I have a case where a service stops checking intention rules after 2 times, and then no matter what new intention rules are added or modified, they won’t take effect,
and another case where a service always checks intention rules (I suspect this is the expected behavior).
I checked by tailing the Consul client logs and running grep -i authz, as shown below:
2020-09-04T10:40:01.175Z [DEBUG] agent.envoy: Connect AuthZ ALLOWED: source=spiffe://9a093476-498e-4adb-81b4-74b6126047e3.consul/ns/default/dc/us-east-1/svc/staging-test-header-based-routing destination=spiffe://9a093476-498e-4adb-81b4-74b6126047e3.consul/ns/default/dc/us-east-1/svc/user-auth reason="ACLs disabled, access is allowed by default"
2020-09-04T10:40:55.668Z [DEBUG] agent.envoy: Connect AuthZ ALLOWED: source=spiffe://9a093476-498e-4adb-81b4-74b6126047e3.consul/ns/default/dc/us-east-1/svc/userapi destination=spiffe://9a093476-498e-4adb-81b4-74b6126047e3.consul/ns/default/dc/us-east-1/svc/user-auth reason="ACLs disabled, access is allowed by default"
My questions are:
- What is the expected behaviour? Does every service-to-service call always need to check intention rules?
- I can’t find anything different between the two services in terms of Consul annotations. Could anyone help me understand more here?