Tenant separation

[DavidMachacek]

I have one cluster-wide strimzi kafka cluster in its own namespace (infra-strimzi) in Openshift.

I have couple of business namespaces (i.e. project-A, project-B). I want to preferably use TLS auth with simple authorization.

I want to allow each project to manage its own KafkaUsers and KafkaTopics. But I need to prevent them from accessing resources (i.e. topics) that belong in other project. I.e. so KafkaUser from project-A cannot set itself ACLs to access KafkaTopics created from project-B.

I though of using some sort of prefixes, i.e. project-A.myTopic, but how could I enforce them? Writing my own validationWebhook just seems like a bit of overkill as I expect my setup to be a pretty common one.

How can I achieve that? What is the best practice for tenant separtion inside one cluster?

[scholzj]

Strimzi does not really handle this. It currently focuses mainly on the layer below and that is managing the Kafka cluster and its aspects rather than doing the data management etc.

One of the common ways to work around it is using GitOps:

• Users in a self-service fashion open PRs with User / Topic changes
• This PR is reviewed by a responsible person/automation (e.g. if the author of the Pr is a member of group X, his/her PR can grant someone rights to topics belonging to group X etc.)
• GitOps tool such as Argo or Flux applies the changes to the correct namespace in the Kubernetes cluster where Strimzi picks it up.