mirror of https://github.com/status-im/consul.git
applying cfeedback left in comments
This commit is contained in:
parent
b1d73bee0a
commit
12473899c7
|
@ -13,9 +13,9 @@ Command: `consul admin-partition`
|
|||
|
||||
The `admin-partition` command enables you to create and manage Consul Enterprise administrative or admin partitions. Admin partitions are boundaries that allow multiple namespaces with the same name to exist independently of each other. This features is currently in beta.
|
||||
|
||||
If ACLs are enabled then a token with operator privileges may be required in order to use this command. Write
|
||||
requests are forwarded to the leader in the primary datacenter. Therefore these commands can be run against
|
||||
any agent in any datacenter.
|
||||
If ACLs are enabled then a token with operator privileges may be required in order to use this command.
|
||||
|
||||
You should only run the `admin-partition` command in the primary datacenter.
|
||||
|
||||
## Usage
|
||||
|
||||
|
@ -222,63 +222,16 @@ The following parameters are supported in admin partition defintion files:
|
|||
| --- | --- | --- | --- |
|
||||
| `Name` | String value that specifies the name of partiion you are creating or writing. <br/> The value must be valid DNS hostname value. | none | Required |
|
||||
| `Description` | String value that specifies a description for the partition you are creating or writing. <br/> The value should provide human-readable information to help other users understand the purpose of the partition. | none | Optional |
|
||||
| `ACLs` | Object that specifies the ACL configuration for the partition. <br/>See [ACL Configuration](#acl-configuration) for additional information. | none| Optional |
|
||||
| `Meta` | Map of key value pairs for adding metadata to the partition. <br/>See [Adding Metadata](#acl-configuration) for additional information. | none| Optional |
|
||||
|
||||
### Example Definition File
|
||||
|
||||
The following example shows an admin partition definition file that could be used with the [`write`](#write) command to create a partition:
|
||||
|
||||
```shell-session
|
||||
|
||||
```hcl
|
||||
Name = "dev-partition"
|
||||
Description = "Partition for dev team"
|
||||
ACLs {
|
||||
PolicyDefaults = [
|
||||
{
|
||||
ID = "77117cf6-d976-79b0-d63b-5a36ac69c8f1"
|
||||
},
|
||||
{
|
||||
Name = "node-read"
|
||||
}
|
||||
]
|
||||
RoleDefaults = [
|
||||
{
|
||||
"ID": "69748856-ae69-d620-3ec4-07844b3c6be7"
|
||||
},
|
||||
{
|
||||
"Name": "ns-team-2-read"
|
||||
}
|
||||
]
|
||||
}
|
||||
Meta {
|
||||
internal_id = "12345"
|
||||
}
|
||||
```
|
||||
|
||||
### ACL Configuration
|
||||
|
||||
The `acl` block enables you to define the ACL configuration. The following paramters are supported:
|
||||
|
||||
| Option | Description | Default | Required |
|
||||
| --- | --- | --- | --- |
|
||||
| `PolicyDefaults` | An array value listing the default policies to be applied to all tokens created in this admin partition. | none | Required |
|
||||
| `RoleDefaults` | An array value listing the default roles to be applied to all tokens created in this admin partition. | none | Optional |
|
||||
|
||||
|
||||
### Adding Metadata
|
||||
|
||||
You can add semantic meta data to the partition using the meta parameter. This parameter defines a map of max 64 key/value pairs. The following rules for defining metadata apply:
|
||||
|
||||
* Keys can only have ASCII characters (A - Z, a - z, 0 - 9, _, and -).
|
||||
* Keys can not have special characters.
|
||||
* Keys are limited to 128 characters.
|
||||
* Values are limited to 512 characters.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## HTTP API Options
|
||||
|
||||
You can include the following options to interact with the HTTP API when using the `admin-partition` command.
|
||||
|
|
|
@ -59,23 +59,18 @@ Your Consul configuration must meet the following requirements to use admin part
|
|||
### Security Configurations
|
||||
|
||||
* The agent token used by the client agent will need to allow `node:write` in the admin partition.
|
||||
* The `read` permission for `proxy-defaults` require `admin_partition:read` for the specific partition. The `write` permission for proxy-defaults require `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information
|
||||
* The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information.
|
||||
* The write permissions for ingress and terminating gateways must be `mesh:write`.
|
||||
* Existing intentions must be set to `deny` all traffic from outside the admin partition.
|
||||
* Wildcards (`*`) are not supported when creating intentions for admin partitions.
|
||||
|
||||
* Wildcards (`*`) are not supported when creating intentions for admin partitions, but you can use a wildcard to specify services within a partition.
|
||||
|
||||
### Agent Configurations
|
||||
|
||||
* Any queries for the proxy-defaults config entry must include the appropriate `EnterpriseMeta`, which specifies the admin partition.
|
||||
* In client agent configurations, the admin partition name should be specified in the agent configuration:
|
||||
|
||||
```hcl
|
||||
partition = "<NAME>"
|
||||
```
|
||||
* The anti-entropy sync will use the configured admin partition name when registering the node.
|
||||
* Any map keys used to compile the [discovery chain](/docs/connect/l7-traffic/discovery-chain) must include the admin partition name.
|
||||
|
||||
|
||||
### Kubernetes Requirements
|
||||
|
||||
|
@ -229,10 +224,6 @@ kubectl create secret generic license --from-file=key=[license file path i.e. ./
|
|||
|
||||
You can use create and manage admin partitions through the CLI. Refer to the [admin partition CLI documentation](/commands/admin-partition) for details.
|
||||
|
||||
### Admin Partitions on Kubernetes Tutorial
|
||||
|
||||
Refer to the [LINK TO TUTORIAL]() tutorial for additional information on how to create Consul admin partitions on Kubernetes
|
||||
|
||||
## Known Limitations
|
||||
|
||||
* Gossip between nodes in different admin partitions must be constrained. You can accomplish this with through the use of [network segments](network-segments).
|
||||
|
|
|
@ -614,7 +614,11 @@ specific namespace are prevented from accessing resources in another namespace.
|
|||
|
||||
#### Admin Partition Rules <EnterpriseAlert inline />
|
||||
|
||||
The `admin_partition` and `admin_partition_prefix` rules define the scope to one or more admin partitions. The `mesh` resource controls access to the `partition` API. You can include any number of namespace rules. In the following example, the agent has write access to the `ex-namespace` namespace, as well as namespaces prefixed with `ex-` in the `example` partition:
|
||||
The `admin_partition` and `admin_partition_prefix` rules set the scope to one or more admin partitions.
|
||||
|
||||
The `mesh` resource provides operator-level permissions for resources in the partition, such as ingress gateways or mesh proxy defaults.
|
||||
|
||||
You can include any number of namespace rules. In the following example, the agent has write access to the `ex-namespace` namespace, as well as namespaces prefixed with `ex-` in the `example` partition:
|
||||
|
||||
```hcl
|
||||
admin_partition "example" {
|
||||
|
|
Loading…
Reference in New Issue