mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
Nomad client agents run as privileged processes and require access to much of the cluster state, secrets, etc. to operate. But we can improve upon this by tightening up the virtual policy that we use for RPC requests authenticated by the node secret ID.

This changeset removes the `node:read`, `plugin:read`, and `plugin:list` policy, as well as namespace operations. In return, we add an `AllowClientOp` check to the RPCs the client uses that would otherwise need those policies.

Where possible, the update RPCs have also been changed to match on node ID so that a client can only make the RPC that impacts itself. In future work, we may be able to downscope further by adding node pool filtering to `AllowClientOp`.

Ref: https://github.com/hashicorp/nomad-enterprise/issues/1528
Ref: https://github.com/hashicorp/nomad-enterprise/pull/1529
Ref: https://hashicorp.atlassian.net/browse/NET-9925
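The authorization pattern the commit message describes, as an added sketch that is not code from this commit or from Nomad. The `Identity` type, its fields, and the three `authorize*` functions are hypothetical simplifications; only the name `AllowClientOp` and the `node:read` capability come from the message.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrPermissionDenied = errors.New("permission denied")

// Identity is a hypothetical stand-in for an authenticated RPC caller.
type Identity struct {
	ClientNodeID string          // non-empty when authenticated by a node secret ID
	Capabilities map[string]bool // capabilities granted by ACL token policies
}

// AllowClientOp reports whether the caller is a client agent.
func (id Identity) AllowClientOp() bool { return id.ClientNodeID != "" }

// authorizeOperatorRead models an RPC that only operators call: with the
// downscoped virtual policy, a client identity carries no node:read.
func authorizeOperatorRead(id Identity) error {
	if id.Capabilities["node:read"] {
		return nil
	}
	return ErrPermissionDenied
}

// authorizeClientRead models an RPC the client itself needs: it accepts
// either the operator capability or the explicit client check.
func authorizeClientRead(id Identity) error {
	if id.Capabilities["node:read"] || id.AllowClientOp() {
		return nil
	}
	return ErrPermissionDenied
}

// authorizeNodeUpdate models an update RPC matched on node ID: a client
// may only submit an update for the node it authenticated as.
func authorizeNodeUpdate(id Identity, targetNodeID string) error {
	if !id.AllowClientOp() || id.ClientNodeID != targetNodeID {
		return ErrPermissionDenied
	}
	return nil
}

func main() {
	client := Identity{ClientNodeID: "node-a"} // constructed sample caller
	fmt.Println("operator-only read:", authorizeOperatorRead(client))
	fmt.Println("client read:", authorizeClientRead(client))
	fmt.Println("update own node:", authorizeNodeUpdate(client, "node-a"))
	fmt.Println("update other node:", authorizeNodeUpdate(client, "node-b"))
}
```
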