Consul
Service intentions configuration reference
This topic provides reference information for the service intentions configuration entry. Intentions are configurations for controlling access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more L4 traffic sources, L7 traffic sources, or combination of traffic sources. Refer to Service mesh intentions overview for additional information.
Configuration model
The following outline shows how to format the service intentions configuration entry. Click on a property name to view details about the configuration.
Kind
: string | required | must be set toservice-intentions
Name
: string | requiredNamespace
: string |default
| EnterprisePartition
: string |default
| EnterpriseMeta
: mapJWT
: mapProviders
: list of mapsName
: stringVerifyClaims
: list of maps
Sources
: list | no defaultName
: string | no defaultPeer
: string | no defaultNamespace
: string | no default | EnterprisePartition
: string | no default | EnterpriseSamenessGroup
: string | no default | EnterpriseAction
: string | no default | required for L4 intentionsPermissions
: list | no defaultPrecedence
: numberType
: string |consul
Description
: stringLegacyID
: stringLegacyMeta
: mapLegacyCreateTime
: stringLegacyUpdateTime
: string
Complete configuration
When every field is defined, a service intentions configuration entry has the following form:
Kind = "service-intentions"
Name = "<name of destination service>"
Namespace = "<destination namespace>" # string
Partition = "<destination partition>" # string
Meta = {
"<key-1>" = "<value-1>"
"<key-2>" = "<value-2>"
}
JWT = {
Providers = [
{
Name = "<JWT-provider-name>"
VerifyClaims = [
{
Path = ["<claim>"]
Value = "<api.apps.organization.com>"
}
]
}
]
}
Sources = [
{
Name = "<name of service sending traffic>" # string
Peer = "<name of cluster containing source service>" # string
Namespace = "<namespace containing source service>" # string
Partition = "<sources-partition>" # string
SamenessGroup = "<group-name>" # string
Action = "allow" or "deny" # string for L4 intentions
Permissions = [
{
Action = "allow" or "deny" # string for L7 intentions
HTTP = {
PathExact = "<exact path to match>" # string
PathPrefix = "<path prefix to match>" # string
PathRegex = "<regex pattern to match>" # string
Methods = [
"<fist http method to match>", # string
"<second http method to match>"
]
Header = [
{
Name = "<http header name>" # string
Present = <true or false> # boolean
Invert = <true or false> # boolean
},
{
Name = "<http header name>" # string
Exact = "<header-value>" # boolean
IgnoreCase = <true or false> # boolean
Invert = <true or false> # boolean
},
{
Name = "<http header name>" # string
Prefix = "<source header value prefix>" # string
IgnoreCase = <true or false> # boolean
Invert = <true or false> # boolean
},
{
Name = "<http header name>" # string
Suffix = "<source header value suffix>" # string
IgnoreCase = <true or false> # boolean
Invert = <true or false> # boolean
},
{
Name = "<http header name>" # string
Contains = "<value to search for>" # string
IgnoreCase = <true or false> # boolean
Invert = <true or false> # boolean
},
{
Name = "<http header name>" # string
Regex = "<regex pattern to match>" # string
Invert = <true or false> # boolean
}
]
}
}
]
Type = "consul" # string
Description = "<description for API responses>" # string
Precedence = <read-only> # number
LegacyID = <read-only> # string
LegacyMeta = <read-only> # string
LegacyCreateTime = <read-only> # string
LegacyUpdateTime = <read-only> # string
}
]
Specification
This section provides details about the fields you can configure in the service intentions configuration entry.
Kind
Specifies the type of configuration entry to implement. Must be set to service-intentions
.
Values
- Default: None
- This field is required.
- Data type: String value that must be set to
service-intentions
.
Name
Specifies a name of the destination service for all intentions defined in the configuration entry.
Values
- Default: Defaults to the name of the node after writing the entry to the Consul server.
- This field is required.
- Data type: String
You can also specify a wildcard character (*
) to match all services without intentions. Intentions that are applied with a wildcard, however, are not supported when defining L7 Permissions
.
Namespace
Enterprise
Specifies the namespace that the configuration entry applies to. Services in the namespace are the traffic destinations that the intentions allow or deny traffic to.
Values
- Default:
default
- Data type: String
You can also specify a wildcard character (*
) to match all namespaces. Intentions that are applied with a wildcard, however, are not supported when defining L7 Permissions
.
Partition
Enterprise
Specifies the admin partition to apply the configuration entry. Services in the specified partition are the traffic destinations that the intentions allow or deny traffic to.
