Nomad Admission Control Proxy

Hi,

I'd like to introduce a small project of mine:
A Nomad Admission Control Proxy

The idea is based on this Issue and Nomad’s Internal Admission Controller

The proxy can mutate and validate Nomad requests that contain job data like plan, register, and validate.

Currently it provides an embedded OPA processor as well as a webhook option.

For validation this means you can verify, for example, whether a job contains required metadata or follows certain naming conventions.

For the mutation part, the built-in OPA mutator expects JSONPatch operations that will be applied to the job's JSON representation.

Although it is a very early version, I’m quite happy with the result. Some proof-of-concept mutators I built and am a little bit excited about:

  • Postgres Env Template Injection: A task marked with

    ...
    task "myapp" {
      meta {
        postgres = "native"
      }
    }

    will be updated with a Vault policy and a template block that renders the native Postgres client's PG... environment variables like PGUSER, PGPASSWORD, etc.

  • OAuth2 Proxy Injection: A TaskGroup with a service marked with

    group "myapp" {
      meta {
        secure = "web"
      }
      ...
      service {
        name = "web"
        ...
      }
    }

    will get an OAuth2-Proxy sidecar that takes the name of the service and forwards only authorized requests to the upstream service.

Another idea I had but have not yet tested was to build a Notary validator that checks whether the specified container images are signed and approved before the deployment.

Looking forward to some ideas and feedback on how to further extend it or if this doesn’t make sense at all :slight_smile:

6 Likes
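As an added example (not part of mxab's post or the proxy's own code), this Python sketch shows the shape of the Postgres mutator described above: it scans a Nomad job's API JSON for tasks opted in via `meta.postgres = "native"`, emits JSONPatch `add` operations for a Vault policy and an env template, and applies them. Field names follow Nomad's job API JSON; the policy name, secret path and template content are assumptions.

```python
import json

# Constructed sample job in Nomad API JSON form; only the first task opts in.
SAMPLE_JOB = {
    "ID": "myapp",
    "TaskGroups": [{"Name": "myapp", "Tasks": [
        {"Name": "myapp", "Driver": "docker", "Meta": {"postgres": "native"}},
        {"Name": "sidecar", "Driver": "docker", "Meta": {}},
    ]}],
}

# Assumed secret path; renders the native client's PGUSER/PGPASSWORD variables.
PG_TEMPLATE = (
    '{{ with secret "database/creds/myapp" }}\n'
    "PGUSER={{ .Data.username }}\nPGPASSWORD={{ .Data.password }}\n{{ end }}\n"
)

def postgres_patch(job):
    """Emit RFC 6902 ops attaching a Vault policy and an env template to opted-in tasks."""
    ops = []
    for gi, group in enumerate(job.get("TaskGroups", [])):
        for ti, task in enumerate(group.get("Tasks", [])):
            if (task.get("Meta") or {}).get("postgres") != "native":
                continue
            base = f"/TaskGroups/{gi}/Tasks/{ti}"
            ops.append({"op": "add", "path": f"{base}/Vault", "value": {"Policies": ["myapp-db"]}})
            if not task.get("Templates"):  # create the list before appending with "-"
                ops.append({"op": "add", "path": f"{base}/Templates", "value": []})
            ops.append({"op": "add", "path": f"{base}/Templates/-", "value": {
                "DestPath": "secrets/pg.env", "Envvars": True, "EmbeddedTmpl": PG_TEMPLATE}})
    return ops

def apply_patch(doc, ops):
    """Minimal JSON Patch applier (only 'add', no ~0/~1 unescaping); returns a new document."""
    doc = json.loads(json.dumps(doc))  # deep copy so the submitted job is not modified in place
    for op in ops:
        if op["op"] != "add":
            raise ValueError(f"unsupported op {op['op']}")
        *parents, leaf = op["path"].lstrip("/").split("/")
        target = doc
        for key in parents:
            target = target[int(key)] if isinstance(target, list) else target[key]
        if isinstance(target, list):
            target.insert(len(target) if leaf == "-" else int(leaf), op["value"])
        else:
            target[leaf] = op["value"]
    return doc

def mutate(job):
    """What the proxy would hand back to Nomad: the job with all patch ops applied."""
    return apply_patch(job, postgres_patch(job))

if __name__ == "__main__":
    print(json.dumps(postgres_patch(SAMPLE_JOB), indent=2))
```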

That looks awesome @mxab!

Would you mind if we add it to our website?

Feel free to open a PR against this file yourself if you prefer that :slightly_smiling_face:

1 Like

Thanks :slight_smile:

Here you go docs: mention Nomad Admission Control Proxy by mxab · Pull Request #16702 · hashicorp/nomad · GitHub

I had a technical question:
Even though I like the idea of the new task api unix socket, the concept kind of prevents a proxy enforcement.

Is there any way to route the traffic via the socket through the proxy?