Backport of Add docs for default_intention_policy into release/1.18.x (#20892)

pull/20895/head
hc-github-team-consul-core 2024-03-25 13:16:58 -04:00 committed by GitHub
parent bf51d89ac4
commit 59482554a8
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 4 deletions


@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir).
- `default_intention_policy` Controls how service-to-service traffic is authorized
in the absence of specific intentions.
Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy).
- `disable_anonymous_signature` Disables providing an anonymous
signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check).
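Review bot: the new `default_intention_policy` entry states the three accepted values but not which one is recommended for a hardened deployment, even though the security checklist touched in this same change says Consul "should be configured with a default deny intention policy"; a short sentence such as "A value of `deny` is recommended for production deployments" and a cross-link to that checklist section would keep the two pages consistent. It would also help to say explicitly that the empty-value fallback to `acl.default_policy` means a cluster running with `acl.default_policy = "allow"` and no intentions permits all service-to-service traffic.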


@ -26,12 +26,20 @@ of Consul.
## Checklist
### Default Intention Policy Set
Consul should be configured with a default deny intention policy. This forces
all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).
In the absence of `default_intention_policy` Consul will fall back to the ACL
default policy when determining whether to allow or deny communications without
an explicit intention.
### ACLs Enabled with Default Deny
Consul must be configured to use ACLs with a default deny policy. This forces
all requests to have explicit anonymous access or provide an ACL token. The
configuration also forces all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).
all requests to have explicit anonymous access or provide an ACL token.
To learn how to enable ACLs, please see the
[tutorial on ACLs](/consul/tutorials/security/access-control-setup-production).
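Review bot: the new "Default Intention Policy Set" section names `default_intention_policy` as inline code but does not link it to the agent configuration reference entry added in the other file of this change, while the ACL section below links to its tutorial; add that link so the reader can find the accepted values. The normative language is also inconsistent between the two adjacent sections ("Consul should be configured" for the intention policy versus "Consul must be configured" for ACLs); since the fallback to the ACL default policy means a missing intention policy is only safe when ACLs default to deny, consider using "must" in both or stating the dependency explicitly.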
@ -100,7 +108,7 @@ will not be encrypted or authorized via service mesh.
Envoy exposes an **unauthenticated**
[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
that can be used to query and modify the proxy. This interface
that can be used to query and modify the proxy. This interface
allows potentially sensitive information to be retrieved, such as:
* Envoy configuration
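Review bot: the two versions of the line "that can be used to query and modify the proxy. This interface" are identical as rendered, so this hunk appears to be a whitespace-only change (likely trailing whitespace); confirm it is intentional, and if not, drop it from the backport so the release-branch diff stays limited to the `default_intention_policy` documentation.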