Service intentions configuration entry reference

This topic provides reference information for the service intentions configuration entry. Intentions are configurations for controlling access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more L4 traffic sources, L7 traffic sources, or combination of traffic sources. Refer to Service mesh intentions overview for additional information.

Configuration model

The following outline shows how to format the service intentions configuration entry. Click on a property name to view details about the configuration.

• Kind: string | required | must be set to service-intentions
• Name: string | required
• Namespace: string | default | EnterpriseEnterprise
• Partition: string | default | EnterpriseEnterprise
• Meta: map
• JWT: map
  • Providers: list of maps
    • Name: string
    • VerifyClaims: list of maps
      • Path: list of strings
      • Value: string

• Sources: list | no default

  • Name: string | no default
  • Peer: string | no default
  • Namespace: string | no default | EnterpriseEnterprise
  • Partition: string | no default | EnterpriseEnterprise
  • SamenessGroup: string | no default | EnterpriseEnterprise
  • Action: string | no default | required for L4 intentions
  • Permissions: list | no default
    • Action: string | no default | required
    • HTTP: map | required
      • PathExact: string
      • PathPrefix: string
      • PathRegex: string
      • Methods: list
      • Header: list of maps
        • Name: string | required
        • Present: boolean | false
        • Exact: string
        • Prefix: string
        • Suffix: string
        • Regex: string
        • Invert: boolean | false
  • Precedence: number
  • Type: string | consul
  • Description: string
  • LegacyID: string
  • LegacyMeta: map
  • LegacyCreateTime: string
  • LegacyUpdateTime: string

• apiVersion: string | must be set to consul.hashicorp.com/v1alpha1

• kind: string | must be set to ServiceIntentions
• metadata: map | required
  • name: string | required
  • namespace: string | default | EnterpriseEnterprise
• spec: map | no default
  • destination: map | no default
    • name: string | required
    • namespace: string | default | EnterpriseEnterprise
  • jwt: map
    • providers: list of maps
      • name: string
      • verifyClaims: list of maps
        • path: list of strings
        • value: string
  • sources: list | no default
    • name: string | no default
    • peer: string | no default
    • namespace: string | no default | EnterpriseEnterprise
    • partition: string | no default | EnterpriseEnterprise
    • samenessGroup: string | no default | EnterpriseEnterprise
    • action: string | no default | required for L4 intentions
    • permissions: list | no default
      • action: string | no default | required
      • http: map | required
        • pathExact: string | no default
        • pathPrefix: string | no default
        • pathRegex: string | no default
        • methods: list | no default
          • header: list of maps |no default
            • name: string | required
            • present: boolean | false
            • exact: string | no default
            • prefix: string | no default
            • suffix: string | no default
            • regex: string | no default
            • invert: boolean | false
    • description: string

Complete configuration

When every field is defined, a service intentions configuration entry has the following form:

