Merge pull request #10725 from hashicorp/banks-patch-3

Call out the incompatibility of wildcards and L7 permissions
2021-09-28 13:51:41 +01:00 · 2021-09-28 13:51:41 +01:00 · 05c8387891
parent 208389f5ad b9dd859c6d
commit 05c8387891
1 changed files with 10 additions and 6 deletions
--- a/website/content/docs/connect/config-entries/service-intentions.mdx
+++ b/website/content/docs/connect/config-entries/service-intentions.mdx
@ -355,7 +355,7 @@ spec:
    {
      name: 'Name',
      description:
-        "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.",
+        "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
      type: 'string: <required>',
      yaml: false,
    },
@ -364,7 +364,7 @@ spec:
      type: `string: "default"`,
      enterprise: true,
      description:
-        "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined.",
+        "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
      yaml: false,
    },
    {
@ -398,7 +398,7 @@ spec:
          hcl: false,
          type: 'string: <required>',
          description:
-            "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined.",
+            "The name of the destination service for all intentions defined in this config entry. This may be set to the wildcard character (`*`) to match all services that don't otherwise have intentions defined. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
        },
        {
          name: 'namespace',
@ -406,7 +406,7 @@ spec:
          enterprise: true,
          type: 'string: <optional>',
          description:
-            "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details.",
+            "Specifies the namespaces the config entry will apply to. This may be set to the wildcard character (`*`) to match all services in all namespaces that don't otherwise have intentions defined. If not set, the namespace used will depend on the `connectInject.consulNamespaces` configuration. See [ServiceIntentions Special Case (Enterprise)](/docs/k8s/crds#serviceintentions-special-case-enterprise) for more details. Wildcard intentions cannot be used when defining L7 [`Permissions`](/docs/connect/config-entries/service-intentions#permissions).",
        },
      ],
    },
@ -470,7 +470,9 @@ spec:
                      provided permissions in this intention will be subject to the default
                      intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
                      This should be omitted for an L4 intention as it is mutually exclusive with
-                      the \`Action\` field.`,
+                      the \`Action\` field.<br><br>
+                      Setting \`Permissions\` is not valid if a wildcard is used for the \`Name\` or \`Namespace\` because they can only be
+                      applied to services with a compatible protocol.`,
        yaml: `The list of all [additional L7 attributes](#intentionpermission) that extend the intention match criteria.<br><br>
                      Permission precedence is applied top to bottom. For any given request the
                      first permission to match in the list is terminal and stops further
@ -478,7 +480,9 @@ spec:
                      provided permissions in this intention will be subject to the default
                      intention behavior is defined by the default [ACL policy](/docs/agent/options#acl_default_policy).<br><br>
                      This should be omitted for an L4 intention as it is mutually exclusive with
-                      the \`action\` field.`,
+                      the \`action\` field.<br><br>
+                      Setting \`permissions\` is not valid if a wildcard is used for the \`spec.destination.name\` or \`spec.destination.namespace\` 
+                      because they can only be applied to services with a compatible protocol.`,
      },
    },
    {