Avoid user from submiting jobs to a specific datacenter

masuberu · April 15, 2024, 3:50am

Dear hashicorp nomad user community,

I have a simple question regarding policies and nomad jobs.

lets image I have 2 different datacenters (dcA and dcB). Then, lets imagine both datacenters contains one namespace with same name.

My question is:

how can I deny users from submitting Nomad jobs to dcB? I have been checking the token policies documentation and it is not clear to me how can I enforce a user to only be able to submit nomad jobs to a specific dc.

Any idea on how to do this?

thank you very much

Kamilcuk · April 18, 2024, 8:50am

This can be most probably done with Nomad enterprise Sentinel policies | Nomad | HashiCorp Developer .

You can run your own proxy server that and check all requests to Nomad and apply your own policy depending on tokens. This can be done with anything, you can take a look at openresty and nginx lua plugin. I started a proof-of-concept once.

Or, alternatively, I have a process that scans all jobs in Nomad and checks for our policy, and stops and notifies about bad jobs.

Topic		Replies	Views
Enforcing Node Allocation to Specific Namespaces in Nomad Open Source Nomad	1	75	June 18, 2024
Does the automatic anti-affinity work with parameterized jobs Nomad	0	308	July 22, 2021
Ensuring two jobs cannot run on the same node Nomad	7	1974	February 14, 2022
How can I deny users the capability of purging jobs from nomad ui? Nomad	0	5	October 4, 2024
Deploy to the 'current' datacenter Nomad	0	470	November 5, 2020

Avoid user from submiting jobs to a specific datacenter

Related topics