Make anonymous nomad read only

2022-07-26 20:20:43 -07:00 · 2022-07-26 20:20:43 -07:00 · 963a863e2d
commit 963a863e2d
parent 3033c581f3
3 changed files with 30 additions and 8 deletions
--- a/nomad/acls/acls.tf
+++ b/nomad/acls/acls.tf
@ -1,5 +1,4 @@
 resource "nomad_acl_policy" "create_post_bootstrap_policy" {
-  # count       = can(tobool(var.nomad_secret_id)) ? 1 : 0
  name        = "anonymous"
  description = "Anon RW"
  rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
--- a/nomad/acls/nomad-admin-policy.hcl
+++ b/nomad/acls/nomad-admin-policy.hcl
@ -0,0 +1,24 @@
+namespace "*" {
+  policy       = "write"
+  capabilities = ["alloc-node-exec"]
+}
+
+agent {
+  policy = "write"
+}
+
+operator {
+  policy = "write"
+}
+
+quota {
+  policy = "write"
+}
+
+node {
+  policy = "write"
+}
+
+host_volume "*" {
+  policy = "write"
+}
--- a/nomad/acls/nomad-anon-bootstrap.hcl
+++ b/nomad/acls/nomad-anon-bootstrap.hcl
@ -1,24 +1,23 @@
 namespace "*" {
-  policy       = "write"
-  capabilities = ["alloc-node-exec"]
+  policy       = "read"
 }

 agent {
-  policy = "write"
+  policy = "read"
 }

 operator {
-  policy = "write"
+  policy = "read"
 }

 quota {
-  policy = "write"
+  policy = "read"
 }

 node {
-  policy = "write"
+  policy = "read"
 }

 host_volume "*" {
-  policy = "write"
+  policy = "read"
 }