Merge pull request #5302 from hashicorp/docs/k8s-acl

Update k8s ACL documentation
This commit is contained in:
Rebecca Zanzig 2019-02-07 13:46:44 -08:00 committed by GitHub
commit fc1d9e5d78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 7 deletions

View File

@ -67,17 +67,20 @@ sync to understand how the syncing works.
The sync process must authenticate to both Kubernetes and Consul to read The sync process must authenticate to both Kubernetes and Consul to read
and write services. and write services.
For Consul, the process accepts both the standard CLI flag `-token` and
the environment variable `CONSUL_HTTP_TOKEN`. This should be set to an
Consul [ACL token](/docs/guides/acl.html) if ACLs are enabled. This
can also be configured using the Helm chart to read from a Kubernetes
secret.
For Kubernetes, a valid kubeconfig file must be provided with cluster For Kubernetes, a valid kubeconfig file must be provided with cluster
and auth information. The sync process will look into the default locations and authentication information. The sync process will look into the default locations
for both in-cluster and out-of-cluster authentication. If `kubectl` works, for both in-cluster and out-of-cluster authentication. If `kubectl` works,
then the sync program should work. then the sync program should work.
For Consul, if ACLs are configured on the cluster, a Consul
[ACL token](https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide)
will need to be provided. Review the [ACL rules](/docs/agent/acl-rules.html)
when creating this token so that it only allows the necessary privileges. The catalog
sync process accepts this token by using the [`CONSUL_HTTP_TOKEN`](docs/commands/index.html#consul_http_token)
environment variable. This token should be set as a
[Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets)
and referenced in the Helm chart.
## Kubernetes to Consul ## Kubernetes to Consul
This sync registers Kubernetes services to the Consul catalog automatically. This sync registers Kubernetes services to the Consul catalog automatically.