Consul on k8s, how to provide ACL to service?

chenyg0911 · January 29, 2021, 9:34am

Hello, I try to test consul service mesh on k8s, which deploy with helm.
helm manifest:

# name your datacenter
global:
  name: consul
  datacenter: l7
  tls:
generate certificate
    enabled: false

servers
    enableAutoEncrypt: false
  acls:
    manageSystemACLs: true


server:
  replicas: 1
  bootstrapExpect: 1
  disruptionBudget:
    enabled: true
    maxUnavailable: 0
  extraConfig: |
    {
      "telemetry": {
        "prometheus_retention_time": "10s"
      },
      "ui_config": {
        "enabled": true,
        "metrics_provider": "prometheus",
        "metrics_proxy": {
          "base_url": "http://prometheus-server"
        }
      }
    }

client:
  enabled: true
  grpc: true

ui:
  enabled: true
  service:
    enabled: true
    type: LoadBalancer

connectInject:
  enabled: true
  default: true
  k8sAllowNamespaces: ["consul-test"]

  centralConfig:
    enabled: true
    defaultProtocol: "http"
    proxyDefaults: |
      {
        "envoy_prometheus_bind_addr": "0.0.0.0:9102"
      }

controller:
  enabled: true

deploy service is the simple demo app.
two service: web → api
the demo is work as expect. I can provide acl through intention to enable or disable api service accessable.

But how can I provide acl on service web ?
I try to create token and policy like below:
web-deny.hcl

service "web" {
	policy = "deny"
}
service "web-sidecar-proxy" {
	policy = "deny"
}
service_prefix "" {
	policy = "deny"
}
node_prefix "" {
	policy = "deny"
}

But, when test with : curl http://webservice, I can get service response OK.

How I can’t restrict the service web accessable with a token?

lkysow · January 29, 2021, 6:08pm

Hi, so correct me if I’m wrong but are you trying to restrict access to web from a user?

In this case, you would need to add a Kubernetes ingress controller or API gateway because intentions are for calls between services in the mesh (e.g. web => api) not for calls from outside the mesh to inside the mesh (e.g. user => web).

Consul does have an ingress gateway (External <> Internal Services - Ingress Gateways | Consul by HashiCorp) however it does not currently support token-based authentication.

chenyg0911 · February 1, 2021, 2:46am

Yes, that’s I get.
Because follow the document, when consul run out k8s, it can config service acl with token, as below:

consul acl token create -description "Token for Dashboard Service" \
  -policy-name dashboard-service
service {
  name = "dashboard",
  port = 9002,
  token = "57c5d69a-5f19-469b-0543-12a487eecc66",
  check {
    id = "dashboard-check",
    http = "http://localhost:9002/health",
    method = "GET",
    interval = "1s",
    timeout = "1s"
  }
}

Topic		Replies	Views
Consul-Kubernetes Consul	6	1862	March 30, 2020
Consul and Prometheus with ACLs and TLS enable Consul prometheus	9	2916	September 24, 2022
Service discovery k8s required ACLs Consul	0	362	February 23, 2023
Enable ACL in consul helm chart Consul k8s , acl	0	191	October 23, 2023
Issue on mesh gateway (Vm) on wan federated consul cluster (k8s<->vm) Consul k8s , helm , consul	7	754	November 16, 2022

Consul on k8s, how to provide ACL to service?

Related topics