Kafka Configs Kafka Protocol Wire Format API Versions KIPs Errors Kafka Upgrade Config Advisor Policy Pack
Debezium
Config Matrix Event Envelope Snapshot Modes Error Reference
Flink SQL
conduktor.io ↗

Producer Must Use acks=all + enable.idempotence=true (Gateway)

Every produce request must use acks=-1 (acks=all) and be from an idempotent producer. Enforced at the Gateway.

Rationale

acks=1 and acks=0 look fine in throughput dashboards but silently lose data on a leader failover (the follower never sees the record). enable.idempotence=true is the price of safe retries — without it, the default retry loop can write duplicates on transient broker errors. These two settings live in the producer client, so the only way to actually enforce them across hundreds of producers is at the wire, via Gateway. The interceptor reads the produce request header (which carries the acks value and the idempotent-producer flag) and rejects anything weaker than acks=all+idempotence.

Pattern

produce.acks in {-1} AND produce.idempotenceRequired == true

Examples

acks=-1 (acks=all) + enable.idempotence=true → accepted
Transactional producer (idempotence is implied) → accepted
acks=1 → INVALID_RECORD (acks weaker than required)
acks=0 → INVALID_RECORD
acks=-1 + enable.idempotence=false → INVALID_RECORD (no idempotence guarantee)

Parameters

NameDefaultDescription
allowed_acks [-1] Acceptable acks values. -1 == "all".
idempotence_required true When true, rejects non-idempotent producers.
action "BLOCK" BLOCK rejects; INFO audits only; THROTTLE delays.

Governs

This policy relates to the following Kafka configuration keys:

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor Gateway Interceptor — wire-layer enforcement.
# Plugin: io.conduktor.gateway.interceptor.safeguard.ProducePolicyPlugin
# Docs:   https://docs.conduktor.io/guide/use-cases/apply-traffic-control-policies
# Pairs with min-insync-replicas-bound (>=2): acks=all is only meaningful when
# the topic has min.insync.replicas >= 2.
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: producer-idempotence-acks-all
  scope:
    vCluster: passthrough
spec:
  pluginClass: io.conduktor.gateway.interceptor.safeguard.ProducePolicyPlugin
  priority: 100
  config:
    topic: ".*"
    acks:
      value:
        - -1
      action: BLOCK
    idempotenceRequired:
      value: true
      action: BLOCK

Related policies

Try Conduktor Console

Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.

Get Started →