Sentinel
Nomad
Nomad is a simple, flexible scheduler and workload orchestrator. Nomad Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on job submission (creation, update).
Sentinel policies have full access to the job structure. This allows the Sentinel policy to control behavior based on any attribute within a job, such as the driver, resource requests, network configuration, volume configuration, and more. The information that Sentinel policies have access to will expand over time.
Nomad supports all three Sentinel enforcement levels (advisory, soft-mandatory and hard-mandatory). For soft-mandatory policies, the sentinel-override capability must be present in the submitting user's ACL policy before an override is permitted. Overrides are always logged.
The Nomad integration with Sentinel is documented in depth in the Nomad Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.
Examples
Example: Only allow Docker-based jobs.

```sentinel
# Test policy only allows Docker-based tasks
main = rule { all_drivers_docker }

# all_drivers_docker checks that all the drivers in use are Docker
all_drivers_docker = rule {
    all job.task_groups as tg {
        all tg.tasks as task {
            task.driver is "docker"
        }
    }
}
```
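The policy above only looks at the driver name. Because Sentinel receives the whole job structure, the same quantifier pattern can enforce driver configuration and resource requests as well. The following policy is an added example written for this page; it is not part of the Sentinel or Nomad documentation. The cap `max_memory_mb` is a hypothetical value chosen for illustration, and the field names `task.config.privileged` and `task.resources.memory_mb` are assumed to follow Nomad's job-structure naming; check them against the Nomad Enterprise Sentinel documentation for the Nomad version you run.

```sentinel
# Added example, not from the Sentinel or Nomad docs.
# Rejects a job unless every task uses the docker driver, no task requests
# a privileged container, and every task's memory reservation is capped.
main = rule {
    all_drivers_docker and
    no_privileged_containers and
    memory_within_limit
}

# Hypothetical per-task memory cap in MB (assumption for this example).
max_memory_mb = 4096

# all_drivers_docker: every task in every task group uses the docker driver.
all_drivers_docker = rule {
    all job.task_groups as tg {
        all tg.tasks as task {
            task.driver is "docker"
        }
    }
}

# no_privileged_containers: no task sets privileged mode in its driver
# config. task.config is the driver-specific config map (assumed field
# name); a missing key evaluates to undefined, so `else false` treats an
# absent key as "not privileged" instead of making the rule undefined.
no_privileged_containers = rule {
    all job.task_groups as tg {
        all tg.tasks as task {
            (task.config.privileged else false) is not true
        }
    }
}

# memory_within_limit: every task declares a memory reservation no larger
# than max_memory_mb (task.resources.memory_mb is an assumed field name).
# No `else` here on purpose: a task with no memory reservation leaves the
# comparison undefined, and an undefined main fails the policy, so such a
# job is rejected rather than silently allowed.
memory_within_limit = rule {
    all job.task_groups as tg {
        all tg.tasks as task {
            task.resources.memory_mb <= max_memory_mb
        }
    }
}
```

Installed with `nomad sentinel apply -level=soft-mandatory <policy-name> <file>`, this policy blocks non-conforming submissions by default, while an operator whose ACL policy grants `sentinel-override` can still push through a deliberate exception with `nomad job run -policy-override`, which is the logged override described above. Using `hard-mandatory` instead removes that escape hatch entirely.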