Intentions are set to default allow

alexei.mikheev1 · February 13, 2022, 8:27am

Hi all,
created on consul with helm chart on k8s all, then create ServiceIntentions (all service deny to all ) with
sources:
- name: ‘*’
action: deny
in UI - its present but still i see warning " Intentions are set to default allow"
Why this still present ? how fix this?
Version Consul 1.11.3

blake · February 13, 2022, 9:04am

Hi @alexei.mikheev1,

Per the intention docs…

The default intention behavior is defined by the default_policy configuration. If the configuration is set allow , then all service mesh Connect connections will be allowed by default. If is set to deny , then all connections or requests will be denied by default.

(I just realized the first sentence should say: " The default intention behavior is defined by the ACL default_policy configuration".)

Have you enabled Consul ACLs in your environment by setting acls.manageSystemACLs to true in the Helm chart? If not, the default intention policy is allow. This correctly corresponds to the warning you are seeing displayed in the UI.

If you enable ACLs in your cluster, the default intention policy will change to deny, and the warning should disappear from the UI.

alexei.mikheev1 · February 13, 2022, 2:25pm

Hi @blake
Tank you for you answer, but i have another one - if i wants use terminating gateway to connect my services from inside AWS EKS to Out-Side service for example (Postgres AWS manage) , Which API will use from consul? If i choose low level API for registration (/catalog/register) do i need ACLs?

Is it correct if we going work with VOLT to use ACLs auntification ?

Tanks

blake · February 15, 2022, 5:37pm

@alexei.mikheev1,

Yes, you will need to use the /catalog/register endpoint to register the external service. Whether or not you need ACLs depends on whether ACLs are enabled in your cluster. If ACLs are enabled, and the default policy is deny, then you will need to create a token with write permission to register the external service.

For example:

# service-foo-acl-policy.hcl
service "foo" {
  policy = "write"
}

Then create this policy in Consul and assign it to a newly created token.

$ consul acl policy create -name service-foo-acl-policy -rules=@service-foo-acl-policy.hcl
$ consul acl token create -policy-name service-foo-acl-policy

I’m not sure what Volt is. Would you mind explaining a bit more about this, and how you plan to use it with your Consul deployment?

alexei.mikheev1 · February 17, 2022, 6:47am

hi @blake,
sorry it was typo i means VAULT

Topic		Replies	Views
External AuthZ with Envoy and OpenPolicyAgent Consul connect	0	27	August 15, 2024
Consul on k8s, how to provide ACL to service? Consul	2	360	February 1, 2021
Service stop checking intention rules after 2 checks Consul	1	308	September 4, 2020
HCSEC-2021-16 - Consul’s Application-Aware Intentions Deny Action Fails Open When Combined With Default Deny Policy Security security-consul	0	8261	July 15, 2021
Removing permissions from default (anonymous) policy causes multi-DC Connect connections to fail Consul k8s	2	1036	June 2, 2020

Intentions are set to default allow

Related topics