---
layout: docs
page_title: Service Mesh - Kubernetes
description: >-
  Connect is a feature built into Consul that enables automatic
  service-to-service authorization and connection encryption across your Consul
  services. Connect can be used with Kubernetes to secure pod communication with
  other services.
---

# Connect Service Mesh on Kubernetes

[Connect](/docs/connect) is a feature built into Consul that enables
automatic service-to-service authorization and connection encryption across
your Consul services. Connect can be used with Kubernetes to secure pod
communication with other pods and external Kubernetes services.

The Connect sidecar running Envoy can be automatically injected into pods in
your cluster, making configuration for Kubernetes automatic.

This functionality is provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s) and can be
automatically installed and configured using the
[Consul Helm chart](/docs/k8s/installation/install).

## Usage

When the
[Connect injector is installed](/docs/k8s/connect#installation-and-configuration),
the Connect sidecar can be automatically added to all pods. This sidecar can both
accept and establish connections using Connect, enabling the pod to communicate
to clients and dependencies exclusively over authorized and encrypted
connections.

-> **Note:** The examples in this section are valid and use
publicly available images. If you've installed the Connect injector, feel free
to run the examples in this section to try Connect with Kubernetes.
See the [Installation and Configuration](#installation-and-configuration) section
below for how to properly install and configure the Connect injector.

### Accepting Inbound Connections

An example Deployment is shown below with Connect enabled to accept inbound
connections. Notice that the Deployment would still be fully functional without
Connect. Minimal to zero modifications are required to enable Connect in Kubernetes.
Notice also that even though we're using a Deployment here, the same configuration
would work on a Pod, a StatefulSet, or a DaemonSet.

This Deployment specification starts a server that responds to any
HTTP request with the static text "hello world".

-> **Note:** As of consul-k8s `v0.26.0` and Consul Helm `v0.32.0`, having a Kubernetes
service is **required** to run services on the Consul Service Mesh.

```yaml
apiVersion: v1
kind: Service
metadata:
  # This name will be the service name in Consul.
  name: static-server
spec:
  selector:
    app: static-server
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-server
  template:
    metadata:
      name: static-server
      labels:
        app: static-server
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      containers:
        - name: static-server
          image: hashicorp/http-echo:latest
          args:
            - -text="hello world"
            - -listen=:8080
          ports:
            - containerPort: 8080
              name: http
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: static-server
```

The only change for Connect is the addition of the
`consul.hashicorp.com/connect-inject` annotation. This enables injection
for the Pod in this Deployment. The injector can also be
[configured](/docs/k8s/connect#installation-and-configuration)
to automatically inject unless explicitly disabled, but the default
installation requires opt-in using the annotation shown above.

~> **A common mistake** is to set the annotation on the Deployment or
other resource. Ensure that the injector annotations are specified on
the _pod specification template_ as shown above.

This will start a sidecar proxy that listens on port `20000`, registered
with Consul, and proxies valid inbound connections to port 8080 in the pod.
To establish a connection to the pod using Connect, a client must use another Connect
proxy. The client Connect proxy will use Consul service discovery to find
all available upstream proxies and their public ports.

In the example above, the server is listening on `:8080`.
By default, the Consul Service Mesh runs in [transparent proxy](/docs/connect/transparent-proxy) mode.
This means that even though the server binds to all interfaces,
inbound and outbound connections will automatically go through the sidecar proxy.
It also allows you to use Kubernetes DNS like you normally would without the
Consul Service Mesh.

-> **Note:** As of consul `v1.10.0`, consul-k8s `v0.26.0` and Consul Helm `v0.32.0`,
all Consul Service Mesh services will run with transparent proxy enabled by default. Running with transparent
proxy will enforce all inbound and outbound traffic to go through the Envoy proxy.

The service name registered in Consul will be set to the name of the Kubernetes service
associated with the Pod. This can be customized with the `consul.hashicorp.com/connect-service`
annotation. If using ACLs, this name must be the same as the Pod's `ServiceAccount` name.

### Connecting to Connect-Enabled Services

The example Deployment specification below configures a Deployment that is capable
of establishing connections to our previous example "static-server" service. The
connection to this static text service happens over an authorized and encrypted
connection via Connect.

-> **Note:** As of consul-k8s `v0.26.0` and Consul Helm `v0.32.0`, having a Kubernetes
Service is **required** to run services on the Consul Service Mesh.

```yaml
apiVersion: v1
kind: Service
metadata:
  # This name will be the service name in Consul.
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      name: static-client
      labels:
        app: static-client
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      containers:
        - name: static-client
          image: curlimages/curl:latest
          # Just spin & wait forever, we'll use `kubectl exec` to demo
          command: ['/bin/sh', '-c', '--']
          args: ['while true; do sleep 30; done;']
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: static-client
```

By default, when ACLs are disabled or the ACL default policy is `allow`,
Consul will automatically configure proxies with all upstreams from the same datacenter.
When ACLs are enabled with the default `deny` policy,
you must supply an [intention](/docs/connect/intentions) to tell Consul which upstream you need to talk to.

When upstreams are specified explicitly with the
[`consul.hashicorp.com/connect-service-upstreams` annotation](/docs/k8s/connect#consul-hashicorp-com-connect-service-upstreams),
the injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
and `<NAME>_CONNECT_SERVICE_PORT` in every container in the Pod for every defined
upstream. This is analogous to the standard Kubernetes service environment variables, but
these point instead to the correct local proxy port to establish connections via
Connect.

We can verify access to the static text server using `kubectl exec`.
Because transparent proxy is enabled by default,
we use Kubernetes DNS to connect to our desired upstream.

```shell-session
$ kubectl exec deploy/static-client -- curl --silent http://static-server/
"hello world"
```

We can control access to the server using [intentions](/docs/connect/intentions).
If you use the Consul UI or [CLI](/commands/intention/create) to
create a deny [intention](/docs/connect/intentions) between
"static-client" and "static-server", connections are immediately rejected
without updating either of the running pods. You can then remove this
intention to allow connections again.

```shell-session
$ kubectl exec deploy/static-client -- curl --silent http://static-server/
command terminated with exit code 52
```

### Available Annotations

Pod annotations can be used to configure the injection behavior.

- `consul.hashicorp.com/connect-inject` - If this is "true" then injection
  is enabled. If this is "false" then injection is explicitly disabled.
  The default injector behavior requires pods to opt-in to injection by
  specifying this value as "true". This default can be changed in the
  injector's configuration if desired.

- `consul.hashicorp.com/transparent-proxy` - If this is "true", this Pod
  will run with transparent proxy enabled. This means you can use Kubernetes
  DNS to access upstream services and all inbound and outbound traffic within
  the pod is redirected to go through the proxy.

- `consul.hashicorp.com/transparent-proxy-overwrite-probes` - If this is "true"
  and transparent proxy is enabled, the Connect injector will overwrite Kubernetes
  HTTP probes to point to the Envoy proxy.

- `consul.hashicorp.com/transparent-proxy-exclude-inbound-ports` - A comma-separated
  list of inbound ports to exclude from traffic redirection when running in transparent proxy
  mode. Traffic on an excluded port bypasses the sidecar entirely, so it is neither
  encrypted nor subject to intentions; keep this list as short as possible.

- `consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs` - A comma-separated
  list of outbound CIDRs to exclude from traffic redirection when running in transparent proxy
  mode.

- `consul.hashicorp.com/transparent-proxy-exclude-outbound-ports` - A comma-separated
  list of outbound ports to exclude from traffic redirection when running in transparent proxy
  mode.

- `consul.hashicorp.com/transparent-proxy-exclude-uids` - A comma-separated
  list of additional user IDs to exclude from traffic redirection when running in transparent proxy
  mode.

- `consul.hashicorp.com/connect-service` - For pods that accept inbound
  connections, this specifies the name of the service that is being
  served. This defaults to the name of the Kubernetes service associated with the pod.

  If using ACLs, this must be the same name as the Pod's `ServiceAccount`.

- `consul.hashicorp.com/connect-service-port` - For pods that accept inbound
  connections, this specifies the port to route inbound connections to. This
  is the port that the service is listening on. The service port defaults to
  the first exposed port on any container in the pod. If specified, the value
  can be the _name_ of a configured port, such as "http" or it can be a direct
  port value such as "8080". This is the port of the _service_; the proxy's
  public listener uses its own port (`20000`, as noted above), not this one.

- `consul.hashicorp.com/connect-service-upstreams` - The list of upstream
  services that this pod needs to connect to via Connect along with a static
  local port to listen for those connections. When transparent proxy is enabled,
  this annotation is optional.

  - Services

    The name of the service is the name of the service registered with Consul. You can optionally specify datacenters with this annotation.

    ```yaml
    annotations:
      "consul.hashicorp.com/connect-service-upstreams": "[service-name]:[port]:[optional datacenter]"
    ```

  - Consul Enterprise Namespaces

    If running Consul Enterprise 1.7+, your upstream services may be running in different
    namespaces. The upstream namespace can be specified after the service name
    as `[service-name].[namespace]`. See [Consul Enterprise Namespaces](#consul-enterprise-namespaces)
    below for more details on configuring the injector.

    ```yaml
    annotations:
      "consul.hashicorp.com/connect-service-upstreams": "[service-name].[service-namespace]:[port]:[optional datacenter]"
    ```

    -> **NOTE:** If the namespace is not specified it will default to the namespace
    of the source service.

    ~> **WARNING:** Setting a namespace when not using Consul Enterprise or using a version < 1.7
    is not supported. It will be treated as part of the service name.

  - [Prepared Query](/docs/connect/proxies#dynamic-upstreams-require-native-integration)

    ```yaml
    annotations:
      'consul.hashicorp.com/connect-service-upstreams': 'prepared_query:[query name]:[port]'
    ```

  - Multiple Upstreams

    If you would like to specify multiple services or upstreams, delimit them with commas:

    ```yaml
    annotations:
      "consul.hashicorp.com/connect-service-upstreams": "[service-name]:[port]:[optional datacenter],[service-name]:[port]:[optional datacenter]"
    ```

    ```yaml
    annotations:
      "consul.hashicorp.com/connect-service-upstreams": "[service-name]:[port]:[optional datacenter],prepared_query:[query name]:[port]"
    ```

- `consul.hashicorp.com/envoy-extra-args` - A space-separated list of [arguments](https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
  to be passed to the injected envoy binary.

  ```yaml
  annotations:
    consul.hashicorp.com/envoy-extra-args: '--log-level debug --disable-hot-restart'
  ```

- `consul.hashicorp.com/service-tags` - A comma separated list of tags that will
  be applied to the Consul service and its sidecar.

  ```yaml
  annotations:
    consul.hashicorp.com/service-tags: foo,bar,baz
  ```

  If you need your tag to have a comma in it you can escape the comma with `\,`. For example,
  `consul.hashicorp.com/service-tags: foo\,bar\,baz` will become the single tag `foo,bar,baz`.

- `consul.hashicorp.com/service-meta-<YOUR_KEY>` - Set Consul meta key/value
  pairs that will be applied to the Consul service and its sidecar.
  The key will be what comes after `consul.hashicorp.com/service-meta-`, e.g.
  `consul.hashicorp.com/service-meta-foo: bar` will result in `foo: bar`.

  ```yaml
  annotations:
    consul.hashicorp.com/service-meta-foo: baz
    consul.hashicorp.com/service-meta-bar: baz
  ```

- `consul.hashicorp.com/sidecar-proxy-` - Override default resource settings for
  the sidecar proxy container.
  The defaults are set in Helm config via the [`connectInject.sidecarProxy.resources`](/docs/k8s/helm#v-connectinject-sidecarproxy-resources) key.

  - `consul.hashicorp.com/sidecar-proxy-cpu-limit` - Override the default CPU limit.
  - `consul.hashicorp.com/sidecar-proxy-cpu-request` - Override the default CPU request.
  - `consul.hashicorp.com/sidecar-proxy-memory-limit` - Override the default memory limit.
  - `consul.hashicorp.com/sidecar-proxy-memory-request` - Override the default memory request.

- `consul.hashicorp.com/consul-sidecar-` - Override default resource settings for
  the `consul-sidecar` container.
  The defaults are set in Helm config via the [`global.consulSidecarContainer.resources`](/docs/k8s/helm#v-global-consulsidecarcontainer) key.

  - `consul.hashicorp.com/consul-sidecar-cpu-limit` - Override the default CPU limit.
  - `consul.hashicorp.com/consul-sidecar-cpu-request` - Override the default CPU request.
  - `consul.hashicorp.com/consul-sidecar-memory-limit` - Override the default memory limit.
  - `consul.hashicorp.com/consul-sidecar-memory-request` - Override the default memory request.

- `consul.hashicorp.com/enable-metrics` - Override the default Helm value [`connectInject.metrics.defaultEnabled`](/docs/k8s/helm#v-connectinject-metrics-defaultenabled).
- `consul.hashicorp.com/enable-metrics-merging` - Override the default Helm value [`connectInject.metrics.defaultEnableMerging`](/docs/k8s/helm#v-connectinject-metrics-defaultenablemerging).
- `consul.hashicorp.com/merged-metrics-port` - Override the default Helm value [`connectInject.metrics.defaultMergedMetricsPort`](/docs/k8s/helm#v-connectinject-metrics-defaultmergedmetricsport).
- `consul.hashicorp.com/prometheus-scrape-port` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePort`](/docs/k8s/helm#v-connectinject-metrics-defaultprometheusscrapeport).
- `consul.hashicorp.com/prometheus-scrape-path` - Override the default Helm value [`connectInject.metrics.defaultPrometheusScrapePath`](/docs/k8s/helm#v-connectinject-metrics-defaultprometheusscrapepath).
- `consul.hashicorp.com/service-metrics-port` - Set the port where the Connect service exposes metrics.
- `consul.hashicorp.com/service-metrics-path` - Set the path where the Connect service exposes metrics.
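
The upstream, tag and meta annotation formats above are easy to get subtly wrong (a dotted service name on non-Enterprise Consul, an escaped comma in a tag). The following is an added example, not code from consul-k8s, that parses those three annotations exactly as the reference above describes them and derives the `<NAME>_CONNECT_SERVICE_HOST`/`_PORT` variable names for explicit upstreams. The naming rule used in `upstream_env` (upper-case the upstream name, replace `-` with `_`, host `127.0.0.1`) is an assumption about the injector's behaviour and should be checked against a real pod; the `enterprise` flag stands in for the Consul edition the page says decides how a dot in the service name is read.

```python
"""Parse the Connect injector annotations documented above.

Added illustration, not code from consul-k8s. The upstream grammar is the
one given in the annotation reference on this page:

    [service-name][.namespace]:[port][:datacenter]
    prepared_query:[query-name]:[port]

The `<NAME>_CONNECT_SERVICE_HOST/PORT` naming rule used in `upstream_env`
(upper-case the upstream name, replace '-' with '_', host 127.0.0.1) is an
assumption about the injector's behaviour; confirm it against a real pod.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PREFIX = "consul.hashicorp.com/"


@dataclass(frozen=True)
class Upstream:
    name: str                         # Consul service name or prepared-query name
    port: int                         # static local port the sidecar listens on
    kind: str = "service"             # "service" or "prepared_query"
    namespace: Optional[str] = None   # Consul Enterprise namespace, if any
    datacenter: Optional[str] = None


def split_unescaped(value: str, sep: str = ",") -> List[str]:
    """Split on `sep`, honouring the `\\,` escape the service-tags annotation allows."""
    parts, buf, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == sep:
            buf.append(sep)
            i += 2
            continue
        if value[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(value[i])
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_upstream(spec: str, enterprise: bool) -> Upstream:
    fields = spec.split(":")
    if fields[0] == "prepared_query":
        if len(fields) != 3:
            raise ValueError(f"malformed prepared query upstream: {spec!r}")
        return Upstream(fields[1], int(fields[2]), kind="prepared_query")
    if len(fields) not in (2, 3):
        raise ValueError(f"malformed upstream: {spec!r}")
    name, namespace = fields[0], None
    # Only Consul Enterprise 1.7+ reads `svc.ns` as a namespace qualifier;
    # on other versions the dot is simply part of the service name.
    if enterprise and "." in name:
        name, namespace = name.split(".", 1)
    datacenter = fields[2] if len(fields) == 3 else None
    return Upstream(name, int(fields[1]), namespace=namespace, datacenter=datacenter)


def parse_upstreams(annotations: Dict[str, str], enterprise: bool = False) -> List[Upstream]:
    raw = annotations.get(PREFIX + "connect-service-upstreams", "")
    return [parse_upstream(s.strip(), enterprise) for s in raw.split(",") if s.strip()]


def parse_tags(annotations: Dict[str, str]) -> List[str]:
    return split_unescaped(annotations.get(PREFIX + "service-tags", ""))


def parse_meta(annotations: Dict[str, str]) -> Dict[str, str]:
    key_prefix = PREFIX + "service-meta-"
    return {k[len(key_prefix):]: v for k, v in annotations.items() if k.startswith(key_prefix)}


def upstream_env(upstreams: List[Upstream]) -> Dict[str, str]:
    """Variables the injector adds for explicit upstreams (naming rule assumed, see docstring)."""
    env = {}
    for u in upstreams:
        key = re.sub(r"[^A-Z0-9]", "_", u.name.upper())
        env[f"{key}_CONNECT_SERVICE_HOST"] = "127.0.0.1"
        env[f"{key}_CONNECT_SERVICE_PORT"] = str(u.port)
    return env
```

Run `parse_upstreams(...)` twice, once with `enterprise=True` and once with `enterprise=False`, on an annotation such as `billing.finance:8080:dc2` to see the difference the warning above describes: the Enterprise parse yields service `billing` in namespace `finance`, while the other yields a service literally named `billing.finance`.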

## Installation and Configuration

The Connect sidecar proxy is injected via a
[mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s).
This enables the automatic pod mutation shown in the usage section above.
Installation of the mutating admission webhook is automated using the
[Helm chart](/docs/k8s/installation/install).

To install the Connect injector, enable the Connect injection feature using
[Helm values](/docs/k8s/helm#configuration-values) and
upgrade the installation using `helm upgrade` for existing installs or
`helm install` for a fresh install.

```yaml
connectInject:
  enabled: true
controller:
  enabled: true
```

This will configure the injector to inject when the
[injection annotation](#consul-hashicorp-com-connect-inject)
is set to `true`. Other values in the Helm chart can be used to limit the namespaces
the injector runs in, enable injection by default, and more.

### Controlling Injection Via Annotation

By default, the injector will inject only when the
[injection annotation](#consul-hashicorp-com-connect-inject)
on the pod (not the deployment) is set to `true`:

```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'true'
```

### Injection Defaults

If you wish for the injector to always inject, you can set the default to `true`
in the Helm chart:

```yaml
connectInject:
  enabled: true
  default: true
```

You can then exclude specific pods via annotation:

```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'false'
```

Note that this is an opt-out model: anyone who can set annotations on a pod can
take that pod out of the mesh, so injection defaults are not a substitute for
restricting who may deploy workloads.

### Controlling Injection Via Namespace

You can control which Kubernetes namespaces are allowed to be injected via
the `k8sAllowNamespaces` and `k8sDenyNamespaces` keys:

```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['*']
  k8sDenyNamespaces: []
```

In the default configuration (shown above), services from all namespaces are allowed
to be injected. Whether or not they're injected depends on the value of `connectInject.default`
and the `consul.hashicorp.com/connect-inject` annotation.

If you wish to only enable injection in specific namespaces, you can list only those
namespaces in the `k8sAllowNamespaces` key. In the configuration below
only the `my-ns-1` and `my-ns-2` namespaces will be enabled for injection.
All other namespaces will be ignored, even if the connect inject [annotation](#consul-hashicorp-com-connect-inject)
is set.

```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['my-ns-1', 'my-ns-2']
  k8sDenyNamespaces: []
```

If you wish to enable injection in every namespace _except_ specific namespaces, you can
use `*` in the allow list to allow all namespaces and then specify the namespaces to exclude in the deny list:

```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['*']
  k8sDenyNamespaces: ['no-inject-ns-1', 'no-inject-ns-2']
```

-> **NOTE:** The deny list takes precedence over the allow list. If a namespace
is listed in both lists, it will **not** be injected.

~> **NOTE:** The `kube-system` and `kube-public` namespaces will never be injected.
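
The three controls above (the per-pod annotation, `connectInject.default`, and the namespace allow/deny lists) combine in a fixed order, and the result decides whether a workload gets mTLS and intention enforcement at all. The following is an added example, not the consul-k8s webhook's own code, that encodes those rules as described in this section so you can audit a set of pods for ones that would end up outside the mesh. `InjectorConfig` and the pod dicts are constructed for the example; the behaviour for annotation values other than `"true"` and `"false"` is not defined on this page, so the function rejects them rather than guessing.

```python
"""Decide whether the Connect injector would add a sidecar to a pod.

Added illustration of the injection rules described in this section; it is
not the consul-k8s webhook's own code. `InjectorConfig` mirrors the Helm
values `connectInject.default`, `connectInject.k8sAllowNamespaces` and
`connectInject.k8sDenyNamespaces`.
"""
from dataclasses import dataclass, field
from typing import Dict, List

INJECT_ANNOTATION = "consul.hashicorp.com/connect-inject"
# Never injected, whatever the lists or annotations say.
SYSTEM_NAMESPACES = frozenset({"kube-system", "kube-public"})


@dataclass
class InjectorConfig:
    default: bool = False                   # connectInject.default
    allow_namespaces: List[str] = field(default_factory=lambda: ["*"])
    deny_namespaces: List[str] = field(default_factory=list)


def namespace_allowed(namespace: str, cfg: InjectorConfig) -> bool:
    if namespace in SYSTEM_NAMESPACES:
        return False
    if namespace in cfg.deny_namespaces:    # deny list takes precedence over allow list
        return False
    return "*" in cfg.allow_namespaces or namespace in cfg.allow_namespaces


def should_inject(namespace: str, pod_annotations: Dict[str, str], cfg: InjectorConfig) -> bool:
    """True when the webhook would mutate this pod. Pass the annotations of the
    pod template, not of the Deployment: the webhook never sees the latter."""
    if not namespace_allowed(namespace, cfg):
        return False
    value = pod_annotations.get(INJECT_ANNOTATION)
    if value is None:
        return cfg.default                  # no annotation: fall back to connectInject.default
    if value not in ("true", "false"):      # the page defines only these two values
        raise ValueError(f"{INJECT_ANNOTATION}={value!r} is not 'true' or 'false'")
    return value == "true"


def unmeshed(pods: List[Dict], cfg: InjectorConfig) -> List[str]:
    """Audit helper: names of workloads that would run outside the mesh, i.e.
    without mTLS or intention enforcement. `pods` is a list of constructed
    dicts with 'name', 'namespace' and 'annotations' keys."""
    return [
        p["name"]
        for p in pods
        if not should_inject(p["namespace"], p.get("annotations", {}), cfg)
    ]
```

Feed `unmeshed` the pod templates from your manifests together with your Helm values; a non-empty result under a `default: false` installation is usually a workload whose annotation was put on the Deployment instead of the pod template.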

### Consul Enterprise Namespaces

Consul Enterprise 1.7+ supports Consul namespaces. When Kubernetes pods are registered
into Consul, you can control which Consul namespace they are registered into.

There are three options available:

1. **Single Destination Namespace** – Register all Kubernetes pods, regardless of namespace,
   into the same Consul namespace.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       consulDestinationNamespace: 'my-consul-ns'
   ```

   -> **NOTE:** If the destination namespace does not exist, it will be created.

1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace.
   For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`.
   If a mirrored namespace does not exist in Consul, it will be created.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       mirroringK8S: true
   ```

1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes
   namespace **with a prefix**.
   For example, given a prefix `k8s-`, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       mirroringK8S: true
       mirroringK8SPrefix: 'k8s-'
   ```

### Consul Enterprise Namespace Upstreams

When [transparent proxy](/docs/connect/transparent-proxy) is enabled and ACLs are disabled,
the upstreams will be configured automatically across Consul namespaces.
When ACLs are enabled, you must allow the cross-namespace traffic explicitly with an [intention](/docs/connect/intentions)
that permits the source service to talk to the destination service in the other Consul namespace.

If you wish to specify an upstream explicitly via the `consul.hashicorp.com/connect-service-upstreams` annotation,
use the format `[service-name].[namespace]:[port]:[optional datacenter]`:

```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'true'
  'consul.hashicorp.com/connect-service-upstreams': '[service-name].[namespace]:[port]:[optional datacenter]'
```

See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-connect-service-upstreams) for more details.

-> **Note:** When you specify upstreams via an upstreams annotation, you will need to use
`localhost:<port>` with the port from the upstreams annotation instead of KubeDNS to connect to your upstream
application.

### Verifying the Installation

To verify the installation, run the
["Accepting Inbound Connections"](/docs/k8s/connect#accepting-inbound-connections)
example from the "Usage" section above. After running this example, run
`kubectl get pod -l app=static-server --output yaml` (the pod's own name carries a
generated suffix, so select it by label). In the raw YAML output, you should
see injected Connect containers and an annotation
`consul.hashicorp.com/connect-inject-status` set to `injected`. This
confirms that injection is working properly.

If you do not see this, then use `kubectl logs` against the injector pod
and note any errors.
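
The same check can be scripted against `kubectl get pod ... -o json` output, which is useful when you want to verify every pod in a namespace rather than eyeball one. The following is an added example, not part of consul-k8s: it reads the `connect-inject-status` annotation the text above describes and separates the three failure modes a practitioner actually hits (annotation never reached the pod, annotation present but the webhook did not run, webhook ran but containers are missing). The container names `consul-connect-inject-init` and `envoy-sidecar` are assumptions about what the injector names the containers it adds, and the sample pod is constructed; adjust both to what you see in your cluster.

```python
"""Check a pod (as returned by `kubectl get pod ... -o json`) for a Connect sidecar.

Added illustration, not part of consul-k8s. The container names in
EXPECTED_INIT and EXPECTED_SIDECARS are assumptions about what the injector
names the containers it adds; SAMPLE_POD is constructed for the example.
"""
import json
from typing import Dict, List

STATUS_ANNOTATION = "consul.hashicorp.com/connect-inject-status"
INJECT_ANNOTATION = "consul.hashicorp.com/connect-inject"
EXPECTED_INIT = {"consul-connect-inject-init"}   # assumed init container name
EXPECTED_SIDECARS = {"envoy-sidecar"}            # assumed sidecar container name


def injection_report(pod: Dict) -> Dict[str, object]:
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    annotations = meta.get("annotations") or {}
    names = {c["name"] for c in spec.get("containers", [])}
    inits = {c["name"] for c in spec.get("initContainers", [])}
    return {
        "pod": meta.get("name"),
        "requested": annotations.get(INJECT_ANNOTATION) == "true",
        "injected": annotations.get(STATUS_ANNOTATION) == "injected",
        "missing_init": sorted(EXPECTED_INIT - inits),
        "missing_sidecars": sorted(EXPECTED_SIDECARS - names),
    }


def diagnose(report: Dict[str, object]) -> str:
    """One-line verdict; the first branch is the 'annotation on the Deployment' mistake."""
    if report["injected"] and not report["missing_sidecars"] and not report["missing_init"]:
        return "ok"
    if not report["requested"]:
        return ("not requested: the connect-inject annotation is missing from the pod "
                "(is it on the Deployment instead of the pod template?)")
    if not report["injected"]:
        return "requested but not injected: check the namespace allow/deny lists and the injector logs"
    missing: List[str] = report["missing_init"] + report["missing_sidecars"]
    return "injected but containers missing: " + ", ".join(missing)


# Constructed sample, shaped like `kubectl get pod -o json` output for the
# static-server example above after a successful injection.
SAMPLE_POD = json.loads("""
{ "metadata": { "name": "static-server-7d9b5",
    "annotations": { "consul.hashicorp.com/connect-inject": "true",
                     "consul.hashicorp.com/connect-inject-status": "injected" } },
  "spec": { "initContainers": [ { "name": "consul-connect-inject-init" } ],
            "containers": [ { "name": "static-server" }, { "name": "envoy-sidecar" } ] } }
""")

if __name__ == "__main__":
    print(diagnose(injection_report(SAMPLE_POD)))
```

To run it against a live cluster, replace `SAMPLE_POD` with `json.load(...)` of `kubectl get pod -l app=static-server -o json` and iterate over its `items`.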