Values
- Default:
default
- Data type: String
Meta
Specifies key-value pairs to add to the KV store when the configuration entry is evaluated.
Values
- Default: None
- Data type: Map of one or more key-value pairs
- keys: String
- values: String, integer, or float
JWT
Specifies a JSON Web Token provider configured in a JWT provider configuration entry, as well as additional configurations for verifying a service's JWT before authorizing communication between services
Values
- Default: None
- Data type: Map that contains
JWT{}.Providers
JWT{}.Providers
Specifies the names of one or more previously configured JWT provider configuration entries, which include the information necessary to validate a JSON web token.
Values
- Default: None
- Data type: List of maps
JWT{}.Providers[].Name
Specifies the name of a JWT provider defined in the Name
field of the jwt-provider
configuration entry. You must write the JWT Provider to Consul before referencing it in a service intention.
Values
- Default: None
- Data type: String
JWT{}.Providers[].VerifyClaims
Specifies additional token information to verify beyond what is configured in the JWT provider configuration entry. This map takes the form of a JSON web token claim and a value to match for verification.
Values
JWT{}.Providers[].VerifyClaims[].Path
Specifies the path to the claim in the JSON web token. For more information about JWT claims, refer to the IETF standards documentation.
Values
- Default: None
- Data type: List of strings
JWT{}.Providers[].VerifyClaims.Value
Specifies the value to match on when verifying the claim designated in JWT{}.Providers[].VerifyClaims[].Path
.
Values
- Default: None
- Data type: String
Sources[]
List of configurations that define intention sources and the authorization granted to the sources. You can specify source configurations in any order, but Consul stores and evaluates them in order of reverse precedence at runtime. Refer to Precedence
for additional information.
Values
- Default: None
- List of objects that contain the following fields:
Name
Peer
Namespace
EnterprisePartition
EnterpriseSamenessGroup
EnterpriseAction
Permissions
Precedence
Type
Description
LegacyID
LegacyMeta
LegacyCreateTime
LegacyUpdateTime
Sources[].Name
Specifies the name of the source that the intention allows or denies traffic from. If Type
is set to consul
, then the value refers to the name of a Consul service. The source is not required to be registered into the Consul catalog.
Values
- Default: None
- This field is required.
- Data type: String
Sources[].Peer
Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to Cluster peering overview for additional information about peers.
The Peer
and Partition
fields are mutually exclusive.
Values
- Default: None
- Data type: String
Sources[].Namespace
Enterprise
Specifies the traffic source namespace that the intention allows or denies traffic from.
Values
Sources[].Partition
Enterprise
Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to Admin Partitions for additional information about partitions.
The Peer
and Partition
fields are mutually exclusive.
Values
Sources[].SamenessGroup
Enterprise
Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to create sameness groups for additional information.
Values
- Default: None
- Data type: string
Sources[].Action
Specifies the action to take when the source sends traffic to the destination service. The value is either allow
or deny
. Do not configure this field to apply L7 intentions to the same source. Configure the Permissions
field instead.
Values
- Default: None
- This field is required for L4 intentions.
- Data type: String value set to either
allow
ordeny
Refer to the following examples for additional guidance:
- L4 Intentions for specific sources and destinations
- L4 intentions for all destinations
- L4 intentions for all sources
- L4 and L7
Sources[].Permissions[]
Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action.
Consul applies permissions in the order specified in the configuration. Beginning at the top of the list, Consul applies the first matching request and stops evaluating against the remaining configurations.
For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the acl_default_policy
configuration.
Do not configure this field for L4 intentions. Use the Sources.Action
parameter instead.
The Permissions
only applies to services with a compatible protocol. Permissions
are not supported when the Name
or Namespace
field is configured with a wildcard because service instances or services in a namespace may use different protocols.
Values
Refer to the following examples for additional guidance:
Sources[].Permissions[].Action
Specifies the action to take when the source sends traffic to the destination service. The value is either allow
or deny
.
Values
- Default: None
- This field is required.
- Data type: String value set to either
allow
ordeny
.
Sources[].Permissions[].HTTP
Specifies a set of HTTP-specific match criteria. Consul applies the action defined in the Action
field to source traffic that matches the criteria.
Values
- Default: None
- This field is required.
