website: clarify that modifying intentions will not kill the conn
This commit is contained in:
Mitchell Hashimoto
Jack Pearkes
parent
bf27d1ada2
commit
9509de1de6
|
|
@ -44,6 +44,11 @@ The intention above is a deny intention with a source of "web" and
|
|||
destination of "db". This says that connections from web to db are not
|
||||
allowed and the connection will be rejected.
|
||||
|
||||
When an intention is modified, existing connections will not be affected.
|
||||
This means that changing a connection from "allow" to "deny" today
|
||||
_will not_ kill the connection. Addressing this shortcoming is on
|
||||
the near term roadmap for Consul.
|
||||
|
||||
### Wildcard Intentions
|
||||
|
||||
An intention source or destination may also be the special wildcard
|
||||
|
|
@ -156,5 +161,5 @@ for registered services.
|
|||
Because all the intention data is cached locally, the agents can fail static.
|
||||
Even if the agents are severed completely from the Consul servers, inbound
|
||||
connection authorization continues to work for a configured amount of time.
|
||||
Changes to intentions will not be picked up until the partition heals, but
|
||||
Changes to intentions will not be picked up until the partition heals, but
|
||||
will then automatically take effect when connectivity is restored.
|
||||
|
|
|
|||
|
|
@ -185,6 +185,11 @@ connection again. Intentions allow services to be segmented via a centralized
|
|||
control plane (Consul). To learn more, read the reference documentation on
|
||||
[intentions](/docs/connect/intentions.html).
|
||||
|
||||
Note that in the current release of Consul, changing intentions will not
|
||||
affect existing connections. Therefore, you must establish a new connection
|
||||
to see the effects of a changed intention. This will be addressed in the near
|
||||
term in a future version of Consul.
|
||||
|
||||
## Next Steps
|
||||
|
||||
We've now configured a service on a single agent and used Connect for
|
||||
|
|
|
|||
Loading…
Reference in New Issue