Description
Hello,
creating KafkaAccess in any namespace is a great feature.
I was thinking about the problem of whether to allow certain destination namespaces.
Here is a way to allow a KafkaAccess from a KafkaUser, using a ReferenceGrant object.
This is the approach used with cross-namespace storage data sources or with the Gateway API.
For example, in my-beloved-kafka-namespace, you have your cluster, node pool and everything, and you create a KafkaUser albundy83-kafkauser:
```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: albundy83-kafkauser
  namespace: my-beloved-kafka-namespace
  labels:
    strimzi.io/cluster: my-beloved-kafka-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: cluster
        operations:
          - Create
          - Describe
          - DescribeConfigs
        host: '*'
      - resource:
          type: topic
          name: '*'
          patternType: literal
        operations:
          - Describe
          - Read
          - DescribeConfigs
        host: '*'
      - resource:
          type: group
          name: albundy83-group
          patternType: literal
        operations:
          - Read
          - Describe
        host: '*'
      - resource:
          type: topic
          name: albundy83-topic
          patternType: literal
        operations:
          - Create
          - Describe
          - Read
          - Write
          - DescribeConfigs
        host: '*'
```

You want a KafkaAccess in my-secure-namespace, so it could look like this:
```yaml
apiVersion: access.strimzi.io/v1alpha1
kind: KafkaAccess
metadata:
  name: albundy83-kafkaaccess
  namespace: my-secure-namespace
spec:
  kafka:
    name: my-beloved-kafka-cluster
    namespace: my-beloved-kafka-namespace
    listener: external
  user:
    apiGroup: kafka.strimzi.io
    kind: KafkaUser
    name: albundy83-kafkauser
    namespace: my-beloved-kafka-namespace
```

To ensure that your KafkaAccess can only be created in my-secure-namespace, you also need to create a ReferenceGrant in the source namespace my-beloved-kafka-namespace:
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-to-create-albundy83-kafkaaccess
  namespace: my-beloved-kafka-namespace
spec:
  from:
    - group: access.strimzi.io
      kind: KafkaAccess
      namespace: my-secure-namespace
  to:
    - group: kafka.strimzi.io
      kind: KafkaUser
      name: albundy83-kafkauser
```

Of course, it's just an idea, but I found some similarities.