Backport of Add docs for default_intention_policy into release/1.18.x
hc-github-team-consul-core committed Mar 25, 2024
1 parent bf51d89 commit 5948255
Showing 2 changed files with 16 additions and 4 deletions.
4 changes: 4 additions & 0 deletions website/content/docs/agent/config/config-files.mdx
@@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati

- `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir).

- `default_intention_policy` Controls how service-to-service traffic is authorized
in the absence of specific intentions.
Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy).

- `disable_anonymous_signature` Disables providing an anonymous
signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check).

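Review bot: the new `default_intention_policy` entry should state the default explicitly rather than leaving it implied by "or left empty": something like "Defaults to empty, in which case `acl.default_policy` is used" makes the fallback unambiguous, and a short cross-reference to the service mesh security checklist (where this setting is recommended to be `deny`) would tell readers why they would set it. Since this is a backport into release/1.18.x, consider adding the version note the other parameters in this file carry for newly introduced options, so readers on older releases do not expect the key to exist.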
16 changes: 12 additions & 4 deletions website/content/docs/connect/security.mdx
@@ -26,12 +26,20 @@ of Consul.

## Checklist

### Default Intention Policy Set

Consul should be configured with a default deny intention policy. This forces
all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).

In the absence of `default_intention_policy` Consul will fall back to the ACL
default policy when determining whether to allow or deny communications without
an explicit intention.

### ACLs Enabled with Default Deny

Consul must be configured to use ACLs with a default deny policy. This forces
all requests to have explicit anonymous access or provide an ACL token. The
configuration also forces all service-to-service communication to be explicitly
allowed via an allow [intention](/consul/docs/connect/intentions).
all requests to have explicit anonymous access or provide an ACL token.

To learn how to enable ACLs, please see the
[tutorial on ACLs](/consul/tutorials/security/access-control-setup-production).
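Review bot: the new "Default Intention Policy Set" checklist item says Consul should have a default deny intention policy but never shows the setting; quote the agent configuration directly, e.g. `default_intention_policy = "deny"`, and link to the config-files reference for the key, as the ACL item below does with its tutorial link. The fallback paragraph should also spell out the consequence of not setting it: with `default_intention_policy` unset and `acl.default_policy` set to `allow`, service-to-service traffic without a matching intention is allowed, which is exactly the condition this checklist item exists to prevent. Moving the "forces all service-to-service communication to be explicitly allowed" sentence out of the ACL section is correct, since that behaviour now depends on the intention policy rather than on ACLs alone.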
@@ -100,7 +108,7 @@ will not be encrypted or authorized via service mesh.

Envoy exposes an **unauthenticated**
[administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin)
that can be used to query and modify the proxy. This interface
that can be used to query and modify the proxy. This interface
allows potentially sensitive information to be retrieved, such as:

* Envoy configuration
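Review bot: the removed and added lines in this hunk read identically ("that can be used to query and modify the proxy. This interface"), so the change appears to be whitespace only. That is harmless, but a whitespace-only touch to an unrelated section is better left out of a backport commit or mentioned in the commit message, so reviewers comparing release branches do not hunt for a content change that is not there.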