Apply suggestions from code review

Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
trujillo-adam 2021-12-14 11:51:34 -08:00 committed by GitHub
parent 9440677f31
commit d676e5803f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -22,7 +22,7 @@ Admin partitions exist a level above namespaces in the identity hierarchy. They
### Default Admin Partition ### Default Admin Partition
Each Consul cluster will have a default admin partition (named `default`). The `default` admin partition is special because it may contain namespaces and other entities that are replicated between datacenters. The `default` partition must also contain the Consul servers. Each Consul cluster will have a default admin partition (named `default`). The `default` admin partition is special because it can contain namespaces and other resources that are replicated between datacenters. The `default` partition must also contain the Consul servers.
Any resource created without specifying an admin partition will inherit the partition of the ACL token. Any resource created without specifying an admin partition will inherit the partition of the ACL token.
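Review bot: The reworded sentence under "Default Admin Partition" now uses present tense ("can contain"), but the sentences around it still use future tense ("will have a default admin partition", "will inherit the partition of the ACL token"). Consider "has" and "inherits" so the paragraph reads consistently. The last context line is also worth tightening while this section is open: it says a resource inherits "the partition of the ACL token" without saying which token, and since that sentence decides where an unscoped write lands, naming it as the token used for the request would remove the ambiguity.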
@ -66,7 +66,7 @@ Your Consul configuration must meet the following requirements to use admin part
* The agent token used by the client agent must allow `node:write` in the admin partition. * The agent token used by the client agent must allow `node:write` in the admin partition.
* The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information. * The `write` permission for `proxy-defaults` requires `mesh:write`. See [Admin Partition Rules](/docs/security/acl/acl-rules#admin-partition-rules) for additional information.
* The `write` permissions for ingress and terminating gateways require `mesh:write` privileges. * The `write` permissions for ingress and terminating gateways require `mesh:write` privileges.
* Wildcards (`*`) are not supported when creating intentions for admin partitions. The partition name must be explicitly specified. * Wildcards (`*`) are not supported for the partition field when creating intentions for admin partitions. The partition name must be explicitly specified.
* With the exception of the `default` admin partition, ACL rules configured for admin partitions are isolated, so policies defined in partitions outside of the `default` partition can only reference their local partition. * With the exception of the `default` admin partition, ACL rules configured for admin partitions are isolated, so policies defined in partitions outside of the `default` partition can only reference their local partition.
### Agent Configurations ### Agent Configurations
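Review bot: The wildcard bullet now limits the restriction to "the partition field" but does not say what still applies to the other intention fields. A reader can reasonably infer that `*` remains valid for namespace and service name, so if that is the intent, state it explicitly; if not, list the fields where it is rejected. Separately, the two neighbouring bullets phrase the same requirement differently ("requires `mesh:write`" and "require `mesh:write` privileges"); pick one form.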
@ -84,7 +84,7 @@ One of the primary use cases for admin partitions is for enabling a service mesh
* Two or more Kubernetes clusters. Consul servers must be deployed to a single cluster. The other clusters should run Consul clients. * Two or more Kubernetes clusters. Consul servers must be deployed to a single cluster. The other clusters should run Consul clients.
* A Consul Enterprise license must be installed on each Kubernetes cluster. * A Consul Enterprise license must be installed on each Kubernetes cluster.
* The helm chart for consul-k8s v0.34.1 or greater. * The helm chart for consul-k8s v0.38.0 or greater.
* Consul 1.11.0-ent or greater. * Consul 1.11.0-ent or greater.
* All Consul clients must be able to communicate with the Consul servers in the `default` partition, and all servers must be able to communicate with the clients. * All Consul clients must be able to communicate with the Consul servers in the `default` partition, and all servers must be able to communicate with the clients.
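Review bot: The bumped requirement line still reads "The helm chart for consul-k8s"; Helm is a product name and should be capitalized. The minimum also jumps from v0.34.1 to v0.38.0 with nothing in the list saying which feature needs the newer chart, so a short note on what v0.38.0 introduces would help readers who are pinned to an older chart decide whether they must upgrade.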
@ -118,7 +118,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
enableConsulNamespaces: true enableConsulNamespaces: true
tls: tls:
enabled: true enabled: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3 image: hashicorp/consul-enterprise:1.11.0-ent-rc
adminPartitions: adminPartitions:
enabled: true enabled: true
acls: acls:
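Review bot: The server values example pins `image: hashicorp/consul-enterprise:1.11.0-ent-rc`, a release-candidate tag, while the requirements list earlier on the page says "Consul 1.11.0-ent or greater". An `-rc` build does not satisfy that stated minimum, and example values tend to be copied into real deployments unchanged. Suggest either using the GA tag once it is published or adding a line next to the example saying the tag is a pre-release and should be replaced.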
@ -137,6 +137,9 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
meshGateway: meshGateway:
enabled: true enabled: true
replicas: 1 replicas: 1
dns:
enabled: true
enableRedirection: true
``` ```
</CodeBlockConfig> </CodeBlockConfig>
</CodeTabs> </CodeTabs>
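Review bot: The added `dns` block (`enabled: true`, `enableRedirection: true`) at the end of the server values has no accompanying explanation in the visible prose. Readers cannot tell whether DNS redirection is required for admin partitions to work or is an optional convenience, and it changes name resolution for workloads in the cluster. Add a sentence before the code block stating what `enableRedirection` does and whether it can be omitted.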
@ -191,7 +194,7 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
global: global:
enabled: false enabled: false
enableConsulNamespaces: true enableConsulNamespaces: true
image: hashicorp/consul-enterprise:1.11.0-ent-beta3 image: hashicorp/consul-enterprise:1.11.0-ent-rc
adminPartitions: adminPartitions:
enabled: true enabled: true
name: clients name: clients
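Review bot: The client values example hard-codes the same `1.11.0-ent-rc` image tag as the server example, so the tag now has to be kept in step in two places. Consider stating once, ahead of both examples, which image version is expected and whether the client cluster needs to run the same version as the servers, so a later bump to the GA tag does not leave the two blocks out of sync.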
@ -229,6 +232,9 @@ Verify that your Consul deployment meets the [Kubernetes Requirements](#kubernet
meshGateway: meshGateway:
enabled: true enabled: true
replicas: 1 replicas: 1
dns:
enabled: true
enableRedirection: true
``` ```
</CodeBlockConfig> </CodeBlockConfig>
</CodeTabs> </CodeTabs>
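Review bot: The `dns` block added to the client values is identical to the one added to the server values, but this file sets `global.enabled: false` near the top. It is not clear from the page whether `dns.enabled: true` is needed in both clusters or only where workloads resolve Consul names. Say which clusters need it, and confirm the block still applies when `global.enabled` is `false`.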