Related problem
KafkaUser CRs manage credentials (SCRAM-SHA-512, TLS) and ACL rules via the Strimzi User Operator. Customers need visibility into who has access to what, and an audit-security prompt to review security posture.
Suggested solution
New Tools
list_kafka_users
- Parameters: namespace (optional), clusterName (optional — filter by the strimzi.io/cluster label)
- Returns: list of users: name, namespace, cluster, authentication type (scram-sha-512/tls/tls-external), ACL count, quota summary, status conditions
- K8s CRD: kafkausers.kafka.strimzi.io
get_kafka_user
- Parameters: namespace (optional), userName (required)
- Returns: detailed user: authentication type, ACL rules (resource type, resource name, operation, type allow/deny), quotas (producerByteRate, consumerByteRate, requestPercentage, mutationRate), secret reference (name only — never secret data), status conditions
- Note: never exposes secret data (passwords, certificates). Only the secret name and type.
New Prompt
audit-security
- Parameters: cluster_name, namespace (optional)
- Workflow:
  - List all KafkaUsers for the cluster → summarize auth types
  - For each user, get ACL rules → identify overly permissive ACLs (e.g., wildcard resources, ALL operations)
  - Get cluster certificates → check expiry dates
  - Get cluster listeners → identify authentication config per listener
  - Summarize: users without ACLs, users with admin-level access, listeners without auth, certs expiring soon
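To make the tool outputs and the prompt workflow concrete, here is an added example (not the project's code, and not a Strimzi API) that runs the list/get summarisation and the audit checks over constructed KafkaUser documents in the shape `kubectl get kafkauser -o json` returns. The only Secret-related field it reads is `status.secret`, which is a name; the 30-day "expiring soon" window, the certificate and listener input shapes, and the rule that "admin-level access" means an allow ACL granting the All operation are assumptions made for the example.

```python
"""Added example (not project code): summarisation and audit checks for
Strimzi KafkaUser resources, mirroring the proposed list_kafka_users /
get_kafka_user tools and the audit-security prompt."""
from datetime import datetime, timedelta, timezone


def _acl_operations(rule):
    # v1beta2 carries a list under "operations"; older specs a single "operation".
    ops = rule.get("operations") or ([rule["operation"]] if "operation" in rule else [])
    return [str(op) for op in ops]


def summarize_user(cr):
    """One row of list_kafka_users. Nothing here is read from the Secret itself."""
    spec, meta, status = cr.get("spec", {}), cr.get("metadata", {}), cr.get("status", {})
    acls = spec.get("authorization", {}).get("acls", [])
    return {
        "name": meta.get("name"),
        "namespace": meta.get("namespace"),
        "cluster": meta.get("labels", {}).get("strimzi.io/cluster"),
        "authType": spec.get("authentication", {}).get("type"),
        "aclCount": len(acls),
        "quotas": sorted(spec.get("quotas", {})),
        "secretName": status.get("secret"),  # the Secret's name only, never its data
        "ready": any(c.get("type") == "Ready" and c.get("status") == "True"
                     for c in status.get("conditions", [])),
    }


def flag_permissive_acls(cr):
    """Allow rules on a wildcard resource, on the cluster resource, or granting
    the All operation (assumed definition of 'overly permissive')."""
    findings = []
    for rule in cr.get("spec", {}).get("authorization", {}).get("acls", []):
        if rule.get("type", "allow") != "allow":
            continue  # deny rules narrow access, they never widen it
        resource = rule.get("resource", {})
        name, ops = resource.get("name", ""), _acl_operations(rule)
        reasons = []
        if name == "*" or (resource.get("patternType") == "prefix" and name == ""):
            reasons.append("wildcard resource")
        if resource.get("type") == "cluster":
            reasons.append("cluster-wide resource")
        if "All" in ops:
            reasons.append("ALL operations")
        if reasons:
            findings.append({"resource": f"{resource.get('type')}:{name or '*'}",
                             "operations": ops, "reasons": reasons})
    return findings


def audit_security(users, listeners, certificates, now=None):
    """The audit-security prompt's closing summary for one cluster."""
    now = now or datetime.now(timezone.utc)
    soon = now + timedelta(days=30)  # assumed 'expiring soon' window
    rows = [summarize_user(u) for u in users]
    findings = {summarize_user(u)["name"]: flag_permissive_acls(u) for u in users}
    return {
        "authTypes": {t: sum(1 for r in rows if r["authType"] == t)
                      for t in sorted({r["authType"] for r in rows})},
        "usersWithoutAcls": [r["name"] for r in rows if r["aclCount"] == 0],
        "usersWithAdminAccess": [n for n, f in findings.items()
                                 if any("ALL operations" in x["reasons"] for x in f)],
        "permissiveAcls": {n: f for n, f in findings.items() if f},
        "listenersWithoutAuth": [l["name"] for l in listeners if "authentication" not in l],
        "certsExpiringSoon": [c["name"] for c in certificates
                              if datetime.fromisoformat(c["notAfter"]) <= soon],
    }


# Constructed sample resources for the example; not taken from a real cluster.
SAMPLE_USERS = [
    {"metadata": {"name": "orders-consumer", "namespace": "kafka",
                  "labels": {"strimzi.io/cluster": "my-cluster"}},
     "spec": {"authentication": {"type": "scram-sha-512"},
              "authorization": {"type": "simple", "acls": [
                  {"resource": {"type": "topic", "name": "orders", "patternType": "literal"},
                   "operations": ["Read", "Describe"], "host": "*"},
                  {"resource": {"type": "group", "name": "orders-", "patternType": "prefix"},
                   "operations": ["Read"]}]},
              "quotas": {"consumerByteRate": 2097152}},
     "status": {"secret": "orders-consumer", "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "ops-admin", "namespace": "kafka",
                  "labels": {"strimzi.io/cluster": "my-cluster"}},
     "spec": {"authentication": {"type": "tls"},
              "authorization": {"type": "simple", "acls": [
                  {"resource": {"type": "topic", "name": "*", "patternType": "literal"},
                   "operations": ["All"]}]}},
     "status": {"secret": "ops-admin", "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "legacy-producer", "namespace": "kafka",
                  "labels": {"strimzi.io/cluster": "my-cluster"}},
     "spec": {"authentication": {"type": "tls-external"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]
SAMPLE_LISTENERS = [  # assumed shape: spec.kafka.listeners entries of the Kafka CR
    {"name": "tls", "port": 9093, "type": "internal", "tls": True, "authentication": {"type": "tls"}},
    {"name": "plain", "port": 9092, "type": "internal", "tls": False},
]
SAMPLE_CERTS = [  # assumed shape: certificate name plus its notAfter timestamp
    {"name": "my-cluster-cluster-ca-cert", "notAfter": "2026-01-01T00:00:00+00:00"},
    {"name": "my-cluster-clients-ca-cert", "notAfter": "2030-01-01T00:00:00+00:00"},
]
NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    import json
    print(json.dumps(audit_security(SAMPLE_USERS, SAMPLE_LISTENERS, SAMPLE_CERTS, NOW), indent=2))
```

Deny rules are skipped on purpose: a deny can only narrow what an allow grants, so it never contributes to an "overly permissive" finding. The summary row deliberately carries the Secret name and nothing else from the Secret, which is the property the Security section below requires of the real tools.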
New Files
- KafkaUserService.java — @ApplicationScoped, queries KafkaUser CRDs
- KafkaUserTools.java — @Singleton, @Guarded, @WrapBusinessError
- KafkaUserSummary.java / KafkaUserDetail.java — DTOs
- AuditSecurityPrompt.java — prompt template
- KafkaUserServiceTest.java, KafkaUserToolsTest.java
- Update: McpDiscoveryTest.java, PromptCompletions.java
RBAC
Already covered — kafkausers is in the kafka.strimzi.io API group, already in 003-ClusterRole.yaml.
Security
- Critical: Never expose KafkaUser secret data. Only reference the secret name.
- ACL rules are safe to expose — they describe permissions, not credentials.
- Quotas are safe to expose.
Verification
- mvn clean test — new tests pass
- Create KafkaUsers with various auth types and ACLs on the dev cluster
- Invoke list_kafka_users and get_kafka_user — verify responses
- Test the audit-security prompt — verify it identifies overly permissive ACLs