开启ACL
创建acl.json配置文件放在容器中/consul/config并重启节点
{ "acl": { "enabled": true, "default_policy": "deny", "down_policy": "extend-cache" } }
创建启动Token
[root@k8s-master config]# docker exec -it consul-server1 /bin/sh / # consul acl bootstrap AccessorID: 0dc490ee-3d55-3cf5-8645-ff47d116140f SecretID: 2a558506-4c4b-4f3a-d0cf-c092b01303d0 Description: Bootstrap Token (Global Management) Local: false Create Time: 2021-06-01 08:52:05.501103749 +0000 UTC Policies: 00000000-0000-0000-0000-000000000001 - global-management
当我们执行完上面的命令后,日志就会输出 consul.acl: ACL bootstrap completed
这段提示。
查看节点需要加入token,并重启节点
{ "acl": { "enabled": true, "default_policy": "deny", "enable_token_persistence": true, "tokens": { "master": "2a558506-4c4b-4f3a-d0cf-c092b01303d0" } } }
设定策略
可以通过命令设定,也可以登陆consul设定
创建策略文件
key_prefix "" { policy = "write" } node_prefix "" { policy = "write" } service_prefix "" { policy = "read" } perator = "read"
创建策略
export CONSUL_HTTP_TOKEN=2a558506-4c4b-4f3a-d0cf-c092b01303d0
consul acl policy create -name "token" -description "Agent Token Policy" -rules @agent-policy.hcl
本人是通过页面创建的,目前里面做了nginx服务发现
测试结果如下:只有通过token才能查看到里面的服务
[root@k8s-master config]# curl http://10.150.90.242:8500/v1/agent/services {} [root@k8s-master config]# curl http://10.150.90.242:8500/v1/agent/services?token=38af068f-7ded-9edd-d988-83e6c707bace {"nginx":{"ID":"nginx","Service":"nginx","Tags":[],"Meta":{},"Port":8888,"Address":"10.150.90.243","TaggedAddresses":{"lan_ipv4":{"Address":"10.150.90.243","Port":8888},"wan_ipv4":{"Address":"10.150.90.243","Port":8888}},"Weights":{"Passing":1,"Warning":1},"EnableTagOverride":false,"Datacenter":"dc1"},"userServiceId":{"ID":"userServiceId","Service":"userService","Tags":["primary","v1"],"Meta":{},"Port":8000,"Address":"127.0.0.1","TaggedAddresses":{"lan_ipv4":{"Address":"127.0.0.1","Port":8000},"wan_ipv4":{"Address":"127.0.0.1","Port":8000}},"Weights":{"Passing":1,"Warning":1},"EnableTagOverride":false,"Datacenter":"dc1"}}
参考:https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#rule-specification
https://blog.csdn.net/YellowStar5/article/details/90966308