Skip to content

Commit

Permalink
Backport of docs: Remove ACLs section from k8s cluster peering page i…
Browse files Browse the repository at this point in the history
…nto release/1.17.x (#20198)

* backport of commit ce0c9be

* backport of commit 98bb280

---------

Co-authored-by: boruszak <jeffrey.boruszak@hashicorp.com>
  • Loading branch information
hc-github-team-consul-core and boruszak authored Jan 16, 2024
1 parent 0b4f4fd commit 9a36b73
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 25 deletions.
10 changes: 1 addition & 9 deletions website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -158,12 +158,4 @@ To learn how to change the mesh gateway mode to `local` on your Kubernetes deplo

The `exported-services` CRD is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters).

Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.

## ACL specifications

If ACLs are enabled, you must add tokens to grant the following permissions:

- Grant `service:write` permissions to services that define mesh gateways in their server definition.
- Grant `service:read` permissions for all services on the partition.
- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
Refer to [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) for more information.
Original file line number Diff line number Diff line change
Expand Up @@ -439,19 +439,4 @@ Before you can call services from peered clusters, you must set service intentio
}
```

</CodeBlockConfig>

### Authorize service reads with ACLs

If ACLs are enabled on a Consul cluster, sidecar proxies that access exported services as an upstream must have an ACL token that grants read access.

Read access to all imported services is granted using either of the following rules associated with an ACL token:

- `service:write` permissions for any service in the sidecar's partition.
- `service:read` and `node:read` for all services and nodes, respectively, in sidecar's namespace and partition.

For Consul Enterprise, the permissions apply to all imported services in the service's partition. These permissions are satisfied when using a [service identity](/consul/docs/security/acl/acl-roles#service-identities).

Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules.

For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
</CodeBlockConfig>

0 comments on commit 9a36b73

Please sign in to comment.