Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add default intention policy #20544

Merged
merged 2 commits into from
Feb 8, 2024
Merged

Add default intention policy #20544

merged 2 commits into from
Feb 8, 2024

Conversation

kisunji
Copy link
Contributor

@kisunji kisunji commented Feb 8, 2024
edited
Loading

Recommended to review commit-by-commit

Description

Adds a new agent configuration field DefaultIntentionPolicy (default_intention_policy) which controls how service-to-service traffic is authorized in the absence of specific intentions.

DefaultIntentionPolicy can be "allow", "deny", or "", where if left blank it will inherit the default ACL policy.

This field will de-couple the ACL subsystem from intentions, allowing users to incrementally adopt secure configurations one step at a time without dealing with implicit dependencies between the two subsystems.

Testing & Reproduction steps

  • Added unit tests which inject default intention policy and observe that it overrides the default ACL policy

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@kisunji kisunji requested a review from a team as a code owner February 8, 2024 19:12
@github-actions github-actions bot added theme/acls ACL and token generation theme/config Relating to Consul Agent configuration, including reloading labels Feb 8, 2024
@kisunji kisunji enabled auto-merge (squash) February 8, 2024 19:15
@kisunji kisunji requested review from a team, johnlanda and roncodingenthusiast and removed request for a team February 8, 2024 19:15
@kisunji kisunji merged commit 26661a1 into main Feb 8, 2024
90 checks passed
@kisunji kisunji deleted the kisunji/default-intention-policy-backport branch February 8, 2024 20:25
@hc-github-team-consul-core hc-github-team-consul-core mentioned this pull request Feb 8, 2024
Merged
4 tasks
@dhiaayachi dhiaayachi mentioned this pull request Sep 27, 2024
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkeeler mkeeler mkeeler approved these changes

@johnlanda johnlanda Awaiting requested review from johnlanda

@roncodingenthusiast roncodingenthusiast Awaiting requested review from roncodingenthusiast

Assignees
No one assigned
Labels
theme/acls ACL and token generation theme/config Relating to Consul Agent configuration, including reloading
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kisunji @mkeeler