Kind =  "service-intentions"
Name = "<name of destination service>"  
Namespace = "<destination namespace>"                    # string
Partition = "<destination partition>"                    # string
Meta = {
  "<key-1>" = "<value-1>"    
  "<key-2>" = "<value-2>"    
  } 
JWT = {
    Providers = [
      {
        Name = "<JWT-provider-name>"
        VerifyClaims = [
            {
                Path = ["<claim>"]
                Value = "<api.apps.organization.com>"
            }
        ]
      }
    ]
}
Sources = [
  {
    Name =  "<name of service sending traffic>"            # string
    Peer =  "<name of cluster containing source service>"  # string
    Namespace = "<namespace containing source service>"    # string
    Partition = "<sources-partition>"                      # string
    SamenessGroup = "<group-name>"                         # string
    Action = "allow" or "deny"                             # string for L4 intentions
    Permissions = [                                        
      {                                                  
        Action = "allow" or "deny"                   # string for L7 intenions
        HTTP =  {                                      
          PathExact =  "<exact path to match>"       # string 
          PathPrefix = "<path prefix to match>"      # string 
          PathRegex = "<regex pattern to match>"     # string 
          Methods = [                    
            "<fist http method to match>",           # string
            "<second http method to match>"
          ]
          Header = [
            {
              Name = "<http header name>"              # string
              Present = <true or false>                # boolean
            },
            {
              Name = "<http header name>"              # string
              Exact = "<header-value>"                 # boolean
            },
            {
              Name = "<http header name>"              # string
              Prefix = "<source header value prefix>"  # string
            },
            {
              Name = "<http header name>"              # string
              Suffix = "<source header value suffix>"  # string
            },
            {
              Name = "<http header name>"              # string
              Regex = "<regex pattern to match>"       # string
              Invert = <true or false>                 # boolean
            }
         ] 
        }
      } 
    ]
    Type = "consul"                                     # string     
    Description = "<description for API responses>"     # string 
    Precedence = <read-only>                            # number
    LegacyID = <read-only>                              # string 
    LegacyMeta = <read-only>                            # string
    LegacyCreateTime = <read-only>                      # string
    LegacyUpdateTime = <read-only>                      # string            
  }
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: <name of destination service>
  namespace: <destination namespace>
spec:
  destination:
    name: <name of destination service>
    namespace: <destination namespace>
  jwt:
    providers:
      name: <JWT-provider-name>
      verifyClaims:
                path: [<aud>]
                value: <api.apps.organization.com>
  sources:
    name: <name of service sending traffic>
    peer: <name of cluster containing source service>
    namespace: <namespace containing source service>
    partition: <sources-partition>
    samenessGroup: <group-name>
    action: allow or deny
    permissions:
    - action: allow or deny
      http:
        pathExact: <exact path to match>
        pathPrefix: <path prefix to match>
        pathRegex: <regex pattern to match>
        methods:
        - <fist http method to match>
          <second http method to match>
      header:
      - name: <http header name>
        present: true
      - name: <http header name>
        exact: false
      - name: <http header name>
        prefix: <source header value prefix>
      - name: <http header name>
        suffix: <source header value suffix>
      - name: <http header name>
        regex: <regex pattern to match>
        invert: false
  description: <description for API responses>

{
   "Kind":"service-intentions",
   "Name":"<name of destination service>",
   "Namespace":"<destination namespace>",
   "Partition":"<destination partition>",
   "Meta":{
      "key-1":"<value-1>",
      "key-2":"<value-2>"
   },
   "JWT": {
    "Providers": [
      {
        "Name": "<JWT-provider-name>",
        "VerifyClaims": [
            {
                "Path": ["<aud>"],
                "Value": "<api.apps.organization.com>"
            }
        ]
      }
    ]
   },
   "Sources":[
      {
         "Name":"<name of service sending traffic>",
         "Peer":"<name of cluster containing source service>",
         "Namespace":"<namespace containing source service>",
         "Partition":"<sources-partition>",
         "SamenessGroup":"<group-name>",
         "Action":"allow or deny",
         "Permissions":[
            {
               "Action":"allow or deny",
               "HTTP":{
                  "PathExact":"<exact path to match>",
                  "PathPrefix":"<path prefix to match>",
                  "PathRegex":"<regex pattern to match>",
                  "Methods":[
                     "<fist http method to match>",
                     "<second http method to match>"
                  ],
                  "Header":[
                     {
                        "Name":"<http header name>",
                        "Present":true
                     },
                     {
                        "Name":"<http header name>",
                        "Exact":false
                     },
                     {
                        "Name":"<http header name>",
                        "Prefix":"<source header value prefix>"
                     },
                     {
                        "Name":"<http header name>",
                        "Suffix":"<source header value suffix>"
                     },
                     {
                        "Name":"<http header name>",
                        "Regex":"<regex pattern to match>",
                        "Invert":false
                     }
                  ]
               }
            }
         ],
         "Type":"consul",
         "Description":"<description for API responses>",
         "Precedence":"<read-only-number>",
         "LegacyID":"<read-only-string>",
         "LegacyMeta":"<read-only-string>",
         "LegacyCreateTime":"<read-only-string>",
         "LegacyUpdateTime":"<read-only-string>"
      }
   ]
}

Specification

This section provides details about the fields you can configure in the service intentions configuration entry.

