Prevent a user from submitting jobs to a specific datacenter

Dear HashiCorp Nomad user community,

I have a simple question regarding policies and Nomad jobs.

Let's imagine I have 2 different datacenters (dcA and dcB). Then, let's imagine both datacenters contain one namespace with the same name.

My question is:

How can I deny users from submitting Nomad jobs to dcB? I have been checking the token policies documentation and it is not clear to me how I can restrict a user to only be able to submit Nomad jobs to a specific dc.

Any idea on how to do this?

Thank you very much

This can most probably be done with Nomad Enterprise: "Sentinel policies | Nomad | HashiCorp Developer".

You can run your own proxy server that checks all requests to Nomad and applies your own policy depending on tokens. This can be done with anything; you can take a look at OpenResty and the nginx Lua plugin. I started a proof-of-concept once.

Or, alternatively, I have a process that scans all jobs in Nomad and checks for our policy, and stops and notifies about bad jobs.
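
The check such a proxy would apply to a job registration body, as an added example that is not code from either poster or from Nomad. The policy names, the `ALLOWED_BY_POLICY` table and the function names are assumptions made for illustration, and the caller is assumed to have already resolved the request's token to its ACL policy names.

```python
import json
from fnmatch import fnmatchcase

# Constructed for this example: the site's datacenters and, per ACL policy
# name, the datacenters holders of that policy may target.
KNOWN_DATACENTERS = ["dcA", "dcB"]
ALLOWED_BY_POLICY = {"team-a": {"dcA"}, "operators": {"dcA", "dcB"}}


def denied_datacenters(job, token_policies):
    """Return the datacenters the job could be placed in but the token may not use."""
    allowed = set()
    for name in token_policies:
        # Policies missing from the table grant nothing (default deny).
        allowed |= ALLOWED_BY_POLICY.get(name, set())
    # A missing or empty list is treated as "*": recent Nomad versions accept
    # glob patterns in this field, so an exact string comparison would let
    # "dc*" or "*" slip past a check written only for the literal "dcB".
    patterns = job.get("Datacenters") or ["*"]
    reachable = {dc for dc in KNOWN_DATACENTERS
                 for pattern in patterns if fnmatchcase(dc, pattern)}
    return sorted(reachable - allowed)


def check_register_request(body, token_policies):
    """Decide on the JSON body of a job registration sent to /v1/jobs.

    token_policies: ACL policy names of the token in the X-Nomad-Token header
    (assumed to be looked up by the proxy before calling this function).
    Returns (http_status, message); the proxy forwards the request only on 200.
    """
    try:
        job = json.loads(body)["Job"]
    except (ValueError, KeyError, TypeError):
        return 400, "request body is not a job registration"
    dcs = job.get("Datacenters") if isinstance(job, dict) else None
    if not isinstance(job, dict) or not isinstance(dcs, (list, type(None))) \
            or not all(isinstance(d, str) for d in dcs or []):
        return 400, "malformed Job or Datacenters field"
    denied = denied_datacenters(job, token_policies)
    if denied:
        return 403, "job %r may not target: %s" % (job.get("ID"), ", ".join(denied))
    return 200, "ok"
```
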