Hello, I'm Ganesh. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on GitHub. Star us to help devs discover the project. Do give it a try and share your feedback for improving the product.
Nomad is a flexible workload orchestrator that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow.
Nomad can run a diverse workload of Docker, non-containerized, microservice, and batch applications.
With such powerful features, it becomes very important to secure the Nomad cluster.
If anyone gains access to the cluster, it can pose a serious security risk.
In this article I will explain how to secure the Nomad cluster with ACLs.
Enable ACL in Nomad
ACL is a feature in Nomad that allows you to control access to the cluster.
It is a way to implement the principle of least privilege, which means that users should only have access to the resources that they need to do their job.
To enable ACL in Nomad, you need to add the following lines to your Nomad server configuration file:
/etc/nomad.d/nomad.hcl
acl {
  enabled = true
}
Once it is enabled, you need to restart the Nomad server to apply the changes.
sudo systemctl restart nomad
Generate Security Token for Nomad
Once ACL is enabled, you need to generate a security token for Nomad.
To do that, bootstrap the ACL system, which generates the initial management token.
nomad acl bootstrap
It will return something like this:
Accessor ID = <ACCESSOR_ID>
Secret ID = <SECRET_ID>
Name = Bootstrap Token
Type = management
Global = true
Create Time = <timestamp>
Expiry Time = <none>
Create Index = <create_index>
Modify Index = <modify_index>
Policies = n/a
Roles = n/a
Copy the Secret ID to a secure location. You will need this token to access the Nomad UI and API.
Once this is done, if we try to access the Nomad UI or API without the token, it returns 403 Forbidden,
which means ACL is enabled and working.
Create Policy for Users
As it is recommended not to use the bootstrap token directly, we should create policies for users based on their roles.
You can create policies for users based on your requirements.
For example, let's create a policy for a user who can only read the jobs and node information.
Readonly access policy for a user.
namespace "default" {
  policy       = "read"
  capabilities = ["list-jobs", "read-job"]
}

agent {
  policy = "read"
}

operator {
  policy = "read"
}

quota {
  policy = "read"
}

node {
  policy = "read"
}

host_volume "*" {
  policy = "read"
}
This grants the token holder read-only access. A token with this policy may be given to monitoring tools that only need to observe the cluster.
Create this file at ./nomad/policies/readonly.hcl.
Once done, register the policy with Nomad:
nomad acl policy apply -description "Readonly policy" readonly ./nomad/policies/readonly.hcl
Successfully wrote "readonly" ACL policy!
Create Keys for Selected Policy
nomad acl token create -name="Read Only Token" -policy="readonly"
This will return
Accessor ID = <ACCESSOR_ID>
Secret ID = <SECRET_ID>
Name = Read Only Token
Type = client
Global = false
Create Time = <timestamp>
Expiry Time = <none>
Create Index = <create_index>
Modify Index = <modify_index>
Policies = [readonly]
Roles = <none>
Now with this token we can access the Nomad UI and API with read only access.
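The two checks described above (an anonymous request is rejected with 403, and the read-only token can read jobs and nodes but cannot perform privileged actions) can be scripted so they are repeatable after every ACL change. The script below is an added example, not from the original post; it assumes Nomad's real HTTP API (the NOMAD_ADDR address, the X-Nomad-Token header, GET /v1/jobs, GET /v1/nodes and the management-only PUT /v1/system/gc) and uses a constructed sample of the `nomad acl token create` output to show how the Secret ID is extracted.

```shell
#!/bin/sh
# Added example, not from the original post: verify the ACL behaviour described
# above against a running cluster. Assumes Nomad's real HTTP API (NOMAD_ADDR,
# the X-Nomad-Token header, GET /v1/jobs, GET /v1/nodes, PUT /v1/system/gc).

# Constructed sample of `nomad acl token create` output (the IDs are fake).
SAMPLE_TOKEN_OUTPUT='Accessor ID  = 11111111-2222-3333-4444-555555555555
Secret ID    = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Name         = Read Only Token
Type         = client
Global       = false
Policies     = [readonly]'

# Read token-create output on stdin and print only the Secret ID value.
extract_secret_id() {
  awk -F'=' '/^Secret ID/ {
    v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v
  }'
}

# Print the HTTP status code of a Nomad API call.
# $1 = HTTP method, $2 = API path, $3 = token (empty string = anonymous request)
nomad_status() {
  addr="${NOMAD_ADDR:-http://127.0.0.1:4646}"
  if [ -n "$3" ]; then
    curl -s -o /dev/null -w '%{http_code}' -X "$1" -H "X-Nomad-Token: $3" "$addr$2"
  else
    curl -s -o /dev/null -w '%{http_code}' -X "$1" "$addr$2"
  fi
}

# Compare an expected and observed status; prints PASS/FAIL and returns 0/1.
# $1 = label, $2 = expected status, $3 = observed status
check() {
  if [ "$2" = "$3" ]; then
    echo "PASS: $1 ($3)"
    return 0
  fi
  echo "FAIL: $1 (expected $2, got $3)"
  return 1
}

# Run the enforcement checks with a read-only token; returns non-zero on any failure.
run_checks() {
  token="$1"
  rc=0
  # With ACLs enabled, anonymous requests must be rejected.
  check "anonymous GET /v1/jobs" 403 "$(nomad_status GET /v1/jobs "")" || rc=1
  # The readonly policy grants list-jobs/read-job and node read.
  check "readonly GET /v1/jobs" 200 "$(nomad_status GET /v1/jobs "$token")" || rc=1
  check "readonly GET /v1/nodes" 200 "$(nomad_status GET /v1/nodes "$token")" || rc=1
  # A management-only action must still be denied to the read-only token.
  check "readonly PUT /v1/system/gc" 403 "$(nomad_status PUT /v1/system/gc "$token")" || rc=1
  return $rc
}

# Only talk to a cluster when a token is supplied via the environment.
if [ -n "${READONLY_TOKEN:-}" ]; then
  run_checks "$READONLY_TOKEN"
fi
```

To use it against a live cluster, source the file and feed it the token from the command shown above, for example `. ./check-acl.sh` followed by `run_checks "$(nomad acl token create -name='Read Only Token' -policy=readonly | extract_secret_id)"`; a non-zero exit means at least one expectation failed and the policy or the ACL configuration needs another look.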
Conclusion
Nomad is a very powerful tool for orchestrating containers and other workloads.
But if we leave it unsecured, it can be a security risk.
It is very important to secure the Nomad cluster.
I hope you now understand how to secure the Nomad cluster.
Any feedback or contributors are welcome! It's online, source-available, and ready for anyone to use.
Star it on GitHub: https://github.com/HexmosTech/git-lrc