Kafka Configs Kafka Protocol Wire Format API Versions KIPs Errors Kafka Upgrade Config Advisor Policy Pack
Debezium
Config Matrix Event Envelope Snapshot Modes Error Reference
Flink SQL
conduktor.io ↗

Tenant Label Must Match Topic Prefix

metadata.labels.tenant-id is mandatory and must equal the tenant segment embedded in the topic name.

“So if I help him architect the way I want him to architect, then there's 26 independent tenant clusters because you don't co-mingle anybody's data.”

Rationale

Labels and names drift apart over time. Forcing the label to equal the name prefix makes audit, chargeback joins, and policy targeting deterministic: one source of truth, not two systems that can disagree. Without this, a mislabeled topic bills the wrong tenant.

Pattern

metadata.labels["tenant-id"] == regex_extract(metadata.name, "^t-([a-z0-9]{6})\\.")

Examples

name: t-ab12cd.prod.orders.placed.v1 + labels.tenant-id: t-ab12cd
name: t-ab12cd.prod.orders.placed.v1 + labels.tenant-id: t-zzzzzz (mismatch)
name: t-ab12cd.prod.orders.placed.v1 + no tenant-id label

Parameters

NameDefaultDescription
tenant_id_label "tenant-id" Label key carrying the canonical tenant identifier.
tenant_prefix_pattern "t-[a-z0-9]{6}" Pattern of the tenant segment embedded at the start of the topic name.

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# CEL has no regex-capture; we string-compare the first 8 characters ("t-" + 6 chars)
# of the topic name against the tenant-id label value. Pair with tenant-id-topic-prefix
# which guarantees the name starts with that 8-char pattern.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: tenant-label-consistency
spec:
  targetKind: Topic
  description: metadata.labels.tenant-id must equal the topic's t-<id> prefix
  rules:
    - condition: '"tenant-id" in metadata.labels && size(metadata.labels["tenant-id"]) == 8 && metadata.name.startsWith(metadata.labels["tenant-id"] + ".")'
      errorMessage: "metadata.labels.tenant-id must be set and equal the tenant prefix of the topic name (e.g. labels.tenant-id=t-ab12cd for topic t-ab12cd.prod.orders.placed.v1)"

Related policies

Try Conduktor Console

Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.

Get Started →