Add docs for default_intention_policy (#20886)

This commit is contained in:
Chris S. Kim 2024-03-22 15:33:17 -04:00 committed by GitHub
parent f3f2175edd
commit 12fd9db45d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 4 deletions


@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
- `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir). - `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir).
- `default_intention_policy` Controls how service-to-service traffic is authorized
in the absence of specific intentions.
Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy).
- `disable_anonymous_signature` Disables providing an anonymous - `disable_anonymous_signature` Disables providing an anonymous
signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check). signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check).
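Review bot: The new `default_intention_policy` entry does not say which value the hardened configuration should use, even though the security model page changed in this same commit says Consul should run with a default deny intention policy; add a sentence recommending `deny` and pointing to that checklist. The fallback behaviour also deserves an explicit caveat: when the option is left empty, intention enforcement inherits `acl.default_policy`, so a cluster whose ACL default policy is not `deny` gets allow-by-default intentions without any intention-specific setting being touched. Minor: the entry wraps differently from its neighbours (a short second line followed by a long third line); rewrap to match the adjacent `data_dir` and `disable_anonymous_signature` entries.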


@ -26,12 +26,20 @@ of Consul.
## Checklist ## Checklist
### Default Intention Policy Set
Consul should be configured with a default deny intention policy. This forces
all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).
In the absence of `default_intention_policy` Consul will fall back to the ACL
default policy when determining whether to allow or deny communications without
an explicit intention.
### ACLs Enabled with Default Deny ### ACLs Enabled with Default Deny
Consul must be configured to use ACLs with a default deny policy. This forces Consul must be configured to use ACLs with a default deny policy. This forces
all requests to have explicit anonymous access or provide an ACL token. The all requests to have explicit anonymous access or provide an ACL token.
configuration also forces all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).
To learn how to enable ACLs, please see the To learn how to enable ACLs, please see the
[tutorial on ACLs](/consul/tutorials/security/access-control-setup-production). [tutorial on ACLs](/consul/tutorials/security/access-control-setup-production).
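Review bot: The first paragraph of the new "Default Intention Policy Set" section tells operators to use a default deny intention policy but never names the option or the value to set; state it there, e.g. "Set `default_intention_policy` to `deny`", rather than introducing the option name only in the fallback sentence. It is also worth spelling out why the explicit setting matters given the fallback described in the second paragraph: with `default_intention_policy` unset, intention enforcement silently inherits `acl.default_policy`, so the next checklist item (ACLs enabled with default deny) becomes a prerequisite for deny-by-default intentions rather than an independent control. Grammar: add a comma after `default_intention_policy` in "In the absence of `default_intention_policy` Consul will fall back".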
@ -100,7 +108,7 @@ will not be encrypted or authorized via service mesh.
Envoy exposes an **unauthenticated** Envoy exposes an **unauthenticated**
[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) [administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
that can be used to query and modify the proxy. This interface that can be used to query and modify the proxy. This interface
allows potentially sensitive information to be retrieved, such as: allows potentially sensitive information to be retrieved, such as:
* Envoy configuration * Envoy configuration