Kind

Specifies the type of configuration entry to implement. Must be set to service-intentions.

Values

• Default: None
• This field is required.
• Data type: String value that must be set to service-intentions.

Name

Specifies a name of the destination service for all intentions defined in the configuration entry.

Values

• Default: Defaults to the name of the node after writing the entry to the Consul server.
• This field is required.
• Data type: String

You can also specify a wildcard character (*) to match all services without intentions. Intentions that are applied with a wildcard, however, are not supported when defining L7 Permissions.

Namespace EnterpriseEnterprise

Specifies the namespace that the configuration entry applies to. Services in the namespace are the traffic destinations that the intentions allow or deny traffic to.

Values

• Default: default
• Data type: String

You can also specify a wildcard character (*) to match all namespaces. Intentions that are applied with a wildcard, however, are not supported when defining L7 Permissions.

Partition EnterpriseEnterprise

Specifies the admin partition to apply the configuration entry. Services in the specified partition are the traffic destinations that the intentions allow or deny traffic to.

Values

• Default: default
• Data type: String

Meta

Specifies key-value pairs to add to the KV store when the configuration entry is evaluated.

Values

• Default: None
• Data type: Map of one or more key-value pairs
  • keys: String
  • values: String, integer, or float

JWT

Specifies a JSON Web Token provider configured in a JWT provider configuration entry, as well as additional configurations for verifying a service’s JWT before authorizing communication between services

Values

• Default: None
• Data type: Map that contains JWT{}.Providers

JWT{}.Providers

Specifies the names of one or more previously configured JWT provider configuration entries, which include the information necessary to validate a JSON web token.

Values

• Default: None
• Data type: List of maps

JWT{}.Providers[].Name

Specifies the name of a JWT provider defined in the Name field of the jwt-provider configuration entry. You must write the JWT Provider to Consul before referencing it in a service intention.

Values

• Default: None
• Data type: String

JWT{}.Providers[].VerifyClaims

Specifies additional token information to verify beyond what is configured in the JWT provider configuration entry. This map takes the form of a JSON web token claim and a value to match for verification.

Values

• Default: None

• Data type: List of maps that can contain the following parameters:

  • Path
  • Value

JWT{}.Providers[].VerifyClaims[].Path

Specifies the path to the claim in the JSON web token. For more information about JWT claims, refer to the IETF standards documentation.

Values

• Default: None
• Data type: List of strings

JWT{}.Providers[].VerifyClaims.Value

Specifies the value to match on when verifying the the claim designated in JWT{}.Providers[].VerifyClaims[].Path.

Values

• Default: None
• Data type: String

Sources[]

List of configurations that define intention sources and the authorization granted to the sources. You can specify source configurations in any order, but Consul stores and evaluates them in order of reverse precedence at runtime. Refer to Precedence for additional information.

Values

• Default: None
• List of objects that contain the following fields:
  • Name
  • Peer
  • Namespace EnterpriseEnterprise
  • Partition EnterpriseEnterprise
  • SamenessGroup EnterpriseEnterprise
  • Action
  • Permissions
  • Precedence
  • Type
  • Description
  • LegacyID
  • LegacyMeta
  • LegacyCreateTime
  • LegacyUpdateTime

Sources[].Name

Specifies the name of the source that the intention allows or denies traffic from. If Type is set to consul, then the value refers to the name of a Consul service. The source is not required to be registered into the Consul catalog.

Values

• Default: None
• This field is required.
• Data type: String

Sources[].Peer

Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to Cluster peering overview for additional information about peers.

The Peer and Partition fields are mutually exclusive.

Values

• Default: None
• Data type: String

Sources[].Namespace EnterpriseEnterprise

Specifies the traffic source namespace that the intention allows or denies traffic from.

