allow ACL policies to be associated with workload identity (#14140)
Tim Gross authored
The original design for workload identities and ACLs allows for operators to
extend the automatic capabilities of a workload by using a specially-named
policy. This has been shown to be potentially unsafe because of naming collisions, so
instead we'll allow operators to explicitly attach a policy to a workload
identity.

This changeset adds workload identity fields to ACL policy objects and threads
that all the way down to the command line. It also adds a new secondary index to the
ACL policy table on namespace and job so that claim resolution can efficiently
query for related policies.
2eaf3d72

Nomad (License: MPL 2.0)

Nomad is a simple and flexible workload orchestrator to deploy and manage containers (docker, podman), non-containerized applications (executable, Java), and virtual machines (qemu) across on-prem and clouds at scale.

Nomad is supported on Linux, Windows, and macOS. A commercial version of Nomad, Nomad Enterprise, is also available.

Nomad provides several key features:

  • Deploy Containers and Legacy Applications: Nomad’s flexibility as an orchestrator enables an organization to run containers, legacy, and batch applications together on the same infrastructure. Nomad brings core orchestration benefits to legacy applications without needing to containerize via pluggable task drivers.

  • Simple & Reliable: Nomad runs as a single binary and is entirely self-contained, combining resource management and scheduling into a single system. Nomad does not require any external services for storage or coordination. Nomad automatically handles application, node, and driver failures. Nomad is distributed and resilient, using leader election and state replication to provide high availability in the event of failures.

  • Device Plugins & GPU Support: Nomad offers built-in support for GPU workloads such as machine learning (ML) and artificial intelligence (AI). Nomad uses device plugins to automatically detect and utilize resources from hardware devices such as GPU, FPGAs, and TPUs.

  • Federation for Multi-Region, Multi-Cloud: Nomad was designed to support infrastructure at a global scale. Nomad supports federation out-of-the-box and can deploy applications across multiple regions and clouds.

  • Proven Scalability: Nomad is optimistically concurrent, which increases throughput and reduces latency for workloads. Nomad has been proven to scale to clusters of 10K+ nodes in real-world production environments.

  • HashiCorp Ecosystem: Nomad integrates seamlessly with Terraform, Consul, and Vault for provisioning, service discovery, and secrets management.

Quick Start

Testing

See Learn: Getting Started for instructions on setting up a local Nomad cluster for non-production use.

Optionally, find Terraform manifests for bringing up a development Nomad cluster on a public cloud in the terraform directory.

Production

See Learn: Nomad Reference Architecture for recommended practices and a reference architecture for production deployments.

Documentation

Full, comprehensive documentation is available on the Nomad website: https://www.nomadproject.io/docs

Guides are available on HashiCorp Learn.

Contributing

See the contributing directory for more developer documentation.