
KafkaNativeACL

Usage example

Prerequisites

  • A Kubernetes cluster with the operator installed using helm, kubectl or kind (for local development).
  • A Kubernetes Secret with an Aiven authentication token.

apiVersion: aiven.io/v1alpha1
kind: Kafka
metadata:
  name: my-kafka
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: kafka-secret

  project: my-aiven-project
  cloudName: google-europe-west1
  plan: startup-2

  maintenanceWindowDow: friday
  maintenanceWindowTime: 23:00:00

---

apiVersion: aiven.io/v1alpha1
kind: KafkaNativeACL
metadata:
  name: my-kafka-native-acl
spec:
  authSecretRef:
    name: aiven-token
    key: token

  project: my-aiven-project
  serviceName: my-kafka
  host: my-host
  operation: Create
  patternType: LITERAL
  permissionType: ALLOW
  principal: User:alice
  resourceName: my-kafka-topic
  resourceType: Topic

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created KafkaNativeACL:

kubectl get kafkanativeacls my-kafka-native-acl

The output is similar to the following:

Name                   Service Name    Project             Host       Operation    PatternType    PermissionType    
my-kafka-native-acl    my-kafka        my-aiven-project    my-host    Create       LITERAL        ALLOW             


KafkaNativeACL

KafkaNativeACL creates and manages Kafka-native access control lists (ACLs) for an Aiven for Apache Kafka® service. ACLs control access to Kafka topics, consumer groups, clusters, and Schema Registry. Kafka-native ACLs provide advanced resource-level access control with fine-grained permissions, including ALLOW and DENY rules. For simplified topic-level control, you can use KafkaACL.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value KafkaNativeACL.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object, Immutable). KafkaNativeACLSpec defines the desired state of KafkaNativeACL. See below for nested schema.

spec

Appears on KafkaNativeACL.

KafkaNativeACLSpec defines the desired state of KafkaNativeACL.

Required

  • operation (string, Enum: All, Alter, AlterConfigs, ClusterAction, Create, CreateTokens, Delete, Describe, DescribeConfigs, DescribeTokens, IdempotentWrite, Read, Write). Kafka ACL operation represents an operation which an ACL grants or denies permission to perform.
  • patternType (string, Enum: LITERAL, PREFIXED). Kafka ACL pattern type of resource name.
  • permissionType (string, Enum: ALLOW, DENY). Kafka ACL permission type.
  • principal (string, MaxLength: 256). Principal is in PrincipalType:name format.
  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.
  • resourceName (string, MaxLength: 256). Resource pattern used to match specified resources.
  • resourceType (string, Enum: Cluster, DelegationToken, Group, Topic, TransactionalId, User). Kafka ACL resource type represents a type of resource which an ACL can be applied to.
  • serviceName (string, Immutable, Pattern: ^[a-z][-a-z0-9]+$, MaxLength: 63). Specifies the name of the service that this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • host (string, MaxLength: 256, Default value: *). The host or * for all hosts.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).
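
A pre-apply check for the spec fields listed above, as an added example that is not part of the operator or Aiven's own code: `lint_acl` (a hypothetical helper) checks a spec, given as a Python dict, against the enums, patterns and length limits on this page and warns on broad ALLOW grants. The warning policy and the `BROAD` sample are assumptions constructed for this example.

```python
import re

# Enums, patterns and length limits copied from the spec reference on this page.
ENUMS = {
    "operation": {"All", "Alter", "AlterConfigs", "ClusterAction", "Create",
                  "CreateTokens", "Delete", "Describe", "DescribeConfigs",
                  "DescribeTokens", "IdempotentWrite", "Read", "Write"},
    "patternType": {"LITERAL", "PREFIXED"},
    "permissionType": {"ALLOW", "DENY"},
    "resourceType": {"Cluster", "DelegationToken", "Group", "Topic",
                     "TransactionalId", "User"},
}
PATTERNS = {"project": (r"[a-zA-Z0-9_-]+", 63), "serviceName": (r"[a-z][-a-z0-9]+", 63)}
REQUIRED = [*ENUMS, *PATTERNS, "principal", "resourceName"]

# The spec from the usage example on this page, and a constructed broad grant.
PAGE_EXAMPLE = {"project": "my-aiven-project", "serviceName": "my-kafka",
                "host": "my-host", "operation": "Create", "patternType": "LITERAL",
                "permissionType": "ALLOW", "principal": "User:alice",
                "resourceName": "my-kafka-topic", "resourceType": "Topic"}
# Constructed sample: host * is also the documented default when host is omitted.
BROAD = {**PAGE_EXAMPLE, "host": "*", "serviceName": "My_Kafka", "operation": "All",
         "patternType": "PREFIXED", "principal": "alice", "resourceName": "orders-"}


def lint_acl(spec):
    """Return (errors, warnings) for one KafkaNativeACL spec given as a dict of strings."""
    errors = [f"{f}: required" for f in REQUIRED if f not in spec]
    for field, allowed in ENUMS.items():
        if field in spec and spec[field] not in allowed:
            errors.append(f"{field}: {spec[field]!r} is not an allowed value")
    for field, (pattern, limit) in PATTERNS.items():
        value = spec.get(field, "")
        if field in spec and (len(value) > limit or not re.fullmatch(pattern, value)):
            errors.append(f"{field}: violates Pattern or MaxLength {limit}")
    for field in ("principal", "resourceName", "host"):
        if len(spec.get(field, "")) > 256:
            errors.append(f"{field}: longer than MaxLength 256")
    if "principal" in spec and not re.fullmatch(r"[^:]+:.+", spec["principal"]):
        errors.append("principal: expected PrincipalType:name")
    # Review policy (an assumption of this example): flag broad ALLOW grants.
    warnings = []
    if spec.get("permissionType") == "ALLOW":
        if spec.get("host", "*") == "*":
            warnings.append("host: * (the default) matches every client host")
        if spec.get("operation") == "All":
            warnings.append("operation: All grants every operation")
        if spec.get("patternType") == "PREFIXED":
            warnings.append("patternType: PREFIXED matches every name with this prefix")
    return errors, warnings
```

The spec from the usage example passes with no errors or warnings; `BROAD` yields two schema errors and three review warnings.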