Initiate node drain from the node itself

Hi,

I have a use case where a script running on a Nomad client node would need to trigger drain mode on the same node.

The cluster has ACLs enabled, and providing all Nomad client machines with tokens capable of node:write is not an option.

I am wondering, since that script would already have root access on the node, is there any way to bypass the ACL? In other words, is there any way for the client to tell the servers that it has to be drained?

Thanks a lot,
Ruslan

If you have Vault integration, you could create a Nomad token via Vault with node:write permissions within your script and use this token, which may be valid for only some minutes.

Depending on how the node drain is triggered, this process has to get a Vault token which has a policy assigned with permissions to get a Nomad token capable of draining the node in question.
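The flow the reply describes, as an added example that is not code from either poster: the script logs in to Vault, asks Vault's Nomad secrets engine for a short-lived Nomad token, looks up its own node ID, and calls the drain endpoint, so no long-lived node:write token ever sits on the client. It is the HTTP-API equivalent of `vault read nomad/creds/<role>` followed by `nomad node drain -self -enable`. Everything named here is an assumption for the example: the secrets engine is mounted at nomad/ with a role called node-drainer whose Nomad policy grants node:write plus agent:read (the latter is needed for /v1/agent/self, which the script uses to find its own node ID), the script authenticates with AppRole whose only Vault capability is reading nomad/creds/node-drainer, and the addresses and AppRole credentials come from the environment. The `http` parameter exists so the exchange can be exercised against a fake transport without a live cluster.

```python
"""Drain the local Nomad node with a short-lived Nomad token minted by Vault.

Assumed (not from the original thread):
  Vault policy for the AppRole:
      path "nomad/creds/node-drainer" { capabilities = ["read"] }
  Nomad policy attached to the Vault role "node-drainer":
      node  { policy = "write" }   # required by POST /v1/node/:id/drain
      agent { policy = "read"  }   # required by GET /v1/agent/self
  Environment: VAULT_ADDR, NOMAD_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID
"""
import json
import os
import urllib.request


def http_json(method, url, headers=None, body=None):
    """Minimal JSON-over-HTTP call using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def vault_approle_login(vault_addr, role_id, secret_id, http=http_json):
    """Exchange AppRole credentials for a Vault client token."""
    resp = http("POST", f"{vault_addr}/v1/auth/approle/login",
                body={"role_id": role_id, "secret_id": secret_id})
    return resp["auth"]["client_token"]


def vault_nomad_creds(vault_addr, vault_token, role, http=http_json):
    """Have the Nomad secrets engine mint a Nomad token for `role`.

    Vault returns the token as data.secret_id and revokes it in Nomad when the
    lease expires, so the token is never stored on the client."""
    resp = http("GET", f"{vault_addr}/v1/nomad/creds/{role}",
                headers={"X-Vault-Token": vault_token})
    return resp["data"]["secret_id"], resp["lease_duration"]


def nomad_self_node_id(nomad_addr, nomad_token, http=http_json):
    """Node ID of the local agent, from /v1/agent/self (needs agent:read)."""
    resp = http("GET", f"{nomad_addr}/v1/agent/self",
                headers={"X-Nomad-Token": nomad_token})
    return resp["stats"]["client"]["node_id"]


def nomad_enable_drain(nomad_addr, nomad_token, node_id, deadline_ns, http=http_json):
    """Put the node into drain mode (needs node:write). Deadline is in nanoseconds."""
    body = {"DrainSpec": {"Deadline": deadline_ns, "IgnoreSystemJobs": False},
            "MarkEligible": False}
    return http("POST", f"{nomad_addr}/v1/node/{node_id}/drain",
                headers={"X-Nomad-Token": nomad_token}, body=body)


def drain_self(vault_addr, nomad_addr, role_id, secret_id,
               role="node-drainer", deadline_ns=60 * 60 * 10**9, http=http_json):
    """Full exchange: Vault login -> short-lived Nomad token -> own node ID -> drain.

    Returns (node_id, nomad_token_ttl_seconds, drain_response)."""
    vault_token = vault_approle_login(vault_addr, role_id, secret_id, http)
    nomad_token, ttl = vault_nomad_creds(vault_addr, vault_token, role, http)
    node_id = nomad_self_node_id(nomad_addr, nomad_token, http)
    resp = nomad_enable_drain(nomad_addr, nomad_token, node_id, deadline_ns, http)
    return node_id, ttl, resp


if __name__ == "__main__":
    node, ttl, out = drain_self(
        os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200"),
        os.environ.get("NOMAD_ADDR", "http://127.0.0.1:4646"),
        os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    print(f"drain enabled on {node} with a {ttl}s token; eval IDs: {out.get('EvalIDs')}")
```

The AppRole secret_id still has to reach the node somehow (response wrapping or a one-time delivery at provisioning is the usual answer), but what it unlocks is only the right to mint a token that expires in minutes, which is a much smaller exposure than a standing node:write token on every client.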