Consul API Gateway 0.2 Brings New Cross-Namespace Controls
Consul API Gateway 0.2, now generally available, enhances the gateway’s traffic management capabilities by adding cross-namespace reference policy enforcement.
Today we’re pleased to announce the general availability of the Consul API Gateway version 0.2. This release includes an update that allows users to better control how traffic is routed between Kubernetes namespaces. Previously, users could route requests from the API Gateway across various namespaces without providing any sort of explicit permissions. While this meant that any service connected to the service mesh was reachable, it didn’t allow users to set the more granular restrictions or permissions that they may expect. In this blog post, we’ll explain how Consul API Gateway 0.2 solves this challenge using cross-namespace reference policies.
» Enforcing Cross-Namespace Communication
In the Kubernetes Gateway API specification, an administrator of a namespace needs to create ReferencePolicies in order for their services to receive traffic routed to them from gateway routes in other namespaces. This can help prevent things like accidentally exposing a service externally when it shouldn’t be. As an example, here is a ReferencePolicy that is created in the same namespace that the services are in and allows them to receive traffic from an HTTPRoute in the prod-gw-ns namespace:
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
  name: allow-prod-traffic
  namespace: the-services-ns
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: prod-gw-ns
  to:
    - kind: Service
ReferencePolicies are used in conjunction with the various route types supported by the API Gateway: HTTPRoutes and TCPRoutes. One important note: ReferencePolicies can support only one from and one to section, so if you intend to create enforcement rules for more than two namespaces, you will need to create policies for each combination of namespaces. This creates a better security model, ensuring that all communication between namespaces is authorized. The diagram below illustrates this architecture:
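To make the rule above concrete, here is an added example (not Consul's or the Gateway API's own code) that models how a ReferencePolicy is evaluated: a route may reference a Service in another namespace only if a policy in the Service's namespace names that route's group, kind and namespace in from and the Service kind in to. It also generates the one-policy-per-namespace-pair set the post describes. Namespace names other than those in the post are constructed for illustration.

```python
# Constructed model of ReferencePolicy evaluation; not Consul API Gateway code.
GATEWAY_GROUP = "gateway.networking.k8s.io"


def reference_policy(name, ns, from_ns, from_kind="HTTPRoute", to_name=None):
    """Build a ReferencePolicy manifest with one from and one to entry,
    matching the shape shown in the post. to_name is optional: when set,
    only that Service may be referenced; otherwise any Service in ns."""
    to = {"kind": "Service"}
    if to_name:
        to["name"] = to_name
    return {
        "apiVersion": f"{GATEWAY_GROUP}/v1alpha2",
        "kind": "ReferencePolicy",
        "metadata": {"name": name, "namespace": ns},
        "spec": {
            "from": [{"group": GATEWAY_GROUP, "kind": from_kind, "namespace": from_ns}],
            "to": [to],
        },
    }


def policies_for(route_namespaces, service_namespaces):
    """One policy per (route namespace, service namespace) pair, since a
    policy covers only a single from/to combination. Same-namespace pairs
    are skipped because they need no policy."""
    return [reference_policy(f"allow-from-{r}", s, r)
            for s in service_namespaces for r in route_namespaces if r != s]


def reference_allowed(policies, route_kind, route_ns, svc_ns, svc_name):
    """Decide whether a route of route_kind in route_ns may reference
    Service svc_name in svc_ns under the given policies."""
    if route_ns == svc_ns:
        return True  # references within one namespace are always allowed
    for p in policies:
        if p["metadata"]["namespace"] != svc_ns:
            continue  # the policy must live in the target (service) namespace
        from_ok = any(f["group"] == GATEWAY_GROUP and f["kind"] == route_kind
                      and f["namespace"] == route_ns for f in p["spec"]["from"])
        to_ok = any(t["kind"] == "Service" and t.get("name", svc_name) == svc_name
                    for t in p["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False  # default deny: no policy grants this cross-namespace reference
```

Note that a policy written for HTTPRoute does not cover a TCPRoute from the same namespace; each route kind needs its own from entry.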
» Next Steps
Version 0.2 of the Consul API Gateway is now generally available for all users. To get started, use the latest Consul Helm chart and be sure to install the most recent version of the Consul API Gateway CRDs. For more information, please visit the Consul API Gateway documentation.