HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Nomad
Nomad Home

nomad sentinel apply command reference

The sentinel apply command is used to write a new, or update an existing, Sentinel policy.

Enterprise

This feature requires Nomad Enterprise(opens in new tab).

Usage

nomad sentinel apply [options] <Policy Name> <Policy File>

The sentinel apply command requires two arguments, the policy name and the policy file. The policy file can be read from stdin by specifying "-" as the file name.

Additionally, you must specify the -scope option. Refer to the -scope field description for more information.

Sentinel commands are only available when ACLs are enabled. This command requires a management token.

Options

  • -description : Sets a human readable description for the policy

  • -scope : Required. Sets the scope of the policy and when it should be enforced. Specify one of the following:

    • The submit-job scope for registering jobs
    • The submit-host-volume scope for creating or updating dynamic host volumes.

    Refer to the Sentinel guide for scope details.

  • -level : (default: advisory) Sets the enforcement level of the policy. Must be one of advisory, soft-mandatory, hard-mandatory.

Examples

Write a policy:

$ nomad sentinel write -scope "submit-job" -description "My test policy" foo test.sentinel
Successfully wrote "foo" Sentinel policy!

General options

  • -address=<addr>: The address of the Nomad server. Overrides the NOMAD_ADDR environment variable if set. Defaults to http://127.0.0.1:4646.

  • -region=<region>: The region of the Nomad server to forward commands to. Overrides the NOMAD_REGION environment variable if set. Defaults to the Agent's local region.

  • -no-color: Disables colored command output. Alternatively, NOMAD_CLI_NO_COLOR may be set. This option takes precedence over -force-color.

  • -force-color: Forces colored command output. This can be used in cases where the usual terminal detection fails. Alternatively, NOMAD_CLI_FORCE_COLOR may be set. This option has no effect if -no-color is also used.

  • -ca-cert=<path>: Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. Overrides the NOMAD_CACERT environment variable if set.

  • -ca-path=<path>: Path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate. If both -ca-cert and -ca-path are specified, -ca-cert is used. Overrides the NOMAD_CAPATH environment variable if set.

  • -client-cert=<path>: Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify -client-key. Overrides the NOMAD_CLIENT_CERT environment variable if set.

  • -client-key=<path>: Path to an unencrypted PEM encoded private key matching the client certificate from -client-cert. Overrides the NOMAD_CLIENT_KEY environment variable if set.

  • -tls-server-name=<value>: The server name to use as the SNI host when connecting via TLS. Overrides the NOMAD_TLS_SERVER_NAME environment variable if set.

  • -tls-skip-verify: Do not verify TLS certificate. This is highly not recommended. Verification will also be skipped if NOMAD_SKIP_VERIFY is set.

  • -token: The SecretID of an ACL token to use to authenticate API requests with. Overrides the NOMAD_TOKEN environment variable if set.

Edit this page on GitHub