Locking Down Nomad: How to Implement ACLs and Secure Your Cluster
Nomad is a flexible workload orchestrator that lets an organization deploy and manage containerized and legacy applications through a single, unified workflow.
It can run Docker, non-containerized, microservice, and batch workloads side by side.
That power cuts both ways. With ACLs disabled, every request to the Nomad API is trusted: anyone who can reach it can submit, modify, or stop jobs, which amounts to running arbitrary code on every node in the cluster.
In this article, I will explain how to lock the cluster down with ACLs.
Enable ACL in Nomad
ACLs (access control lists) are Nomad's mechanism for controlling who may do what against the cluster. Every request carries a token, each token is bound to one or more policies, and a policy spells out the operations it allows.
That is how you apply the principle of least privilege: a user or tool gets only the capabilities its job requires, and nothing else.
ACLs must be enabled on every server and every client agent, so add the following block to /etc/nomad.d/nomad.hcl on each of them:
acl {
enabled = true
}
Restart each agent so the change takes effect:
sudo systemctl restart nomad
Generate Security Token for Nomad
Once ACLs are enabled, bootstrap the ACL system from any server to obtain the initial management token.
Bootstrapping is a one-time operation per cluster: it succeeds only while no token exists, so run it once and keep the result.
nomad acl bootstrap
It prints the new management token (identifiers redacted here):
Accessor ID = <ACCESSOR_ID>
Secret ID = <SECRET_ID>
Name = Bootstrap Token
Type = management
Global = true
Create Time = <timestamp>
Expiry Time = <none>
Create Index = <create_index>
Modify Index = <modify_index>
Policies = n/a
Roles = n/a
Copy the Secret ID into a secrets manager or a file readable only by root. It is a management token with unrestricted access to the cluster, and it is the only token you have for the UI and API until you create others. If it is lost, the only way back is the ACL bootstrap reset procedure on a server's data directory.
From now on, a request to the Nomad UI or API without a token (or with a token that lacks the required capability) is answered with HTTP 403 (Permission denied), unless you have created a policy named anonymous that grants the operation.
That confirms ACLs are enabled and being enforced.
Create Policy for Users
The bootstrap token is a management token and should not be handed out for day-to-day use. Instead, create policies that match each role and issue tokens against them.
As an example, here is a read-only policy for a user or tool that only needs to read job and node information:
namespace "default" {
  policy       = "read"
  capabilities = ["list-jobs", "read-job"]
}

agent {
  policy = "read"
}

operator {
  policy = "read"
}

quota {
  policy = "read"
}

node {
  policy = "read"
}

host_volume "*" {
  policy = "read"
}
This grants read access only. Because policy = "read" on the namespace already includes list-jobs and read-job, the explicit capabilities line is redundant but harmless. This is the kind of token to hand to monitoring tools that watch the cluster.
Save the policy as ./nomad/policies/readonly.hcl.
Then register it with the cluster. Writing policies and tokens requires a management token, so export the bootstrap Secret ID in the NOMAD_TOKEN environment variable (or pass it with -token) before running the command:
nomad acl policy apply -description "Readonly policy" readonly ./nomad/policies/readonly.hcl
Successfully wrote "readonly" ACL policy!
Create a Token for the Policy
nomad acl token create -name="Read Only Token" -policy="readonly"
This returns:
Accessor ID = <ACCESSOR_ID>
Secret ID = <SECRET_ID>
Name = Read Only Token
Type = client
Global = false
Create Time = <timestamp>
Expiry Time = <none>
Create Index = <create_index>
Modify Index = <modify_index>
Policies = [readonly]
Roles
<none>
With this token you can use the Nomad UI and API read-only. Any write, such as registering or stopping a job, is denied with 403 (Permission denied).
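The steps above (bootstrap, store the secret, register the policy, mint a token) can be run as one script that ends by proving the ACL system actually enforces them. The following is an added example, not code from the original article or from the Nomad project. It assumes tokens are kept under $TOKEN_DIR, the API is reachable at $NOMAD_ADDR, the policy file is at the path used in the article, and the script is started as "sh nomad-acl-setup.sh setup"; the /v1/system/gc endpoint is used as the write probe because it requires a management token.

```shell
#!/bin/sh
# Added example (not from the original article): bootstrap the ACL system,
# register the read-only policy, mint a token, then verify enforcement.
# Assumptions: $TOKEN_DIR, $NOMAD_ADDR and $POLICY_FILE below, and the
# `setup` argument convention, are choices made for this example.
set -eu

NOMAD_ADDR="${NOMAD_ADDR:-http://127.0.0.1:4646}"
TOKEN_DIR="${TOKEN_DIR:-/root/.nomad-tokens}"
POLICY_FILE="${POLICY_FILE:-./nomad/policies/readonly.hcl}"

# Read `nomad acl bootstrap` / `nomad acl token create` output on stdin and
# print only the Secret ID, so the secret never hits the terminal or a log.
extract_secret_id() {
    awk -F'=' '$1 ~ /^Secret ID *$/ { gsub(/ /, "", $2); print $2; exit }'
}

# Write the secret on stdin to a file only its owner can read. Refuses empty
# input (a failed upstream command) and refuses to overwrite, because
# clobbering the bootstrap token means a reset of the ACL system.
store_secret() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing secret at $1" >&2
        return 1
    fi
    secret=$(cat)
    if [ -z "$secret" ]; then
        echo "no secret received on stdin, not writing $1" >&2
        return 1
    fi
    (umask 077 && printf '%s\n' "$secret" > "$1")
}

# Issue one API request and compare the HTTP status with what least privilege
# requires. $1 expected code, $2 method, $3 path, $4 token ("" = anonymous).
expect_status() {
    expected=$1; method=$2; path=$3; token=${4:-}
    if [ -n "$token" ]; then
        code=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" \
                    -H "X-Nomad-Token: $token" "$NOMAD_ADDR$path")
    else
        code=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" "$NOMAD_ADDR$path")
    fi
    if [ "$code" != "$expected" ]; then
        echo "FAIL: $method $path -> $code (expected $expected)" >&2
        return 1
    fi
    echo "ok:   $method $path -> $code"
}

setup() {
    mkdir -p "$TOKEN_DIR"

    # 1. Bootstrap once; the management Secret ID goes straight to disk.
    nomad acl bootstrap | extract_secret_id | store_secret "$TOKEN_DIR/bootstrap.token"
    NOMAD_TOKEN=$(cat "$TOKEN_DIR/bootstrap.token")
    export NOMAD_TOKEN   # every nomad acl command below needs a management token

    # 2. Register the read-only policy and mint a client token bound to it.
    nomad acl policy apply -description "Readonly policy" readonly "$POLICY_FILE"
    nomad acl token create -name="Read Only Token" -policy="readonly" \
        | extract_secret_id | store_secret "$TOKEN_DIR/readonly.token"
    ro_token=$(cat "$TOKEN_DIR/readonly.token")

    # 3. Prove enforcement: anonymous is denied, read-only can read but not
    #    write, and the management token can do both.
    expect_status 403 GET /v1/jobs ""
    expect_status 200 GET /v1/jobs "$ro_token"
    expect_status 403 PUT /v1/system/gc "$ro_token"
    expect_status 200 PUT /v1/system/gc "$NOMAD_TOKEN"
}

case "${1:-}" in
    setup) setup ;;
esac
```

The helpers keep the secrets out of shell history and process listings: the Secret ID is piped from the nomad command into a 0600 file and only ever read back into a variable. The last four requests are the check worth keeping in a runbook, since a read-only token that gets a 200 on /v1/system/gc means the policy is broader than intended.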
Conclusion
Nomad is a powerful orchestrator, and an unsecured cluster lets anyone who can reach the API run workloads on your nodes.
Enabling ACLs, locking away the bootstrap token, and issuing least-privilege tokens per role is the baseline described here.
Remember that tokens travel in the X-Nomad-Token header on every request, so the API should also be served over TLS rather than plain HTTP.
I hope this gives you a clear path to securing your Nomad cluster.