mirror of https://github.com/status-im/consul.git
Link from getting started; note on incremental adoption
This commit is contained in:
parent
ac0c5c2bfa
commit
20a6a40216
|
@ -9,21 +9,26 @@ description: |-
|
||||||
## Running Connect in Production
|
## Running Connect in Production
|
||||||
|
|
||||||
Consul Connect can secure all inter-service communication via mutual TLS. It's
|
Consul Connect can secure all inter-service communication via mutual TLS. It's
|
||||||
designed to work with minimal configuration out of the box, but completing the
|
designed to work with [minimal configuration out of the
|
||||||
[security checklist](/docs/connect/security.html) and understanding the [Consul
|
box](/intro/getting-started/connect.html), but completing the [security
|
||||||
security model](/docs/internals/security.html) are prerequisites for production
|
checklist](/docs/connect/security.html) and understanding the [Consul security
|
||||||
|
model](/docs/internals/security.html) are prerequisites for production
|
||||||
deployments.
|
deployments.
|
||||||
|
|
||||||
This guide aims to walk through the steps required to ensure the security
|
This guide aims to walk through the steps required to ensure the security
|
||||||
guarantees hold.
|
guarantees hold.
|
||||||
|
|
||||||
We assume a cluster is already running with an appropriate number of servers and
|
We assume a cluster is already running with an appropriate number of servers and
|
||||||
clients. To follow along with this guide in a dev environment you can follow our
|
clients and that other reference material like the
|
||||||
[getting started guide](/intro/getting-started/install.html). For a production
|
|
||||||
cluster we expect other reference material like the
|
|
||||||
[deployment](/docs/guides/deployment.html) and
|
[deployment](/docs/guides/deployment.html) and
|
||||||
[performance](/docs/guides/performance.html) guides have been followed.
|
[performance](/docs/guides/performance.html) guides have been followed.
|
||||||
|
|
||||||
|
In practical deployments it may be necessary to incrementally adopt Connect
|
||||||
|
service-by-service. In this case some or all of the advice below may not apply
|
||||||
|
during the transition but should give a good understanding on which security
|
||||||
|
properties have been sacrificed in the interim. The final deployment goal should
|
||||||
|
be to end up compliant with all the advice below.
|
||||||
|
|
||||||
The steps we need to get to a secure Connect cluster are:
|
The steps we need to get to a secure Connect cluster are:
|
||||||
|
|
||||||
1. [Configure ACLs](#configure-acls)
|
1. [Configure ACLs](#configure-acls)
|
||||||
|
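Review bot: the new incremental-adoption paragraph says the advice "should give a good understanding on which security properties have been sacrificed" but never names one, so a reader rolling Connect out service-by-service gets no concrete statement of the exposure during the transition. Since the section opens by promising that Connect secures all inter-service communication via mutual TLS, state at least that a service not yet moved behind Connect is outside that guarantee until migration completes, and change "understanding on which" to "understanding of which". Dropping the "To follow along with this guide in a dev environment" sentence is fine because the same link now hangs on "minimal configuration out of the box", though that anchor text reads as a configuration reference rather than the getting started guide it points to.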
@ -55,8 +60,9 @@ A secure ACL setup must meet these criteria:
|
||||||
`allow` but add an explicit ACL denying anonymous `service:write`. Note
|
`allow` but add an explicit ACL denying anonymous `service:write`. Note
|
||||||
however that in this case the Connect intention graph will also default to
|
however that in this case the Connect intention graph will also default to
|
||||||
`allow` and explicit `deny` intentions will be needed to restrict service
|
`allow` and explicit `deny` intentions will be needed to restrict service
|
||||||
access. It is assumed for the remainder of this guide that ACL policy
|
access. Also note that explicit rules to limit who can manage intentions are
|
||||||
defaults to `deny`.
|
necessary in this case. It is assumed for the remainder of this guide that
|
||||||
|
ACL policy defaults to `deny`.
|
||||||
2. **Each service must have a distinct ACL token** that is restricted to
|
2. **Each service must have a distinct ACL token** that is restricted to
|
||||||
`service:write` only for the named service. Current Consul ACLs only support
|
`service:write` only for the named service. Current Consul ACLs only support
|
||||||
prefix matching but in a near-future release we will allow exact name
|
prefix matching but in a near-future release we will allow exact name
|
||||||
|
|
|
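Review bot: the added sentence "explicit rules to limit who can manage intentions are necessary in this case" tells the reader a control is required but not which ACL permission governs intention management or where that is documented, so it is not actionable for someone running with a default of `allow`. Name the permission (or link the intention ACL reference) and say what is at risk if it is missing, since under a default of `allow` an unrestricted token could otherwise alter the very `deny` intentions this paragraph relies on to restrict service access. The criterion is also now one long run-on; splitting the default-`allow` caveat into its own sentence would make the two requirements (deny anonymous `service:write`, restrict intention management) easier to check off.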
@ -21,10 +21,10 @@ without being aware of Connect at all. Applications may also
|
||||||
[natively integrate with Connect](/docs/connect/native.html)
|
[natively integrate with Connect](/docs/connect/native.html)
|
||||||
for optimal performance and security.
|
for optimal performance and security.
|
||||||
|
|
||||||
-> **Security note:** The getting started guide will show Connect features
|
-> **Security note:** The getting started guide will show Connect features and
|
||||||
and focus on ease of use with a dev-mode agent. We will _not setup_ Connect in a
|
focus on ease of use with a dev-mode agent. We will _not setup_ Connect in a
|
||||||
production-recommended secure way. Please read the Connect reference
|
production-recommended secure way. Please read the [Connect production
|
||||||
documentation on security best practices to understand the tradeoffs.
|
guide](/docs/guides/connect-production.html) to understand the tradeoffs.
|
||||||
|
|
||||||
~> **Windows Support**: The proxy management feature was designed to run on all platforms but has a known issue on the Windows platform at Beta launch preventing it from starting proxy processes. This will be fixed in a future release.
|
~> **Windows Support**: The proxy management feature was designed to run on all platforms but has a known issue on the Windows platform at Beta launch preventing it from starting proxy processes. This will be fixed in a future release.
|
||||||
|
|
||||||
|
|
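Review bot: the security note now links to `/docs/guides/connect-production.html`, but no file at that path is visible in this diff (the production-guide hunk above does not show its filename), so confirm the route exists before merging or the pointer to the tradeoffs breaks. While here, `_not setup_` should be `_not set up_` (the verb), and since the paragraph now states plainly that the dev-mode walkthrough is not production-secure, naming the defaults it skips (ACLs and intentions, per the linked guide) would tell the reader what they are trading away rather than only that a tradeoff exists.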