
https://github.com/mxab/nacp

Admission Controller as a proxy for Nomad. Define OPA rules for validation and mutation or plugin remotes

admission-controller devsecops nomad notary notation opa


README


# NACP - Nomad Admission Control Proxy

[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=mxab_nacp&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=mxab_nacp)

A proxy in front of the Nomad API that performs mutation and validation on the job data.

![nacp](https://user-images.githubusercontent.com/1607547/224442234-685950f7-43ff-4570-91d1-fe004827caef.png)

## How
It intercepts the Nomad API calls that include job data (plan, register, validate) and performs mutation and validation on the job data. At that point the job data has already been transformed from HCL to JSON.
If any errors occur, the proxy returns the error to the Nomad API caller.
Warnings are attached to the Nomad response when it comes back from the actual Nomad API.

Currently validation comes in two flavors:
- Embedded OPA rules
- Webhooks

## Mutation

During the mutation phase the job data is modified by the configured mutators.
### OPA
The OPA mutator uses the [OPA](https://www.openpolicyagent.org/) policy engine to perform the mutation.
The OPA rule is expected to return a [JSONPatch](https://jsonpatch.com/) object, which is then applied to the job data.
It can also return errors and warnings.
An example Rego rule could look like this:

```rego
package hello_world_meta
import future.keywords

# add Meta.hello = "world" to the job named greeting_job
patch contains ops if {
  input.Name == "greeting_job"
  ops := {
    "op": "add",
    "path": "/Meta",
    "value": {
      "hello": "world"
    }
  }
}

# reject the job named silent_job
errors contains msg if {
  input.Name == "silent_job"
  msg := "cannot greet"
}

# warn about, but still admit, the job named had_no_coffee_yet_job
warnings contains msg if {
  input.Name == "had_no_coffee_yet_job"
  msg := "you should have coffee first"
}
```

For the embedded OPA mutator you also have to define the query that is used to extract the patch from the OPA response:

```hcl
mutator "opa_json_patch" "hello_world_opa_mutator" {

  opa_rule {
    # the query string was lost in extraction of this page; it selects the
    # patch from the result of the hello_world_meta package defined above
    query = "QUERY_OMITTED_IN_SOURCE"
  }
}
```
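To make the mutation contract concrete, here is an added Python example (not part of NACP, which is written in Go) that applies the JSON Patch an OPA rule returns to a job payload and mirrors the proxy's decision: errors reject the job, warnings pass through alongside the patched job. The sample job and the OPA result are constructed, and a minimal RFC 6902 applier (add/replace/remove, with `~0`/`~1` pointer escapes) stands in for the real patch library.

```python
import copy

# Constructed sample: what the proxy sees after Nomad has turned the job HCL into JSON.
SAMPLE_JOB = {"Name": "greeting_job", "Meta": None, "TaskGroups": [{"Name": "web"}]}


def _resolve(doc, pointer):
    """Walk an RFC 6901 pointer and return (parent container, final key/index).

    Handles the ~1 (slash) and ~0 (tilde) escapes and list indices including '-'.
    The empty pointer (whole document) is not supported by this minimal applier."""
    if not pointer.startswith("/"):
        raise ValueError(f"unsupported pointer {pointer!r}")
    parts = [p.replace("~1", "/").replace("~0", "~") for p in pointer.split("/")[1:]]
    node = doc
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    last = parts[-1]
    if isinstance(node, list):
        last = len(node) if last == "-" else int(last)
    return node, last


def apply_json_patch(job, ops):
    """Apply a list of patch ops to a deep copy of the job; unknown ops are rejected."""
    job = copy.deepcopy(job)
    for op in ops:
        parent, key = _resolve(job, op["path"])
        kind = op["op"]
        if kind == "add":
            if isinstance(parent, list):
                parent.insert(key, op["value"])
            else:
                parent[key] = op["value"]
        elif kind == "replace":
            if isinstance(parent, dict) and key not in parent:
                raise KeyError(f"replace target {op['path']} does not exist")
            parent[key] = op["value"]
        elif kind == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op {kind!r}")
    return job


def admit(job, opa_result):
    """Return (patched_job_or_None, errors, warnings) from the sets the Rego rules produce.

    Any error rejects the job (no patch is applied); warnings never block admission."""
    errors = list(opa_result.get("errors", []))
    warnings = list(opa_result.get("warnings", []))
    if errors:
        return None, errors, warnings
    return apply_json_patch(job, opa_result.get("patch", [])), [], warnings
```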

# Note
This work was inspired by the internal [Nomad Admission Controller](https://github.com/hashicorp/nomad/blob/v1.5.0/nomad/job_endpoint_hooks.go#L74).