
Security Guide

This guide covers security best practices for the Nomad PaaS controlplane.

Secrets Management

Vault Integration

The controlplane integrates with HashiCorp Vault for secret management. A vault-secret trait reads the secret at `path` and exposes its fields as the listed environment variables; `changeMode: restart` restarts the task when the secret changes:

traits:
  - type: vault-secret
    properties:
      path: secret/data/production/db
      changeMode: restart
      env:
        username: DB_USER
        password: DB_PASS

Vault Policy

Ensure the Vault policy bound to the workload grants read access to the secret path, and no more than the workload needs:

path "secret/data/production/*" {
  capabilities = ["read"]
}

Environment Variables

Avoid writing secret values directly into the application spec as environment variables; anyone who can read the spec or its job file can read the secret:

# Bad - secrets visible in config
properties:
  env:
    - name: API_KEY
      value: "secret-key"

# Good - use Vault
traits:
  - type: vault-secret
    properties:
      path: secret/data/api-keys
      env:
        API_KEY: API_KEY

Network Security

TLS for Ingress

Always enable TLS for production workloads:

traits:
  - type: ingress
    properties:
      host: api.example.com
      tls: true
      # Uses Let's Encrypt by default

Service Mesh (Consul Connect)

Enable Consul Connect so that service-to-service traffic is carried over mTLS between sidecar proxies:

scopes:
  - scopeRef:
      kind: networkscope.nomad.oam.dev
      name: secure-network
    properties:
      networkMode: bridge
      serviceMesh: true
      connectSidecar: true

Multi-Tenancy Isolation

Namespace Isolation

Use separate namespaces for each tenant:

scopes:
  - scopeRef:
      kind: namespace.nomad.oam.dev
      name: tenant-ns
    properties:
      namespace: tenant-a

Resource Quotas

Attach a quota to each namespace so that one tenant cannot exhaust cluster resources for the others:

scopes:
  - scopeRef:
      kind: namespace.nomad.oam.dev
      name: production-ns
    properties:
      namespace: production
      quota: production-quota

Node Security

Node Constraints

Restrict workloads to specific nodes:

traits:
  - type: affinity
    properties:
      nodeClass: secure-nodes

Spread Across Datacenters

Improve availability by spreading across DCs:

traits:
  - type: affinity
    properties:
      spread: true

Image Security

Private Registries

Use image pull secrets for private registries:

properties:
  image: private-registry.io/myapp:latest
  imagePullSecret: my-registry-secret

Image Verification

Always pin images to a specific version tag. A `latest` tag can silently change between deployments, so you cannot tell which build is running or review what changed:

# Good - pinned version
properties:
  image: myapp:v1.2.3

# Avoid - latest tag
properties:
  image: myapp:latest

Network Policies

Restrict Ingress

Restrict which clients can reach an exposed service, for example by source IP through ingress middleware:

traits:
  - type: ingress
    properties:
      host: api.example.com
      middleware:
        - allowed-ips  # Restrict by IP

Audit Logging

Enable audit logging so that changes and access to the controlplane are recorded for compliance and incident investigation:

logging:
  level: info
  audit: true

Best Practices Checklist

  • [ ] Use Vault for all secrets
  • [ ] Enable TLS for all ingress
  • [ ] Enable Consul Connect for service mesh
  • [ ] Use separate namespaces per tenant
  • [ ] Set resource quotas
  • [ ] Pin image versions
  • [ ] Use node constraints for sensitive workloads
  • [ ] Enable audit logging
  • [ ] Apply security updates regularly
  • [ ] Scan images for vulnerabilities
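The following checker, added here as an example and not part of the controlplane's own tooling, lints an application spec against the checklist above. It assumes the spec has the shape shown in this guide (a `properties` map with `image` and `env`, a `traits` list of `type`/`properties` entries, and a `scopes` list with `scopeRef.kind`); the sample spec is constructed to trip several checks.

```python
import re

# Constructed sample: a spec with several of the problems this guide warns about.
SAMPLE_SPEC = {
    "properties": {
        "image": "myapp:latest",
        "env": [{"name": "API_KEY", "value": "secret-key"}],
    },
    "traits": [{"type": "ingress", "properties": {"host": "api.example.com"}}],
    "scopes": [],
}

# Env var names that usually carry a secret and belong in a vault-secret trait.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASS", re.I)
NAMESPACE_KIND = "namespace.nomad.oam.dev"
NETWORK_KIND = "networkscope.nomad.oam.dev"


def lint_spec(spec):
    """Return a list of findings; an empty list means the spec passes."""
    findings = []
    props = spec.get("properties", {})
    traits = spec.get("traits", [])
    scopes = spec.get("scopes", [])

    # 1. Secret-looking env vars must not carry an inline value.
    for var in props.get("env", []):
        if "value" in var and SECRET_NAME.search(var.get("name", "")):
            findings.append(f"inline secret in env var {var['name']}; use a vault-secret trait")

    # 2. Every ingress trait must set tls: true.
    for trait in traits:
        if trait.get("type") == "ingress" and not trait.get("properties", {}).get("tls"):
            host = trait.get("properties", {}).get("host", "?")
            findings.append(f"ingress for {host} without tls: true")

    # 3. The image must be pinned: a digest or a non-latest tag on the last path segment.
    image = props.get("image", "")
    name_part = image.rsplit("/", 1)[-1]
    if "@sha256:" not in image and (":" not in name_part or name_part.endswith(":latest")):
        findings.append(f"image {image!r} is not pinned to a version")

    # 4. A namespace scope and a network scope with serviceMesh: true are required.
    kinds = {s.get("scopeRef", {}).get("kind") for s in scopes}
    if NAMESPACE_KIND not in kinds:
        findings.append("no namespace scope; tenant isolation is not enforced")
    mesh_on = any(s.get("scopeRef", {}).get("kind") == NETWORK_KIND
                  and s.get("properties", {}).get("serviceMesh") for s in scopes)
    if not mesh_on:
        findings.append("no network scope with serviceMesh: true; mTLS between services is off")
    return findings


if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print("FAIL:", finding)
```

Run it against a spec loaded from YAML (for example with PyYAML's `safe_load`) to get the same dict shape.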