min.insync.replicas Floor for Regulated Topics
Topics labeled data-criticality C2/C3 must set min.insync.replicas >= 3 and replicationFactor >= 5.
“Shield is designed for multi-region failover, field-level encryption of PII, everything to do with resiliency and security and data privacy.”
Rationale
The generic production-hardening floor (RF=3, ISR=2) is not enough for PII/PHI/PCI workloads where data loss is a regulatory event, not just an outage. C2/C3 topics need RF>=5 and ISR>=3 so two simultaneous broker failures still leave a quorum that acknowledges writes. The encryption layer above doesn't help if writes silently disappear, which is why regulated-grade resiliency profiles need this at the broker layer.
Pattern
label.data-criticality in [C2,C3] -> replicationFactor >= 5 AND min.insync.replicas >= 3
Examples
data-criticality: C3, replicationFactor: 5, min.insync.replicas: 3 (passes)
data-criticality: C0, replicationFactor: 3, min.insync.replicas: 2 (rule does not apply)
data-criticality: C2, replicationFactor: 3, min.insync.replicas: 2 (fails: replicationFactor < 5 and min.insync.replicas < 3)
data-criticality: C3, replicationFactor: 5, min.insync.replicas: 2 (fails: min.insync.replicas < 3)
Parameters
| Name | Default | Description |
|---|---|---|
| regulated_tiers | ["C2","C3"] | Criticality tiers this floor applies to. |
| min_rf | 5 | Minimum replicationFactor for regulated topics. |
| min_isr | 3 | Minimum min.insync.replicas for regulated topics. |
Governs
This policy relates to the following Kafka configuration keys:
Implementation
Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.
```yaml
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# This policy only fires for topics tagged data-criticality in [C2,C3].
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: min-isr-regulated-floor
spec:
  targetKind: Topic
  description: C2/C3 topics need replicationFactor>=5 and min.insync.replicas>=3
  rules:
    - condition: '!(has(metadata.labels) && "data-criticality" in metadata.labels && metadata.labels["data-criticality"] in ["C2","C3"]) || spec.replicationFactor >= 5'
      errorMessage: "Topics with data-criticality C2/C3 require replicationFactor >= 5"
    - condition: '!(has(metadata.labels) && "data-criticality" in metadata.labels && metadata.labels["data-criticality"] in ["C2","C3"]) || ("min.insync.replicas" in spec.configs && int(string(spec.configs["min.insync.replicas"])) >= 3)'
      errorMessage: "Topics with data-criticality C2/C3 require min.insync.replicas >= 3"
```
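A local pre-check that mirrors the two rule conditions of this policy, as an added example (not Conduktor's code and not part of the original page). The topic dictionaries are constructed samples modeled on the Examples section; `check_topic`, `write_tolerance`, `topic` and the topic names are hypothetical.

```python
# Added example: the policy's two rules re-expressed in plain Python.
REGULATED_TIERS = {"C2", "C3"}   # regulated_tiers parameter
MIN_RF = 5                       # min_rf parameter
MIN_ISR = 3                      # min_isr parameter


def check_topic(topic):
    """Return the list of violations for one topic definition (empty = compliant)."""
    labels = (topic.get("metadata") or {}).get("labels") or {}
    if labels.get("data-criticality") not in REGULATED_TIERS:
        return []  # rule does not apply to unlabeled or lower-tier topics
    spec = topic.get("spec") or {}
    errors = []
    if int(spec.get("replicationFactor", 0)) < MIN_RF:
        errors.append(f"replicationFactor must be >= {MIN_RF}")
    raw_isr = (spec.get("configs") or {}).get("min.insync.replicas")
    # Config values are often strings; a missing key fails, as in the second rule.
    if raw_isr is None or int(str(raw_isr)) < MIN_ISR:
        errors.append(f"min.insync.replicas must be >= {MIN_ISR}")
    return errors


def write_tolerance(rf, min_isr):
    """Brokers that can be lost while acks=all writes are still acknowledged."""
    return rf - min_isr


def topic(name, tier, rf, isr):
    """Build a constructed sample topic definition (hypothetical helper)."""
    labels = {"data-criticality": tier} if tier else {}
    configs = {"min.insync.replicas": str(isr)} if isr is not None else {}
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"replicationFactor": rf, "configs": configs}}


SAMPLES = [  # constructed; the first four follow the Examples section
    topic("payments", "C3", 5, 3),
    topic("clickstream", "C0", 3, 2),
    topic("claims", "C2", 3, 2),
    topic("cards", "C3", 5, 2),
    topic("patients", "C3", 5, None),  # relies on broker default, so it is rejected
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t["metadata"]["name"], check_topic(t) or "ok")
    print("tolerated broker failures at the floor:", write_tolerance(MIN_RF, MIN_ISR))
```

The last sample shows a case the Examples section does not list: a C3 topic that omits `min.insync.replicas` and inherits the broker default is rejected, because the rule requires the key to be set explicitly on the topic.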