status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #10725 from hashicorp/banks-patch-3 

Call out the incompatibility of wildcards and L7 permissions
This commit is contained in:
Paul Banks 2021-09-28 13:51:41 +01:00 committed by GitHub
parent 10b52a284b c118e51d5c
commit 020e2692da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
website/content/docs/connect/config-entries/service-intentions.mdx
View File

@ -355,7 +355,7 @@ spec:
{ {
name: 'Name', name: 'Name',
description: description:
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.", "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
type: 'string: <required>', type: 'string: <required>',
yaml: false, yaml: false,
}, },
@ -364,7 +364,7 @@ spec:
type: `string: "default"`, type: `string: "default"`,
enterprise: true, enterprise: true,
description: description:
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined.", "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
yaml: false, yaml: false,
}, },
{ {
@ -398,7 +398,7 @@ spec:
hcl: false, hcl: false,
type: 'string: <required>', type: 'string: <required>',
description: description:
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.", "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
}, },
{ {
name: 'namespace', name: 'namespace',
@ -406,7 +406,7 @@ spec:
enterprise: true, enterprise: true,
type: 'string: <optional>', type: 'string: <optional>',
description: description:
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details.", "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
}, },
], ],
}, },
@ -470,7 +470,9 @@ spec:
provided permissions in this intention will be subject to the default provided permissions in this intention will be subject to the default
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br> intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
This should be omitted for an L4 intention as it is mutually exclusive with This should be omitted for an L4 intention as it is mutually exclusive with
the \`Action\` field.`, the \`Action\` field.<br><br>
Setting \`Permissions\` is not valid if a wildcard is used for the \`Name\` or \`Namespace\` because they can only be
applied to services with a compatible protocol.`,
yaml: `The list of all [additional L7 attributes](#intentionpermission) that extend the intention match criteria.<br><br> yaml: `The list of all [additional L7 attributes](#intentionpermission) that extend the intention match criteria.<br><br>
Permission precedence is applied top to bottom. For any given request the Permission precedence is applied top to bottom. For any given request the
first permission to match in the list is terminal and stops further first permission to match in the list is terminal and stops further
@ -478,7 +480,9 @@ spec:
provided permissions in this intention will be subject to the default provided permissions in this intention will be subject to the default
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br> intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
This should be omitted for an L4 intention as it is mutually exclusive with This should be omitted for an L4 intention as it is mutually exclusive with
the \`action\` field.`, the \`action\` field.<br><br>
Setting \`permissions\` is not valid if a wildcard is used for the \`spec.destination.name\` or \`spec.destination.namespace\`
because they can only be applied to services with a compatible protocol.`,
}, },
}, },
{ {