You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ACL binding rules for Workload identites is not working as expected.
In our infrastructure, we are using an open-source version of Nomad and Consul.
We have enforced a restriction in the naming convention of the service, i.e., it should be in the format -. This has been done so that we do not end up having the same identical service name belonging to different jobs running in different namespaces.
restriction is enforced by creating a policy for teams in consul that only allows write access to services having the prefix "namespace-"".
service_prefix "platforms-" {
policy = "write"
}
We would like to enable WI in Nomad and Consul, and the same restriction needs to be enforced on the service name naming convention. because if we don't put the restriction, different teams can have the same service name running in different namespaces in Nomad, which would cause issues.
We tried adding expressions in the acl binding rule selector field. However, it's not working as expected.
Reproduction Steps
Please find the authmethod and binding rule configuration Auth method:
8eba3cd0-12ca-8c60-e69f-7cb08b48c814:
AuthMethod: nomad-workloads
Description: Binding rule for Nomad tasks
BindType: role
BindName: ${value.nomad_namespace}-team
Selector: "nomad_service" not in value
f5a6e1c4-aeac-0d08-ed95-9c7dee49528d:
AuthMethod: nomad-workloads
Description: Binding rule for services registered from Nomad
BindType: service
BindName: ${value.nomad_service}
Selector: "nomad_service" in value and value.nomad_service contains value.nomad_namespace
I am able to create an ACL binding rule for service using bind type policy. which was for our usecase as we have policies for each namespace that give write access to the service.
ACL binding rules for Workload identites is not working as expected.
In our infrastructure, we are using an open-source version of Nomad and Consul.
We have enforced a restriction in the naming convention of the service, i.e., it should be in the format -. This has been done so that we do not end up having the same identical service name belonging to different jobs running in different namespaces.
restriction is enforced by creating a policy for teams in consul that only allows write access to services having the prefix "namespace-"".
We would like to enable WI in Nomad and Consul, and the same restriction needs to be enforced on the service name naming convention. because if we don't put the restriction, different teams can have the same service name running in different namespaces in Nomad, which would cause issues.
We tried adding expressions in the acl binding rule selector field. However, it's not working as expected.
Reproduction Steps
Please find the authmethod and binding rule configuration
Auth method:
Binding rule:
Nomad config file
Nomad Job file
When trying to run above Job, it fails with an error:
Please note that if I use the below selector in acl binding where namespace name is hardcoded, it works as expected.
Selector: "nomad_service" in value and value.nomad_service contains "platforms"
However, if we replace
platforms
withvalue.nomad_namespace
, it fails.-->
Consul and nomad version info
consul : v1.19.2
noamd : v1.9.3
The text was updated successfully, but these errors were encountered: