mirror of https://github.com/hashicorp/consul
Add enterprise docs for deny action (#20654)
parent
2baf5e78a4
commit
f5c2b408f7
|
@ -24,6 +24,9 @@ const (
|
||||||
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
|
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Action specifies the behavior of a TrafficPermission.
|
||||||
|
// ACTION_DENY is only available in Consul enterprise.
|
||||||
|
//
|
||||||
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
|
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
|
||||||
// +kubebuilder:validation:Type=string
|
// +kubebuilder:validation:Type=string
|
||||||
type Action int32
|
type Action int32
|
||||||
|
@ -75,6 +78,7 @@ func (Action) EnumDescriptor() ([]byte, []int) {
|
||||||
return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0}
|
return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
|
||||||
type TrafficPermissions struct {
|
type TrafficPermissions struct {
|
||||||
state protoimpl.MessageState
|
state protoimpl.MessageState
|
||||||
sizeCache protoimpl.SizeCache
|
sizeCache protoimpl.SizeCache
|
||||||
|
@ -84,6 +88,7 @@ type TrafficPermissions struct {
|
||||||
// where these traffic permissions should apply.
|
// where these traffic permissions should apply.
|
||||||
Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"`
|
Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"`
|
||||||
// Action can be either allow or deny for the entire object. It will default to allow.
|
// Action can be either allow or deny for the entire object. It will default to allow.
|
||||||
|
// Deny actions are available only in Consul Enterprise.
|
||||||
//
|
//
|
||||||
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
||||||
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
|
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
|
||||||
|
@ -152,6 +157,8 @@ func (x *TrafficPermissions) GetPermissions() []*Permission {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NamespaceTrafficPermissions represents traffic permissions that should
|
||||||
|
// apply to all destinations in a namespace.
|
||||||
type NamespaceTrafficPermissions struct {
|
type NamespaceTrafficPermissions struct {
|
||||||
state protoimpl.MessageState
|
state protoimpl.MessageState
|
||||||
sizeCache protoimpl.SizeCache
|
sizeCache protoimpl.SizeCache
|
||||||
|
@ -207,6 +214,8 @@ func (x *NamespaceTrafficPermissions) GetPermissions() []*Permission {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PartitionTrafficPermissions represents traffic permissions that should
|
||||||
|
// apply to all destinations in a partition.
|
||||||
type PartitionTrafficPermissions struct {
|
type PartitionTrafficPermissions struct {
|
||||||
state protoimpl.MessageState
|
state protoimpl.MessageState
|
||||||
sizeCache protoimpl.SizeCache
|
sizeCache protoimpl.SizeCache
|
||||||
|
|
|
@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1;
|
||||||
|
|
||||||
import "pbresource/annotations.proto";
|
import "pbresource/annotations.proto";
|
||||||
|
|
||||||
|
// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
|
||||||
message TrafficPermissions {
|
message TrafficPermissions {
|
||||||
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
||||||
|
|
||||||
|
@ -15,6 +16,7 @@ message TrafficPermissions {
|
||||||
Destination destination = 1;
|
Destination destination = 1;
|
||||||
|
|
||||||
// Action can be either allow or deny for the entire object. It will default to allow.
|
// Action can be either allow or deny for the entire object. It will default to allow.
|
||||||
|
// Deny actions are available only in Consul Enterprise.
|
||||||
//
|
//
|
||||||
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
||||||
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
|
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
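Review bot: The comment added on the `action` field says deny is Enterprise-only but not that a deny cannot be overridden by an allow, which the markdown page in this same commit states in plain terms; since this .proto comment is what the generated Go file and the CRD schema carry, the precedence rule belongs here as well. I would extend the added line to `// Deny actions are available only in Consul Enterprise and cannot be overridden by an allow action.`. The same applies to the enum comment added in the `@ -51,6 +57,9 @@` hunk, which additionally writes "Consul enterprise" in lowercase where this line writes "Consul Enterprise"; the two should use the same spelling. What a non-Enterprise server does with a deny action (rejects it at validation or ignores it) is not stated anywhere in this change; if that behaviour is defined, a short pointer to it in this comment would help readers of the generated code. The enclosing `message TrafficPermissions` begins before this hunk.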
|
||||||
|
@ -31,6 +33,8 @@ message TrafficPermissions {
|
||||||
repeated Permission permissions = 3;
|
repeated Permission permissions = 3;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NamespaceTrafficPermissions represents traffic permissions that should
|
||||||
|
// apply to all destinations in a namespace.
|
||||||
message NamespaceTrafficPermissions {
|
message NamespaceTrafficPermissions {
|
||||||
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
||||||
|
|
||||||
|
@ -38,6 +42,8 @@ message NamespaceTrafficPermissions {
|
||||||
repeated Permission permissions = 2;
|
repeated Permission permissions = 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PartitionTrafficPermissions represents traffic permissions that should
|
||||||
|
// apply to all destinations in a partition.
|
||||||
message PartitionTrafficPermissions {
|
message PartitionTrafficPermissions {
|
||||||
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
|
||||||
|
|
||||||
|
@ -51,6 +57,9 @@ message Destination {
|
||||||
string identity_name = 1;
|
string identity_name = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Action specifies the behavior of a TrafficPermission.
|
||||||
|
// ACTION_DENY is only available in Consul enterprise.
|
||||||
|
//
|
||||||
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
|
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
|
||||||
// +kubebuilder:validation:Type=string
|
// +kubebuilder:validation:Type=string
|
||||||
enum Action {
|
enum Action {
|
||||||
|
|
|
@ -45,7 +45,7 @@ spec:
|
||||||
action: allow
|
action: allow
|
||||||
permissions:
|
permissions:
|
||||||
- sources:
|
- sources:
|
||||||
- identityName: <sourceWorkloadIdentity>
|
- identityName: <sourceWorkloadIdentity>
|
||||||
destinationRules:
|
destinationRules:
|
||||||
- portNames:
|
- portNames:
|
||||||
- <servicePortName>
|
- <servicePortName>
|
||||||
|
@ -135,6 +135,8 @@ Specifies the Workload identity for a service. The permissions you configure in
|
||||||
|
|
||||||
Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).
|
Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).
|
||||||
|
|
||||||
|
`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`.
|
||||||
|
|
||||||
By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.
|
By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.
|
||||||
|
|
||||||
#### Values
|
#### Values
|
||||||
|
@ -143,7 +145,7 @@ By default, Consul allows traffic between all services. When the Helm value `glo
|
||||||
- Data type: String that must contain one of the following values:
|
- Data type: String that must contain one of the following values:
|
||||||
|
|
||||||
- `ACTION_ALLOW`
|
- `ACTION_ALLOW`
|
||||||
- `ACTION_DENY`
|
- `ACTION_DENY` <EnterpriseAlert inline />
|
||||||
|
|
||||||
### `spec.permissions`
|
### `spec.permissions`
|
||||||
|
|
||||||
|
@ -221,9 +223,10 @@ spec:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Deny traffic between a service and a specific port
|
### Deny traffic between a service and a specific port <EnterpriseAlert inline />
|
||||||
|
|
||||||
The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
|
The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
|
||||||
|
This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
apiVersion: auth.consul.hashicorp.com/v2beta1
|
apiVersion: auth.consul.hashicorp.com/v2beta1
|
||||||
|
|