mirror of
https://github.com/status-im/consul.git
synced 2025-01-11 06:16:08 +00:00
initial commit adding admin partitions section to docs - several more changes to come
This commit is contained in:
parent
d3e3d70fbd
commit
e1276cbb23
91
website/content/docs/enterprise/admin-partitions.mdx
Normal file
91
website/content/docs/enterprise/admin-partitions.mdx
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
layout: docs
|
||||||
|
page_title: Consul Enterprise Admin Partitions
|
||||||
|
description: Consul Enterprise enables you to create paritions that can be administrated across namespaces.
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul Enterprise Admin Partitions
|
||||||
|
|
||||||
|
<EnterpriseAlert>
|
||||||
|
This feature requires{' '}
|
||||||
|
<a href="https://www.hashicorp.com/products/consul/">Consul Enterprise</a>{' '}
|
||||||
|
with the Governance and Policy module.
|
||||||
|
</EnterpriseAlert>
|
||||||
|
|
||||||
|
This topic provides and overview of admin partitions, which are entities that define one or more administrative boundaries for single Consul deployments.
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
Admin partitions exist a level above namespaces in the identity hierarchy and contain one or more namespaces. Admin partitions support multiple independent namespaces with the same name. As a result, admin partitions enable you to define administrative and communcation boundaries between services managed by separate teams or belonging to separate stakeholders. They can also segment production and non-production services within the Consul deployment.
|
||||||
|
|
||||||
|
### Default Admin Partition
|
||||||
|
|
||||||
|
Each Consul cluster will have at least one default admin partition (named `default`). Any resource created without specifying an admin partition will exist in the default partition.
|
||||||
|
|
||||||
|
The `default` admin partition is special in that it may contain namespaces and other entities that are replicated between datacenters.
|
||||||
|
|
||||||
|
### Naming Admin Partitions
|
||||||
|
|
||||||
|
Only characters that are valid in DNS names can be used to name admin partitions.
|
||||||
|
Names must also start with a letter.
|
||||||
|
|
||||||
|
### Namespaces
|
||||||
|
|
||||||
|
When an admin partition is created, it will include a `default` namespace. You can create additional namespaces within the partition.
|
||||||
|
|
||||||
|
All namespaces must exist within an admin partition. By extension, the partition will also contain all namespaced resources.
|
||||||
|
|
||||||
|
Within a single datacenter, a namespace in one admin partition is logically separate from any other namespace with the same name in other admin partitions.
|
||||||
|
|
||||||
|
### Cross-datacenter Replication
|
||||||
|
|
||||||
|
Only resources in the default admin partition will be replicated to secondary datacenters.
|
||||||
|
|
||||||
|
|
||||||
|
### DNS Queries
|
||||||
|
|
||||||
|
Client agents will be configured to operate within a specific admin partition. The DNS interface will only return results for a single admin partition.
|
||||||
|
|
||||||
|
### Service Mesh Configurations
|
||||||
|
|
||||||
|
Values specified for [`proxy-defaults`](docs/connect/config-entries/proxy-defaults) configurations are scoped to a specific partition. Services registered in the partition will use the partition's `proxy-defaults` values.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
In client agent configurations, the admin partition name should be specified in the agent configuration:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
partition = "<NAME>"
|
||||||
|
```
|
||||||
|
The anti-entropy sync will use the configured admin partition name when registering the node.
|
||||||
|
|
||||||
|
The agent token used by the client agent will need to allow `node:write` in the admin partition.
|
||||||
|
|
||||||
|
The `read` permission for `proxy-defaults` require `admin_partition:read` for the specific partition. The `write` permission for proxy-defaults require `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information
|
||||||
|
|
||||||
|
Any queries for the proxy-defaults config entry must include the appropriate `EnterpriseMeta`, which specifies the admin partition.
|
||||||
|
|
||||||
|
The write permissions for ingress and terminating gateways must be `operator:write`.
|
||||||
|
|
||||||
|
Existing intentions must be set to `deny` all traffic from outside the admin partition.
|
||||||
|
|
||||||
|
Any map keys used to compile the [discovery chain](/docs/connect/l7-traffic/discovery-chain) must include the admin partition name.
|
||||||
|
|
||||||
|
Wildcards (`*`) are not supported when creating intentions for admin partitions.
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
You can use create and manage admin partitions through the CLI. Refer to the [admin partition CLI documentation](/commands/admin-partition) for details.
|
||||||
|
|
||||||
|
The expected use case to create admin partitions on Kubernetes clusters. Refer to the following documentation and tutorial for instructions:
|
||||||
|
|
||||||
|
* [Service Mesh](/docs/k8s/connect)
|
||||||
|
* LINK TO TUTORIAL
|
||||||
|
|
||||||
|
## Known Limitations
|
||||||
|
|
||||||
|
* Gossip between nodes in different admin partitions must be constrained. You can accomplish this with through the use of [network segments](network-segments).
|
||||||
|
* Cross-partition communication is not currently supported.
|
@ -611,3 +611,26 @@ only be done within the default namespace.
|
|||||||
This means that rules and policies will be implicitly namespaced and do not need additional configuration.
|
This means that rules and policies will be implicitly namespaced and do not need additional configuration.
|
||||||
The restrictions outlined above will apply to these rules and policies. Additionally, rules and policies within a
|
The restrictions outlined above will apply to these rules and policies. Additionally, rules and policies within a
|
||||||
specific namespace are prevented from accessing resources in another namespace.
|
specific namespace are prevented from accessing resources in another namespace.
|
||||||
|
|
||||||
|
#### Admin Partition Rules <EnterpriseAlert inline />
|
||||||
|
|
||||||
|
The `admin_partition` and `admin_partition_prefix` rules define the scope to one or more admin partitions. The `mesh` resource controls access to the `partition` API. You can include any number of namespace rules. In the following example, the agent has write access to the `ex-namespace` namespace, as well as namespaces prefixed with `ex-` in the `example` partition:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
admin_partition "example" {
|
||||||
|
mesh = "write"
|
||||||
|
node "my-node" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
...
|
||||||
|
namespace "ex-namespace" {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
namespace_prefix "exns-" {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
admin_partition_prefix "ex-" {
|
||||||
|
... (Same as above)
|
||||||
|
}
|
||||||
|
```
|
@ -846,6 +846,10 @@
|
|||||||
"title": "Overview",
|
"title": "Overview",
|
||||||
"path": "enterprise"
|
"path": "enterprise"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"title": "Admin Partitions <sup>BETA</sup>",
|
||||||
|
"path": "enterprise/admin-partitions"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"title": "Audit Logging",
|
"title": "Audit Logging",
|
||||||
"path": "enterprise/audit-logging"
|
"path": "enterprise/audit-logging"
|
||||||
|
Loading…
x
Reference in New Issue
Block a user