owning team.

Rationale

Prefixing consumer groups by team lets you scope RBAC and quotas, and makes lag dashboards readable. Anonymous group IDs (UUIDs, `console-consumer-12345`) hide ownership and accumulate as zombies.

Pattern

^[a-z][a-z0-9-]+\.[a-z0-9-]+\.cg$

Examples

orders.fraud-detector.cg
payments.ledger-sync.cg
console-consumer-12345
0e94ad7e-...
fraud-detector

Parameters

NameDefaultDescription
pattern "^[a-z][a-z0-9-]+\\.[a-z0-9-]+\\.cg$" Regex group IDs must match.

Governs

This policy relates to the following Kafka configuration keys:

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# ResourcePolicy targetKind values are Topic | Connector | Subject | ApplicationGroup.
# There is no first-class ConsumerGroup target — we enforce the naming
# convention on ApplicationGroup names, which back the consumer-group
# permissions handed to applications.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: consumer-group-prefix
spec:
  targetKind: ApplicationGroup
  description: Consumer-group / ApplicationGroup names must be <team>.<app>.cg
  rules:
    - condition: metadata.name.matches("^[a-z][a-z0-9-]+\\.[a-z0-9-]+\\.cg$")
      errorMessage: "Consumer group must be <team>.<app>.cg (e.g. orders.fraud-detector.cg)"

Related policies

Try Conduktor Console

Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.

Get Started →