status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs: Remove ACLs section from k8s cluster peering page (#20176) 

* Remove ACLs section

* Tech specs removal
This commit is contained in:
Jeff Boruszak 2024-01-12 11:28:35 -08:00 committed by GitHub
parent cba3b25196
commit 80ed31acac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx
View File

@ -158,12 +158,4 @@ To learn how to change the mesh gateway mode to `local` on your Kubernetes deplo
The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters).
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.
## ACL specifications
If ACLs are enabled, you must add tokens to grant the following permissions:
- Grant `service:write` permissions to services that define mesh gateways in their server definition.
- Grant `service:read` permissions for all services on the partition.
- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.

17
website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx
View File

@ -439,19 +439,4 @@ Before you can call services from peered clusters, you must set service intentio
}
```
</CodeBlockConfig>
### Authorize service reads with ACLs
If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access.
Read access to all imported services is granted using either of the following rules associated with an ACL token:
- `service:write` permissions for any service in the sidecar's partition.
- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition.
For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities).
Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules.
For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
</CodeBlockConfig>