From 55970c6ccd0c30d47798d0fc6a5bc42687f295e4 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Tue, 30 Nov 2021 23:50:14 -0700
Subject: [PATCH] Avoid updating default decision from wildcard ixn

Given that we do not allow wildcard partitions in intentions, no one ixn can override the DefaultAllow setting. Only the default ACL policy applies across all partitions.
---
 agent/consul/state/intention.go | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/agent/consul/state/intention.go b/agent/consul/state/intention.go
index 72850b29e9..ed71f10499 100644
--- a/agent/consul/state/intention.go
+++ b/agent/consul/state/intention.go
@@ -995,19 +995,6 @@ func (s *Store) intentionTopologyTxn(tx ReadTxn, ws memdb.WatchSet,
 maxIdx = index
 }
 
- // Check for a wildcard intention (* -> *) since it overrides the default decision from ACLs
- if len(intentions) > 0 {
- // Intentions with wildcard source and destination have the lowest precedence, so they are last in the list
- ixn := intentions[len(intentions)-1]
-
- if ixn.HasWildcardSource() && ixn.HasWildcardDestination() {
- defaultDecision = acl.Allow
- if ixn.Action == structs.IntentionActionDeny {
- defaultDecision = acl.Deny
- }
- }
- }
-
 index, allServices, err := serviceListTxn(tx, ws, func(svc *structs.ServiceNode) bool {
 // Only include ingress gateways as downstreams, since they cannot receive service mesh traffic
 // TODO(freddy): One remaining issue is that this includes non-Connect services (typical services without a proxy)
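Review bot: Nothing left in the hunk records why wildcard intentions are deliberately no longer consulted when computing defaultDecision, so the override could easily be reintroduced by a later change; the reasoning from the commit message belongs next to the remaining use of `defaultDecision` (declared above the hunk, out of view), e.g. `// defaultDecision comes only from the default ACL policy: intentions are partition-scoped, so a (* -> *) intention cannot override the default across the partitions this topology spans.` One consequence worth confirming is that a `* -> *` deny intention in the requesting service's own partition previously flipped defaultDecision to Deny for the whole result, and after this change that pair-level deny has to be caught by whatever per-service intention evaluation follows the hunk (not visible here), or the topology could report a pair as allowed that an explicit wildcard deny rejects. The enclosing intentionTopologyTxn begins and ends outside the hunk.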