mirror of https://github.com/hashicorp/consul
Backport of docs: Remove ACLs section from k8s cluster peering page into release/1.17.x (#20198)
* backport of commitpull/20223/headce0c9be799
* backport of commit98bb280eac
--------- Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
parent
0b4f4fd703
commit
9a36b73e1b
|
@ -158,12 +158,4 @@ To learn how to change the mesh gateway mode to `local` on your Kubernetes deplo
|
||||||
|
|
||||||
The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters).
|
The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters).
|
||||||
|
|
||||||
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.
|
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.
|
||||||
|
|
||||||
## ACL specifications
|
|
||||||
|
|
||||||
If ACLs are enabled, you must add tokens to grant the following permissions:
|
|
||||||
|
|
||||||
- Grant `service:write` permissions to services that define mesh gateways in their server definition.
|
|
||||||
- Grant `service:read` permissions for all services on the partition.
|
|
||||||
- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
|
|
|
@ -439,19 +439,4 @@ Before you can call services from peered clusters, you must set service intentio
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
</CodeBlockConfig>
|
</CodeBlockConfig>
|
||||||
|
|
||||||
### Authorize service reads with ACLs
|
|
||||||
|
|
||||||
If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access.
|
|
||||||
|
|
||||||
Read access to all imported services is granted using either of the following rules associated with an ACL token:
|
|
||||||
|
|
||||||
- `service:write` permissions for any service in the sidecar's partition.
|
|
||||||
- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition.
|
|
||||||
|
|
||||||
For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities).
|
|
||||||
|
|
||||||
Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules.
|
|
||||||
|
|
||||||
For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
|
|
Loading…
Reference in New Issue