In some cases, user might be interested in mixing the authenticated and unauthenticated interfaces. For example use anonymous connections to push collected logs into Kafka while using authenticated connections to process them. That usually requires setting up ACLs for the User:ANONYMOUS which used for the unauthenticated connections.

One of the options would be to allow the anonymous user to be created as KafkaUser. But because it is in uppercase, this is complicated. My suggestion would be to just let the users setup the rules manually and make sure User Operator will ignore them / not overwrite them.

This was raised by different users (and customers). GitHub issue Strimzi#1371