Consul on k8s, how to provide ACL to service?

Hello, I am trying to test the Consul service mesh on k8s, deployed with Helm.
Helm manifest:

global:
  # name your datacenter
  name: consul
  datacenter: l7
  # generate certificate
  tls:
    enabled: false
    enableAutoEncrypt: false
  acls:
    manageSystemACLs: true

server:
  replicas: 1
  bootstrapExpect: 1
  disruptionBudget:
    enabled: true
    maxUnavailable: 0
  extraConfig: |
    {
      "telemetry": {
        "prometheus_retention_time": "10s"
      },
      "ui_config": {
        "enabled": true,
        "metrics_provider": "prometheus",
        "metrics_proxy": {
          "base_url": "http://prometheus-server"
        }
      }
    }

client:
  enabled: true
  grpc: true

ui:
  enabled: true
  service:
    enabled: true
    type: LoadBalancer

connectInject:
  enabled: true
  default: true
  k8sAllowNamespaces: ["consul-test"]

  centralConfig:
    enabled: true
    defaultProtocol: "http"
    proxyDefaults: |
      {
        "envoy_prometheus_bind_addr": ""
      }

controller:
  enabled: true

The deployed service is the simple demo app, with two services: web → api.
The demo works as expected. I can apply ACLs through intentions to enable or disable access to the api service.

But how can I apply an ACL to the web service?
I tried to create a token and policy like below:

service "web" {
  policy = "deny"
}
service "web-sidecar-proxy" {
  policy = "deny"
}
service_prefix "" {
  policy = "deny"
}
node_prefix "" {
  policy = "deny"
}

But when I test with: curl http://webservice, I get an OK response from the service.

How can I restrict access to the web service with a token?

Hi, so correct me if I’m wrong but are you trying to restrict access to web from a user?

In this case, you would need to add a Kubernetes ingress controller or API gateway because intentions are for calls between services in the mesh (e.g. web => api) not for calls from outside the mesh to inside the mesh (e.g. user => web).

Consul does have an ingress gateway (External <> Internal Services - Ingress Gateways | Consul by HashiCorp) however it does not currently support token-based authentication.
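
For reference, the kind of rule the reply above is describing, as an added example that is not part of the original thread: a ServiceIntentions resource for the web => api call. ACL `service` rules like the ones in the question govern registering and discovering services in Consul's catalog, not HTTP requests sent to the service, which is why the curl test still succeeds. The resource name and the wildcard deny entry are assumptions; `web` and `api` are the service names from the question, and the resource relies on the `controller` being enabled as in the Helm values.

```yaml
# Added example (not from the thread). Apply in the Kubernetes namespace
# where the api service runs; the metadata name is a hypothetical choice.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api-intentions
spec:
  # The intention is attached to the destination service. It is enforced
  # for connections arriving from other services in the mesh.
  destination:
    name: api
  sources:
    # Allow the one mesh-internal caller the demo needs.
    - name: web
      action: allow
    # Deny every other mesh service. The more specific "web" entry above
    # takes precedence over this wildcard.
    - name: "*"
      action: deny
# There is no source entry that can describe "a user outside the mesh
# presenting a token": a request such as `curl http://webservice` is not a
# service-to-service call, so it needs an ingress controller or API gateway
# in front of web, as the reply says.
```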

Yes, I get that.
Because, following the documentation, when Consul runs outside k8s, a service ACL can be configured with a token, as below:

consul acl token create -description "Token for Dashboard Service" \
  -policy-name dashboard-service

service {
  name = "dashboard",
  port = 9002,
  token = "57c5d69a-5f19-469b-0543-12a487eecc66",
  check {
    id = "dashboard-check",
    http = "http://localhost:9002/health",
    method = "GET",
    interval = "1s",
    timeout = "1s"