Intentions are set to default allow

Hi all,
I created Consul on k8s with the Helm chart, then created a ServiceIntentions (all services deny to all) with
- name: '*'
  action: deny
In the UI it's present, but I still see the warning "Intentions are set to default allow".
Why is this still present? How do I fix this?
Version: Consul 1.11.3

Hi @alexei.mikheev1,

Per the intention docs

The default intention behavior is defined by the default_policy configuration. If the configuration is set to allow, then all service mesh Connect connections will be allowed by default. If it is set to deny, then all connections or requests will be denied by default.

(I just realized the first sentence should say: " The default intention behavior is defined by the ACL default_policy configuration".)

Have you enabled Consul ACLs in your environment by setting acls.manageSystemACLs to true in the Helm chart? If not, the default intention policy is allow. This correctly corresponds to the warning you are seeing displayed in the UI.

If you enable ACLs in your cluster, the default intention policy will change to deny, and the warning should disappear from the UI.

Hi @blake
Thank you for your answer, but I have another one: if I want to use a terminating gateway to connect my services from inside AWS EKS to an outside service (for example AWS-managed Postgres), which API will be used from Consul? If I choose the low-level API for registration (/catalog/register), do I need ACLs?

Is it correct that if we are going to work with VOLT we should use ACL authentication?

Yes, you will need to use the /catalog/register endpoint to register the external service. Whether or not you need ACLs depends on whether ACLs are enabled in your cluster. If ACLs are enabled, and the default policy is deny, then you will need to create a token with write permission to register the external service.

For example:

# service-foo-acl-policy.hcl
service "foo" {
  policy = "write"
}

Then create this policy in Consul and assign it to a newly created token.

$ consul acl policy create -name service-foo-acl-policy -rules=@service-foo-acl-policy.hcl
$ consul acl token create -policy-name service-foo-acl-policy

I’m not sure what Volt is. Would you mind explaining a bit more about this, and how you plan to use it with your Consul deployment?
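The registration step itself, as an added example for this thread (not Consul's own tooling or anything from the posts above): it builds the `/v1/catalog/register` body for a service that lives outside the mesh and PUTs it with the ACL token in the `X-Consul-Token` header. The node name, service name, address and port are constructed sample values. The synthetic node is tagged with `NodeMeta` `external-node: "true"` so Consul treats it as a node with no agent. One caveat worth knowing before the token from the previous reply is cut: per the catalog API reference, `/catalog/register` checks `node:write` on the node being registered as well as `service:write` on the service, so the policy usually needs a `node` rule in addition to the `service` rule.

```python
"""Register an external service (for example a managed Postgres instance) through
Consul's /v1/catalog/register endpoint, authenticating with an ACL token.

Added example for this thread, not part of Consul or the Helm chart. All names,
addresses and ports below are constructed sample values."""
import json
import urllib.request


def build_external_registration(node, service_name, address, port, datacenter=None):
    """Build the /catalog/register payload for a service running outside the mesh.

    NodeMeta external-node=true marks the node as one without a Consul agent, so
    anti-entropy on some real agent will not reap the registration."""
    payload = {
        "Node": node,                      # synthetic node representing the external host
        "Address": address,
        "NodeMeta": {"external-node": "true"},
        "Service": {
            "ID": service_name,
            "Service": service_name,
            "Address": address,            # where the terminating gateway will dial
            "Port": port,
        },
    }
    if datacenter:
        payload["Datacenter"] = datacenter
    return payload


def register(consul_addr, token, payload, timeout=5):
    """PUT the registration to Consul; returns True when Consul answers 200/true.

    The token must carry service:write for the service name and node:write for
    the node name, otherwise Consul responds 403."""
    req = urllib.request.Request(
        f"{consul_addr}/v1/catalog/register",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Consul-Token": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status == 200 and resp.read().strip() == b"true"


if __name__ == "__main__":
    # Constructed sample: an RDS Postgres endpoint registered as service "postgres".
    body = build_external_registration(
        node="postgres-rds",
        service_name="postgres",
        address="db.example.internal",  # placeholder hostname
        port=5432,
        datacenter="dc1",
    )
    print(json.dumps(body, indent=2))
    # Only runs against a live Consul; token placeholder must be replaced.
    # register("http://127.0.0.1:8500", "<CONSUL_TOKEN>", body)
```

After registering, the terminating gateway's `TerminatingGateway` config entry still has to list the service (`Services: [{Name: "postgres"}]`) before mesh clients can reach it through the gateway.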

Hi @blake,
Sorry, it was a typo, I meant VAULT.