kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

docs: fix missing entry from template function_denylist (#26458)

Browse Source 
The docs for the `template` block accurately describe the template configuration
default function denylist in the body but the default parameters are missing
values. The equivalent docs in the `client` configuration are missing
`executeTemplate` as well.
This commit is contained in:
Tim Gross
2025-08-07 15:47:14 -04:00
committed by GitHub
parent e16a3339ad
commit 9717719502
2 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
website/content/docs/configuration/client.mdx
View File

@@ -506,10 +506,11 @@ refer to the [drivers documentation](/nomad/docs/job-declare/task-driver).
### `template` Parameters
- `function_denylist` `([]string: ["plugin", "writeToFile"])` - Specifies a
list of template rendering functions that should be disallowed in job specs.
By default the `plugin` and `writeToFile` functions are disallowed as they
allow unrestricted root access to the host.
- `function_denylist` `([]string: ["plugin", "executeTemplate",
"writeToFile"])` - Specifies a list of template rendering functions that
should be disallowed in job specs. By default the `plugin`, `executeTemplate`
and `writeToFile` functions are disallowed as they allow unrestricted root
access to the host or allow recursive execution.
- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
files on the client host via the `file` function. By default, templates can

13
website/content/docs/job-specification/template.mdx
View File

@@ -795,12 +795,13 @@ access it by index. This secret was set using
The `template` block has the following [client configuration
options](/nomad/docs/configuration/client#options):
- `function_denylist` `([]string: ["plugin"])` - Specifies a list of template
rendering functions that should be disallowed in job specs. By default, the
`plugin` function is disallowed as it allows running arbitrary commands on the
host as root (unless Nomad is configured to run as a non-root user),
`executeTemplate` is disallowed to prevent accidental or malicious infinitely
recursive execution, and `writeToFile` is disallowed.
- `function_denylist` `([]string: ["plugin", "executeTemplate",
"writeToFile"])` - Specifies a list of template rendering functions that
should be disallowed in job specs. By default, the `plugin` function is
disallowed as it allows running arbitrary commands on the host as root (unless
Nomad is configured to run as a non-root user), `executeTemplate` is
disallowed to prevent accidental or malicious infinitely recursive execution,
and `writeToFile` is disallowed.
- `disable_file_sandbox` `(bool: false)` - Allows templates access to arbitrary
files on the client host via the `file` function. By default, templates can