Add enterprise docs for deny action (#20654)

9 months ago · f5c2b408f7
3 changed files with 24 additions and 3 deletions
--- a/proto-public/pbauth/v2beta1/traffic_permissions.pb.go
+++ b/proto-public/pbauth/v2beta1/traffic_permissions.pb.go
@ -24,6 +24,9 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

+// Action specifies the behavior of a TrafficPermission.
+// ACTION_DENY is only available in Consul enterprise.
+//
 // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
 // +kubebuilder:validation:Type=string
 type Action int32
@ -75,6 +78,7 @@ func (Action) EnumDescriptor() ([]byte, []int) {
 	return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0}
 }

+// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
 type TrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@ -84,6 +88,7 @@ type TrafficPermissions struct {
 	// where these traffic permissions should apply.
 	Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"`
 	// Action can be either allow or deny for the entire object. It will default to allow.
+	// Deny actions are available only in Consul Enterprise.
 	//
 	// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
 	// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@ -152,6 +157,8 @@ func (x *TrafficPermissions) GetPermissions() []*Permission {
 	return nil
 }

+// NamespaceTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a namespace.
 type NamespaceTrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@ -207,6 +214,8 @@ func (x *NamespaceTrafficPermissions) GetPermissions() []*Permission {
 	return nil
 }

+// PartitionTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a partition.
 type PartitionTrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
--- a/proto-public/pbauth/v2beta1/traffic_permissions.proto
+++ b/proto-public/pbauth/v2beta1/traffic_permissions.proto
@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1;

 import "pbresource/annotations.proto";

+// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
 message TrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};

@ -15,6 +16,7 @@ message TrafficPermissions {
  Destination destination = 1;

  // Action can be either allow or deny for the entire object. It will default to allow.
+  // Deny actions are available only in Consul Enterprise.
  //
  // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
  // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@ -31,6 +33,8 @@ message TrafficPermissions {
  repeated Permission permissions = 3;
 }

+// NamespaceTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a namespace.
 message NamespaceTrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};

@ -38,6 +42,8 @@ message NamespaceTrafficPermissions {
  repeated Permission permissions = 2;
 }

+// PartitionTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a partition.
 message PartitionTrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};

@ -51,6 +57,9 @@ message Destination {
  string identity_name = 1;
 }

+// Action specifies the behavior of a TrafficPermission.
+// ACTION_DENY is only available in Consul enterprise.
+//
 // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
 // +kubebuilder:validation:Type=string
 enum Action {
--- a/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx
+++ b/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx
@ -45,7 +45,7 @@ spec:
  action: allow
  permissions:
    - sources:
-        - identityName: <sourceWorkloadIdentity> 
+        - identityName: <sourceWorkloadIdentity>
      destinationRules:
        - portNames:
            - <servicePortName>
@ -135,6 +135,8 @@ Specifies the Workload identity for a service. The permissions you configure in

 Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).

+`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`.
+
 By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.

 #### Values
@ -143,7 +145,7 @@ By default, Consul allows traffic between all services. When the Helm value `glo
 - Data type: String that must contain one of the following values:

  - `ACTION_ALLOW`
-  - `ACTION_DENY`
+  - `ACTION_DENY` <EnterpriseAlert inline />

 ### `spec.permissions`

@ -221,9 +223,10 @@ spec:

 ```

-### Deny traffic between a service and a specific port
+### Deny traffic between a service and a specific port <EnterpriseAlert inline />

 The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
+This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`.

 ```yaml
 apiVersion: auth.consul.hashicorp.com/v2beta1