Backport of docs: Remove ACLs section from k8s cluster peering page into release/1.17.x (#20198)

* backport of commit ce0c9be799

* backport of commit 98bb280eac

---------

Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
pull/20223/head
hc-github-team-consul-core 2024-01-16 10:29:29 -06:00 committed by GitHub
parent 0b4f4fd703
commit 9a36b73e1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 25 deletions

View File

@ -158,12 +158,4 @@ To learn how to change the mesh gateway mode to `local` on your Kubernetes deplo
The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters). The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters).
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information. Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.
## ACL specifications
If ACLs are enabled, you must add tokens to grant the following permissions:
- Grant `service:write` permissions to services that define mesh gateways in their server definition.
- Grant `service:read` permissions for all services on the partition.
- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
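Review bot: Removing the whole "ACL specifications" section here drops the only statement on this page of the token permissions cluster peering needs on Kubernetes (`service:write` for services defining mesh gateways, `service:read` for all services on the partition, `mesh:write` for the peering mesh gateways), and the remaining context lines only point readers to the `exported-services` configuration entry and the establish-peering usage page. If these requirements are now documented elsewhere, consider keeping a one-line pointer in the surviving text, for example after "Refer to [`exported-services` configuration entry](...) for more information.", so an operator enabling ACLs on a peered Kubernetes cluster is not left without a reference from this page; otherwise confirm in the PR that the target location already covers the `mesh:write` leaf-certificate requirement for mesh gateways.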

View File

@ -439,19 +439,4 @@ Before you can call services from peered clusters, you must set service intentio
} }
``` ```
</CodeBlockConfig> </CodeBlockConfig>
### Authorize service reads with ACLs
If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access.
Read access to all imported services is granted using either of the following rules associated with an ACL token:
- `service:write` permissions for any service in the sidecar's partition.
- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition.
For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities).
Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules.
For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
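Review bot: The hunk removes the "Authorize service reads with ACLs" subsection together with its two links, the "Reading services" section of the `exported-services` configuration entry and the ACLs system overview, so the surrounding context now ends at the service intentions code block with no mention that ACL-enabled clusters also need a token granting read access for sidecars that use exported services as an upstream. Suggest retaining a short cross-reference line (for instance "If ACLs are enabled, refer to [Reading services](/consul/docs/connect/config-entries/exported-services#reading-services) for the token rules sidecars require.") after the `</CodeBlockConfig>` context line. If the removed text is being relocated rather than dropped, note that the deleted link text reads "Reading servers" while the anchor is `#reading-services`; that typo should be fixed in the destination.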