Merge pull request #10725 from hashicorp/banks-patch-3
Call out the incompatibility of wildcards and L7 permissions
This commit is contained in:
commit
05c8387891
|
@ -355,7 +355,7 @@ spec:
|
|||
{
|
||||
name: 'Name',
|
||||
description:
|
||||
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.",
|
||||
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
|
||||
type: 'string: <required>',
|
||||
yaml: false,
|
||||
},
|
||||
|
@ -364,7 +364,7 @@ spec:
|
|||
type: `string: "default"`,
|
||||
enterprise: true,
|
||||
description:
|
||||
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined.",
|
||||
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
|
||||
yaml: false,
|
||||
},
|
||||
{
|
||||
|
@ -398,7 +398,7 @@ spec:
|
|||
hcl: false,
|
||||
type: 'string: <required>',
|
||||
description:
|
||||
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.",
|
||||
"The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
|
||||
},
|
||||
{
|
||||
name: 'namespace',
|
||||
|
@ -406,7 +406,7 @@ spec:
|
|||
enterprise: true,
|
||||
type: 'string: <optional>',
|
||||
description:
|
||||
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details.",
|
||||
"Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
|
||||
},
|
||||
],
|
||||
},
|
||||
|
@ -470,7 +470,9 @@ spec:
|
|||
provided permissions in this intention will be subject to the default
|
||||
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
|
||||
This should be omitted for an L4 intention as it is mutually exclusive with
|
||||
the \`Action\` field.`,
|
||||
the \`Action\` field.<br><br>
|
||||
Setting \`Permissions\` is not valid if a wildcard is used for the \`Name\` or \`Namespace\` because they can only be
|
||||
applied to services with a compatible protocol.`,
|
||||
yaml: `The list of all [additional L7 attributes](#intentionpermission) that extend the intention match criteria.<br><br>
|
||||
Permission precedence is applied top to bottom. For any given request the
|
||||
first permission to match in the list is terminal and stops further
|
||||
|
@ -478,7 +480,9 @@ spec:
|
|||
provided permissions in this intention will be subject to the default
|
||||
intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
|
||||
This should be omitted for an L4 intention as it is mutually exclusive with
|
||||
the \`action\` field.`,
|
||||
the \`action\` field.<br><br>
|
||||
Setting \`permissions\` is not valid if a wildcard is used for the \`spec.destination.name\` or \`spec.destination.namespace\`
|
||||
because they can only be applied to services with a compatible protocol.`,
|
||||
},
|
||||
},
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue