We are working on exploring Nomad, and we ran into questions upon reading about ACL and playing with it.
We are through adding ACLs to servers and using the Vault secrets engine, BUT what puzzles me is the client subject (discussed here in another topic, but I don’t see a clear explanation)…
There is no “way” (config field, CLI flag) to give ACL token to nomad client, i.e., all they need to connect to the cluster is the correct address and certificate.
Am I missing something here? It seems that ACLs in Nomad are only related to the API and not to the actual client connection.
What did we miss or misunderstand?
I hope your exploration with Nomad is going well.
I’ll preface my comments by pointing out Nomad’s security concepts documentation, which I feel you would find interesting reading and which describes the different methods used to make Nomad secure.
all they need to connect to the cluster is the correct address and certificate
Yes, this is correct. The document linked above describes the various ways in which mTLS secures client-to-server access.
ACLs in nomad is only related to API and not to actual client connection
Yes, this is correct. The Nomad ACL system, which consists of Policies, Roles, and Tokens, is designed to provide a capability-based control mechanism for Nomad administrators. This control grants or denies access to Nomad API endpoints and related actions.
Please let me know if you have any further questions.
jrasell and the Nomad team
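As an added illustration (not part of jrasell's reply or the Nomad documentation), this is the shape of the two agent configurations the answer describes: a client node authenticates to the servers with its certificate through the `tls` stanza, while the `acl` stanza only gates API callers, so the client config carries no token. File paths, the server address and the `global` region are placeholders.

```hcl
# --- server.hcl (added example, placeholder paths) ---
server {
  enabled          = true
  bootstrap_expect = 3
}

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/tls/nomad-ca.pem"
  cert_file = "/etc/nomad.d/tls/server.pem"      # SAN: server.global.nomad
  key_file  = "/etc/nomad.d/tls/server-key.pem"

  # Outgoing connections verify the peer's hostname against its certificate.
  # Together with the shared CA, this is what authenticates nodes to each other.
  verify_server_hostname = true

  # Also require a client certificate from HTTP API callers (mTLS on the API).
  verify_https_client = true
}

acl {
  # Tokens are now required for API requests. This does not affect how a
  # client node joins; node trust is established by the tls stanza above.
  enabled = true
}

# --- client.hcl (added example, placeholder paths and address) ---
client {
  enabled = true
  servers = ["server1.global.nomad:4647"]
}

tls {
  http = true
  rpc  = true

  ca_file   = "/etc/nomad.d/tls/nomad-ca.pem"
  cert_file = "/etc/nomad.d/tls/client.pem"      # SAN: client.global.nomad
  key_file  = "/etc/nomad.d/tls/client-key.pem"

  verify_server_hostname = true
}

# No ACL token appears here: a client node needs only the correct server
# address and a certificate signed by the cluster CA to connect.
```

If a certificate is revoked or rotated out of the CA, the node loses RPC access regardless of ACL state, which is why protecting the CA key and the per-node private keys matters as much as ACL bootstrap tokens.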