Nomad Enterprise Sentinel Testing
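# One-shot walkthrough of Nomad Enterprise ACLs + Sentinel against a local dev agent.
# Requires: nomad (Enterprise, for `nomad sentinel apply`) and jq on PATH.
# Side effects: writes nomad-server.log, bootstrap.json and client_token.json
# (both hold ACL SecretIDs), several .hcl files, test.sentinel and
# example.nomad.hcl into the current directory. `nomad acl bootstrap` can only
# succeed once per cluster, so the script is not meant to be re-run as is.
set -euo pipefail
# Token files and the agent log are created below; make them owner-only.
umask 077

# NOTE(review): -bind 0.0.0.0 makes the dev agent reachable on every interface,
# and after bootstrap its API is driven by the management token. Prefer
# 127.0.0.1 unless the UI/API really must be reached from another host.
nomad agent -dev -bind 0.0.0.0 -acl-enabled >nomad-server.log &

# Bootstrap fails until the dev server has elected a leader, so retry for a
# bounded time instead of trusting a fixed sleep.
bootstrapped=0
for ((attempt = 1; attempt <= 30; attempt++)); do
  if nomad acl bootstrap -json > bootstrap.json; then
    bootstrapped=1
    break
  fi
  sleep 1
done
if (( bootstrapped == 0 )); then
  printf 'error: nomad acl bootstrap did not succeed within 30s\n' >&2
  exit 1
fi

# jq -e exits non-zero when .SecretID is missing or null, so a bad bootstrap
# file cannot silently leave NOMAD_TOKEN empty; the assignment is kept separate
# from export so jq's exit status is not masked.
NOMAD_TOKEN=$(jq -er .SecretID bootstrap.json)
export NOMAD_TOKEN

# creating a namespace and quota
nomad namespace apply -description "QA instances of webservers" web-qa
nomad quota init   # expected to write spec.hcl, applied on the next line
nomad quota apply spec.hcl
# Quoted heredoc delimiters below: the HCL/Sentinel bodies are written
# literally, so the shell never expands a stray $ or backslash in them.
cat <<'EOF' > namespace.hcl
name = "web-qa"
description = "Namespace for developers"
quota = "default-quota"
capabilities {
enabled_task_drivers = ["docker", "exec"]
disabled_task_drivers = ["raw_exec"]
}
meta {
owner = "Doug"
contact_mail = "doug@example.com"
}
EOF
nomad namespace apply namespace.hcl

# creating policy and token
# The anonymous policy is what unauthenticated requests get; keep it read-only.
cat <<'EOF' > anonymous.policy.hcl
# Allow read only access to all namespaces
namespace "*" {
policy = "read"
}
agent {
policy = "read"
}
node {
policy = "read"
}
quota {
policy = "read"
}
EOF
# Developers may only write inside web-qa; everything else stays read-only.
cat <<'EOF' > app-dev.policy.hcl
# Allow read only access to the default namespace
namespace "default" {
policy = "read"
}
# Allow writing to the web-qa namespace
namespace "web-qa" {
policy = "write"
}
agent {
policy = "read"
}
node {
policy = "read"
}
quota {
policy = "read"
}
EOF
nomad acl policy apply -description "Anonymous policy" anonymous anonymous.policy.hcl
nomad acl policy apply -description "Application Developer policy" app-dev app-dev.policy.hcl
nomad acl role create -name=app-developers -description "Role for Application Developers" -policy=app-dev
# 5-minute TTL keeps the demo token short-lived; its SecretID lands in
# client_token.json, which the umask above makes owner-only.
nomad acl token create -json -name="Doug" -ttl=5m -role-name=app-developers > client_token.json

# The policy only prints the objects Sentinel exposes and always fails, so at
# -level=advisory every job submission just logs a warning.
# The SecretID print stays commented out on purpose: Sentinel output ends up in
# the server log, where the token would be exposed.
# NOTE(review): job.Meta is the only attribute in this policy that is not
# snake_case (cf. job.submit_time, job.task_groups); confirm the field name
# against the Nomad Sentinel reference before relying on that print.
cat <<'EOF' > test.sentinel
## Test policy always fails for demonstration purposes
# ACLToken fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L12367-L12395
print("Token information on AccessorID", nomad_acl_token.accessor_id)
# print("Token information on SecretID", nomad_acl_token.secret_id)
print("Token information on Name", nomad_acl_token.name)
print("Token information on Type", nomad_acl_token.type)
print("Token information on Policies", nomad_acl_token.policies)
print("Token information on Roles", nomad_acl_token.roles)
print("Token information on Global", nomad_acl_token.global)
print("Token information on ExpirationTTL (nanoseconds)", nomad_acl_token.expiration_ttl)
# Namespace fields from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5207-L5231
print("Namespace information on Name", namespace.name)
print("Namespace information on Description", namespace.description)
print("Namespace information on Quota", namespace.quota)
print("Namespace information on Capabilities EnabledTaskDrivers", namespace.capabilities.enabled_task_drivers)
print("Namespace information on Capabilities DisabledTaskDrivers", namespace.capabilities.disabled_task_drivers)
print("Namespace information on Meta", namespace.meta)
# Job information is from https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L4253-L4386
print("Job information on Region", job.region)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5194
# print("Job information on MultiRegion Strategy (...)", job.multiregion.strategy)
# print("Job information on MultiRegion Strategy OnFailure", job.multiregion.strategy)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5199-L5204
# print("Job information on MultiRegion Regions", job.multiregion.regions)
print("Job information on Namespace", job.namespace)
print("Job information on Name", job.name)
print("Job information on Type", job.type)
print("Job information on Priority", job.priority)
print("Job information on Datacenters", job.datacenters)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9048-L9052
# print("Job information on Constraints", job.constraints.)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9163-L9168
# print("Job information on Affinities", job.affinities.)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L9254-L9267
# print("Job information on Spreads", job.spreads.)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5039-L5079
# print("Job information on Update Strategy", job.update.)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5375-L5398
# print("Job information on Periodic", job.periodic.)
# https://github.com/hashicorp/nomad/blob/main/nomad/structs/structs.go#L5543-L5552
# print("Job information on Parameterized Job", job.parameterized_job.)
print("Job information on SubmitTime", job.submit_time)
print("Job information on Metadata", job.Meta)
print("Job information on TaskGroups", job.task_groups)
main = rule { false }
EOF
nomad sentinel apply -level=advisory test-policy test.sentinel
# nomad sentinel apply -level=soft-mandatory test-policy test.sentinel

# Submit the generated example job as the limited developer token, scoped to
# the web-qa namespace that app-dev is allowed to write to.
nomad job init -short   # writes example.nomad.hcl into the cwd
NOMAD_TOKEN=$(jq -er .SecretID client_token.json)
export NOMAD_TOKEN
export NOMAD_NAMESPACE=web-qa
nomad job run -detach example.nomad.hcl
# export NOMAD_TOKEN=$(jq -r .SecretID bootstrap.json)
# nomad ui -authenticate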