Add enterprise docs for deny action (#20654)

proto-public/pbauth/v2beta1/traffic_permissions.pb.go

@@ -24,6 +24,9 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 
+// Action specifies the behavior of a TrafficPermission.
+// ACTION_DENY is only available in Consul enterprise.
+//
 // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
 // +kubebuilder:validation:Type=string
 type Action int32
@@ -75,6 +78,7 @@ func (Action) EnumDescriptor() ([]byte, []int) {
 	return file_pbauth_v2beta1_traffic_permissions_proto_rawDescGZIP(), []int{0}
 }
 
+// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
 type TrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -84,6 +88,7 @@ type TrafficPermissions struct {
 	// where these traffic permissions should apply.
 	Destination *Destination `protobuf:"bytes,1,opt,name=destination,proto3" json:"destination,omitempty"`
 	// Action can be either allow or deny for the entire object. It will default to allow.
+	// Deny actions are available only in Consul Enterprise.
 	//
 	// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
 	// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@@ -152,6 +157,8 @@ func (x *TrafficPermissions) GetPermissions() []*Permission {
 	return nil
 }
 
+// NamespaceTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a namespace.
 type NamespaceTrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -207,6 +214,8 @@ func (x *NamespaceTrafficPermissions) GetPermissions() []*Permission {
 	return nil
 }
 
+// PartitionTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a partition.
 type PartitionTrafficPermissions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache

proto-public/pbauth/v2beta1/traffic_permissions.proto

@@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1;
 
 import "pbresource/annotations.proto";
 
+// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
 message TrafficPermissions {
   option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
 
@@ -15,6 +16,7 @@ message TrafficPermissions {
   Destination destination = 1;
 
   // Action can be either allow or deny for the entire object. It will default to allow.
+  // Deny actions are available only in Consul Enterprise.
   //
   // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
   // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
@@ -31,6 +33,8 @@ message TrafficPermissions {
   repeated Permission permissions = 3;
 }
 
+// NamespaceTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a namespace.
 message NamespaceTrafficPermissions {
   option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
 
@@ -38,6 +42,8 @@ message NamespaceTrafficPermissions {
   repeated Permission permissions = 2;
 }
 
+// PartitionTrafficPermissions represents traffic permissions that should
+// apply to all destinations in a partition.
 message PartitionTrafficPermissions {
   option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
 
@@ -51,6 +57,9 @@ message Destination {
   string identity_name = 1;
 }
 
+// Action specifies the behavior of a TrafficPermission.
+// ACTION_DENY is only available in Consul enterprise.
+//
 // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
 // +kubebuilder:validation:Type=string
 enum Action {

website/content/docs/k8s/multiport/reference/trafficpermissions.mdx

@@ -45,7 +45,7 @@ spec:
   action: allow
   permissions:
     - sources:
-        - identityName: <sourceWorkloadIdentity> 
+        - identityName: <sourceWorkloadIdentity>
       destinationRules:
         - portNames:
             - <servicePortName>
@@ -135,6 +135,8 @@ Specifies the Workload identity for a service. The permissions you configure in
 
 Specifies whether the proxy should _allow traffic_ or _deny traffic_ between the destination in [`spec.destination`](#spec-destination) and the sources in [`spec.permissions.sources`](#spec-permissions-sources).
 
+`ACTION_DENY` is a governance feature available in Consul Enterprise that cannot be overridden by another `ACTION_ALLOW`.
+
 By default, Consul allows traffic between all services. When the Helm value `global.acls.manageSystemACLs` is set to `true`, then Consul operates in "default-deny" mode. In this mode, `TrafficPermissions` CRDs that allow traffic between services are required for service-to-service traffic.
 
 #### Values
@@ -143,7 +145,7 @@ By default, Consul allows traffic between all services. When the Helm value `glo
 - Data type: String that must contain one of the following values:
 
   - `ACTION_ALLOW`
-  - `ACTION_DENY`
+  - `ACTION_DENY` <EnterpriseAlert inline />
 
 ### `spec.permissions`
 
@@ -221,9 +223,10 @@ spec:
 
 ```
 
-### Deny traffic between a service and a specific port
+### Deny traffic between a service and a specific port <EnterpriseAlert inline />
 
 The following example configures traffic permissions to deny traffic when the `web` service makes a request to the `api` service on the `admin` port.
+This `ACTION_DENY` cannot be overridden by another `ACTION_ALLOW`.
 
 ```yaml
 apiVersion: auth.consul.hashicorp.com/v2beta1