NatsUserRule YAML Specification
The NatsUserRule kind defines the NATS user-level policy for a microservice (or external client): connection limits, allowed connection types, and publish/subscribe allow/deny. Microservices reference it via natsConfig.natsRule in the Application or Microservice YAML. The application's NatsAccountRule supplies the account; the NatsUserRule supplies the user permissions within that account.
Example
```yaml
apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: default-user
spec:
  description: Default microservice user rule
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: false
  allowedConnectionTypes:
    - STANDARD
    - WEBSOCKET
  pubAllow:
    - orders.>
  subAllow:
    - events.>
```
Main fields
| Field | Description |
|---|---|
| metadata.name | Unique name. Use this in Microservice natsConfig.natsRule. |
| spec.description | Optional description. |
| spec.maxSubscriptions, spec.maxPayload, spec.maxData | Limits (-1 = unlimited). |
| spec.bearerToken | Whether bearer token auth is allowed. |
| spec.allowedConnectionTypes | e.g. STANDARD, WEBSOCKET, LEAFNODE, MQTT. |
| spec.pubAllow, spec.pubDeny, spec.subAllow, spec.subDeny | Subject allow/deny lists. |
| spec.src | Optional list of allowed client IPs/CIDRs. |
Deploy with `potctl deploy -f nats-user-rule.yaml`. For predefined rules, all fields, and credential flow, see Security – NATS User Rule and NATS JWT Authentication.
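To review what a rule's subject lists actually permit before deploying it, the following added example (not code from the project) evaluates concrete subjects against the allow/deny lists using NATS wildcard matching. It assumes the lists follow NATS server permission semantics (deny overrides allow, an empty allow list permits everything not denied); the `pubDeny` entry and the helper names are constructed for illustration.

```python
# Added example: check concrete subjects against a NatsUserRule's allow/deny lists.
# Assumption: the lists follow NATS server permission semantics.

def subject_matches(pattern: str, subject: str) -> bool:
    """NATS wildcard match: '*' = exactly one token, '>' = one or more trailing tokens."""
    p_tokens, s_tokens = pattern.split("."), subject.split(".")
    for i, p in enumerate(p_tokens):
        if p == ">":
            # '>' is only valid as the last token and must consume at least one token.
            return i == len(p_tokens) - 1 and len(s_tokens) > i
        if i >= len(s_tokens):
            return False
        if p != "*" and p != s_tokens[i]:
            return False
    return len(p_tokens) == len(s_tokens)


def is_permitted(subject: str, allow: list, deny: list) -> bool:
    """Deny wins over allow; an empty allow list means 'everything not denied'."""
    if any(subject_matches(d, subject) for d in deny):
        return False
    return not allow or any(subject_matches(a, subject) for a in allow)


def can_publish(spec: dict, subject: str) -> bool:
    return is_permitted(subject, spec.get("pubAllow", []), spec.get("pubDeny", []))


def can_subscribe(spec: dict, subject: str) -> bool:
    return is_permitted(subject, spec.get("subAllow", []), spec.get("subDeny", []))


# Subject lists from the example rule, plus a constructed pubDeny entry.
RULE_SPEC = {
    "pubAllow": ["orders.>"],
    "pubDeny": ["orders.admin.*"],  # constructed, not part of the page's example
    "subAllow": ["events.>"],
}

if __name__ == "__main__":
    for subj in ["orders.eu.created", "orders", "orders.admin.purge",
                 "orders.admin.a.b", "events.x"]:
        print(f"{subj:20} pub={can_publish(RULE_SPEC, subj)} "
              f"sub={can_subscribe(RULE_SPEC, subj)}")
```

Note that `orders.>` does not cover the bare subject `orders`, and a single-token deny such as `orders.admin.*` leaves deeper subjects like `orders.admin.a.b` publishable; use `orders.admin.>` to deny the whole subtree.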