Add description for anon token policy

pull/15311/head
Luke Kysow 2022-11-09 10:12:47 -08:00 committed by GitHub
parent b9a9e1219c
commit cf059b4e3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 45 additions and 0 deletions

@ -258,6 +258,51 @@ You'll need:
}
}
```
1. If ACLs are enabled you'll also need to modify the [anonymous token](/consul/docs/security/acl/acl-tokens#anonymous-token) policy to have the following permissions:
```hcl
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
```
With Consul Enterprise, use:
```hcl
partition_prefix "" {
namespace_prefix "" {
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
}
}
```
These permissions are needed to allow cross-datacenter requests. To make a cross-dc request the sidecar proxy in the originating DC needs to know about the
services running in the remote DC. To do so, it needs an ACL token that allows it to look up the services in the remote DC. The way tokens are created in
Kubernetes, the sidecar proxies have local ACL tokensi.e tokens that are only valid in the local DC. When a request goes from one DC to another, if the
request has a local token, it is stripped from the request because the remote DC won't be able to validate it. When the request lands in the other DC,
it has no ACL token and so will be subject to the anonymous token policy. This is why the anonymous token policy must be configured to allow read access
to all services. When the Kubernetes DC is the primary, this is handled automatically, but when the primary DC is on VMs, this must be configured manually.
To configure the anonymous token policy, first create a policy with the above rules, then attach it to the anonymous token. For example using the CLI:
```sh
echo 'node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}' | consul acl policy create -name anonymous -rules -
consul acl token update -id 00000000-0000-0000-0000-000000000002 -policy-name anonymous
```
1. If gossip encryption is enabled, you'll need the key.
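Review bot: The CLI example at the end of the hunk pipes only the OSS rules (`node_prefix` / `service_prefix`) into `consul acl policy create`, while the text above says Consul Enterprise needs those rules wrapped in `partition_prefix "" { namespace_prefix "" { ... } }`; an Enterprise operator copying the command as written would attach a policy that does not cover other partitions or namespaces. Suggest either a second command for Enterprise or a sentence such as "On Consul Enterprise, pipe the `partition_prefix`/`namespace_prefix` rules shown above instead." Two smaller points: "local ACL tokensi.e tokens" should read "local ACL tokens, i.e. tokens", and since the hunk itself explains that a request arriving without a token is evaluated under the anonymous policy, it is worth stating next to "must be configured to allow read access to all services" that this grants every unauthenticated caller of the remote DC read access to the full node and service catalog, so operators understand the exposure they are accepting.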