KafkaNativeACL

Prerequisites

  • A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
  • A Kubernetes Secret with an Aiven authentication token.

Required permissions

To create and manage this resource, you must have the appropriate roles or permissions. See the Aiven documentation for details on managing permissions.

This resource uses the following API operations, and for each operation, any of the listed permissions is sufficient:

Operation                     Permissions
ServiceGet                    project:services:read
ServiceKafkaNativeAclAdd      service:data:write
ServiceKafkaNativeAclDelete   service:data:write
ServiceKafkaNativeAclGet      service:data:write

Usage example

apiVersion: aiven.io/v1alpha1
kind: Kafka
metadata:
  name: my-kafka
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: kafka-secret

  project: my-aiven-project
  cloudName: google-europe-west1
  plan: startup-4

  maintenanceWindowDow: friday
  maintenanceWindowTime: 23:00:00

---

apiVersion: aiven.io/v1alpha1
kind: KafkaNativeACL
metadata:
  name: my-kafka-native-acl
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: my-aiven-project
  serviceName: my-kafka
  host: my-host
  operation: Create
  patternType: LITERAL
  permissionType: ALLOW
  principal: User:alice
  resourceName: my-kafka-topic
  resourceType: Topic

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created KafkaNativeACL:

kubectl get kafkanativeacls my-kafka-native-acl

The output is similar to the following:

Name                   Service Name    Project             Host       Operation    PatternType    PermissionType    
my-kafka-native-acl    my-kafka        my-aiven-project    my-host    Create       LITERAL        ALLOW             


KafkaNativeACL

KafkaNativeACL creates and manages Kafka-native access control lists (ACLs) for an Aiven for Apache Kafka® service. ACLs control access to Kafka topics, consumer groups, clusters, and Schema Registry. Kafka-native ACLs provide advanced resource-level access control with fine-grained permissions, including ALLOW and DENY rules. For simplified topic-level control, you can use KafkaACL.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value KafkaNativeACL.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object, Immutable). KafkaNativeACLSpec defines the desired state of KafkaNativeACL. See below for nested schema.

spec

Appears on KafkaNativeACL.

KafkaNativeACLSpec defines the desired state of KafkaNativeACL.

Required

  • operation (string, Enum: All, Alter, AlterConfigs, ClusterAction, Create, CreateTokens, Delete, Describe, DescribeConfigs, DescribeTokens, IdempotentWrite, Read, Write). Kafka ACL operation represents an operation which an ACL grants or denies permission to perform.
  • patternType (string, Enum: LITERAL, PREFIXED). Kafka ACL pattern type of resource name.
  • permissionType (string, Enum: ALLOW, DENY). Kafka ACL permission type.
  • principal (string, MaxLength: 256). Principal is in PrincipalType:name format.
  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
  • resourceName (string, MaxLength: 256). Resource pattern used to match specified resources.
  • resourceType (string, Enum: Cluster, DelegationToken, Group, Topic, TransactionalId, User). Kafka ACL resource type represents a type of resource which an ACL can be applied to.
  • serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • host (string, MaxLength: 256, Default value: *). The host or * for all hosts.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).