Sentinel Overview

This feature requires Consul Enterprise.

Consul 1.0 adds integration with Sentinel for policy enforcement. Sentinel policies help extend the ACL system in Consul beyond the static “read”, “write”, and “deny” policies to support full conditional logic and integration with external systems.

An optional field specifying code and enforcement level can be added to ACL policy definitions for Consul KV. The following policy ensures that the value written during a KV update must end with “dc1”.

If the enforcementlevel property is not set, it defaults to “hard-mandatory”.

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

Variables injected during KV store writes

The following are two examples of ACL policies with Sentinel rules.

Restricted Update Time

The key “haproxy_version” can only be updated during business hours.
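
The two rules described on this page, the “dc1” suffix check and the business-hours restriction on “haproxy_version”, written as one ACL policy. This is an added example, not code from the original page: the key name "service/region", the 09:00 to 17:00 window, and the use of `value` as the injected variable holding the written value are assumptions.

```hcl
# Added example: ACL policy with two Sentinel-guarded KV rules.

# Rule 1: writes to this key (hypothetical name) must carry a value ending in "dc1".
key "service/region" {
  policy = "write"

  sentinel {
    code = <<EOF
import "strings"

# `value` is assumed to be the variable Consul injects for the data being written.
main = rule { strings.has_suffix(value, "dc1") }
EOF

    # Set explicitly here; this is also the default when the property is omitted.
    enforcementlevel = "hard-mandatory"
  }
}

# Rule 2: "haproxy_version" can only be updated during business hours.
key "haproxy_version" {
  policy = "write"

  sentinel {
    code = <<EOF
import "time"

# Business hours are assumed to be 09:00 up to (not including) 17:00.
main = rule { time.now.hour >= 9 and time.now.hour < 17 }
EOF

    # enforcementlevel omitted: defaults to "hard-mandatory".
  }
}
```

A write that fails either rule is rejected even though the token holds the "write" policy on the key, so test rules like these against a non-production key before attaching them to tokens used by automation.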