consul/website/content/docs/connect/config-entries/service-intentions.mdx

---
layout: docs
page_title: Service intentions configuration entry reference
description: >-
Use the service intentions configuration entry to allow or deny traffic to services in the mesh from specific sources. Learn how to configure `service-intention` config entries
---
# Service intentions configuration entry reference
This topic provides reference information for the service intentions configuration entry. Intentions are configurations for controlling access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more L4 traffic sources, L7 traffic sources, or combination of traffic sources. Refer to [Service mesh intentions overview](/consul/docs/connect/intentions) for additional information.
## Configuration model
<Tabs>
<Tab heading="HCL and JSON" group="hcl">
- [`Kind`](#kind): string | required | must be set to `service-intentions`
- [`Name`](#name): string | required
- [`Namespace`](#namespace): string | `default` | <EnterpriseAlert inline/>
- [`Partition`](#partition): string | `default` | <EnterpriseAlert inline />
- [`Meta`](#meta): map | no default
- [`Sources`](#sources): list | no default
  - [`Name`](#sources-name): string | no default
  - [`Peer`](#sources-peer): string | no default
  - [`Namespace`](#sources-namespace): string | no default | <EnterpriseAlert inline />
  - [`Partition`](#sources-partition): string | no default | <EnterpriseAlert inline />
  - [`Action`](#sources-action): string | no default | required for L4 intentions
  - [`Permissions`](#sources-permissions): list | no default
    - [`Action`](#sources-permissions-action): string | no default | required
    - [`HTTP`](#sources-permissions-http): map | required
      - [`PathExact`](#sources-permissions-http): string | no default
      - [`PathPrefix`](#sources-permissions-http): string | no default
      - [`PathRegex`](#sources-permissions-http): string | no default
      - [`Methods`](#sources-permissions-http): list | no default
      - [`Header`](#sources-permissions-http-header): list of maps | no default
        - [`Name`](#sources-permissions-http-header): string | required
        - [`Present`](#sources-permissions-http-header): boolean | `false`
        - [`Exact`](#sources-permissions-http-header): string | no default
        - [`Prefix`](#sources-permissions-http-header): string | no default
        - [`Suffix`](#sources-permissions-http-header): string | no default
        - [`Regex`](#sources-permissions-http-header): string | no default
        - [`Invert`](#sources-permissions-http-header): boolean | `false`
  - [`Precedence`](#sources-precedence): number | no default | _read-only_
  - [`Type`](#sources-type): string | `consul`
  - [`Description`](#sources-description): string
  - [`LegacyID`](#sources-legacyid): string | no default | _read-only_
  - [`LegacyMeta`](#sources-legacymeta): map | no default | _read-only_
  - [`LegacyCreateTime`](#sources-legacycreatetime): string | no default | _read-only_
  - [`LegacyUpdateTime`](#sources-legacyupdatetime): string | no default | _read-only_
</Tab>
<Tab heading="YAML" group="yaml">
- [`apiVersion`](#apiversion): string | must be set to `consul.hashicorp.com/v1alpha1`
- [`kind`](#kind): string | must be set to `ServiceIntentions`
- [`metadata`](#metadata): map | required
  - [`name`](#metadata-name): string | required
  - [`namespace`](#metadata-namespace): string | `default` | <EnterpriseAlert inline/>
- [`spec`](#spec): map | no default
  - [`destination`](#spec-destination): map | no default
    - [`name`](#spec-destination-name): string | required
    - [`namespace`](#metadata-namespace): string | `default` | <EnterpriseAlert inline/>
  - [`sources`](#spec-sources): list | no default
    - [`name`](#spec-sources-name): string | no default
    - [`peer`](#spec-sources-peer): string | no default
    - [`namespace`](#spec-sources-namespace): string | no default | <EnterpriseAlert inline />
    - [`partition`](#spec-sources-partition): string | no default | <EnterpriseAlert inline />
    - [`action`](#spec-sources-action): string | no default | required for L4 intentions
    - [`permissions`](#spec-sources-permissions): list | no default
      - [`action`](#spec-sources-permissions-action): string | no default | required
      - [`http`](#spec-sources-permissions-http): map | required
        - [`pathExact`](#spec-sources-permissions-http): string | no default
        - [`pathPrefix`](#spec-sources-permissions-http): string | no default
        - [`pathRegex`](#spec-sources-permissions-http): string | no default
        - [`methods`](#spec-sources-permissions-http): list | no default
        - [`header`](#spec-sources-permissions-http-header): list of maps | no default
          - [`name`](#spec-sources-permissions-http-header): string | required
          - [`present`](#spec-sources-permissions-http-header): boolean | `false`
          - [`exact`](#spec-sources-permissions-http-header): string | no default
          - [`prefix`](#spec-sources-permissions-http-header): string | no default
          - [`suffix`](#spec-sources-permissions-http-header): string | no default
          - [`regex`](#spec-sources-permissions-http-header): string | no default
          - [`invert`](#spec-sources-permissions-http-header): boolean | `false`
    - [`type`](#spec-sources-type): string | `consul`
    - [`description`](#spec-sources-description): string
</Tab>
</Tabs>
## Complete configuration
<Tabs>
<Tab heading="HCL" group="hcl">
```hcl
Kind      = "service-intentions"
Name      = "<name of destination service>"
Namespace = "<destination namespace>" # string
Partition = "<destination partition>" # string
Meta = {
  "<key-1>" = "<value-1>"
  "<key-2>" = "<value-2>"
}
Sources = [
  {
    Name      = "<name of service sending traffic>"           # string
    Peer      = "<name of cluster containing source service>" # string
    Namespace = "<namespace containing source service>"       # string
    Partition = "<sources-partition>"                         # string
    Action    = "<allow or deny>" # string, L4 intentions only
    Permissions = [
      {
        Action = "<allow or deny>" # string, L7 intentions only
        HTTP = {
          PathExact  = "<exact path to match>"    # string
          PathPrefix = "<path prefix to match>"   # string
          PathRegex  = "<regex pattern to match>" # string
          Methods = [
            "<first http method to match>", # string
            "<second http method to match>"
          ]
          Header = [
            {
              Name    = "<http header name>" # string
              Present = <true or false>      # boolean
            },
            {
              Name  = "<http header name>"      # string
              Exact = "<header value to match>" # string
            },
            {
              Name   = "<http header name>"           # string
              Prefix = "<source header value prefix>" # string
            },
            {
              Name   = "<http header name>"           # string
              Suffix = "<source header value suffix>" # string
            },
            {
              Name   = "<http header name>"       # string
              Regex  = "<regex pattern to match>" # string
              Invert = <true or false>            # boolean
            }
          ]
        }
      }
    ]
    Type             = "consul"                         # string
    Description      = "<description for API responses>" # string
    Precedence       = <read-only> # number
    LegacyID         = <read-only> # string
    LegacyMeta       = <read-only> # map
    LegacyCreateTime = <read-only> # string
    LegacyUpdateTime = <read-only> # string
  }
]
```
</Tab>
<Tab heading="YAML" group="yaml">
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: <name of destination service>
  namespace: <destination namespace>
spec:
  destination:
    name: <name of destination service>
    namespace: <destination namespace>
  sources:
    - name: <name of service sending traffic>
      peer: <name of cluster containing source service>
      namespace: <namespace containing source service>
      partition: <sources-partition>
      action: <allow or deny>
      permissions:
        - action: <allow or deny>
          http:
            pathExact: <exact path to match>
            pathPrefix: <path prefix to match>
            pathRegex: <regex pattern to match>
            methods:
              - <first http method to match>
              - <second http method to match>
            header:
              - name: <http header name>
                present: <true or false>
              - name: <http header name>
                exact: <header value to match>
              - name: <http header name>
                prefix: <source header value prefix>
              - name: <http header name>
                suffix: <source header value suffix>
              - name: <http header name>
                regex: <regex pattern to match>
                invert: <true or false>
      type: consul
      description: <description for API responses>
```
</Tab>
<Tab heading="JSON" group="hcl">
```json
{
  "Kind": "service-intentions",
  "Name": "<name of destination service>",
  "Namespace": "<destination namespace>",
  "Partition": "<destination partition>",
  "Meta": {
    "<key-1>": "<value-1>",
    "<key-2>": "<value-2>"
  },
  "Sources": [
    {
      "Name": "<name of service sending traffic>",
      "Peer": "<name of cluster containing source service>",
      "Namespace": "<namespace containing source service>",
      "Partition": "<sources-partition>",
      "Action": "<allow or deny>",
      "Permissions": [
        {
          "Action": "<allow or deny>",
          "HTTP": {
            "PathExact": "<exact path to match>",
            "PathPrefix": "<path prefix to match>",
            "PathRegex": "<regex pattern to match>",
            "Methods": [
              "<first http method to match>",
              "<second http method to match>"
            ],
            "Header": [
              {
                "Name": "<http header name>",
                "Present": true
              },
              {
                "Name": "<http header name>",
                "Exact": "<header value to match>"
              },
              {
                "Name": "<http header name>",
                "Prefix": "<source header value prefix>"
              },
              {
                "Name": "<http header name>",
                "Suffix": "<source header value suffix>"
              },
              {
                "Name": "<http header name>",
                "Regex": "<regex pattern to match>",
                "Invert": false
              }
            ]
          }
        }
      ],
      "Type": "consul",
      "Description": "<description for API responses>",
      "Precedence": "<read-only-number>",
      "LegacyID": "<read-only-string>",
      "LegacyMeta": "<read-only-map>",
      "LegacyCreateTime": "<read-only-string>",
      "LegacyUpdateTime": "<read-only-string>"
    }
  ]
}
```
</Tab>
</Tabs>
## Specification
This section provides details about the fields you can configure in the service intentions configuration entry.
<Tabs>
<Tab heading="HCL" group="hcl">
### `Kind`
Specifies the type of configuration entry to implement. Must be set to `service-intentions`.
#### Values
- Default: None
- This field is required.
- Data type: String value that must be set to `service-intentions`.
### `Name`
Specifies a name of the destination service for all intentions defined in the configuration entry.
#### Values
- Default: None
- This field is required.
- Data type: String
You can also specify a wildcard character (`*`) to match all services without intentions. Intentions that are applied with a wildcard, however, are not supported when defining L7 [`Permissions`](#sources-permissions).
### `Namespace` <EnterpriseAlert inline />
Specifies the [namespace](/consul/docs/enterprise/namespaces) that the configuration entry applies to. Services in the namespace are the traffic destinations that the intentions allow or deny traffic to.
#### Values
- Default: `default`
- Data type: String
You can also specify a wildcard character (`*`) to match all namespaces. Intentions that are applied with a wildcard, however, are not supported when defining L7 [`Permissions`](#sources-permissions).
### `Partition` <EnterpriseAlert inline />
Specifies the [admin partition](/consul/docs/enterprise/admin-partitions) to apply the configuration entry. Services in the specified partition are the traffic destinations that the intentions allow or deny traffic to.
#### Values
- Default: `default`
- Data type: String
### `Meta`
Specifies arbitrary key-value pairs to store with the configuration entry. Consul does not interpret them; use them to tag the entry for your own tooling or audit trail.
#### Values
- Default: None
- Data type: Map of one or more key-value pairs
- keys: String
- values: String, integer, or float
### `Sources[]`
List of configurations that define intention sources and the authorization granted to each source. You can list sources in any order. Consul sorts them by precedence when it stores the entry and, at runtime, the most specific source (highest precedence) is the one that applies. Refer to [`Precedence`](#sources-precedence) for additional information.
#### Values
- Default: None
- List of objects that contain the following fields:
- `Name`
- `Peer`
- `Namespace` <EnterpriseAlert inline/>
- `Partition` <EnterpriseAlert inline/>
- `Action`
- `Permissions`
- `Precedence`
- `Type`
- `Description`
- `LegacyID`
- `LegacyMeta`
- `LegacyCreateTime`
- `LegacyUpdateTime`
### `Sources[].Name`
Specifies the name of the source that the intention allows or denies traffic from. If [`Type`](#sources-type) is set to `consul`, then the value refers to the name of a Consul service. The source is not required to be registered into the Consul catalog.
#### Values
- Default: None
- This field is required.
- Data type: String
### `Sources[].Peer`
Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/connect/cluster-peering) for additional information about peers.
The `Peer` and `Partition` fields are mutually exclusive.
#### Values
- Default: None
- Data type: String
### `Sources[].Namespace` <EnterpriseAlert inline />
Specifies the traffic source namespace that the intention allows or denies traffic from.
#### Values
- Default: If [`Peer`](#sources-peer) is unspecified, defaults to the destination [`Namespace`](#namespace).
- Data type: String
### `Sources[].Partition` <EnterpriseAlert inline />
Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information about partitions.
The `Peer` and `Partition` fields are mutually exclusive.
#### Values
- Default: If [`Peer`](#sources-peer) is unspecified, defaults to the destination [`Partition`](#partition).
- Data type: String
### `Sources[].Action`
Specifies the action to take when the source sends traffic to the destination service. The value is either `allow` or `deny`. Do not configure this field for L7 intentions; configure the [`Permissions`](#sources-permissions) field instead. `Action` and `Permissions` are mutually exclusive within a single source.
#### Values
- Default: None
- This field is required for L4 intentions.
- Data type: String value set to either `allow` or `deny`
Refer to the following examples for additional guidance:
- [L4 Intentions for specific sources and destinations](#l4-intentions-for-specific-sources-and-destinations)
- [L4 intentions for all destinations](#l4-intentions-for-all-destinations)
- [L4 intentions for all sources](#l4-intentions-for-all-sources)
- [L4 and L7](#l4-and-l7)
### `Sources[].Permissions[]`
Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action.
Consul applies permissions in the order specified in the configuration. Beginning at the top of the list, Consul applies the first permission whose criteria match the request and stops evaluating the remaining permissions. As a result, a narrow `deny` must be listed before a broader `allow` that would also match the same request.
For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) configuration.
Do not configure this field for L4 intentions. Use the [`Sources.Action`](#sources-action) parameter instead. `Action` and `Permissions` are mutually exclusive within a single source.
`Permissions` only apply to destination services with an HTTP-compatible protocol (`http`, `http2`, or `grpc`). `Permissions` are not supported when the destination [`Name`](#name) or [`Namespace`](#namespace) field is configured with a wildcard because service instances or services in a namespace may use different protocols.
#### Values
- Default: None
- List of objects that contain the following fields:
- `Action`
- `HTTP`
Refer to the following examples for additional guidance:
- [Rest access](#rest-access)
- [gRPC](#grpc)
- [Cluster peering](#cluster-peering)
- [L4 and L7](#l4-and-l7)
### `Sources[].Permissions[].Action`
Specifies the action to take when the source sends traffic to the destination service. The value is either `allow` or `deny`.
#### Values
- Default: None
- This field is required.
- Data type: String value set to either `allow` or `deny`.
### `Sources[].Permissions[].HTTP`
Specifies a set of HTTP-specific match criteria. Consul applies the action defined in the [`Action`](#sources-permissions-action) field to source traffic that matches the criteria.
#### Values
- Default: None
- This field is required.
- Data type: Map
The following table describes the parameters that the HTTP map may contain:
| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| `PathExact` | Specifies an exact path to match on the HTTP request path. Do not specify `PathExact` if `PathPrefix` or `PathRegex` are configured in the same `HTTP` configuration. | string | none |
| `PathPrefix` | Specifies a path prefix to match on the HTTP request path. Do not specify `PathPrefix` if `PathExact` or `PathRegex` are configured in the same `HTTP` configuration. | string | none |
| `PathRegex` | Defines a regular expression to match on the HTTP request path. Do not specify `PathRegex` if `PathExact` or `PathPrefix` are configured in the same `HTTP` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | none |
| `Methods` | Specifies a list of HTTP methods. Consul applies the permission if a request matches the `PathExact`, `PathPrefix`, `PathRegex`, or `Header` criteria and the source sent the request using one of the specified methods. Refer to the [Mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) for a list of HTTP request methods. | list | All request methods |
| `Header` | Specifies a header name and matching criteria for HTTP request headers. Refer to [`Sources[].Permissions[].HTTP.Header[]`](#sources-permissions-http-header) for details. | list of maps | none |
### `Sources[].Permissions[].HTTP.Header[]`
Specifies a header name and matching criteria for HTTP request headers. The request header must match all specified criteria for the permission to apply.
#### Values
- Default: None
- Data type: list of objects
Each member of the `Header` list is a map that contains a `Name` field and at least one match criterion. The following table describes the parameters that each member of the `Header` list may contain:
| Parameter | Description | Data type | Required |
| --- | --- | --- | --- |
| `Name` | Specifies the name of the header to match. | string | required |
| `Present` | Enables a match if the header configured in the `Name` field appears in the request. Consul matches on any value as long as the header key appears in the request. Do not specify `Present` if `Exact`, `Prefix`, `Suffix`, or `Regex` are configured in the same `Header` configuration. | boolean | optional |
| `Exact` | Specifies a value for the header key set in the `Name` field. If the request header value matches the `Exact` value, Consul applies the permission. Do not specify `Exact` if `Present`, `Prefix`, `Suffix`, or `Regex` are configured in the same `Header` configuration. | string | optional |
| `Prefix` | Specifies a prefix value for the header key set in the `Name` field. If the request header value starts with the `Prefix` value, Consul applies the permission. Do not specify `Prefix` if `Present`, `Exact`, `Suffix`, or `Regex` are configured in the same `Header` configuration. | string | optional |
| `Suffix` | Specifies a suffix value for the header key set in the `Name` field. If the request header value ends with the `Suffix` value, Consul applies the permission. Do not specify `Suffix` if `Present`, `Exact`, `Prefix`, or `Regex` are configured in the same `Header` configuration. | string | optional |
| `Regex` | Specifies a regular expression pattern as the value for the header key set in the `Name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `Regex` if `Present`, `Exact`, `Prefix`, or `Suffix` are configured in the same `Header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional |
| `Invert` | Inverts the matching logic configured in the `Header`. Default is `false`. | boolean | optional |
### `Sources[].Precedence`
The `Precedence` field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services. Refer to [Precedence and matching order](/consul/docs/connect/intentions/create-manage-intentions#precedence-and-matching-order) for additional information.
### `Sources[].Type`
Specifies the type of the source named in [`Name`](#sources-name). The only value supported is `consul`, which identifies the source as a Consul service.
#### Values
- Default: `consul`
- Data type: String
### `Sources[].Description`
Specifies a description of the intention. Consul presents the description in API responses to assist other tools integrated into the network.
#### Values
- Default: None
- Data type: String
### `Sources[].LegacyID`
Read-only universally unique identifier (UUID) for the intention. Consul generates the value and exposes it in the configuration entry so that legacy API endpoints continue to function. Refer to [Read Specific Intention by ID](/consul/api-docs/connect/intentions#read-specific-intention-by-id) for additional information.
### `Sources[].LegacyMeta`
Read-only set of arbitrary key-value pairs to attach to the intention. Consul generates the metadata and exposes it in the configuration entry so that legacy intention API endpoints continue to function. Refer to [Read Specific Intention by ID](/consul/api-docs/connect/intentions#read-specific-intention-by-id) for additional information.
### `Sources[].LegacyCreateTime`
Read-only timestamp for the intention creation. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to [Read Specific Intention by ID](/consul/api-docs/connect/intentions#read-specific-intention-by-id) for additional information.
### `Sources[].LegacyUpdateTime`
Read-only timestamp marking the most recent intention update. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to [Read Specific Intention by ID](/consul/api-docs/connect/intentions#read-specific-intention-by-id) for additional information.
</Tab>
<Tab heading="Kubernetes YAML" group="yaml">
### `apiVersion`
Specifies the version of the Consul API for integrating with Kubernetes. The value must be `consul.hashicorp.com/v1alpha1`.
#### Values
- Default: None
- This field is required.
- String value that must be set to `consul.hashicorp.com/v1alpha1`.
### `kind`
Specifies the type of configuration entry to implement. Must be set to `ServiceIntentions`.
#### Values
- Default: None
- This field is required.
- Data type: String value that must be set to `ServiceIntentions`.
### `metadata`
Map that contains an arbitrary name for the configuration entry and the namespace it applies to.
#### Values
- Default: None
- Data type: Map
### `metadata.name`
Specifies an arbitrary name for the configuration entry. Note that in other configuration entries, the `metadata.name` field specifies the name of the service that the settings apply to. For service intentions, the service that accepts the configurations is the _destination_ and is specified in the [`spec.destination.name`](#spec-destination-name) field. Refer to the following topics for additional information:
- [ServiceIntentions Special Case (OSS)](/consul/docs/k8s/crds#serviceintentions-special-case)
- [ServiceIntentions Special Case (Enterprise)](/consul/docs/k8s/crds#serviceintentions-special-case-enterprise)
#### Values
- Default: None
- Data type: String
### `metadata.namespace` <EnterpriseAlert inline />
Specifies the [namespace](/consul/docs/enterprise/namespaces) that the configuration entry applies to. Refer to [Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for information about how Consul namespaces map to Kubernetes Namespaces. Open source Consul distributions (Consul OSS) ignore the `metadata.namespace` configuration.
#### Values
- Default: `default`
- Data type: String
### `spec`
Map that contains the details about the `ServiceIntentions` configuration entry. The `apiVersion`, `kind`, and `metadata` fields are siblings of the spec field. All other configurations are children.
#### Values
- Default: None
- This field is required.
- Data type: Map
### `spec.destination`
Map that identifies the destination name and destination namespace that source services are allowed or denied access to.
#### Values
- Default: None
- This field is required.
- Data type: Map
### `spec.destination.name`
Specifies the name of the destination service in the mesh that the intentions apply to.
You can also specify a wildcard character (`*`) to match all services. Because exact destination names take precedence over the wildcard, a wildcard intention only applies to destinations that no more specific intention covers. Intentions that are applied with a wildcard are not supported when defining L7 [`permissions`](#spec-sources-permissions).
#### Values
- Default: None
- This field is required.
- Data type: String
### `spec.destination.namespace` <EnterpriseAlert inline />
Specifies the Consul [namespace](/consul/docs/enterprise/namespaces) of the destination service that the intentions apply to. You can also specify a wildcard character (`*`) to match all namespaces. Intentions that are applied with a wildcard, however, are not supported when defining L7 [`permissions`](#spec-sources-permissions).
Refer to [Consul Enterprise](/consul/docs/k8s/crds#consul-enterprise) for information about how Consul namespaces map to Kubernetes Namespaces. Open source Consul distributions (Consul OSS) ignore the `spec.destination.namespace` configuration.
#### Values
- Default: If not set, destination service namespace is inherited from the `connectInject.consulNamespaces` configuration. Refer to [ServiceIntentions Special Case (Enterprise)](/consul/docs/k8s/crds#serviceintentions-special-case-enterprise) for details.
- Data type: String
### `spec.sources[]`
List of configurations that define intention sources and the authorization granted to the sources. You can specify source configurations in any order, but Consul stores and evaluates them in order of reverse precedence at runtime.
#### Values
- Default: None
- List of objects that contain the following fields:
- `name`
- `peer`
- `namespace` <EnterpriseAlert inline/>
- `partition` <EnterpriseAlert inline/>
- `action`
- `permissions`
- `type`
- `description`
### `spec.sources[].name`
Specifies the name of the source that the intention allows or denies traffic from. If [`type`](#spec-sources-type) is set to `consul`, then the value refers to the name of a Consul service. The source is not required to be registered in the Consul catalog. You can also specify a wildcard character (`*`) to match all sources; intentions with an exact source name take precedence over wildcard sources.
#### Values
- Default: None
- This field is required.
- Data type: String
### `spec.sources[].peer`
Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to [Cluster peering overview](/consul/docs/connect/cluster-peering) for additional information about peers. The `peer` and `partition` fields are mutually exclusive.
#### Values
- Default: None
- Data type: String
### `spec.sources[].namespace` <EnterpriseAlert inline />
Specifies the traffic source namespace that the intention allows or denies traffic from.
#### Values
- Default: If [`peer`](#spec-sources-peer) is unspecified, defaults to the namespace specified in the [`spec.destination.namespace`](#spec-destination-namespace) field.
- Data type: String
### `spec.sources[].partition` <EnterpriseAlert inline />
Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to [Admin Partitions](/consul/docs/enterprise/admin-partitions) for additional information about partitions. The `peer` and `partition` fields are mutually exclusive.
#### Values
- Default: If [`peer`](#spec-sources-peer) is unspecified, defaults to the partition specified in [`spec.destination.partition`](#spec-destination-partition).
- Data type: String
### `spec.sources[].action`
Specifies the action to take when the source sends traffic to the destination service. The value is either `allow` or `deny`. Do not configure this field for L7 intentions. Configure the [`spec.sources.permissions`](#spec-sources-permissions) field instead.
#### Values
- Default: None
- This field is required for L4 intentions.
- Data type: String value set to either `allow` or `deny`
### `spec.sources[].permissions[]`
Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action.
Consul applies permissions in the order specified in the configuration. Starting at the beginning of the list, Consul applies the first permission whose criteria match the request and stops evaluating the remaining permissions. As a result, a narrow `deny` must be listed before a broader `allow` that would also match the same request.
For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the [`acl_default_policy`](/consul/docs/agent/config/config-files#acl_default_policy) configuration.
Do not configure this field for L4 intentions. Use the [`spec.sources.action`](#spec-sources-action) parameter instead. `action` and `permissions` are mutually exclusive within a single source.
`permissions` configurations only apply to destination services with an HTTP-compatible protocol (`http`, `http2`, or `grpc`). As a result, they are not supported when the [`spec.destination.name`](#spec-destination-name) or [`spec.destination.namespace`](#spec-destination-namespace) field is configured with a wildcard because service instances or services in a namespace may use different protocols.
#### Values
- Default: None
- List of objects that contain the following fields:
- `action`
- `http`
### `spec.sources[].permissions[].action`
Specifies the action to take when the source sends traffic to the destination service. The value is either `allow` or `deny`.
#### Values
- Default: None
- This field is required.
- Data type: String value set to either `allow` or `deny`
### `spec.sources[].permissions[].http`
Specifies a set of HTTP-specific match criteria. Consul applies the action defined in the [`spec.sources.permissions.action`](#spec-sources-permissions-action) field to source traffic that matches the criteria.
#### Values
- Default: None
- This field is required.
- Data type: Map
The following table describes the parameters that the HTTP map may contain:
| Parameter | Description | Data type | Default |
| --- | --- | --- | --- |
| `pathExact` | Specifies an exact path to match on the HTTP request path. Do not specify `pathExact` if `pathPrefix` or `pathRegex` are configured in the same `http` configuration. | string | none |
| `pathPrefix` | Specifies a path prefix to match on the HTTP request path. Do not specify `pathPrefix` if `pathExact` or `pathRegex` are configured in the same `http` configuration. | string | none |
| `pathRegex` | Defines a regular expression to match on the HTTP request path. Do not specify `pathRegex` if `pathExact` or `pathPrefix` are configured in the same `http` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | none |
| `methods` | Specifies a list of HTTP methods. Consul applies the permission if a request matches the `pathExact`, `pathPrefix`, `pathRegex`, or `header` criteria and the source sent the request using one of the specified methods. Refer to the [Mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) for a list of HTTP request methods. | list | All request methods |
| `header` | Specifies a header name and matching criteria for HTTP request headers. Refer to [`spec.sources[].permissions[].http.header`](#spec-sources-permissions-http-header) for details. | list of maps | none |
### `spec.sources[].permissions[].http.header`
Specifies a set of criteria for matching HTTP request headers. The request header must match all specified criteria for the permission to apply.
#### Values
- Default: None
- Data type: List of maps
Each member of the `header` list is a map that contains a `name` field and at least one match criterion. The following table describes the parameters that each member of the `header` list may contain:
| Parameter | Description | Data type | Required |
| --- | --- | --- | --- |
| `name` | Specifies the name of the header to match. | string | required |
| `present` | Enables a match if the header configured in the `name` field appears in the request. Consul matches on any value as long as the header key appears in the request. Do not specify `present` if `exact`, `prefix`, `suffix`, or `regex` are configured in the same `header` configuration. | boolean | optional |
| `exact` | Specifies a value for the header key set in the `name` field. If the request header value matches the `exact` value, Consul applies the permission. Do not specify `exact` if `present`, `prefix`, `suffix`, or `regex` are configured in the same `header` configuration. | string | optional |
| `prefix` | Specifies a prefix value for the header key set in the `name` field. If the request header value starts with the `prefix` value, Consul applies the permission. Do not specify `prefix` if `present`, `exact`, `suffix`, or `regex` are configured in the same `header` configuration. | string | optional |
| `suffix` | Specifies a suffix value for the header key set in the `name` field. If the request header value ends with the `suffix` value, Consul applies the permission. Do not specify `suffix` if `present`, `exact`, `prefix`, or `regex` are configured in the same `header` configuration. | string | optional |
| `regex` | Specifies a regular expression pattern as the value for the header key set in the `name` field. If the request header value matches the regex, Consul applies the permission. Do not specify `regex` if `present`, `exact`, `prefix`, or `suffix` are configured in the same `header` configuration. The regex syntax is proxy-specific. If using Envoy, refer to the [re2 documentation](https://github.com/google/re2/wiki/Syntax) for details. | string | optional |
| `invert` | Inverts the matching logic configured in the `header`. Default is `false`. | boolean | optional |
### `spec.sources[].type`
Specifies the type of the source named in [`name`](#spec-sources-name). The only value supported is `consul`, which identifies the source as a Consul service.
#### Values
- Default: `consul`
- Data type: String
### `spec.sources[].description`
Specifies a description of the intention. Consul presents the description in API responses to assist other tools integrated into the network.
#### Values
- Default: None
- Data type: String
</Tab>
</Tabs>
## Examples
The following examples demonstrate potential use-cases for the service intentions configuration entry.
### L4 Intentions for specific sources and destinations
The following example configuration entry specifies an L4 intention that denies traffic from `web` to `db` service instances, but allows traffic from `api` to `db`.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "web"
    Action = "deny"
  },
  {
    Name   = "api"
    Action = "allow"
  }
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: db
spec:
  destination:
    name: db
  sources:
    - name: web
      action: deny
    - name: api
      action: allow
```
```json
{
  "Kind": "service-intentions",
  "Name": "db",
  "Sources": [
    {
      "Action": "deny",
      "Name": "web"
    },
    {
      "Action": "allow",
      "Name": "api"
    }
  ]
}
```
</CodeTabs>
### L4 intentions for all destinations
In the following L4 example, the destination is configured with a `*` wildcard. As a result, traffic from `web` service instances is denied to every service in the datacenter that is not covered by a more specific intention, because exact destination names take precedence over the wildcard.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "*"
Sources = [
  {
    Name   = "web"
    Action = "deny"
  }
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: deny-web # arbitrary CRD name; the destination is set in spec.destination.name
spec:
  destination:
    name: '*' # the wildcard must be quoted, otherwise it is not valid YAML
  sources:
    - name: web
      action: deny
```
```json
{
  "Kind": "service-intentions",
  "Name": "*",
  "Sources": [
    {
      "Action": "deny",
      "Name": "web"
    }
  ]
}
```
</CodeTabs>
### L4 intentions for all sources
In the following L4 example, the source is configured with a `*` wildcard. As a result, traffic from any service is denied to `db` service instances unless a more specific intention names the source, because exact source names take precedence over the wildcard.
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "*"
    Action = "deny"
  }
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: db
spec:
  destination:
    name: db
  sources:
    - name: '*' # the wildcard must be quoted, otherwise it is not valid YAML
      action: deny
```
```json
{
  "Kind": "service-intentions",
  "Name": "db",
  "Sources": [
    {
      "Action": "deny",
      "Name": "*"
    }
  ]
}
```
</CodeTabs>
### REST access
In the following example, the `admin-dashboard` and `report-generator` services have different levels of access when making REST calls:
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name = "admin-dashboard"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v2"
          Methods    = ["GET", "PUT", "POST", "DELETE", "HEAD"]
        }
      }
    ]
  },
  {
    Name = "report-generator"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v2/widgets"
          Methods    = ["GET"]
        }
      }
    ]
  }
  # NOTE: a default catch-all based on the default ACL policy will apply to
  # unmatched connections and requests. Typically this will be DENY.
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: admin-dashboard
      permissions:
        - action: allow
          http:
            pathPrefix: /v2
            methods: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD']
    - name: report-generator
      permissions:
        - action: allow
          http:
            pathPrefix: /v2/widgets
            methods: ['GET']
  # NOTE: a default catch-all based on the default ACL policy will apply to
  # unmatched connections and requests. Typically this will be DENY.
```
```json
{
  "Kind": "service-intentions",
  "Name": "api",
  "Sources": [
    {
      "Name": "admin-dashboard",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/v2",
            "Methods": ["GET", "PUT", "POST", "DELETE", "HEAD"]
          }
        }
      ]
    },
    {
      "Name": "report-generator",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/v2/widgets",
            "Methods": ["GET"]
          }
        }
      ]
    }
  ]
}
```
</CodeTabs>
### gRPC
In the following example, Consul denies requests from `frontend-web` to the `IssueRefund` method of the `billing` service's `mycompany.BillingService` gRPC service but allows every other method, while `support-portal` may call all methods.
Because gRPC calls are [HTTP/2 requests](https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md) whose path has the form `/<package>.<Service>/<Method>`, you can apply HTTP path-matching rules to control traffic. The `deny` permission must be listed before the prefix `allow` permission because Consul applies the first matching permission:
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "billing"
Sources = [
  {
    Name = "frontend-web"
    Permissions = [
      # The frontend website can execute all billing service methods except
      # issuing refunds. The deny is listed first because permissions are
      # evaluated in order and the first match wins.
      {
        Action = "deny"
        HTTP {
          PathExact = "/mycompany.BillingService/IssueRefund"
        }
      },
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/mycompany.BillingService/"
        }
      }
    ]
  },
  {
    Name = "support-portal"
    Permissions = [
      # But the support team portal page can execute all methods.
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/mycompany.BillingService/"
        }
      }
    ]
  }

  # A default catch-all based on the default ACL policy applies to
  # unmatched connections and requests. This is typically DENY.
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: billing
spec:
  destination:
    name: billing
  sources:
    # The frontend website can execute all billing service methods except
    # issuing refunds. The deny is listed first because permissions are
    # evaluated in order and the first match wins.
    - name: frontend-web
      permissions:
        - action: deny
          http:
            pathExact: /mycompany.BillingService/IssueRefund
        - action: allow
          http:
            pathPrefix: '/mycompany.BillingService/'
    # But the support team portal page can execute all methods.
    - name: support-portal
      permissions:
        - action: allow
          http:
            pathPrefix: '/mycompany.BillingService/'

  # A default catch-all based on the default ACL policy applies to
  # unmatched connections and requests. This is typically DENY.
```
```json
{
  "Kind": "service-intentions",
  "Name": "billing",
  "Sources": [
    {
      "Name": "frontend-web",
      "Permissions": [
        {
          "Action": "deny",
          "HTTP": {
            "PathExact": "/mycompany.BillingService/IssueRefund"
          }
        },
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/mycompany.BillingService/"
          }
        }
      ]
    },
    {
      "Name": "support-portal",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/mycompany.BillingService/"
          }
        }
      ]
    }
  ]
}
```
</CodeTabs>
### L4 and L7
In the following example, Consul enforces application layer intentions that deny requests to `api` from `hackathon-project` but allow requests from `web`. In the same configuration entry, Consul enforces network layer intentions that allow `nightly-reconciler` to send `POST` requests to the `/v1/reconcile-data` HTTP endpoint:
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "api"
Sources = [
{
Name = "hackathon-project"
Action = "deny"
},
{
Name = "web"
Action = "allow"
},
{
Name = "nightly-reconciler"
Permissions = [
{
Action = "allow"
HTTP {
PathExact = "/v1/reconcile-data"
Methods = ["POST"]
}
}
]
},
# A default catch-all based on the default ACL policy applies to
# unmatched connections and requests. This is typically DENY.
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: api
spec:
destination:
name: api
sources:
- name: hackathon-project
action: deny
- name: web
action: allow
- name: nightly-reconciler
permissions:
- action: allow
http:
pathExact: /v1/reconcile-data
methods: ['POST']
# A default catch-all based on the default ACL policy applies to
# unmatched connections and requests. This is typically DENY.
```
```json
{
"Kind": "service-intentions",
"Name": "api",
"Sources": [
{
"Name": "hackathon-project",
"Action": "deny"
},
{
"Name": "web",
"Action": "allow"
},
{
"Name": "nightly-reconciler",
"Permissions": [
{
"Action": "allow",
"HTTP": {
"PathExact": "/v1/reconcile-data",
"Methods": ["POST"]
}
}
]
}
]
}
```
</CodeTabs>
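To check which requests the `billing` entry above and this combined L4/L7 `api` entry would admit before applying them, the following added example (not Consul's own code) models the evaluation order in Python: a source-level `Action` decides the whole connection, `Permissions` are tried in order and the first match wins, and anything unmatched falls through to the assumed default ACL policy of `deny`. It ignores wildcard sources, namespaces, partitions and header matching.

```python
# Added example: a simplified model of how Consul evaluates a
# service-intentions entry. Not Consul's own code; it ignores
# wildcard sources, namespaces, partitions and header matching.
import json

# Constructed from the two examples above (L7 billing entry, L4/L7 api entry).
BILLING = json.loads("""
{"Kind": "service-intentions", "Name": "billing", "Sources": [
  {"Name": "frontend-web", "Permissions": [
    {"Action": "deny", "HTTP": {"PathExact": "/mycompany.BillingService/IssueRefund"}},
    {"Action": "allow", "HTTP": {"PathPrefix": "/mycompany.BillingService/"}}]},
  {"Name": "support-portal", "Permissions": [
    {"Action": "allow", "HTTP": {"PathPrefix": "/mycompany.BillingService/"}}]}
]}""")
API = json.loads("""
{"Kind": "service-intentions", "Name": "api", "Sources": [
  {"Name": "hackathon-project", "Action": "deny"},
  {"Name": "web", "Action": "allow"},
  {"Name": "nightly-reconciler", "Permissions": [
    {"Action": "allow",
     "HTTP": {"PathExact": "/v1/reconcile-data", "Methods": ["POST"]}}]}
]}""")

DEFAULT_POLICY = "deny"  # assumed default ACL policy: the catch-all

def http_matches(rule, method, path):
    """True when every criterion present in an HTTP block matches."""
    if "PathExact" in rule and path != rule["PathExact"]:
        return False
    if "PathPrefix" in rule and not path.startswith(rule["PathPrefix"]):
        return False
    if "Methods" in rule and method.upper() not in rule["Methods"]:
        return False
    return True

def evaluate(entry, source, method="GET", path="/"):
    """Return 'allow' or 'deny' for one request from `source` to entry['Name']."""
    for src in entry["Sources"]:
        if src["Name"] != source:
            continue
        if "Action" in src:                  # L4 rule: decides the whole connection
            return src["Action"]
        for perm in src.get("Permissions", []):   # L7 rules: first match wins
            if http_matches(perm.get("HTTP", {}), method, path):
                return perm["Action"]
        return DEFAULT_POLICY                # source matched, no permission did
    return DEFAULT_POLICY                    # no rule for this source at all
```

Note that the order of `Permissions` matters: swapping the two `frontend-web` rules would let the `PathPrefix` allow match `IssueRefund` first and the deny would never be reached.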
### Cluster peering
When using cluster peering connections, intentions secure your deployments with authorized service-to-service communication between remote datacenters. In the following example, the service intentions configuration entry authorizes the `backend-service` to communicate with the `frontend-service` that is hosted on remote peer `cluster-02`:
<CodeTabs tabs={[ "HCL", "Kubernetes YAML", "JSON" ]}>
```hcl
Kind = "service-intentions"
Name = "backend-service"
Sources = [
{
Name = "frontend-service"
Peer = "cluster-02"
Action = "allow"
}
]
```
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
name: backend-deny
spec:
destination:
name: backend
sources:
- name: "*"
action: deny
- name: frontend
action: allow
peer: cluster-01 ## The peer of the source service
```
```json
{
"Kind": "service-intentions",
"Name": "backend-service",
"Sources": [
{
"Name": "frontend-service",
"Peer": "cluster-02",
"Action": "allow"
}
]
}
```
</CodeTabs>