Link from getting started; note on incremental adoption

This commit is contained in:
Paul Banks 2018-06-13 16:38:11 +01:00 committed by Jack Pearkes
parent ac0c5c2bfa
commit 20a6a40216
2 changed files with 18 additions and 12 deletions

View File

@ -9,21 +9,26 @@ description: |-
## Running Connect in Production ## Running Connect in Production
Consul Connect can secure all inter-service communication via mutual TLS. It's Consul Connect can secure all inter-service communication via mutual TLS. It's
designed to work with minimal configuration out of the box, but completing the designed to work with [minimal configuration out of the
[security checklist](/docs/connect/security.html) and understanding the [Consul box](/intro/getting-started/connect.html), but completing the [security
security model](/docs/internals/security.html) are prerequisites for production checklist](/docs/connect/security.html) and understanding the [Consul security
model](/docs/internals/security.html) are prerequisites for production
deployments. deployments.
This guide aims to walk through the steps required to ensure the security This guide aims to walk through the steps required to ensure the security
guarantees hold. guarantees hold.
We assume a cluster is already running with an appropriate number of servers and We assume a cluster is already running with an appropriate number of servers and
clients. To follow along with this guide in a dev environment you can follow our clients and that other reference material like the
[getting started guide](/intro/getting-started/install.html). For a production
cluster we expect other reference material like the
[deployment](/docs/guides/deployment.html) and [deployment](/docs/guides/deployment.html) and
[performance](/docs/guides/performance.html) guides have been followed. [performance](/docs/guides/performance.html) guides have been followed.
In practical deployments it may be necessary to incrementally adopt Connect
service-by-service. In this case some or all of the advice below may not apply
during the transition but should give a good understanding on which security
properties have been sacrificed in the interim. The final deployment goal should
be to end up compliant with all the advice below.
The steps we need to get to a secure Connect cluster are: The steps we need to get to a secure Connect cluster are:
1. [Configure ACLs](#configure-acls) 1. [Configure ACLs](#configure-acls)
@ -55,8 +60,9 @@ A secure ACL setup must meet these criteria:
`allow` but add an explicit ACL denying anonymous `service:write`. Note `allow` but add an explicit ACL denying anonymous `service:write`. Note
however that in this case the Connect intention graph will also default to however that in this case the Connect intention graph will also default to
`allow` and explicit `deny` intentions will be needed to restrict service `allow` and explicit `deny` intentions will be needed to restrict service
access. It is assumed for the remainder of this guide that ACL policy access. Also note that explicit rules to limit who can manage intentions are
defaults to `deny`. necessary in this case. It is assumed for the remainder of this guide that
ACL policy defaults to `deny`.
2. **Each service must have a distinct ACL token** that is restricted to 2. **Each service must have a distinct ACL token** that is restricted to
`service:write` only for the named service. Current Consul ACLs only support `service:write` only for the named service. Current Consul ACLs only support
prefix matching but in a near-future release we will allow exact name prefix matching but in a near-future release we will allow exact name

View File

@ -21,10 +21,10 @@ without being aware of Connect at all. Applications may also
[natively integrate with Connect](/docs/connect/native.html) [natively integrate with Connect](/docs/connect/native.html)
for optimal performance and security. for optimal performance and security.
-> **Security note:** The getting started guide will show Connect features -> **Security note:** The getting started guide will show Connect features and
and focus on ease of use with a dev-mode agent. We will _not setup_ Connect in a focus on ease of use with a dev-mode agent. We will _not setup_ Connect in a
production-recommended secure way. Please read the Connect reference production-recommended secure way. Please read the [Connect production
documentation on security best practices to understand the tradeoffs. guide](/docs/guides/connect-production.html) to understand the tradeoffs.
~> **Windows Support**: The proxy management feature was designed to run on all platforms but has a known issue on the Windows platform at Beta launch preventing it from starting proxy processes. This will be fixed in a future release. ~> **Windows Support**: The proxy management feature was designed to run on all platforms but has a known issue on the Windows platform at Beta launch preventing it from starting proxy processes. This will be fixed in a future release.