Using HashiCorp's Nomad, I followed the steps outlined in the Workload-Associated ACL Policies section of the Accessing Variables from Tasks tutorial, and it works.
Here is an example policy file named sensitive.policy.hcl:
    namespace "sensitive" {
      variables {
        path "*" {
          capabilities = ["read"]
        }
        path "azure/*" {
          capabilities = ["read"]
        }
      }
    }
Applied to an actual job, it works as expected:
    $ nomad namespace apply -description "Namespace for sensitive variables" sensitive
    $ nomad var put -namespace sensitive @../path/to/sensitive.nv.hcl
    $ nomad acl policy apply -description "Sensitive policy" -namespace default -job ARealJobThatExists sensitive /path/to/sensitive.policy.hcl
Then it is used in a template:
    job "ARealJobThatExists" {
      ...
      group "example" {
        ...
        task "example" {
          ...
          # Template to load sensitive properties into ENV VARs
          template {
            change_mode          = "restart"
            error_on_missing_key = true
            destination          = "${NOMAD_SECRETS_DIR}/.azure"
            data = <<EOT
    {{- with nomadVar "azure/properties@system" -}}
    PROP1 = {{ .prop1 }}
    PROP2 = {{ .prop2 }}
    {{- end -}}
    EOT
          }
          ...
        }
      }
    }
However, I want to associate the same policy with multiple workloads (jobs) that do not exist yet. In other words, I want to proactively associate the policy with a job wildcard, so that new jobs (created by colleagues) automatically have read access to the existing secrets. Colleagues can list the secrets/variables but cannot read them.
I tried the following, but it did not work:
    $ nomad acl policy apply -description "Proactive sensitive policy" -namespace default -job "*" sensitive /path/to/sensitive.policy.hcl
Inspecting the policy returns the following:
    $ nomad acl policy info sensitive
    Name        = sensitive
    Description = Proactive sensitive policy
    CreateIndex = 12070
    ModifyIndex = 12070

    Associated Workload
    Namespace = default
    JobID     = *
    Group     = <none>
    Task      = <none>
Is there a way to achieve this, or should I file a feature request?
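To make the evaluation described in the post concrete, here is an added Python model (not code from the post or from Nomad itself) of how a workload-associated ACL policy decides whether a task may read a variable. It parses the "Associated Workload" block shown above, treats the policy's variable `path` rules as trailing-`*` globs, and compares the association's namespace/job/group/task fields literally, which is an assumption consistent with the observed result that a JobID of `*` is stored as a literal string rather than matching other jobs. The `ns_only` case (a policy applied to a namespace with no `-job`) is also an assumption about how such an association would be scoped, not something the post demonstrates; the job name `NewJobByColleague` and the Python class names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, FrozenSet, List


@dataclass(frozen=True)
class Workload:
    """Identity a running task presents: where it runs and what it is."""
    namespace: str
    job: str
    group: str
    task: str


@dataclass(frozen=True)
class Association:
    """Scope a policy is attached to. None means 'any' (shown as <none> by policy info)."""
    namespace: str
    job: Optional[str] = None
    group: Optional[str] = None
    task: Optional[str] = None

    def matches(self, w: Workload) -> bool:
        # Assumption: every set field is compared literally, with no globbing
        # on job IDs. This matches the post's observation that JobID "*" did
        # not give other jobs access.
        pairs = ((self.namespace, w.namespace), (self.job, w.job),
                 (self.group, w.group), (self.task, w.task))
        return all(want is None or want == have for want, have in pairs)


@dataclass(frozen=True)
class PathRule:
    pattern: str
    capabilities: FrozenSet[str]

    def matches(self, path: str) -> bool:
        # Assumption: a trailing "*" in a variables path rule matches any suffix.
        if self.pattern.endswith("*"):
            return path.startswith(self.pattern[:-1])
        return path == self.pattern


@dataclass(frozen=True)
class Policy:
    name: str
    association: Association
    rules: Dict[str, Tuple[PathRule, ...]]  # variable namespace -> path rules

    def allows(self, w: Workload, var_namespace: str, path: str, capability: str) -> bool:
        if not self.association.matches(w):
            return False  # policy is not attached to this workload at all
        return any(r.matches(path) and capability in r.capabilities
                   for r in self.rules.get(var_namespace, ()))


def allowed(policies: List[Policy], w: Workload, var_namespace: str,
            path: str, capability: str = "read") -> bool:
    """A workload may act if any policy attached to it grants the capability."""
    return any(p.allows(w, var_namespace, path, capability) for p in policies)


def parse_policy_info(text: str) -> Association:
    """Parse the 'Associated Workload' fields of `nomad acl policy info` output."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        fields[key] = None if value == "<none>" else value
    return Association(fields["Namespace"], fields.get("JobID"),
                       fields.get("Group"), fields.get("Task"))


# The post's policy file as data: namespace "sensitive", read on "*" and "azure/*".
SENSITIVE_RULES = {"sensitive": (PathRule("*", frozenset({"read"})),
                                 PathRule("azure/*", frozenset({"read"})))}

# Constructed copy of the `nomad acl policy info sensitive` output from the post.
POLICY_INFO_WILDCARD = """\
Name        = sensitive
Description = Proactive sensitive policy
Associated Workload
Namespace = default
JobID     = *
Group     = <none>
Task      = <none>
"""


def evaluate_post_scenarios() -> Dict[str, bool]:
    real = Workload("default", "ARealJobThatExists", "example", "example")
    new = Workload("default", "NewJobByColleague", "example", "example")  # constructed
    exact = Policy("sensitive", Association("default", job="ARealJobThatExists"), SENSITIVE_RULES)
    wildcard = Policy("sensitive", parse_policy_info(POLICY_INFO_WILDCARD), SENSITIVE_RULES)
    ns_only = Policy("sensitive", Association("default"), SENSITIVE_RULES)  # assumption
    return {
        "exact_real_read": allowed([exact], real, "sensitive", "azure/properties"),
        "exact_new_read": allowed([exact], new, "sensitive", "azure/properties"),
        "wildcard_new_read": allowed([wildcard], new, "sensitive", "azure/properties"),
        "ns_only_new_read": allowed([ns_only], new, "sensitive", "azure/properties"),
        "ns_only_other_namespace": allowed([ns_only], Workload("other", "x", "g", "t"),
                                           "sensitive", "azure/properties"),
        "no_list_capability": allowed([exact], real, "sensitive", "azure/properties", "list"),
        "default_ns_variable": allowed([exact], real, "default", "azure/properties"),
    }
```

Running `evaluate_post_scenarios()` shows the two points the post turns on: the exact association grants `ARealJobThatExists` read access and nothing else, and the `JobID = *` association grants `NewJobByColleague` nothing because `*` is compared as a literal job name. The policy grants only `read`, so a `list` request is refused, and the rules are scoped to the `sensitive` variable namespace, so the same path in `default` is refused too.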