- Data type: Map
The following table describes the parameters that the HTTP map may contain:
Parameter | Description | Data type | Default |
---|---|---|---|
PathExact | Specifies an exact path to match on the HTTP request path. Do not specify PathExact if PathPrefix or PathRegex are configured in the same HTTP configuration. | string | none |
PathPrefix | Specifies a path prefix to match on the HTTP request path. Do not specify PathPrefix if PathExact or PathRegex are configured in the same HTTP configuration. | string | none |
PathRegex | Defines a regular expression to match on the HTTP request path. Do not specify PathRegex if PathExact or PathPrefix are configured in the same HTTP configuration. The regex syntax is proxy-specific. If using Envoy, refer to the re2 documentation for details. | string | none |
Methods | Specifies a list of HTTP methods. Consul applies the permission if a request matches the PathExact , PathPrefix , PathRegex , or Header , and the source sent the request using one of the specified methods. Refer to the Mozilla documentation for a list of supported request headers. | list | All request methods |
Header | Specifies a header name and matching criteria for HTTP request headers. Refer to Sources[].Permissions[].HTTP[].Header for details. | list of maps | none |
Sources[].Permissions[].HTTP[].Header[]
Specifies a header name and matching criteria for HTTP request headers. The request header must match all specified criteria for the permission to apply.
Values
- Default: None
- Data type: list of objects
Each member of the Header
list is a map that contains a Name
field and at least one match criterion. The following table describes the parameters that each member of the Header
list may contain:
Parameter | Description | Data type | Required |
---|---|---|---|
Name | Specifies the name of the header to match. | string | required |
Present | Enables a match if the header configured in the Name field appears in the request. Consul matches on any value as long as the header key appears in the request. Do not specify Present if Exact , Prefix , Suffix , or Regex are configured in the same Header configuration. | boolean | optional |
Exact | Specifies a value for the header key set in the Name field. If the request header value matches the Exact value, Consul applies the permission. Do not specify Exact if Present , Prefix , Suffix , or Regex are configured in the same Header configuration. | string | optional |
Prefix | Specifies a prefix value for the header key set in the Name field. If the request header value starts with the Prefix value, Consul applies the permission. Do not specify Prefix if Present , Exact , Suffix , or Regex are configured in the same Header configuration. | string | optional |
Suffix | Specifies a suffix value for the header key set in the Name field. If the request header value ends with the Suffix value, Consul applies the permission. Do not specify Suffix if Present , Exact , Prefix , or Regex are configured in the same Header configuration. | string | optional |
Contains | Specifies a contains value for the header key set in the Name field. If the request header value includes the Contains value, Consul applies the permission. Do not specify Contains if Present , Exact , Prefix , Suffix , or Regex are configured in the same header configuration. | string | optional |
Regex | Specifies a regular expression pattern as the value for the header key set in the Name field. If the request header value matches the regex, Consul applies the permission. Do not specify Regex if Present , Exact , Prefix , Suffix , or Contains are configured in the same Header configuration. The regex syntax is proxy-specific. If using Envoy, refer to the re2 documentation for details. | string | optional |
IgnoreCase | Ignores the case of the provided header value when matching with Exact , Prefix , Suffix , or Contains . Default is false . | boolean | optional |
Invert | Inverts the matching logic configured in the Header . Default is false . | boolean | optional |
Sources[].Precedence
The Precedence
field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services. Refer to Precedence and matching order for additional information.
Sources[].Type
Specifies the type of destination service that the configuration entry applies to. The only value supported is consul
.
Values
- Default:
consul
- Data type: String
Sources[].Description
Specifies a description of the intention. Consul presents the description in API responses to assist other tools integrated into the network.
Values
- Default: None
- Data type: String
Sources[].LegacyID
Read-only unique user ID (UUID) for the intention in the system. Consul generates the value and exposes it in the configuration entry so that legacy API endpoints continue to function. Refer to Read Specific Intention by ID for additional information.
Sources[].LegacyMeta
Read-only set of arbitrary key-value pairs to attach to the intention. Consul generates the metadata and exposes it in the configuration entry so that legacy intention API endpoints continue to function. Refer to Read Specific Intention by ID for additional information.
Sources[].CreateTime
Read-only timestamp for the intention creation. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to Read Specific Intention by ID for additional information.
Sources[].LegacyUpdateTime
Read-only timestamp marking the most recent intention update. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to Read Specific Intention by ID for additional information.
Examples
The following examples demonstrate potential use-cases for the service intentions configuration entry.
L4 Intentions for specific sources and destinations
The following example configuration entry specifies an L4 intention that denies traffic from web
to db
service instances, but allows traffic from api
to db
.
