Consul ACL: Adding a Token
Enable ACLs
Create an acl.json configuration file, place it in /consul/config inside the container, and restart the node.
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache"
  }
}
Create the bootstrap token
[root@k8s-master config]# docker exec -it consul-server1 /bin/sh
/ # consul acl bootstrap
AccessorID:       0dc490ee-3d55-3cf5-8645-ff47d116140f
SecretID:         2a558506-4c4b-4f3a-d0cf-c092b01303d0
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2021-06-01 08:52:05.501103749 +0000 UTC
Policies:
   00000000-0000-0000-0000-000000000001 - global-management
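After running the command above, the log prints the message consul.acl: ACL bootstrap completed.
Viewing the nodes now requires a token: add the token to the configuration and restart the node.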
{
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true,
    "tokens": {
      "master": "2a558506-4c4b-4f3a-d0cf-c092b01303d0"
    }
  }
}
Set up a policy
The policy can be set from the command line or by logging in to the Consul UI.
Create the policy file
key_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
operator = "read"
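A pre-flight check for a rules file like the one above, as an added example that is not part of the original post: lint_policy is a hypothetical helper that flags write access on an empty prefix (which matches every name) and rule names it does not recognise. It covers only the simple rule forms shown here, and the two sample policies are constructed.

```python
import re

# Subset of Consul's ACL rule language: enough for policies shaped like the
# one on this page. Extend the sets if your policies use other resources.
BLOCK_RESOURCES = {"agent", "event", "key", "node", "query", "service", "session"}
SCALAR_RESOURCES = {"acl", "keyring", "operator"}
LEVELS = {"read", "write", "deny", "list"}

# resource "name" { policy = "level" }
BLOCK_RE = re.compile(r'(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')
# resource = "level"
SCALAR_RE = re.compile(r'(\w+)\s*=\s*"(\w+)"')


def lint_policy(rules: str) -> list[str]:
    """Return findings for a rules file; an empty list means nothing flagged."""
    findings = []
    for kind, name, level in BLOCK_RE.findall(rules):
        base = kind.removesuffix("_prefix")
        if base not in BLOCK_RESOURCES:
            findings.append(f"unknown resource: {kind}")
        elif level not in LEVELS:
            findings.append(f"unknown level on {kind}: {level}")
        elif kind.endswith("_prefix") and name == "" and level == "write":
            # An empty prefix matches every name, so this is write on all of them.
            findings.append(f'write on every {base}: {kind} ""')
    # Drop the block rules so their inner `policy = "..."` is not re-read below.
    for kind, level in SCALAR_RE.findall(BLOCK_RE.sub("", rules)):
        if kind not in SCALAR_RESOURCES:
            findings.append(f"unknown rule: {kind}")
        elif level not in LEVELS:
            findings.append(f"unknown level on {kind}: {level}")
    return findings


# Constructed samples modelled on the policy above.
POLICY_OK = '''
key_prefix "" { policy = "write" }
node_prefix "" { policy = "write" }
service_prefix "" { policy = "read" }
operator = "read"
'''
POLICY_TYPO = POLICY_OK.replace("operator", "perator")

if __name__ == "__main__":
    for label, text in (("ok", POLICY_OK), ("typo", POLICY_TYPO)):
        print(label, lint_policy(text))
```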
Create the policy
export CONSUL_HTTP_TOKEN=2a558506-4c4b-4f3a-d0cf-c092b01303d0
consul acl policy create -name "token" -description "Agent Token Policy" -rules @agent-policy.hcl
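I created it through the web UI; nginx service discovery is currently set up in it.
The test results are as follows: the services are visible only when a token is supplied.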
[root@k8s-master config]# curl http://10.150.90.242:8500/v1/agent/services
{}
[root@k8s-master config]# curl http://10.150.90.242:8500/v1/agent/services?token=38af068f-7ded-9edd-d988-83e6c707bace
{"nginx":{"ID":"nginx","Service":"nginx","Tags":[],"Meta":{},"Port":8888,"Address":"10.150.90.243","TaggedAddresses":{"lan_ipv4":{"Address":"10.150.90.243","Port":8888},"wan_ipv4":{"Address":"10.150.90.243","Port":8888}},"Weights":{"Passing":1,"Warning":1},"EnableTagOverride":false,"Datacenter":"dc1"},"userServiceId":{"ID":"userServiceId","Service":"userService","Tags":["primary","v1"],"Meta":{},"Port":8000,"Address":"127.0.0.1","TaggedAddresses":{"lan_ipv4":{"Address":"127.0.0.1","Port":8000},"wan_ipv4":{"Address":"127.0.0.1","Port":8000}},"Weights":{"Passing":1,"Warning":1},"EnableTagOverride":false,"Datacenter":"dc1"}}
References: https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#rule-specification
https://blog.csdn.net/YellowStar5/article/details/90966308