Values

• Default: If Peer is unspecified, defaults to the destination Namespace.
• Data type: String

Sources[].Partition EnterpriseEnterprise

Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to Admin Partitions for additional information about partitions.

The Peer and Partition fields are mutually exclusive.

Values

• Default: If Peer is unspecified, defaults to the destination Partition.
• Data type: string

Sources[].SamenessGroup EnterpriseEnterprise

Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to create samenes groups for additional information.

Values

• Default: None
• Data type: string

Sources[].Action

Specifies the action to take when the source sends traffic to the destination service. The value is either allow or deny. Do not configure this field to apply L7 intentions to the same source. Configure the Permissions field instead.

Values

• Default: None
• This field is required for L4 intentions.
• Data type: String value set to either allow or deny

Refer to the following examples for additional guidance:

• L4 Intentions for specific sources and destinations
• L4 intentions for all destinations
• L4 intentions for all sources
• L4 and L7

Sources[].Permissions[]

Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action.

Consul applies permissions in the order specified in the configuration. Beginning at the top of the list, Consul applies the first matching request and stops evaluating against the remaining configurations.

For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the acl_default_policy configuration.

Do not configure this field for L4 intentions. Use the Sources.Action parameter instead.

The Permissions only applies to services with a compatible protocol. Permissions are not supported when the Name or Namespace field is configured with a wildcard because service instances or services in a namespace may use different protocols.

Values

• Default: None
• List of objects that contain the following fields:
  • Action
  • HTTP

Refer to the following examples for additional guidance:

• Rest access
• gRPC
• Cluster peering
• L4 and L7

Sources[].Permissions[].Action

Specifies the action to take when the source sends traffic to the destination service. The value is either allow or deny.

Values

• Default: None
• This field is required.
• Data type: String value set to either allow or deny.

Sources[].Permissions[].HTTP

Specifies a set of HTTP-specific match criteria. Consul applies the action defined in the Action field to source traffic that matches the criteria.

Values

• Default: None
• This field is required.
• Data type: Map

The following table describes the parameters that the HTTP map may contain:

Sources[].Permissions[].HTTP[].Header[]

Specifies a header name and matching criteria for HTTP request headers. The request header must match all specified criteria for the permission to apply.

Values

• Default: None
• Data type: list of objects

Each member of the Header list is a map that contains a Name field and at least one match criterion. The following table describes the parameters that each member of the Header list may contain:

Sources[].Precedence

The Precedence field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services. Refer to Precedence and matching order for additional information.

Sources[].Type

Specifies the type of destination service that the configuration entry applies to. The only value supported is consul.

Values

• Default: consul
• Data type: String

Sources[].Description

Specifies a description of the intention. Consul presents the description in API responses to assist other tools integrated into the network.

Values

• Default: None
• Data type: String

Sources[].LegacyID

Read-only unique user ID (UUID) for the intention in the system. Consul generates the value and exposes it in the configuration entry so that legacy API endpoints continue to function. Refer to Read Specific Intention by ID for additional information.

Sources[].LegacyMeta

Read-only set of arbitrary key-value pairs to attach to the intention. Consul generates the metadata and exposes it in the configuration entry so that legacy intention API endpoints continue to function. Refer to Read Specific Intention by ID for additional information.

Sources[].CreateTime

Read-only timestamp for the intention creation. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to Read Specific Intention by ID for additional information.

Sources[].LegacyUpdateTime

Read-only timestamp marking the most recent intention update. Consul exposes the timestamp in the configuration entry to allow legacy intention API endpoints to continue functioning. Refer to Read Specific Intention by ID for additional information.

apiVersion

Specifies the version of the Consul API for integrating with Kubernetes. The value must be consul.hashicorp.com/v1alpha1.

Values

• Default: None
• This field is required.
• String value that must be set to consul.hashicorp.com/v1alpha1.

kind

Specifies the type of configuration entry to implement. Must be set to ServiceIntentions.

