conduktor.io ↗

No Wildcard ACLs in Production

Production ACLs must not grant `*` principal or `*` resource pattern — regardless of patternType.

Rationale

A wildcard principal (`User:*`) on a production topic is a credential bypass. A wildcard resource (`Topic:*`) is cluster-wide access — and that is true whether the permission is registered as LITERAL `*` or as PREFIXED `*` (which behaves the same way: every resource matches the empty prefix). The previous version of this policy only rejected LITERAL `*` and silently let PREFIXED `*` through. Both are now rejected.

Pattern

principal != "User:*" AND permission.name != "*" (any patternType)

Examples

User:orders-svc on Topic:prod.orders.* (PREFIXED "prod.orders.")
User:* on Topic:prod.orders.placed.v1
name="*" patternType=LITERAL
name="*" patternType=PREFIXED

Parameters

NameDefaultDescription
env_prefix "prod." Topic name prefix considered production.

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# Schema: https://docs.conduktor.io/platform/reference/resource-reference/self-service/#resourcepolicy
# Conduktor exposes ACL surfaces through ApplicationGroup (which carries
# permissions handed to a ServiceAccount). Wildcard name=="*" is rejected
# regardless of patternType — PREFIXED "*" matches the same set of resources
# as LITERAL "*".
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: no-wildcard-acl-prod
spec:
  targetKind: ApplicationGroup
  description: ApplicationGroups cannot grant wildcard resource permissions (name="*") regardless of patternType
  rules:
    - condition: 'spec.permissions.all(p, p.name != "*")'
      errorMessage: "Wildcard resource name=\"*\" is not allowed (LITERAL or PREFIXED) — scope by an explicit prefix instead"

Related policies

Try Conduktor Console

Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.

Get Started →