Kafka Design > Ressources Isolation in Strimzi

[oesebus]

HI All,

Context

We have a Kubernetes infrastructure with a single cluster.

I would like to isolate ressources by namespaces .

Several environments (.NET services etc...) are deployed on this cluster delimited by namespaces.

Currently, only one Operator Cluster is installed on namespace called "A". In this namespace, there is also the Entity Operator. (Topic & User Operator).
I then created a KafkaUser for each of the namespaces (B, C and D) to set up a certain isolation of resources (MultiTenancy?) .

However, since topics are strongly coupled to an environment and therefore to a namespace, I wonder if topics should not be installed on namespace B , c or D directly rather than in Namespace A (where the operators etc are located).

For now, the Operator only monitors a single namespace. So this implies that all resources are installed under the same namespace.
So i had to add a clusterRoleBinding to allow services from another namespace to create KafkaTopic resources in namespace A.

What do you think of this approach? Is this a good design or are there any points of attention to be aware of?

Another solution that I imagined is to be able to install KafkaTopic resources in each dedicated environment and ensure that the EntityOperator can monitor those namespaces.

Last question, regarding resource isolation. (Groups & Topics), do you see other measures to put in place to make this isolation more robust?

Thanks for your precious help / advice

Ismael

[scholzj]

The Topic and User Operator always watch only one namespace. So if you want to use them, you need to eventually get the KafkaTapic or KafkaUser resources into the namespace they watch. You can create them there directly or you can for example use some tool to sync them from other namespaces. It is also quite common that the users and topics are managed through some GitOps process, so it is more a question of where to open the PR rather then of creating it directly in the Kube API.

[oesebus]

Thanks for your quick feedback .

Last questions if you don't mind . What would be your approach to isolate kafka ressources (topics , groups) per namespace ?

Conduktor provides multi tenancy features . Does something similar exist in Strimzi ?

Thanks

Ismael

[scholzj]

Apache Kafka does not have any multi-tenancy. Typically, if you want to emulate it somehow, you would for example prefix the names of topics, users or groups. But there is not isolation between such tenants. It more a naming schema and nothing else.