Access control for Nomad clients

Hello everyone,

My team and I are trying to apply authorization rules to Nomad clients, example scenario:

Given clients:

  • env1: client1, client2.
  • env2: client3.

Given jobs:

  • env1: jobA, jobB, jobC.
  • env2: jobD.

Expected behavior:

  • client1 and client2 should only be able to access jobA, jobB, jobC.
  • client3 should only be able to access jobD.
  • Someone who has access to the configuration of a Nomad client only shouldn’t be able to assign it to another environment (e.g. I should not be able to assign client1 to env2 without admin permissions to the Nomad servers).

We already have mTLS in place and we were looking into Namespaces, ACLs and Sentinel policies as well, but we couldn’t find a way to solve this (other than security by obscurity - using secrets as cluster names).

Our current idea is to add (optional) capability for Nomad to authorize clients via ACLs as well (not just API calls): that way we can generate an ACL token for a Nomad client, only having access to a given namespace (and we would create a namespace for each environment).

Are we missing something and is there a better way to do this?
Thank you in advance,
Szabolcs