sentinel: remove default scope for Sentinel apply command (#24601)

When we add a Sentinel scope for dynamic host volumes, having a default `-scope`
value for `sentinel apply` risks accidentally adding policies for volumes to the
job scope. This would immediately prevent any job from being submitted. Forcing
the administrator to pass a `-scope` will prevent accidental misuse.

Ref: https://github.com/hashicorp/nomad-enterprise/pull/2087
Ref: https://github.com/hashicorp/nomad/pull/24479
Tim Gross
2024-12-03 14:30:15 -05:00
parent d700538921
commit 787fbbe671
3 changed files with 23 additions and 3 deletions

.changelog/24601.txt Normal file

@@ -0,0 +1,3 @@
```release-note:breaking-change
sentinel: The sentinel apply command now requires the -scope option
```


@@ -82,3 +82,9 @@ type SentinelPolicyListStub struct {
CreateIndex uint64 CreateIndex uint64
ModifyIndex uint64 ModifyIndex uint64
} }
// Possible Sentinel scopes
const (
SentinelScopeSubmitJob = "submit-job"
SentinelScopeSubmitHostVolume = "submit-host-volume"
)
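Review bot: The comment `// Possible Sentinel scopes` on the new const block does not say when each scope is enforced, which matters here because the commit message notes that a policy attached to the wrong scope can block every job submission. I would give each constant its own doc comment, for example `// SentinelScopeSubmitJob is the scope for policies enforced when a job is submitted.`, with a matching line for `SentinelScopeSubmitHostVolume`. The constants are untyped strings, so the compiler will not stop a caller from passing any other string as a scope; if that is intended, the block comment could say that these are the only values the CLI accepts.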


@@ -37,8 +37,9 @@ Apply Options:
-description -description
Sets a human readable description for the policy. Sets a human readable description for the policy.
-scope (default: submit-job) -scope
Sets the scope of the policy and when it should be enforced. Sets the scope of the policy and when it should be enforced. One of
"submit-job" or "submit-host-volume".
-level (default: advisory) -level (default: advisory)
Sets the enforcement level of the policy. Must be one of advisory, Sets the enforcement level of the policy. Must be one of advisory,
@@ -73,7 +74,7 @@ func (c *SentinelApplyCommand) Run(args []string) int {
flags := c.Meta.FlagSet(c.Name(), FlagSetClient) flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
flags.Usage = func() { c.Ui.Output(c.Help()) } flags.Usage = func() { c.Ui.Output(c.Help()) }
flags.StringVar(&description, "description", "", "") flags.StringVar(&description, "description", "", "")
flags.StringVar(&scope, "scope", "submit-job", "") flags.StringVar(&scope, "scope", "", "")
flags.StringVar(&enfLevel, "level", "advisory", "") flags.StringVar(&enfLevel, "level", "advisory", "")
if err := flags.Parse(args); err != nil { if err := flags.Parse(args); err != nil {
return 1 return 1
@@ -107,6 +108,16 @@ func (c *SentinelApplyCommand) Run(args []string) int {
} }
} }
switch scope {
case api.SentinelScopeSubmitJob, api.SentinelScopeSubmitHostVolume:
case "":
c.Ui.Error("-scope flag is required")
return 1
default:
c.Ui.Error(fmt.Sprintf("Error: invalid -scope value: %q", scope))
return 1
}
// Construct the policy // Construct the policy
sp := &api.SentinelPolicy{ sp := &api.SentinelPolicy{
Name: policyName, Name: policyName,
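Review bot: The new `switch scope` in `Run` enforces the required scope only in the CLI, so a caller that uses the `api` package or the HTTP API directly is not covered by it; whether the server rejects an empty or unknown scope is not visible in this commit and is worth confirming, since the stated risk is a policy landing on the wrong scope. The empty-scope message also lacks the `Error: ` prefix used by the invalid-value branch; I would write `c.Ui.Error("Error: -scope flag is required")`, and add a comment such as `// known scope, nothing to reject` on the bodiless first case so the empty body reads as intentional. None of the three changed files is a test, so cases for the missing and invalid `-scope` paths would be a useful addition. `Run` starts and ends outside these hunks.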