My team and I are trying to apply authorization rules to Nomad clients, example scenario:
should only be able to accessjobA
client3should only be able to access
- Someone who has access to the configuration of a Nomad client only shouldn’t be able to assign it to another environment (eg. I should not be able to assign
env2without admin permissions to the Nomad servers).
We already have mTLS in place and we were looking into Namespaces, ACLs and Sentinel policies as well, but we couldn’t find a way to solve (other than security by obscurity - using secrets as cluster names).
Our current idea is to add (optional) capability for Nomad to authorize clients via ACLs as well (not just API calls): that way we can generate an ACL token for a Nomad client, only having access to a given namespace (and we would create a namespace for each environment).
Are we missing something and is there a better way to do this?
Thank you in advance,