cosmonic-labs/netreap

Nomad ACL token policy for Netreap

iamredbull opened this issue · 1 comments

I run Netreap with this Nomad ACL policy:

namespace "*" {
  policy = "write"
  variables {
    path "*" {
      capabilities = ["write"]
    }
  }
  capabilities = ["read-job", "list-jobs", "parse-job", "submit-job", "dispatch-job", "read-logs", "read-fs", "alloc-exec", "alloc-lifecycle", "csi-write-volume", "csi-mount-volume", "list-scaling-policies", "read-scaling-policy", "read-job-scaling", "scale-job"]
}

agent {
  policy = "write"
}

node {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}

plugin {
  policy = "read"
}

But I am getting this error:
Netreap logs:

2023-07-10T13:26:18.352Z	DEBUG	netreap/main.go:124	Starting node reaper
2023-07-10T13:26:18.352Z	DEBUG	reapers/nodes.go:107	Beginning reconciliation
2023-07-10T13:26:18.352Z	DEBUG	reapers/nodes.go:108	Getting nomad node list
2023-07-10T13:26:18.355Z	DEBUG	reapers/nodes.go:119	Finished constructing list of all nodesnodesmap
2023-07-10T13:26:18.355Z	DEBUG	reapers/nodes.go:121	Fetching cilium nodes from consul
2023-07-10T13:26:18.357Z	DEBUG	reapers/nodes.go:134	Node no longer exists in nomad, deletingnode
2023-07-10T13:26:18.361Z	FATAL	netreap/main.go:94	unable to start node reaper: error when starting node event stream: Unexpected response code: 500 (Permission denied)

Nomad logs:

13:27:42 cpx31 nomad[57220]:     2023-07-10T13:27:42.929Z [ERROR] http: request failed: method=GET path="/v1/event/stream?index=9223372036854775807&namespace=default&region=global" error="Permission denied" code=500
13:27:42 cpx31 nomad[57220]: http: request failed: method=GET path="/v1/event/stream?index=9223372036854775807&namespace=default&region=global" error="Permission denied" code=500

Can you please tell me which policies I should use to fix this error? So far I have only been able to run Netreap with the main root token. Or do I need to use a Nomad management token for the Netreap job?

Could you help me with this, please? @deverton @protochron
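An added example, not part of this issue or of netreap: a small Python model of the permission gate on Nomad's /v1/event/stream endpoint, based on my reading of the Nomad server code (check it against the version you run). The request in the Nomad log carries no topic= parameter, which the server treats as a subscription to every topic, and that case is granted only to a management token, whereas a stream limited to the Node topic needs only node:read; the token dictionary shape and the sample tokens are constructed for the example.

```python
from urllib.parse import parse_qs

# Topics whose events are scoped to a namespace and therefore gated on read-job there.
NAMESPACED_TOPICS = {"Job", "Allocation", "Evaluation", "Deployment", "Service"}


def topics_from_query(raw_query: str) -> list[str]:
    """Topic names in an event-stream query; no topic= parameter means every topic ("*")."""
    params = parse_qs(raw_query)
    if "topic" not in params:
        return ["*"]
    # "Node:*" -> "Node": the part after the colon is a filter key, not a topic.
    return [t.split(":", 1)[0] for t in params["topic"]]


def event_stream_allowed(token: dict, topics: list[str], namespace: str) -> tuple[bool, str]:
    """Decide whether a token may open the stream; returns (allowed, reason).

    token is a constructed, simplified view of an ACL token:
    {"management": bool, "node_read": bool, "read_job_namespaces": set[str]}
    """
    if token.get("management"):
        return True, ""
    read_job_ns = token.get("read_job_namespaces", set())
    for t in topics:
        if t == "*":
            return False, "topic * (every event) needs a management token"
        if t == "Node":
            if not token.get("node_read"):
                return False, "topic Node needs node:read"
        elif t in NAMESPACED_TOPICS:
            if namespace not in read_job_ns and "*" not in read_job_ns:
                return False, f"topic {t} needs read-job in namespace {namespace}"
        else:
            return False, f"unknown topic {t}"
    return True, ""


if __name__ == "__main__":
    # Roughly what the issue's policy grants: node write (covers read) and
    # read-job on every namespace, but not a management token.
    issue_token = {"node_read": True, "read_job_namespaces": {"*"}}
    for query in (
        "index=9223372036854775807&namespace=default&region=global",  # from the Nomad log
        "topic=Node:*&namespace=default&region=global",  # Node events only
    ):
        topics = topics_from_query(query)
        print(query, "->", topics, event_stream_allowed(issue_token, topics, "default"))
```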