Enforcing Node Allocation to Specific Namespaces in Nomad Open Source

I’m working with a Nomad open source cluster that has multiple namespaces. I need to restrict certain nodes to specific namespaces. Here’s the scenario:

  • Nodes node1, node2, and node3 should be exclusively assigned to the Dev namespace.
  • Jobs created in the Dev namespace should only run on node1, node2, and node3.
  • With ACLs enabled, users with access to the Dev namespace should only see nodes assigned to Dev.

I’ve looked into node pools, which seem to help restrict job allocation. However, operators can still choose to allocate jobs to nodes in the default pool by not specifying the node_pool field in the job spec.

Is there a way to enforce that workloads in a namespace are strictly allocated to their assigned nodes? Any suggestions or best practices would be greatly appreciated.

Hi, with Nomad Enterprise there are Sentinel policies, and with them you can assert that specific constraints are present when running a job in a specific namespace.

Bottom line, you have to run your job with a specific constraint attached to it. You just have to be consistent and make sure all your jobs have that specific constraint. You could add tags to each node with the name of the namespace and make sure there is a `constraint { attribute = "${meta.namespace}" value = "the_namespace" }` block in the job definitions.

You could also set nodes to be in different datacenters and run jobs with datacenters equal to the namespace; that doesn't sound very flexible, but it may be a solution.
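The node-tagging approach from the answer above, written out as an added example (not code from the original post or from the Nomad project). It assumes a Dev node is tagged with a node meta key `namespace = "dev"` in its client configuration, and that a hypothetical job `api` in the Dev namespace carries the matching constraint; the inverse constraint for jobs outside Dev is also shown, since the Dev-side constraint alone only controls where Dev jobs go, not which other jobs may land on the Dev nodes.

```hcl
# --- client.hcl on node1, node2 and node3 (added example) ---
# The meta block attaches arbitrary key/value pairs to the node; the scheduler
# exposes them to job constraints as ${meta.<key>}. Tag every node, not only
# the Dev ones, so the "!=" constraint below never depends on a missing key.
client {
  enabled = true

  meta {
    namespace = "dev"   # use e.g. "prod" or "shared" on all other nodes
  }
}

# --- dev-api.nomad.hcl, a job in the Dev namespace (hypothetical job name) ---
# In Nomad OSS nothing adds this block for you: every job submitted to the
# Dev namespace must carry it, or the scheduler is free to place the job on
# any feasible node in the cluster.
job "api" {
  namespace   = "dev"
  datacenters = ["dc1"]

  # Only nodes whose meta.namespace equals "dev" are feasible for this job.
  constraint {
    attribute = "${meta.namespace}"
    value     = "dev"
  }

  group "web" {
    task "server" {
      driver = "docker"

      config {
        image = "nginx:stable"
      }
    }
  }
}

# --- constraint to add to jobs in every other namespace ---
# Without this, a job from another namespace can still be scheduled onto
# node1..node3; the Dev-side constraint says nothing about them.
# constraint {
#   attribute = "${meta.namespace}"
#   operator  = "!="
#   value     = "dev"
# }
```

Two caveats a practitioner should keep in mind. First, the constraint is only as reliable as the submission process: in Nomad OSS there is no server-side hook that rejects a Dev job lacking it, so enforce it in whatever generates or reviews job specs (a CI lint over `nomad job inspect` output, or a shared job template). Second, this does not address the third requirement in the question: Nomad ACL node permissions (`node { policy = "read" }`) are cluster-wide rather than namespace-scoped, so a user who can list nodes can list all of them regardless of which namespace their jobs are confined to.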