Values

• Default: None
• This field is required.
• Data type: String value that must be set to ServiceIntentions.

metadata

Map that contains an arbitrary name for the configuration entry and the namespace it applies to.

Values

• Default: None
• Data type: Map

metadata.name

Specifies an arbitrary name for the configuration entry. Note that in other configuration entries, the metadata.name field specifies the name of the service that the settings apply to. For service intentions, the service that accepts the configurations is the destination and is specified in the spec.destination.name field. Refer to the following topics for additional information:

• ServiceIntentions Special Case (OSS)
• ServiceIntentions Special Case (Enterprise)

Values

• Default: None
• Data type: String

metadata.namespace EnterpriseEnterprise

Specifies the namespace that the configuration entry applies to. Refer to Consul Enterprise for information about how Consul namespaces map to Kubernetes Namespaces. Open source Consul distributions (Consul OSS) ignore the metadata.namespace configuration.

Values

• Default: default
• Data type: String

spec

Map that contains the details about the ServiceIntentions configuration entry. The apiVersion, kind, and metadata fields are siblings of the spec field. All other configurations are children.

Values

• Default: None
• This field is required.
• Data type: Map

spec.destination

Map that identifies the destination name and destination namespace that source services are allowed or denied access to.

Values

• Default: None
• This field is required.
• Data type: Map

spec.destination.name

Specifies the name of the destination service in the mesh that the intentions apply to. You can also specify a wildcard character (*) to match all services that are missing intention settings. Intentions that are applied with a wildcard, however, are not supported when defining L7 permissions.

Values

• Default: None
• This field is required.
• Data type: String

spec.jwt

Specifies a JSON Web Token provider configured in a JWT provider configuration entry, as well as additional configurations for verifying a service’s JWT before authorizing communication between services

Values

• Default: None
• Data type: Map that contains spec.jwt.providers

spec.jwt.providers

Specifies the names of one or more previously configured JWT provider configuration entries, which include the information necessary to validate a JSON web token.

Values

• Default: None
• Data type: List of maps

spec.jwt.providers[].name

Specifies the name of a JWT provider defined in the metadata.name field of the JWT provider configuration entry. You must write the JWT Provider to Consul before referencing it in a service intention.

Values

• Default: None
• Data type: String

spec.jwt.providers[].verifyClaims

Specifies additional token information to verify beyond what is configured in the JWT provider configuration entry. This map takes the form of a JSON web token claim and a value to match for verification.

Values

• Default: None

• Data type: List of maps that can contain the following parameters:

  • path
  • value

spec.jwt.providers[].verifyClaims[].path

Specifies the path to the claim in the JSON web token. For more information about JWT claims, refer to the IETF standards documentation.

Values

• Default: None
• Data type: List of strings

spec.jwt.providers[].verifyClaims[].value

Specifies the value to match on when verifying the the claim designated in JWT{}.Providers[].VerifyClaims[].Path.

Values

• Default: None
• Data type: String

spec.sources[]

List of configurations that define intention sources and the authorization granted to the sources. You can specify source configurations in any order, but Consul stores and evaluates them in order of reverse precedence at runtime.

Values

• Default: None
• List of objects that contain the following fields:
  • name
  • peer
  • namespace EnterpriseEnterprise
  • partition EnterpriseEnterprise
  • samenessGroup EnterpriseEnterprise
  • action
  • permissions
  • type
  • description

spec.sources[].name

Specifies the name of the source that the intention allows or denies traffic from. If type is set to consul, then the value refers to the name of a Consul service. The source is not required to be registered into the Consul catalog.

Values

• Default: None
• This field is required.
• Data type: String

spec.sources[].peer

Specifies the name of a peered Consul cluster that the intention allows or denies traffic from. Refer to Cluster peering overview for additional information about peers. The peer and partition fields are mutually exclusive.

Values

• Default: None
• Data type: String

spec.sources[].namespace EnterpriseEnterprise

Specifies the traffic source namespace that the intention allows or denies traffic from.

