Backport of docs: expand on Sentinel policy reference into release/1.6.x #19358

Co-authored-by: Tim Gross <tgross@hashicorp.com>
This commit is contained in:
hc-github-team-nomad-core 2023-12-07 13:17:12 -06:00 committed by GitHub
parent 852efb461e
commit e1a6a4c42f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 102 additions and 3 deletions

View file

@ -141,9 +141,9 @@ production on Fridays or only allowing users to run jobs that use
pre-authorized Docker images. Sentinel policies are defined as code, giving
operators considerable flexibility to meet compliance requirements.
See the [Sentinel Policies
Guide](/nomad/tutorials/governance-and-policy/sentinel) for a thorough
overview.
See the [Sentinel Policies Guide][] for a walk-through on deploying Sentinel
policies and the [Nomad Sentinel policy reference][] for more information on
what objects are available for policies.
## Multi-Cluster & Efficiency
@ -175,3 +175,5 @@ request a trial of Nomad Enterprise.
[multiregion deployments]: /nomad/docs/job-specification/multiregion
[autoscaling capabilities]: /nomad/tools/autoscaling
[scaling policies]: /nomad/tools/autoscaling/policy
[Sentinel Policies Guide]: /nomad/tutorials/governance-and-policy/sentinel
[Nomad Sentinel policy reference]: /nomad/docs/enterprise/sentinel

View file

@ -0,0 +1,93 @@
---
layout: docs
page_title: Sentinel Policy Reference
description: >-
Learn about Nomad Sentinel Policy Objects
---
## Sentinel
In Nomad Enterprise, operators can create Sentinel policies for fine-grained
policy enforcement. Sentinel policies build on top of the ACL system and allow
operators to define policies such as disallowing jobs to be submitted to
production on Fridays or only allowing users to run jobs that use pre-authorized
Docker images. Sentinel policies are defined as code, giving operators
considerable flexibility to meet compliance requirements.
See the [Nomad Sentinel Tutorial][] for more information about deploying
Sentinel policies, as well as the documentation for the [`nomad sentinel`
subcommands][]
### Sentinel Policies
Sentinel policies are specified in the [Sentinel Language][sentinel]. The
language is designed to be understandable for people who are reading and writing
policies, while remaining fast to evaluate. There is no limitation on how
complex policies can be, but they are in the execution path so care should be
taken to avoid adversely impacting performance.
In each scope, there are different objects made available for introspection,
such a job being submitted. Policies can inspect these objects to apply
fine-grained policies.
The following top-level objects are available to policies in the `submit-job`
scope automatically, without an explicit import.
* `job`: the submitted job. This is a [Sentinel Job
Object](#sentinel-job-objects).
* `existing_job`: the previous version of the job. If `job_exists` is true, this
will always be non-nil. This is also a [Sentinel Job
Object](#sentinel-job-objects).
* `job_exists`: a boolean field that indicates that a previous version of the
job exists.
* `nomad_acl_token`: the ACL token the job was submitted with. This is a
[Sentinel Nomad ACL Token Object](#sentinel-nomad-acl-token-objects).
* `namespace`: the namespace the job is in. This is a [Sentinel Nomad Namespace
Object](#sentinel-namespace-objects).
Sentinel convention for identifiers is lower case and separated by underscores.
All fields on an object are accessed by the same name, converted to lower case
and separating camel case to underscores.
### Sentinel Job Objects
The `job` and `existing_job` objects map to the [JSON job specification][], with
the fields converted to the Sentinel convention. Here are some examples:
| Job Field | Sentinel Accessor |
|------------------------------------------|---------------------------------------------|
| `job.ID` | `job.id` |
| `job.AllAtOnce` | `job.all_at_once` |
| `job.ParentID` | `job.parent_id` |
| `job.TaskGroups` | `job.task_groups` |
| `job.TaskGroups[0].EphemeralDisk.SizeMB` | `job.task_groups[0].ephemeral_disk.size_mb` |
### Sentinel ACL Token Objects
The `nomad_acl_token` object maps to the [ACL token][], with the fields
converted to the Sentinel convention. Here are some examples:
| Nomad ACL Token Field | Sentinel Accessor |
|-------------------------------|-------------------------------|
| `nomad_acl_token.AccessorID` | `nomad_acl_token.accessor_id` |
| `nomad_acl_token.Policies[0]` | `nomad_acl_token.policies[0]` |
Note that the `SecretID` field is always redacted to prevent credential leaks.
### Sentinel Namespace Objects
The `namespace` object maps to the [Namespace][], with the fields converted to
the Sentinel convention. Here are some examples:
| Namespace Field | Sentinel Accessor |
|----------------------------------------------|------------------------------------------------|
| `namespace.Description` | `namespace.description` |
| `namespace.NodePoolConfiguration.Allowed[0]` | `namespace.node_pool_configuration.allowed[0]` |
[Nomad Sentinel Tutorial]: /nomad/tutorials/governance-and-policy/sentinel
[`nomad sentinel` sub-commands]: /nomad/docs/commands/sentinel
[sentinel]: https://docs.hashicorp.com/sentinel
[JSON job specification]: /nomad/api-docs/json-jobs
[ACL token]: https://github.com/hashicorp/nomad/blob/v1.7.0-rc.1/nomad/structs/structs.go#L12991-L13020
[Namespace]: https://github.com/hashicorp/nomad/blob/v1.7.0-rc.1/nomad/structs/structs.go#L5306-L5338

View file

@ -2281,6 +2281,10 @@
"path": "enterprise/license/faq"
}
]
},
{
"title": "Sentinel",
"path": "enterprise/sentinel"
}
]
},