Kind = "service-intentions"
Name = "db"
Sources = [
{
Name = "web"
Action = "deny"
},
{
Name = "api"
Action = "allow"
}
]
L4 intentions for all destinations
In the following L4 example, the destination is configured with a *
wildcard. As a result, traffic from web
service instances is denied for any service in the datacenter.
Kind = "service-intentions"
Name = "*"
Sources = [
{
Name = "web"
Action = "deny"
}
]
L4 intentions for all sources
In the following L4 example, the source is configured with a *
wildcard. As a result, traffic from any service is denied to db
service instances.
Kind = "service-intentions"
Name = "db"
Sources = [
{
Name = "*"
Action = "deny"
}
]
REST access
In the following example, the admin-dashboard
and report-generator
services have different levels of access when making REST calls:
Kind = "service-intentions"
Name = "api"
Sources = [
{
Name = "admin-dashboard"
Permissions = [
{
Action = "allow"
HTTP {
PathPrefix = "/v2"
Methods = ["GET", "PUT", "POST", "DELETE", "HEAD"]
}
}
]
},
{
Name = "report-generator"
Permissions = [
{
Action = "allow"
HTTP {
PathPrefix = "/v2/widgets"
Methods = ["GET"]
}
}
]
}
# NOTE: a default catch-all based on the default ACL policy will apply to
# unmatched connections and requests. Typically this will be DENY.
]
gRPC
In the following example, Consul denies requests from frontend-web
to the IssueRefund
gRPC service.
Because gRPC method calls use the HTTP/2 protocol, you can apply an HTTP path-matching rule to control traffic:
Kind = "service-intentions"
Name = "billing"
Sources = [
{
Name = "frontend-web"
Permissions = [
# The frontend website can execute all billing service methods except
# issuing refunds.
{
Action = "deny"
HTTP {
PathExact = "/mycompany.BillingService/IssueRefund"
}
},
{
Action = "allow"
HTTP {
PathPrefix = "/mycompany.BillingService/"
}
}
]
},
{
Name = "support-portal"
Permissions = [
# But the support team portal page can execute all methods.
{
Action = "allow"
HTTP {
PathPrefix = "/mycompany.BillingService/"
}
}
]
}
# A default catch-all based on the default ACL policy applies to
# unmatched connections and requests. This is typically DENY.
]
L4 and L7
In the following example, Consul enforces application layer intentions that deny requests to api
from hackathon-project
but allow requests from web
. In the same configuration entry, Consul enforces network layer intentions that allow requests from nightly-reconciler
that send POST
requests to the /v1/reconcile-data
HTTP endpoint:
Kind = "service-intentions"
Name = "api"
Sources = [
{
Name = "hackathon-project"
Action = "deny"
},
{
Name = "web"
Action = "allow"
},
{
Name = "nightly-reconciler"
Permissions = [
{
Action = "allow"
HTTP {
PathExact = "/v1/reconcile-data"
Methods = ["POST"]
}
}
]
},
# A default catch-all based on the default ACL policy applies to
# unmatched connections and requests. This is typically DENY.
]
Cluster peering
When using cluster peering connections, intentions secure your deployments with authorized service-to-service communication between remote datacenters. In the following example, the service intentions configuration entry authorizes the backend-service
to communicate with the frontend-service
that is hosted on remote peer cluster-02
:
Kind = "service-intentions"
Name = "backend-service"
Sources = [
{
Name = "frontend-service"
Peer = "cluster-02"
Action = "allow"
}
]
JWT validation with intentions
The following example configures a service intention that evaluates requests when a service named backend
receives a request from the frontend
service. When the request is sent to the /admin
HTTP path, a JSON Web Token provided by Okta is evaluated. In addition to the validation requirements in a separate JWT provider configuration entry, an additional check occurs to confirm that the token has either a perms
or role
claim with the admin
value. If it does, the request is authorized.
Because the intention allows requests that come from the /
HTTP path, only requests on the /admin
path are subject to token validation.
Kind = "service-intentions"
Name = "backend"
Sources = [
{
Name = "frontend"
Permissions = [
{
HTTP = {
PathExact = "/admin"
}
JWT = {
Providers = [
{
Name = "okta"
VerifyClaims = [
{
Path = ["perms", "role"]
Value = "admin"
}
]
}
]
}
},
{
Action = "allow"
HTTP = {
PathPrefix = "/"
}
}
]
}
]