Data Criticality Label Required
Every topic must carry a data-criticality label (C0/C1/C2/C3) so encryption, retention, and access policies can target it.
“If you want to build a new data policy that incorporates all the PII or all the HIPAA information, you can create a data policy that applies to users with access to that kind of healthcare information.”
Rationale
Field-level encryption, masking, and access reviews only work when each topic is classified. Without a mandatory criticality label, audit teams cannot prove PII/PHI topics get stricter controls under HIPAA, PCI-DSS, or GDPR. Most regulated firms gate their field-level encryption rollouts on this taxonomy existing first.
Pattern
metadata.labels["data-criticality"] in ["C0","C1","C2","C3"]
Examples
Valid:
metadata.labels.data-criticality: C0 (public)
metadata.labels.data-criticality: C2 (PII)
metadata.labels.data-criticality: C3 (PHI / PCI)
Invalid:
no data-criticality label set
metadata.labels.data-criticality: high
metadata.labels.data-criticality: secret
Parameters
| Name | Default | Description |
|---|---|---|
| allowed_values | ["C0","C1","C2","C3"] | Permitted criticality tiers. C0=public, C1=internal, C2=PII, C3=PHI/PCI/regulated. |
| label_key | "data-criticality" | Metadata label key holding the classification. |
Implementation
Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.
```yaml
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# Link via Application(Instance).spec.policyRef or KafkaCluster.spec.policiesRef.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: data-criticality-label-required
spec:
  targetKind: Topic
  description: Every topic must declare metadata.labels.data-criticality in [C0,C1,C2,C3]
  rules:
    - condition: 'has(metadata.labels) && "data-criticality" in metadata.labels && metadata.labels["data-criticality"] in ["C0","C1","C2","C3"]'
      errorMessage: "Topic must set metadata.labels.data-criticality to one of C0, C1, C2, C3 (C0=public, C3=PHI/PCI)"
```
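A local mirror of the rule's three-clause condition, for checking topic manifests before they are submitted. This is an added example, not Conduktor's code: `check_topic` and `audit` are hypothetical helpers, manifests are plain dicts with constructed topic names, and the lowercase `c2` case goes beyond the page's examples to show that the match is exact.

```python
"""Offline mirror of the data-criticality rule for pre-commit checks (added example)."""

# Defaults taken from the Parameters table on this page.
LABEL_KEY = "data-criticality"
ALLOWED_VALUES = ("C0", "C1", "C2", "C3")


def check_topic(topic, label_key=LABEL_KEY, allowed=ALLOWED_VALUES):
    """Return (ok, reason) for one Topic manifest given as a dict.

    Mirrors the three clauses of the rule condition in order:
    labels present, key present, value in the allowed list (exact match).
    """
    labels = (topic.get("metadata") or {}).get("labels")
    if not isinstance(labels, dict):
        return False, "metadata.labels is missing"
    if label_key not in labels:
        return False, f"label '{label_key}' is not set"
    value = labels[label_key]
    if value not in allowed:
        return False, f"value {value!r} is not one of {', '.join(allowed)}"
    return True, "ok"


def audit(topics, **kwargs):
    """Return {topic name: reason} for every manifest that fails the rule."""
    failures = {}
    for topic in topics:
        ok, reason = check_topic(topic, **kwargs)
        if not ok:
            name = (topic.get("metadata") or {}).get("name", "<unnamed>")
            failures[name] = reason
    return failures


# Constructed sample manifests (hypothetical topic names).
SAMPLE_TOPICS = [
    {"metadata": {"name": "web.clicks", "labels": {"data-criticality": "C0"}}},
    {"metadata": {"name": "crm.customers", "labels": {"data-criticality": "C2"}}},
    {"metadata": {"name": "claims.events", "labels": {"data-criticality": "C3"}}},
    {"metadata": {"name": "tmp.scratch"}},
    {"metadata": {"name": "orders.raw", "labels": {"team": "orders"}}},
    {"metadata": {"name": "risk.scores", "labels": {"data-criticality": "high"}}},
    {"metadata": {"name": "hr.payroll", "labels": {"data-criticality": "c2"}}},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_TOPICS).items():
        print(f"REJECT {name}: {reason}")
```

Passing `label_key=` or `allowed=` to `check_topic` or `audit` models a policy whose parameters differ from the defaults.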