From 9a36b73e1b8bb0deb560e21903937491589c1e45 Mon Sep 17 00:00:00 2001 From: hc-github-team-consul-core Date: Tue, 16 Jan 2024 10:29:29 -0600 Subject: [PATCH] Backport of docs: Remove ACLs section from k8s cluster peering page into release/1.17.x (#20198) * backport of commit ce0c9be7995e8ddd624ba9e87d1698f922febcf3 * backport of commit 98bb280eac6aabeee1e6fa7fcba9db6714848141 --------- Co-authored-by: boruszak --- .../k8s/connect/cluster-peering/tech-specs.mdx | 10 +--------- .../cluster-peering/usage/establish-peering.mdx | 17 +---------------- 2 files changed, 2 insertions(+), 25 deletions(-) diff --git a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx b/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx index 2d27a4f369..f6c0ae0316 100644 --- a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx +++ b/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx 
@@ -158,12 +158,4 @@ To learn how to change the mesh gateway mode to `local` on your Kubernetes deplo The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters). -Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information. - -## ACL specifications - -If ACLs are enabled, you must add tokens to grant the following permissions: - -- Grant `service:write` permissions to services that define mesh gateways in their server definition. -- Grant `service:read` permissions for all services on the partition. -- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests. +Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information. \ No newline at end of file diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx b/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx index c784b57047..bc82be872a 100644 --- a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx +++ b/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx 
@@ -439,19 +439,4 @@ Before you can call services from peered clusters, you must set service intentio } ``` - - -### Authorize service reads with ACLs - -If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access. - -Read access to all imported services is granted using either of the following rules associated with an ACL token: - -- `service:write` permissions for any service in the sidecar's partition. -- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition. - -For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities). - -Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules. - -For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl). + \ No newline at end of file
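Review bot: In the tech-specs.mdx hunk, the removed "ACL specifications" section is the only place on that page stating that mesh gateways participating in peering need `mesh:write` (for leaf certificate issuance to terminate TLS) alongside `service:write` and `service:read`; nothing in the hunk replaces it with a pointer to where those requirements now live. Suggest keeping a one-line cross-reference under the `exported-services` paragraph, e.g. "Refer to [ACLs system overview](/consul/docs/security/acl) for the token permissions mesh gateways require for cluster peering.", so a reader checking the tech specs still learns that an ACL token is required and where to look. Separately, the rewritten last line drops the trailing newline ("\ No newline at end of file" now applies to the new content); restore it to keep the file consistent with the other docs.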
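Review bot: In the establish-peering.mdx hunk, the replacement content is a single blank `+` line with no trailing newline, and it removes the only guidance on that page that sidecars calling imported services need an ACL token with `service:write`, or `service:read` plus `node:read`, and that a service identity satisfies this; the commit subject also only mentions removing the section from the k8s cluster peering page, not this usage page. Suggest either dropping the stray blank line (the `### Authorize service reads with ACLs` heading can be removed cleanly without leaving trailing whitespace) or replacing it with a short note such as "If ACLs are enabled, refer to [Reading services](/consul/docs/connect/config-entries/exported-services#reading-services) for the token permissions sidecars need to reach imported services.", and update the commit message to list both files.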