Add enterprise docs for deny action (#20654)

pull/20670/head
Chris S. Kim 2024-02-16 10:17:21 -05:00 committed by GitHub
parent 2baf5e78a4
commit f5c2b408f7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 24 additions and 3 deletions


@ -24,6 +24,9 @@ const (
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
) )
// Action specifies the behavior of a TrafficPermission.
// ACTION_DENY is only available in Consul enterprise.
//
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
// +kubebuilder:validation:Type=string // +kubebuilder:validation:Type=string
type Action int32 type Action int32
@ -75,6 +78,7 @@ func (Action) EnumDescriptor() ([]byte, []int) {
return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0} return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0}
} }
// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
type TrafficPermissions struct { type TrafficPermissions struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@ -84,6 +88,7 @@ type TrafficPermissions struct {
// where these traffic permissions should apply. // where these traffic permissions should apply.
Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"` Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"`
// Action can be either allow or deny for the entire object. It will default to allow. // Action can be either allow or deny for the entire object. It will default to allow.
// Deny actions are available only in Consul Enterprise.
// //
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@ -152,6 +157,8 @@ func (x *TrafficPermissions) GetPermissions() []*Permission {
return nil return nil
} }
// NamespaceTrafficPermissions represents traffic permissions that should
// apply to all destinations in a namespace.
type NamespaceTrafficPermissions struct { type NamespaceTrafficPermissions struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@ -207,6 +214,8 @@ func (x *NamespaceTrafficPermissions) GetPermissions() []*Permission {
return nil return nil
} }
// PartitionTrafficPermissions represents traffic permissions that should
// apply to all destinations in a partition.
type PartitionTrafficPermissions struct { type PartitionTrafficPermissions struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache


@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1;
import "pbresource/annotations.proto"; import "pbresource/annotations.proto";
// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
message TrafficPermissions { message TrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
@ -15,6 +16,7 @@ message TrafficPermissions {
Destination destination = 1; Destination destination = 1;
// Action can be either allow or deny for the entire object. It will default to allow. // Action can be either allow or deny for the entire object. It will default to allow.
// Deny actions are available only in Consul Enterprise.
// //
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@ -31,6 +33,8 @@ message TrafficPermissions {
repeated Permission permissions = 3; repeated Permission permissions = 3;
} }
// NamespaceTrafficPermissions represents traffic permissions that should
// apply to all destinations in a namespace.
message NamespaceTrafficPermissions { message NamespaceTrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
@ -38,6 +42,8 @@ message NamespaceTrafficPermissions {
repeated Permission permissions = 2; repeated Permission permissions = 2;
} }
// PartitionTrafficPermissions represents traffic permissions that should
// apply to all destinations in a partition.
message PartitionTrafficPermissions { message PartitionTrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION}; option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
@ -51,6 +57,9 @@ message Destination {
string identity_name = 1; string identity_name = 1;
} }
// Action specifies the behavior of a TrafficPermission.
// ACTION_DENY is only available in Consul enterprise.
//
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
// +kubebuilder:validation:Type=string // +kubebuilder:validation:Type=string
enum Action { enum Action {
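Review bot: The added comment on `enum Action` (and the matching one on the `action` field in the earlier hunk) says `ACTION_DENY` is Enterprise-only but does not say what Community Edition does with a resource that sets it, while the kubebuilder enum annotation directly below still lists `ACTION_DENY` as an accepted value. A reader cannot tell whether such a resource is rejected at validation or accepted and then not enforced; the latter would be a silent fail-open for a deny rule, so the comment should state the actual behavior. Suggest extending it to something like `// ACTION_DENY is only available in Consul Enterprise; Community Edition <rejects / ignores — confirm> a resource that sets it.` The same wording is mirrored in the generated Go file in the first section, which is regenerated from this proto, so the fix belongs here.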


@ -45,7 +45,7 @@ spec:
action: allow action: allow
permissions: permissions:
- sources: - sources:
- identityName: <sourceWorkloadIdentity> - identityName: <sourceWorkloadIdentity>
destinationRules: destinationRules:
- portNames: - portNames:
- <servicePortName> - <servicePortName>
@ -135,6 +135,8 @@ Specifies the Workload identity for a service. The permissions you configure in
Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources). Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).
`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`.
By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic. By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.
#### Values #### Values
@ -143,7 +145,7 @@ By default, Consul allows traffic between all services. When the Helm value `glo
- Data type: String that must contain one of the following values: - Data type: String that must contain one of the following values:
- `ACTION_ALLOW` - `ACTION_ALLOW`
- `ACTION_DENY` - `ACTION_DENY` <EnterpriseAlert inline />
### `spec.permissions` ### `spec.permissions`
@ -221,9 +223,10 @@ spec:
``` ```
### Deny traffic between a service and a specific port ### Deny traffic between a service and a specific port <EnterpriseAlert inline />
The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port. The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`.
```yaml ```yaml
apiVersion: auth.consul.hashicorp.com/v2beta1 apiVersion: auth.consul.hashicorp.com/v2beta1