Hi there! I am trying to get the following setup, but I’m not quite sure if it’s possible in Nomad. The use case is the following: we allow user-supplied binaries, but we only want that binary to be able to communicate to its trusted sidecar (and nobody else).
Hi @wimax-grapl, in Nomad the scope of network trust is at the group level; at the moment there isn't an obvious way to lock down a particular task in a group, since the tasks share the same network namespace.
The scope of work needed for this use case is similar to what's needed for the implementation of support for Connect transparent gateways. Not everything we need exists yet on both the Nomad and Consul sides, but it's something we've been thinking about.
One thought:
If the untrusted task is using the docker driver, you might be able to make use of a docker driver network set specific to that task, though I have not actually tried this.