Hello, I’m currently doing some basic connectivity testing of the consul mesh v1.13.2
, before we start the implementation in our project. My test scenario is the following:
Given I have the following services running:
- service-a (ubuntu, meshed)
- service-b (ubuntu, not meshed)
- service-c (hashicorp/http-echo, meshed)
- service-d (hashicorp/http-echo/ not meshed)
Note:
- all meshed services are running transparent proxy
-
dev
ns has the following metadata:
apiVersion: v1
kind: Namespace
metadata:
labels:
consul.hashicorp.com/connect-inject: enabled
consul.hashicorp.com/transparent-proxy: "true"
kubernetes.io/metadata.name: dev
name: dev
The following deployments & services are present in the dev
namespace:
k -n dev get pods
NAME READY STATUS RESTARTS AGE
service-a-6898c564bc-55lbd 2/2 Running 0 17h
service-b-b6c4679d4-pq595 1/1 Running 0 17h
service-c-859d9d8678-jjm8f 2/2 Running 0 17h
service-c-859d9d8678-mz8nh 2/2 Running 0 17h
service-d-7f4494b8f6-ddjd2 1/1 Running 0 20h
service-d-7f4494b8f6-tkp5k 1/1 Running 0 20h
❯ k -n dev get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-a-svc ClusterIP 10.0.244.34 <none> 5678/TCP 2d19h
service-b-svc ClusterIP 10.0.14.106 <none> 5678/TCP 2d21h
service-c-svc ClusterIP 10.0.176.237 <none> 5678/TCP 2d21h
service-d-svc ClusterIP 10.0.210.43 <none> 5678/TCP 20h
And I have the following service intentions defined:
❯ k -n consul exec -it consul-server-0 consul -- consul intention match -source service-a-svc
* => * (allow)
When I try to call D from B (both outside of the mesh):
❯ k -n dev exec -it service-b-b6c4679d4-pq595 -- bash
root@service-b-b6c4679d4-pq595:/# curl http://service-d-svc
Action: Deny. Reason: No rule matched. Proceeding with default action
root@service-b-b6c4679d4-pq595:/# curl http://service-d-svc.dev.svc.cluster.local
Action: Deny. Reason: No rule matched. Proceeding with default action.
Then:
- I’m getting blocked, while calling D from B, despite the fact that
* => * (allow)
is in effect - Service intentions do not appear to have an effect, in all other cases, when setting them via consul UI
- Service intentions do not appear to have an effect in all other cases, when setting them via
kubectl
as CRDs (dev
namespace, same as the services)
Can anyone explain those phenomenons to me? It seems as if I’ve missed something simple.