Backport of Add docs for default_intention_policy into release/1.18.x (…

…#20892)
hashicorp · Mar 25, 2024 · 5948255 · 5948255
1 parent bf51d89
commit 5948255
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx
@@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
 
 - `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir).
 
+- `default_intention_policy` Controls how service-to-service traffic is authorized
+  in the absence of specific intentions.
+  Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy).
+
 - `disable_anonymous_signature` Disables providing an anonymous
   signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check).
 

diff --git a/website/content/docs/connect/security.mdx b/website/content/docs/connect/security.mdx
@@ -26,12 +26,20 @@ of Consul.
 
 ## Checklist
 
+### Default Intention Policy Set
+
+Consul should be configured with a default deny intention policy. This forces
+all service-to-service communication to be explicitly
+allowed via an allow [intention](/consul/docs/connect/intentions).
+
+In the absence of `default_intention_policy` Consul will fall back to the ACL
+default policy when determining whether to allow or deny communications without
+an explicit intention.
+
 ### ACLs Enabled with Default Deny
 
 Consul must be configured to use ACLs with a default deny policy. This forces
-all requests to have explicit anonymous access or provide an ACL token. The
-configuration also forces all service-to-service communication to be explicitly
-allowed via an allow [intention](/consul/docs/connect/intentions).
+all requests to have explicit anonymous access or provide an ACL token.
 
 To learn how to enable ACLs, please see the
 [tutorial on ACLs](/consul/tutorials/security/access-control-setup-production).
@@ -100,7 +108,7 @@ will not be encrypted or authorized via service mesh.
 
 Envoy exposes an **unauthenticated**
 [administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
-that can be used to query and modify the proxy. This interface 
+that can be used to query and modify the proxy. This interface
 allows potentially sensitive information to be retrieved, such as:
 
 * Envoy configuration