docs: namespace ACL permissions for exported services #22162
a new nits
|
||
If ACLs are enabled, exported services between partitions that use dataplanes may experience errors when you define namespace partitions with the `*` wildcard. Consul dataplanes use a token with the `builtin/service` policy attached, but this policy does not include access to all namespaces. | ||
|
||
Add the following policies to the service token attached to Consul dataplanes to grant Consul access to exported services across all namespaces: |
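Review bot: The phrase "when you define namespace partitions with the `*` wildcard" in the first added paragraph is ambiguous, because namespaces and partitions are separate scopes; name the field that takes the wildcard. The next sentence asks users to widen the dataplane service token beyond what `builtin/service` grants, so it should say that the extra policies are needed only when the export uses `*`, and state the access level they grant (the Kubernetes paragraph later in this PR says read access).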
Add the following policies to the service token attached to Consul dataplanes to grant Consul access to exported services across all namespaces: | |
Add these policies to the service token attached to Consul dataplanes to grant Consul access to exported services across all namespaces. |
Kind of a grey area... but I applied the "introduce code block... descriptive sentence that ends with a period" rule
} | ||
``` | ||
|
||
</CodeTabs> | ||
</Tab> | ||
</Tabs> | ||
|
||
If you experience errors using the wildcard to export services on Consul on Kubernetes, make sure the [service token](/consul/docs/security/acl/tokens/create/create-a-service-token) is attached to a policy that grants read access to all namespaces: |
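Review bot: The added sentence says the service token "is attached to a policy", which reverses the relationship used earlier in this PR ("Add the following policies to the service token"); policies are attached to tokens. Suggest "make sure the service token has a policy attached that grants read access to all namespaces", keeping the grant read-only as written.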
If you experience errors using the wildcard to export services on Consul on Kubernetes, make sure the [service token](/consul/docs/security/acl/tokens/create/create-a-service-token) is attached to a policy that grants read access to all namespaces: | |
If you experience errors using the wildcard to export services on Consul on Kubernetes, make sure the [service token](/consul/docs/security/acl/tokens/create/create-a-service-token) is attached to a policy that grants read access to all namespaces as in this example. |
📣 Hi @boruszak! a backport is missing for this PR [22162] for versions [1.15,1.18,1.19] please perform the backport manually and add the following snippet to your backport PR description:
📣 Hi @boruszak! a backport is missing for this PR [22162] for versions [1.15,1.19] please perform the backport manually and add the following snippet to your backport PR description:
Description
This PR updates two pages of documentation in response to a support ticket.
Consul dataplanes use the `builtin/service` policy for their ACL permissions, but this policy does not grant access to all namespaces. Because the exported services configuration entry page included examples with the `*` wildcard, users experienced errors due to incorrect ACL permissions.
These updates specifically state the required ACL policies.
Preview links
Exported services configuration entry reference
Consul Dataplanes overview
PR Checklist