Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mxab/nacp
Admission Controller as a proxy for Nomad. Define OPA rules for validation and mutation or plugin remotes
admission-controller devsecops nomad notary notation opa
Last synced: 24 days ago
- Host: GitHub
- URL: https://github.com/mxab/nacp
- Owner: mxab
- License: mpl-2.0
- Created: 2023-02-11T12:28:44.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-04-15T21:24:24.000Z (8 months ago)
- Last Synced: 2024-04-17T06:13:03.204Z (8 months ago)
- Topics: admission-controller, devsecops, nomad, notary, notation, opa
- Language: Go
- Homepage:
- Size: 371 KB
- Stars: 33
- Watchers: 5
- Forks: 2
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-opa - Nomad Admission Control Proxy - An admission controller that can be used as a proxy to Nomad's API for mutation and validation with builtin OPA support. (Nomad / Blogs and Articles)
README
# NACP - Nomad Admission Control Proxy
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=mxab_nacp&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=mxab_nacp)
A proxy in front of the Nomad API that allows mutation and validation to be performed on the job data.
![nacp](https://user-images.githubusercontent.com/1607547/224442234-685950f7-43ff-4570-91d1-fe004827caef.png)
## How
It intercepts the Nomad API calls that include job data (plan, register, validate) and performs mutation and validation on the job data. At that point the job data has already been transformed from HCL to JSON.
If any errors occur, the proxy returns the error to the Nomad API caller.
Warnings are attached to the Nomad response when it comes back from the actual Nomad API.

Currently validation comes in two flavors:
- Embedded OPA rules
- Webhooks

## Mutation
During the mutation phase the job data is modified by the configured mutators.
### OPA
The opa mutator uses the [OPA](https://www.openpolicyagent.org/) policy engine to perform the mutation.
The OPA rule is expected to return a [JSONPatch](https://jsonpatch.com/) object. The JSONPatch object is then applied to the job data.
It can also return errors and warnings.
An example rego could look like this:

```rego
package hello_world_meta

import future.keywords

# mutation: returns JSONPatch operations to apply to the job
patch contains ops if {
    input.Name == "greeting_job"
    ops := {
        "op": "add",
        "path": "/Meta",
        "value": {
            "hello": "world"
        }
    }
}

# validation: any error rejects the request
errors contains msg if {
    input.Name == "silent_job"
    msg := "cannot greet"
}

# warnings are passed through to the caller with the Nomad response
warnings contains msg if {
    input.Name == "had_no_coffee_yet_job"
    msg := "you should have coffee first"
}
```

For the embedded OPA mutator you also have to define the query that is used to extract the patch from the OPA response:
```hcl
mutator "opa_json_patch" "hello_world_opa_mutator" {
  opa_rule {
    query = <"
  }
}
```

# Note
This work was inspired by the internal [Nomad Admission Controller](https://github.com/hashicorp/nomad/blob/v1.5.0/nomad/job_endpoint_hooks.go#L74).
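The mutation phase described in the How and OPA sections above, written out as an added Go example. This is not nacp's own code: it decodes a job body (already HCL-to-JSON) together with the OPA result, rejects the call when the `errors` set is non-empty, otherwise applies the returned JSONPatch operations to the job, and carries the `warnings` through. The field names `patch`, `errors` and `warnings` on the decoded OPA result are an assumption (in nacp they depend on the configured `query`), as is the subset of JSONPatch implemented: `add`, `replace` and `remove` on object members, with arrays such as `TaskGroups` and `Tasks` traversed by index so that nested paths work as well as the top-level `/Meta` case. The sample job and verdict in `main` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// PatchOp is one RFC 6902 operation, the shape of each element of the rego `patch` set.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value,omitempty"`
}

// Verdict is the decoded OPA query result (field names assumed for this example):
// the patch to apply, errors that reject the call, and warnings to pass through.
type Verdict struct {
	Patch    []PatchOp `json:"patch"`
	Errors   []string  `json:"errors"`
	Warnings []string  `json:"warnings"`
}

// unescape decodes JSON Pointer escapes; a single pass handles "~1" before "~0".
var unescape = strings.NewReplacer("~1", "/", "~0", "~").Replace

// step descends one pointer segment through an object key or an array index.
func step(node any, seg string) (any, error) {
	if m, ok := node.(map[string]any); ok {
		if child, ok := m[seg]; ok {
			return child, nil
		}
	} else if a, ok := node.([]any); ok {
		if i, err := strconv.Atoi(seg); err == nil && i >= 0 && i < len(a) {
			return a[i], nil
		}
	}
	return nil, fmt.Errorf("segment %q not found", seg)
}

// ApplyPatch applies add/replace/remove ops to a decoded job in place. Arrays such
// as TaskGroups and Tasks are traversed by index; the leaf must be an object member.
func ApplyPatch(job map[string]any, ops []PatchOp) error {
	for _, op := range ops {
		if !strings.HasPrefix(op.Path, "/") {
			return fmt.Errorf("%s: path %q must start with /", op.Op, op.Path)
		}
		segs := strings.Split(op.Path[1:], "/")
		var parent any = job
		for _, seg := range segs[:len(segs)-1] {
			next, err := step(parent, unescape(seg))
			if err != nil {
				return fmt.Errorf("%s %s: %w", op.Op, op.Path, err)
			}
			parent = next
		}
		obj, ok := parent.(map[string]any)
		if !ok {
			return fmt.Errorf("%s %s: leaf parent is not an object", op.Op, op.Path)
		}
		leaf := unescape(segs[len(segs)-1])
		_, exists := obj[leaf]
		switch {
		case op.Op == "add", op.Op == "replace" && exists:
			obj[leaf] = op.Value
		case op.Op == "remove" && exists:
			delete(obj, leaf)
		case op.Op == "replace", op.Op == "remove":
			return fmt.Errorf("%s %s: member does not exist", op.Op, op.Path)
		default:
			return fmt.Errorf("unsupported op %q", op.Op)
		}
	}
	return nil
}

// Admit runs the mutation phase as the proxy would before forwarding a plan, register
// or validate call: decode job and verdict, reject on errors, otherwise apply the patch.
func Admit(jobBody, opaResult []byte) (job map[string]any, v Verdict, err error) {
	if err = json.Unmarshal(jobBody, &job); err != nil {
		return nil, v, fmt.Errorf("decode job: %w", err)
	}
	if err = json.Unmarshal(opaResult, &v); err != nil {
		return nil, v, fmt.Errorf("decode opa result: %w", err)
	}
	if len(v.Errors) == 0 {
		if perr := ApplyPatch(job, v.Patch); perr != nil {
			v.Errors = append(v.Errors, perr.Error()) // a patch that cannot be applied also rejects
		}
	}
	return job, v, nil
}

func main() {
	// Constructed inputs: a job body (already HCL->JSON) and the example rego's verdict.
	job, v, _ := Admit([]byte(`{"Name":"greeting_job","TaskGroups":[{"Name":"web"}]}`),
		[]byte(`{"patch":[{"op":"add","path":"/Meta","value":{"hello":"world"}}]}`))
	fmt.Println(job, v.Errors, v.Warnings)
}
```

Two design points worth noting: the patch is skipped entirely once the policy reports an error, so a rejected job is never half-mutated, and a patch that cannot be applied (missing member, bad array index) is itself turned into a rejection rather than silently forwarding the unmodified job to Nomad.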