Make anonymous nomad read only

2022-07-26 20:20:43 -07:00 · 2022-07-26 20:20:43 -07:00 · 963a863e2d
commit 963a863e2d
parent 3033c581f3
3 changed files with 30 additions and 8 deletions
--- a/nomad/acls/acls.tf
+++ b/nomad/acls/acls.tf
@ -1,5 +1,4 @@
 resource "nomad_acl_policy" "create_post_bootstrap_policy" {
  # count       = can(tobool(var.nomad_secret_id)) ? 1 : 0
  name        = "anonymous"
  description = "Anon RW"
  rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
--- a/nomad/acls/nomad-admin-policy.hcl
+++ b/nomad/acls/nomad-admin-policy.hcl
@ -0,0 +1,24 @@
 namespace "*" {
  policy       = "write"
  capabilities = ["alloc-node-exec"]
 }
 agent {
  policy = "write"
 }
 operator {
  policy = "write"
 }
 quota {
  policy = "write"
 }
 node {
  policy = "write"
 }
 host_volume "*" {
  policy = "write"
 }
--- a/nomad/acls/nomad-anon-bootstrap.hcl
+++ b/nomad/acls/nomad-anon-bootstrap.hcl
@ -1,24 +1,23 @@
 namespace "*" {
-  policy       = "write"
+  policy       = "read"
  capabilities = ["alloc-node-exec"]
 }
 agent {
-  policy = "write"
+  policy = "read"
 }
 operator {
-  policy = "write"
+  policy = "read"
 }
 quota {
-  policy = "write"
+  policy = "read"
 }
 node {
-  policy = "write"
+  policy = "read"
 }
 host_volume "*" {
-  policy = "write"
+  policy = "read"
 }