From f5c2b408f7eee5eb4dfb2fae2f96a6c25141e6a5 Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Fri, 16 Feb 2024 10:17:21 -0500 Subject: [PATCH] Add enterprise docs for deny action (#20654) --- proto-public/pbauth/v2beta1/traffic_permissions.pb.go | 9 +++++++++ proto-public/pbauth/v2beta1/traffic_permissions.proto | 9 +++++++++ .../docs/k8s/multiport/reference/trafficpermissions.mdx | 9 ++++++--- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/proto-public/pbauth/v2beta1/traffic_permissions.pb.go b/proto-public/pbauth/v2beta1/traffic_permissions.pb.go index c1d489c114..018cb0aa7a 100644 --- a/proto-public/pbauth/v2beta1/traffic_permissions.pb.go +++ b/proto-public/pbauth/v2beta1/traffic_permissions.pb.go @@ -24,6 +24,9 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Action specifies the behavior of a TrafficPermission. +// ACTION_DENY is only available in Consul enterprise. +// // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN // +kubebuilder:validation:Type=string type Action int32 @@ -75,6 +78,7 @@ func (Action) EnumDescriptor() ([]byte, []int) { return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0} } +// TrafficPermissions authorizes traffic between workloads in a Consul service mesh. type TrafficPermissions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -84,6 +88,7 @@ type TrafficPermissions struct { // where these traffic permissions should apply. Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"` // Action can be either allow or deny for the entire object. It will default to allow. + // Deny actions are available only in Consul Enterprise. // // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow 
@@ -152,6 +157,8 @@ func (x *TrafficPermissions) GetPermissions() []*Permission { return nil } +// NamespaceTrafficPermissions represents traffic permissions that should +// apply to all destinations in a namespace. type NamespaceTrafficPermissions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -207,6 +214,8 @@ func (x *NamespaceTrafficPermissions) GetPermissions() []*Permission { return nil } +// PartitionTrafficPermissions represents traffic permissions that should +// apply to all destinations in a partition. type PartitionTrafficPermissions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/proto-public/pbauth/v2beta1/traffic_permissions.proto b/proto-public/pbauth/v2beta1/traffic_permissions.proto index 3b6ba61dbd..fa56fdd14d 100644 --- a/proto-public/pbauth/v2beta1/traffic_permissions.proto +++ b/proto-public/pbauth/v2beta1/traffic_permissions.proto @@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1; import "pbresource/annotations.proto"; +// TrafficPermissions authorizes traffic between workloads in a Consul service mesh. message TrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; @@ -15,6 +16,7 @@ message TrafficPermissions { Destination destination = 1; // Action can be either allow or deny for the entire object. It will default to allow. + // Deny actions are available only in Consul Enterprise. // // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow @@ -31,6 +33,8 @@ message TrafficPermissions { repeated Permission permissions = 3; } +// NamespaceTrafficPermissions represents traffic permissions that should +// apply to all destinations in a namespace. message NamespaceTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; 
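Review bot: The new comment `// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.` in the `@@ -7,6 +7,7 @@` hunk of traffic_permissions.proto describes only the allow case, while the `action` field a few lines below explicitly admits deny. A reader who sees only the message comment would not expect the resource to ever block traffic. I would word it as `// TrafficPermissions controls (allows or denies) traffic between workloads in a Consul service mesh.` so it matches the field it introduces; the same sentence is mirrored into the generated .pb.go and would follow on regeneration.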
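Review bot: The added line `// Deny actions are available only in Consul Enterprise.` in the `@@ -15,6 +16,7 @@` hunk says where deny is supported but not what happens when `ACTION_DENY` is set on a Community Edition cluster, and for an authorization object that is the detail an operator needs: a resource rejected at validation is noticed, but a deny that is ignored or treated as allow leaves traffic flowing that the operator believes is blocked. I would extend the comment to state the Community Edition outcome explicitly, e.g. `// Deny actions are available only in Consul Enterprise; on Community Edition a resource with ACTION_DENY is <rejected at validation or ignored — confirm against the validation code>.`, filling in whichever the validator actually does. The Action enum comment in the `@@ -51,6 +57,9 @@` hunk has the same gap, and it writes "Consul enterprise" where this hunk writes "Consul Enterprise", so the two should settle on one spelling. Since the `+kubebuilder:validation:Enum` marker on that enum still lists ACTION_DENY, the CRD schema presumably accepts the value on either edition, which makes the documented runtime behaviour the only place the distinction is visible to the user.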
@@ -38,6 +42,8 @@ message NamespaceTrafficPermissions { repeated Permission permissions = 2; } +// PartitionTrafficPermissions represents traffic permissions that should +// apply to all destinations in a partition. message PartitionTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION}; @@ -51,6 +57,9 @@ message Destination { string identity_name = 1; } +// Action specifies the behavior of a TrafficPermission. +// ACTION_DENY is only available in Consul enterprise. +// // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN // +kubebuilder:validation:Type=string enum Action { diff --git a/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx b/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx index 19e8a20ace..2db89b310c 100644 --- a/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx +++ b/website/content/docs/k8s/multiport/reference/trafficpermissions.mdx @@ -45,7 +45,7 @@ spec: action: allow permissions: - sources: - - identityName: + - identityName: destinationRules: - portNames: - @@ -135,6 +135,8 @@ Specifies the Workload identity for a service. The permissions you configure in Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources). +`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`. + By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic. #### Values 
@@ -143,7 +145,7 @@ By default, Consul allows traffic between all services. When the Helm value `glo - Data type: String that must contain one of the following values: - `ACTION_ALLOW` - - `ACTION_DENY` + - `ACTION_DENY` ### `spec.permissions` @@ -221,9 +223,10 @@ spec: ``` -### Deny traffic between a service and a specific port +### Deny traffic between a service and a specific port The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port. +This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`. ```yaml apiVersion: auth.consul.hashicorp.com/v2beta1