Sentinel Overview

This feature requires .

Consul 1.0 adds integration with Sentinel for policy enforcement. Sentinel policies help extend the ACL system in Consul beyond the static “read”, “write”, and “deny” policies to support full conditional logic and integration with external systems.

Sentinel policies are applied during writes to the KV Store.

Ensure values written during KV updates end in ‘dc1’

    key "datacenter_name" {
      policy = "write"
      sentinel {
        code = <<EOF
    # the "strings" import must be declared before its functions can be used
    import "strings"
    main = rule { strings.has_suffix(value, "dc1") }
    EOF
        enforcementlevel = "soft-mandatory"
      }
    }

If the enforcementlevel property is not set, it defaults to “hard-mandatory”.

Consul imports all the from Sentinel except http. All functions in these imports are available to be used in policies.

Variables injected during KV store writes

The following are two examples of ACL policies with Sentinel rules.

Any value stored under the key ‘dc1’ must end with ‘dev’

    key "dc1" {
      policy = "write"
      sentinel {
        code = <<EOF
    import "strings"
    main = rule { strings.has_suffix(value, "dev") }
    EOF
      }
    }

Restricted Update Time

The key ‘haproxy_version’ can only be updated during business hours

    key "haproxy_version" {
      policy = "write"
      sentinel {
        code = <<EOF
    import "time"
    main = rule { time.now.hour > 8 and time.now.hour < 17 }
    EOF
      }
    }
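The two checks above can be composed into named Sentinel rules inside a single ACL policy. The following is an added example, not taken from the Consul documentation; it assumes a `key_prefix` block is used so the policy covers every key under `config/`, and that `value` and the `time` import behave as described on this page.

```hcl
# Added example: one policy combining a value-suffix check and a
# business-hours check. Assumption: key_prefix scopes the rule to
# every key under "config/".
key_prefix "config/" {
  policy = "write"
  sentinel {
    code = <<EOF
import "strings"
import "time"

# Written values must carry the datacenter name.
dc_suffix = rule { strings.has_suffix(value, "dc1") }

# Writes are only accepted between 09:00 and 16:59 server-local time.
business_hours = rule { time.now.hour > 8 and time.now.hour < 17 }

# main is the rule Consul evaluates; both named rules must pass.
main = rule { dc_suffix and business_hours }
EOF
    # Omitting this line gives the default of "hard-mandatory".
    enforcementlevel = "soft-mandatory"
  }
}
```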