
Production ApplicationGroups Must Sync from SSO

For groups targeting prod instances, forbid spec.members and require externalGroups/externalGroupRegex.

Rationale

Hand-rolled member lists rot the moment someone leaves the company: their access lingers until the next audit. SSO-group sync deprovisions leavers automatically on the next login. This is the SOC 2 / ISO 27001 control that platform teams keep asking for ("we want to ban manual user lists in prod").

Pattern

permissions[].appInstance matches *-prod|*-prd → members empty AND (externalGroups OR externalGroupRegex) non-empty

Examples

- prod instance + externalGroups=[GP-PAYMENTS-PROD] + members=[] (passes)
- dev instance + members=[alice@...] (rule skipped)
- prod instance + members=[alice@..., bob@...] (fails)

Parameters

Name           Default             Description
prod_pattern   ".*-(prod|prd)$"    Regex identifying production appInstances.

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# externalGroups / externalGroupRegex are Option-wrapped — guard with has(...)
# before calling size() so a missing field does not blow up the CEL eval.
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: applicationgroup-prod-requires-external-group
spec:
  targetKind: ApplicationGroup
  description: production ApplicationGroups must use externalGroups/externalGroupRegex (SSO sync)
  rules:
    - condition: '!spec.permissions.exists(p, p.appInstance.matches(".*-(prod|prd)$")) || (size(spec.members) == 0 && ((has(spec.externalGroups) && size(spec.externalGroups) > 0) || (has(spec.externalGroupRegex) && size(spec.externalGroupRegex) > 0)))'
      errorMessage: "production ApplicationGroups must use externalGroups/externalGroupRegex (SSO sync) — manual spec.members lists rot when staff leave"
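As an added illustration (not Conduktor's own code), the following Python mirrors the CEL condition in the policy above so the rule can be exercised outside Console, for instance as a local pre-commit check over ApplicationGroup manifests before they are applied. The manifests, group names and e-mail addresses are constructed for the example and carry only the fields the policy inspects; the `prod_pattern` argument takes the same regex as the policy's parameter. The example goes beyond the page's three cases by also covering a group that relies on externalGroupRegex alone and a group that mixes an SSO group with a manual member.

```python
import re

# Default value of the policy's prod_pattern parameter.
PROD_PATTERN = r".*-(prod|prd)$"


def make_group(name, app_instance, members=(), external_groups=(), external_group_regex=None):
    """Build a minimal ApplicationGroup manifest (constructed for this example;
    only the fields the policy inspects are included)."""
    spec = {
        "permissions": [{"appInstance": app_instance}],
        "members": list(members),
    }
    # Mirror the Option-wrapped fields: present only when set, as has() expects.
    if external_groups:
        spec["externalGroups"] = list(external_groups)
    if external_group_regex is not None:
        spec["externalGroupRegex"] = external_group_regex
    return {"apiVersion": "self-serve/v1", "kind": "ApplicationGroup",
            "metadata": {"name": name}, "spec": spec}


def targets_prod(spec, prod_pattern=PROD_PATTERN):
    """CEL: spec.permissions.exists(p, p.appInstance.matches(prod_pattern)).
    CEL matches() is an unanchored search, so re.search is the faithful mirror."""
    rx = re.compile(prod_pattern)
    return any(rx.search(p.get("appInstance", "")) for p in spec.get("permissions", []))


def has_external_source(spec):
    """CEL: (has(externalGroups) && size(..) > 0) || (has(externalGroupRegex) && size(..) > 0)."""
    return len(spec.get("externalGroups", [])) > 0 or len(spec.get("externalGroupRegex", "")) > 0


def check_group(group, prod_pattern=PROD_PATTERN):
    """Return 'skipped', 'pass' or 'fail' for one ApplicationGroup manifest."""
    spec = group["spec"]
    if not targets_prod(spec, prod_pattern):
        return "skipped"  # left side of the || holds: the rule does not apply
    if len(spec.get("members", [])) == 0 and has_external_source(spec):
        return "pass"
    return "fail"


def find_violations(groups, prod_pattern=PROD_PATTERN):
    """Names of the groups the policy would reject (sorted), for a pre-commit guardrail."""
    return sorted(name for name, g in groups.items() if check_group(g, prod_pattern) == "fail")


# Constructed manifests: the page's three examples plus two more edge cases.
CONSTRUCTED_GROUPS = {
    "payments-prod-sso": make_group("payments-prod-sso", "payments-prod",
                                    external_groups=["GP-PAYMENTS-PROD"]),
    "payments-dev-manual": make_group("payments-dev-manual", "payments-dev",
                                      members=["alice@example.com"]),
    "payments-prod-manual": make_group("payments-prod-manual", "payments-prod",
                                       members=["alice@example.com", "bob@example.com"]),
    # externalGroupRegex alone satisfies the rule.
    "payments-prd-regex": make_group("payments-prd-regex", "payments-prd",
                                     external_group_regex="^GP-PAYMENTS-.*$"),
    # An SSO group plus a manual member still fails: members must be empty.
    "payments-prod-mixed": make_group("payments-prod-mixed", "payments-prod",
                                      members=["carol@example.com"],
                                      external_groups=["GP-PAYMENTS-PROD"]),
}


def evaluate_all(groups=CONSTRUCTED_GROUPS, prod_pattern=PROD_PATTERN):
    """Verdict per group name, e.g. {'payments-prod-sso': 'pass', ...}."""
    return {name: check_group(g, prod_pattern) for name, g in groups.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{verdict:8} {name}")
```

The `has_external_source` helper treats a missing field and an empty one the same way, which is exactly what the `has(...) && size(...) > 0` guard in the CEL rule does; a group that sets `externalGroupRegex: ""` therefore still fails, as it would in Console.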
