applying feedback on rc admin partition documentation

This commit is contained in:
trujillo-adam 2021-12-14 11:28:38 -08:00
parent 55d482d006
commit 28d5df03ad
1 changed files with 13 additions and 7 deletions

@ -22,7 +22,7 @@ Admin partitions exist a level above namespaces in the identity hierarchy. They
### Default Admin Partition
Each Consul cluster will have a default admin partition (named `default`). The `default` admin partition is special because it may contain namespaces and other entities that are replicated between datacenters. The `default` partition must also contain the Consul servers.
Each Consul cluster will have a default admin partition named `default`. The `default` admin partition is special because it can contain namespaces and other resources that are replicated between datacenters. The `default` partition must also contain the Consul servers.
Any resource created without specifying an admin partition will inherit the partition of the ACL token.
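Review bot: The rewritten first sentence of "Default Admin Partition" still uses the future tense ("will have") while the rest of the paragraph moved to present tense ("can contain"). Suggest "Each Consul cluster has a default admin partition named `default`." The unchanged line below it ("will inherit the partition of the ACL token") could get the same treatment, since it describes where a resource lands when no partition is given and readers will rely on it when scoping tokens.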
@ -35,7 +35,7 @@ Names must also begin with a lowercase letter.
### Namespaces
When an admin partition is created, it will include the `default` namespace. You can create additional namespaces within the partition. Resources created within a namespace will be inherited by the partition.
When an admin partition is created, it will include the `default` namespace. You can create additional namespaces within the partition. Resources created within a namespace are not shared across partitions.
### Cross-datacenter Replication
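Review bot: The new last sentence under "Namespaces" reverses the meaning of the old one ("will be inherited by the partition" becomes "are not shared across partitions") and is now stated as an absolute, but the same page has a "Cross-partition Networking" section. Readers will treat this sentence as an isolation guarantee, so either qualify it (for example "are not shared across partitions by default") if that matches the product behavior, or link to the cross-partition section so the two statements do not appear to contradict each other.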
@ -47,7 +47,7 @@ Client agents will be configured to operate within a specific admin partition. T
### Service Mesh Configurations
Values specified for [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) and [`mesh`](/docs/connect/config-entries/mesh) configurations are scoped to a specific partition. Services registered in the partition will use the partition's `proxy-defaults` and `mesh` values.
The partition in which [`proxy-defaults`](/docs/connect/config-entries/proxy-defaults) and [`mesh`](/docs/connect/config-entries/mesh) configurations are created define the scope of the configurations. Services registered in a partition will use the `proxy-defaults` and `mesh` configurations that have been created in the partition.
### Cross-partition Networking
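Review bot: Subject-verb agreement in the new first sentence under "Service Mesh Configurations": the subject is "The partition", so "define the scope" should be "defines the scope". The sentence is also hard to parse with two links between subject and verb; consider "The `proxy-defaults` and `mesh` configurations are scoped to the partition in which they are created." The second sentence can then drop "that have been created in the partition" in favor of "from that partition".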
@ -66,7 +66,7 @@ Your Consul configuration must meet the following requirements to use admin part
* The agent token used by the client agent must allow `node:write` in the admin partition.
* The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information.
* The `write` permissions for ingress and terminating gateways require `mesh:write` privileges.
* Wildcards (`*`) are not supported when creating intentions for admin partitions. The partition name must be explicitly specified.
* Wildcards (`*`) are not supported for the partitions field when creating intentions for admin partitions. The partition name must be explicitly specified.
* With the exception of the `default` admin partition, ACL rules configured for admin partitions are isolated, so policies defined in partitions outside of the `default` partition can only reference their local partition.
### Agent Configurations
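Review bot: In the new wildcard bullet, "the partitions field" is not identified. Put the exact field name in backticks as it appears in the intention configuration, so readers know which key rejects `*`. The phrase "when creating intentions for admin partitions" is also ambiguous, since intentions are created for services; something like "when creating intentions that reference admin partitions" would read more clearly if that is the intent.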
@ -84,7 +84,7 @@ One of the primary use cases for admin partitions is for enabling a service mesh
* Two or more Kubernetes clusters. Consul servers must be deployed to a single cluster. The other clusters should run Consul clients.
* A Consul Enterprise license must be installed on each Kubernetes cluster.
* The helm chart for consul-k8s v0.34.1 or greater.
* The helm chart for consul-k8s v0.38.0 or greater.
* Consul 1.11.0-ent or greater.
* All Consul clients must be able to communicate with the Consul servers in the `default` partition, and all servers must be able to communicate with the clients.
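Review bot: The changed requirement raises the minimum consul-k8s chart from v0.34.1 to v0.38.0 without saying why. If the examples later in this page depend on values that only exist from v0.38.0, say so here or in the commit message so that users on an older chart understand that the examples will not apply as written. Minor style point on the same line: "helm" should be capitalized as "Helm".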
@ -118,7 +118,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
enableConsulNamespaces: true
tls:
enabled: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3
image: hashicorp/consul-enterprise:1.11.0-ent-rc
adminPartitions:
enabled: true
acls:
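Review bot: The new `image:` value pins a pre-release tag, `hashicorp/consul-enterprise:1.11.0-ent-rc`, while the requirements list says "Consul 1.11.0-ent or greater". Users copy these values verbatim, so the example should either use the release tag once it exists or carry a short note that the tag is a release candidate and must be replaced. The old tag had a numeric suffix (`beta3`) and the new one does not; please confirm the tag is published exactly as written.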
@ -137,6 +137,9 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
meshGateway:
enabled: true
replicas: 1
dns:
enabled: true
enableRedirection: true
```
</CodeBlockConfig>
</CodeTabs>
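Review bot: The added `dns` block (`enabled: true`, `enableRedirection: true`) appears in the example values with no accompanying prose, here and again in the client values further down. Add a sentence near the examples explaining what DNS redirection does in this setup and whether it is required for admin partitions or only recommended, so readers can decide whether to keep it when adapting the file.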
@ -191,7 +194,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
global:
enabled: false
enableConsulNamespaces: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3
image: hashicorp/consul-enterprise:1.11.0-ent-rc
adminPartitions:
enabled: true
name: clients
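Review bot: The `image:` tag in the client values is maintained separately from the one in the server values, so the two can drift on the next update. Consider stating next to the examples that the server and client clusters must use the same Consul image, so a reader who edits one file knows to edit the other.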
@ -229,6 +232,9 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
meshGateway:
enabled: true
replicas: 1
dns:
enabled: true
enableRedirection: true
```
</CodeBlockConfig>
</CodeTabs>