When doing service catalog sync in Consul running on k8s with an external Consul cluster, I'm seeing this error on the ACL init pods:
PermissionDenied desc = Permission denied: token with AccessorID '#####' lacks permission 'service:write' on \"any service\""
Where do the docs say that permission is required? I was using manageSystemACLs: true and gave the bootstrap token the ability to write ACLs. So I thought that would establish the ACLs?
global:
  enabled: false
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: bootstrap-token
      secretKey: token
  tls:
    enabled: true
    caCert:
      secretName: consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-ca-key
      secretKey: tls.key
    enableAutoEncrypt: true
    verify: false
client:
  enabled: true
  # Set this to true to expose the Consul clients using the Kubernetes node
  # IPs. If false, the pod IPs must be routable from the external servers.
  exposeGossipPorts: true
  join:
    - 'hosts'
connectInject:
  enabled: false
externalServers:
  enabled: true
  hosts:
    - 'hosts'
syncCatalog:
  enabled: true
  toConsul: true
  toK8S: false