cosmonic-labs / netreap

A Cilium controller implementation for Nomad
https://netreap.io
Apache License 2.0
129 stars, 8 forks

Nomad ACL token policy for Netreap #19

Open iamredbull opened 1 year ago

iamredbull commented 1 year ago

I run Netreap with this Nomad ACL policy:

namespace "*" {
  policy = "write"
  variables {
    path "*" {
      capabilities = ["write"]
    }
  }
  capabilities = [
    "read-job", "list-jobs", "parse-job", "submit-job", "dispatch-job",
    "read-logs", "read-fs", "alloc-exec", "alloc-lifecycle",
    "csi-write-volume", "csi-mount-volume",
    "list-scaling-policies", "read-scaling-policy", "read-job-scaling", "scale-job"
  ]
}

agent {
  policy = "write"
}

node {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}

plugin {
  policy = "read"
}

But I am getting this error. Netreap logs:

2023-07-10T13:26:18.352Z    DEBUG   netreap/main.go:124 Starting node reaper
2023-07-10T13:26:18.352Z    DEBUG   reapers/nodes.go:107    Beginning reconciliation
2023-07-10T13:26:18.352Z    DEBUG   reapers/nodes.go:108    Getting nomad node list
2023-07-10T13:26:18.355Z    DEBUG   reapers/nodes.go:119    Finished constructing list of all nodesnodesmap
2023-07-10T13:26:18.355Z    DEBUG   reapers/nodes.go:121    Fetching cilium nodes from consul
2023-07-10T13:26:18.357Z    DEBUG   reapers/nodes.go:134    Node no longer exists in nomad, deletingnode
2023-07-10T13:26:18.361Z    FATAL   netreap/main.go:94  unable to start node reaper: error when starting node event stream: Unexpected response code: 500 (Permission denied)

Nomad logs:

13:27:42 cpx31 nomad[57220]:     2023-07-10T13:27:42.929Z [ERROR] http: request failed: method=GET path="/v1/event/stream?index=9223372036854775807&namespace=default&region=global" error="Permission denied" code=500
13:27:42 cpx31 nomad[57220]: http: request failed: method=GET path="/v1/event/stream?index=9223372036854775807&namespace=default&region=global" error="Permission denied" code=500

Can you please tell me which policies I should use to fix this error? So far I have been able to run Netreap with the main root token. Or do I need to use a Nomad management token for the Netreap job?
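Added example (editor's addition, not code from this thread or from Netreap): a small Go program that probes whether a given Nomad token may open `/v1/event/stream` for a given set of topics, and classifies the "Unexpected response code: 500 (Permission denied)" reply seen above as a permission failure. It runs offline against a constructed fake Nomad agent (`fakeNomad`) that applies the per-topic rule the Nomad API docs describe for the event stream: a management token may subscribe to anything, a token with `node:read` may subscribe to the `Node` topic, and a subscription to all topics (no `topic` query parameter, or `*:*`) is refused for non-management tokens. The token strings `mgmt-token` and `node-read-token`, the fake token's capabilities, and the treatment of a topic-less request as "all topics" are assumptions of the example; verify the exact rule against the docs for the Nomad version you run.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// ErrPermissionDenied is returned when Nomad rejects the subscription because
// the token lacks the capabilities for the requested topics.
var ErrPermissionDenied = errors.New("nomad event stream: permission denied")

// BuildEventStreamURL assembles the /v1/event/stream request URL. Topics use
// Nomad's "Topic:Key" form (e.g. "Node:*"); passing none is assumed here to
// mean "all topics", which is how the log line in the issue reads.
func BuildEventStreamURL(baseURL string, topics []string, index uint64) string {
	q := url.Values{}
	q.Set("index", fmt.Sprintf("%d", index))
	for _, t := range topics {
		q.Add("topic", t)
	}
	return strings.TrimRight(baseURL, "/") + "/v1/event/stream?" + q.Encode()
}

// CheckEventStreamAccess opens the stream with the given token and returns nil
// if Nomad starts streaming, ErrPermissionDenied if it rejects the token, or
// another error otherwise. It does not consume the stream.
func CheckEventStreamAccess(ctx context.Context, baseURL, token string, topics []string, index uint64) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, BuildEventStreamURL(baseURL, topics, index), nil)
	if err != nil {
		return err
	}
	if token != "" {
		req.Header.Set("X-Nomad-Token", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return nil
	}
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	msg := strings.TrimSpace(string(body))
	// The issue's Nomad log shows the denial arriving as HTTP 500 with the body
	// "Permission denied", so classify on the message, not on 403 alone.
	if resp.StatusCode == http.StatusForbidden || strings.Contains(strings.ToLower(msg), "permission denied") {
		return fmt.Errorf("%w (HTTP %d)", ErrPermissionDenied, resp.StatusCode)
	}
	return fmt.Errorf("nomad event stream: unexpected response code: %d (%s)", resp.StatusCode, msg)
}

// fakeNomad is a constructed stand-in for a Nomad agent so the example runs
// offline. "mgmt-token" is treated as a management token; "node-read-token" is
// assumed to carry only node:read, so it may subscribe to Node:* topics and
// nothing else; a request without topics is treated as "all topics".
func fakeNomad() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/event/stream" {
			http.NotFound(w, r)
			return
		}
		token := r.Header.Get("X-Nomad-Token")
		topics := r.URL.Query()["topic"]
		allowed := token == "mgmt-token"
		if !allowed && token == "node-read-token" && len(topics) > 0 {
			allowed = true
			for _, t := range topics {
				if !strings.HasPrefix(t, "Node:") {
					allowed = false
				}
			}
		}
		if !allowed {
			// Same shape as the reply in the issue: 500 with "Permission denied".
			http.Error(w, "Permission denied", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintln(w, `{"Index":1,"Events":[]}`)
	}))
}

func main() {
	srv := fakeNomad()
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cases := []struct {
		name   string
		token  string
		topics []string
	}{
		{"node-read token, all topics (as in the log)", "node-read-token", nil},
		{"node-read token, Node topic only", "node-read-token", []string{"Node:*"}},
		{"management token, all topics", "mgmt-token", nil},
	}
	for _, c := range cases {
		fmt.Printf("%-45s -> %v\n", c.name, CheckEventStreamAccess(ctx, srv.URL, c.token, c.topics, 0))
	}
}
```

To run the same probe against a real agent, replace `srv.URL` with your `NOMAD_ADDR` and the token strings with the token under test; a non-management token that fails with no `topic` parameter but succeeds with `topic=Node:*` is being refused the all-topics subscription, not the `Node` topic itself.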

iamredbull commented 1 year ago

Could you help me with this please? @deverton @protochron