Values

• Default: If peer is unspecified, defaults to the namespace specified in the spec.destination.namespace field.
• Data type: String

spec.sources[].partition EnterpriseEnterprise

Specifies the name of an admin partition that the intention allows or denies traffic from. Refer to Admin Partitions for additional information about partitions. The peer and partition fields are mutually exclusive.

Values

• Default: If peer is unspecified, defaults to the partition specified in spec.destination.partition.
• Data type: String

spec.sources[].samenessGroup EnterpriseEnterprise

Specifies the name of a sameness group that the intention allows or denies traffic from. Refer to create samenes groups for additional information.

Values

• Default: None
• Data type: string

spec.sources[].action

Specifies the action to take when the source sends traffic to the destination service. The value is either allow or deny. Do not configure this field for L7 intentions. Configure the spec.sources.permissions field instead.

Values

• Default: None
• This field is required for L4 intentions.
• Data type: String value set to either allow or deny

spec.sources[].permissions[]

Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action.

Consul applies permissions in the order specified in the configuration. Starting at the beginning of the list, Consul applies the first matching request and stops evaluating against the remaining configurations.

For requests that do not match any of the defined permissions, Consul applies the intention behavior defined in the acl_default_policy configuration.

Do not configure this field for L4 intentions. Use the spec.sources.action parameter instead.

permissions configurations only apply to services with a compatible protocol. As a result, they are not supported when the spec.destination.name or spec.destination.namespace field is configured with a wildcard because service instances or services in a namespace may use different protocols.

Values

• Default: None
• List of objects that contain the following fields:
  • action
  • http

spec.sources[].permissions[].action

Specifies the action to take when the source sends traffic to the destination service. The value is either allow or deny.

Values

• Default: None
• This field is required.
• Data type: String value set to either allow or deny

spec.sources[].permissions[].http

Specifies a set of HTTP-specific match criteria. Consul applies the action defined in the spec.sources.permissions.action field to source traffic that matches the criteria.

Values

• Default: None
• This field is required.
• Data type: Map

The following table describes the parameters that the HTTP map may contain:

spec.sources[].permissions[].http[].header

Specifies a set of criteria for matching HTTP request headers. The request header must match all specified criteria for the permission to apply.

Values

• Default: None
• Data type: List of maps

Each member of the header list is a map that contains a name field and at least one match criterion. The following table describes the parameters that each member of the header list may contain:

spec.sources[].type

Specifies the type of destination service that the configuration entry applies to. The only value supported is consul.

Values

• Default: consul
• Data type: String

spec.sources[].description

Specifies a description of the intention. Consul presents the description in API responses to assist other tools integrated into the network.

Values

• Default: None
• Data type: String

Examples

The following examples demonstrate potential use-cases for the service intentions configuration entry.

L4 Intentions for specific sources and destinations

The following example configuration entry specifies an L4 intention that denies traffic from web to db service instances, but allows traffic from api to db.

Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "web"
    Action = "deny"
  },
  {
    Name   = "api"
    Action = "allow"
  }
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: db
spec:
  destination:
    name: db
  sources:
  - name: web
    action: deny
  - name: api
    action: allow

{
  "Kind": "service-intentions",
  "Name": "db",
  "Sources": [
    {
      "Action": "deny",
      "Name": "web"
    },
    {
      "Action": "allow",
      "Name": "api"
    }
  ]
}

L4 intentions for all destinations

In the following L4 example, the destination is configured with a * wildcard. As a result, traffic from web service instances is denied for any service in the datacenter.

Kind = "service-intentions"
Name = "*"
Sources = [
  {
    Name   = "web"
    Action = "deny"
  }
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: web-deny-all
spec:
  destination:
    name: *
  sources:
  - name: web
    action: deny

{
  "Kind": "service-intentions",
  "Name": "*",
  "Sources": [
    {
      "Action": "deny",
      "Name": "web"
    }
  ]
}

L4 intentions for all sources

In the following L4 example, the source is configured with a * wildcard. As a result, traffic from any service is denied to db service instances.

Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "*"
    Action = "deny"
  }
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: db
spec:
  destination:
    name: db
  sources:
  - name: *
    action: deny

{
  "Kind": "service-intentions",
  "Name": "db",
  "Sources": [
    {
      "Action": "deny",
      "Name": "*"
    }
  ]
}

REST access

In the following example, the admin-dashboard and report-generator services have different levels of access when making REST calls:

Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name = "admin-dashboard"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v2"
          Methods    = ["GET", "PUT", "POST", "DELETE", "HEAD"]
        }
      }
    ]
  },
  {
    Name = "report-generator"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/v2/widgets"
          Methods    = ["GET"]
        }
      }
    ]
  }
  # NOTE: a default catch-all based on the default ACL policy will apply to
  # unmatched connections and requests. Typically this will be DENY.
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: admin-dashboard
      permissions:
        - action: allow
          http:
            pathPrefix: /v2
            methods: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD']
    - name: report-generator
      permissions:
        - action: allow
          http:
            pathPrefix: /v2/widgets
            methods: ['GET']
    # NOTE: a default catch-all based on the default ACL policy will apply to
    # unmatched connections and requests. Typically this will be DENY.

{
  "Kind": "service-intentions",
  "Name": "api",
  "Sources": [
    {
      "Name": "admin-dashboard",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/v2",
            "Methods": ["GET", "PUT", "POST", "DELETE", "HEAD"]
          }
        }
      ]
    },
    {
      "Name": "report-generator",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/v2/widgets",
            "Methods": ["GET"]
          }
        }
      ]
    }
  ]
}

gRPC

In the following example, Consul denies requests from frontend-web to the IssueRefund gRPC service. Because gRPC method calls use the HTTP/2 protocol, you can apply an HTTP path-matching rule to control traffic:

Kind = "service-intentions"
Name = "billing"
Sources = [
  {
    Name = "frontend-web"
    Permissions = [
      # The frontend website can execute all billing service methods except
      # issuing refunds.
      {
        Action = "deny"
        HTTP {
          PathExact = "/mycompany.BillingService/IssueRefund"
        }
      },
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/mycompany.BillingService/"
        }
      }
    ]
  },
  {
    Name = "support-portal"
    Permissions = [
      # But the support team portal page can execute all methods.
      {
        Action = "allow"
        HTTP {
          PathPrefix = "/mycompany.BillingService/"
        }
      }
    ]
  }
  # A default catch-all based on the default ACL policy applies to
  # unmatched connections and requests. This is typically DENY.
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: billing
spec:
  destination:
    name: billing
  sources:
    # The frontend website can execute all billing service methods except
    # issuing refunds.
    - name: frontend-web
      permissions:
        - action: deny
          http:
            pathExact: /mycompany.BillingService/IssueRefund
        - action: allow
          http:
            pathPrefix: '/mycompany.BillingService/'
    - name: support-protocol
      # But the support team portal page can execute all methods.
      permissions:
        - action: allow
          http:
            pathPrefix: '/mycompany.BillingService/'
  # A default catch-all based on the default ACL policy applies to
  # unmatched connections and requests. This is typically DENY.

{
  "Kind": "service-intentions",
  "Name": "billing",
  "Sources": [
    {
      "Name": "frontend-web",
      "Permissions": [
        {
          "Action": "deny",
          "HTTP": {
            "PathExact": "/mycompany.BillingService/IssueRefund"
          }
        },
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/mycompany.BillingService/"
          }
        }
      ]
    },
    {
      "Name": "support-portal",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathPrefix": "/mycompany.BillingService/"
          }
        }
      ]
    }
  ]
}

L4 and L7

In the following example, Consul enforces application layer intentions that deny requests to api from hackathon-project but allow requests from web. In the same configuration entry, Consul enforces network layer intentions that allow requests from nightly-reconciler that send POST requests to the /v1/reconcile-data HTTP endpoint:

Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name   = "hackathon-project"
    Action = "deny"
  },
  {
    Name   = "web"
    Action = "allow"
  },
  {
    Name = "nightly-reconciler"
    Permissions = [
      {
        Action = "allow"
        HTTP {
          PathExact = "/v1/reconcile-data"
          Methods   = ["POST"]
        }
      }
    ]
  },
  # A default catch-all based on the default ACL policy applies to
  # unmatched connections and requests. This is typically DENY.
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: hackathon-project
      action: deny
    - name: web
      action: allow
    - name: nightly-reconciler
      permissions:
        - action: allow
          http:
            pathExact: /v1/reconcile-data
            methods: ['POST']
    # A default catch-all based on the default ACL policy applies to
    # unmatched connections and requests. This is typically DENY.

{
  "Kind": "service-intentions",
  "Name": "api",
  "Sources": [
    {
      "Name": "hackathon-project",
      "Action": "deny"
    },
    {
      "Name": "web",
      "Action": "allow"
    },
    {
      "Name": "nightly-reconciler",
      "Permissions": [
        {
          "Action": "allow",
          "HTTP": {
            "PathExact": "/v1/reconcile-data",
            "Methods": ["POST"]
          }
        }
      ]
    }
  ]
}

Cluster peering

When using cluster peering connections, intentions secure your deployments with authorized service-to-service communication between remote datacenters. In the following example, the service intentions configuration entry authorizes the backend-service to communicate with the frontend-service that is hosted on remote peer cluster-02:

Kind      = "service-intentions"
Name      = "backend-service"
Sources = [
  {
    Name   = "frontend-service"
    Peer   = "cluster-02"
    Action = "allow"
  }
]

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: backend-deny
spec:
  destination:
    name: backend
  sources:
   - name: "*"
     action: deny
   - name: frontend
     action: allow
     peer: cluster-01 ## The peer of the source service

{
"Kind": "service-intentions",
"Name": "backend-service",
"Sources": [
  {
    "Name": "frontend-service",
    "Peer": "cluster-02",
    "Action": "allow"
    }
  ]
}

JWT validation with intentions

The following example configures a service intention that evaluates requests when a service named backend receives a request from the frontend service. When the request is sent to the /admin HTTP path, a JSON Web Token provided by Okta is evaluated. In addition to the validation requirements in a separate JWT provider configuration entry, an additional check occurs to confirm that the token has either a perms or role claim with the admin value. If it does, the request is authorized.

Because the intention allows requests that come from the / HTTP path, only requests on the /admin path are subject to token validation.

Kind = "service-intentions"
Name = "backend"
Sources = [
  {
    Name = "frontend"
    Permissions = [
      {
        HTTP = {
          PathExact = "/admin"
        }
        JWT = {
          Providers = [
            {
              Name = "okta"
              VerifyClaims = [
                {
                  Path = ["perms", "role"]
                  Value = "admin"
                }
              ]
            }
          ]
        }
      },
      {
        Action = "allow"
        HTTP = {
          PathPrefix = "/"
        }
      }
    ]
  }
]

  apiVersion: consul.hashicorp.com/v1alpha1
  kind: ServiceIntentions
  metadata:
    name: backend
  spec:
    sources:
      name: frontend
      permissions:
        http:
          pathExact: /admin
        jwt:
          providers:
            name: okta
            verifyClaims:
              path: 
                - perms
                - role
              value: admin
      action: allow
      http:
        pathPrefix: /

{
"Kind": "service-intentions",
"Name": "backend",
"Sources": [
  {
    "Name": "frontend",
    "Permissions": [
      {
        "HTTP": {
          "PathExact": "/admin"
        },
        "JWT": {
          "Providers": [
            {
              "Name": "okta",
              "VerifyClaims": [
                {
                  "Path": ["perms", "role"],
                  "Value": "admin"
                }
              ]
            }
          ]
        }
      },
      {
        "Action": "allow",
        "HTTP": {
          "PathPrefix": "/"
        }
      }
    ]
  }
]
}