Nomad client ACL for joining a cluster

Hello,
we are working on exploring Nomad, and we ran into questions upon reading about ACL and playing with it.

We are through adding ACLs to servers and using the vault secret engine BUT what puzzles me is the client subject (discussed here in another topic but don’t see a clear explanation)…

There is no “way” (config field, CLI flag) to give an ACL token to a Nomad client, i.e., all they need to connect to the cluster is the correct address and certificate.
Am I missing something here? It seems that ACLs in Nomad are only related to the API and not to the actual client connection.

What did we miss? or misunderstand?


Hi @YafimK,

I hope your exploration with Nomad is going well.

I’ll preface my comments by pointing out Nomad’s security concepts documentation which I feel you would find interesting reading and describes the different methods used to make Nomad secure.

“all they need to connect to the cluster is the correct address and certificate”

Yes, this is correct. The document linked above describes the various ways in which mTLS secures client-to-server access.

“ACLs in nomad is only related to API and not to actual client connection”

Yes, this is correct. The Nomad ACL system, which consists of Policies, Roles, and Tokens, is designed to provide a capability-based control mechanism for Nomad administrators. This control grants or denies access to Nomad API endpoints and related actions.

Please let me know if you have any further questions.

Thanks,
jrasell and the Nomad team
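The two layers described in the answer above, shown side by side in an agent configuration. This is an added example, not configuration from the thread or from the Nomad project; the file paths, the region name "global" and the policy contents are assumptions, while the `tls` and `acl` stanza keys and the `server.<region>.nomad` / `client.<region>.nomad` certificate naming convention are those documented for Nomad.

```hcl
# Layer 1: mTLS on the RPC and HTTP listeners. This is what decides whether a
# node may talk to the cluster at all. A peer with no certificate signed by
# this CA is rejected before any RPC or API handler runs.
tls {
  http = true
  rpc  = true

  # Assumed paths: the cluster CA and this node's own certificate/key.
  ca_file   = "/etc/nomad.d/nomad-ca.pem"
  cert_file = "/etc/nomad.d/client.pem"
  key_file  = "/etc/nomad.d/client-key.pem"

  # Check the role encoded in the certificate name: servers present
  # server.<region>.nomad, clients present client.<region>.nomad. With this
  # set, a client certificate cannot be reused to join as a server.
  verify_server_hostname = true

  # Require a client certificate on the HTTP API as well, so the API is not
  # reachable with only a network path to the agent.
  verify_https_client = true
}

# Layer 2: ACLs. These only gate API endpoints and the actions behind them;
# they do not take part in the TLS handshake that admits the node above.
acl {
  enabled = true
}
```

A policy such as the one below (constructed for this example, assumed to be loaded with `nomad acl policy apply`) is what the ACL layer evaluates once a caller has already passed mTLS; it limits what an authenticated token may read about nodes and jobs, which is a separate question from whether the node was allowed to connect:

    namespace "default" {
      policy = "read"
    }

    node {
      policy = "read"
    }

Because the two layers answer different questions, limiting the blast radius of a stolen client certificate is a matter for the certificate side: one certificate per node, a short validity period issued through a PKI such as the Vault PKI engine mentioned in the original post, and CA rotation when a node is believed compromised.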

Thanks for the clarifications!

I read it; for me it's a bit alarming.

In a scenario with EDGE deployments, a certificate might be robbed (even short-lived certs are short, not immediate), and an adversary might use it to connect multiple clients which might be used to peek into deployments. I'm guessing that there are additional scenarios …

Maybe it's just me… but mTLS shouldn't replace access control for joining a cluster…