$ kubectl exec deploy/backend -c backend -- \
sh -c 'openssl s_client -connect $(hostname -i):20000 | \
openssl x509 -noout -text'
...
Certificate:
...
X509v3 Subject Alternative Name: critical
URI:spiffe://...consul/ns/default/dc/dc1/svc/backend
...
$ vagrant ssh
$ openssl s_client -connect localhost:22000 | openssl x509 -noout -text
...
X509v3 Subject Alternative Name:
URI:spiffe://....consul/ns/default/dc/dc1/svc/backend
...
$ kubectl apply -f deny-all-service-intentions.yaml serviceintentions.consul.hashicorp.com/deny-all created
$ kubectl get serviceintentions deny-all -n consul NAME SYNCED LAST SYNCED AGE deny-all True 1s 1s
$ kubectl apply -f frontend-service-intentions.yaml serviceintentions.consul.hashicorp.com/frontend created
$ kubectl get serviceintentions frontend NAME SYNCED LAST SYNCED AGE frontend True 1s 1s
$ kubectl apply -f backend-service-intentions.yaml serviceintentions.consul.hashicorp.com/backend created
$ kubectl get serviceintentions backend NAME SYNCED LAST SYNCED AGE backend True 1s 1s
$ vagrant ssh
$ cd ~
$ consul config write deny-all-service-intentions.hcl Config entry written: service-intentions/*
$ consul intention list
ID Source Action Destination Precedence
* deny * 5
$ consul config write frontend-service-intentions.hcl Config entry written: service-intentions/frontend
$ consul config write backend-service-intentions.hcl Config entry written: service-intentions/backend
$ kubectl apply -f frontend-service-intentions.yaml serviceintentions.consul.hashicorp.com/frontend configured
$ kubectl get serviceintentions frontend NAME SYNCED LAST SYNCED AGE frontend True 1s 10m
$ consul config write frontend-service-intentions.hcl Config entry written: service-intentions/frontend