Merge branch 'master' of github.com:docker/docs-private

ee/ucp/admin/configure/create-audit-logs.md

@@ -4,9 +4,9 @@ description: Learn how to create audit logs of all activity in UCP
 keywords: logs, ucp, swarm, kubernetes, audits
 ---
 
-Audit logs are focused on external user/agent actions and security rather than understanding state or events of the system itself. They are a chronological record of security-relevant activities by individual users, administrators or software components that have affected the system.
+Audit logs are a chronological record of security-relevant activities by individual users, administrators or software components that have affected the system. They are focused on external user/agent actions and security rather than understanding state or events of the system itself.
 
-Audit Logs capture all HTTP actions (GET, PUT, POST, PATCH, DELETE) to all UCP API, Swarm API and Kubernetes API endpoints that are invoked (except for the ignored list) and sent to Docker Engine via stdout. Creating audit logs is CLI driven and is an UCP component that integrates with Swarm, K8s, and UCP APIs.
+Audit Logs capture all HTTP actions (GET, PUT, POST, PATCH, DELETE) to all UCP API, Swarm API and Kubernetes API endpoints that are invoked (except for the ignored list) and sent to Docker Engine via stdout. Creating audit logs is a UCP component that integrates with Swarm, K8s, and UCP APIs.
 
 ## Logging levels
 
@@ -63,6 +63,41 @@ You can use audit logs to help with the following use cases:
 
 6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. (https://success.docker.com/article/elasticsearch-logstash-kibana-logging)
 
+## Sample logs
+
+Here is a sample audit log for a Kubernetes cluster.
+
+```
+{"audit"; {
+      "metadata": {...},
+      "level": "Metadata",
+      "timestamp": "2018-08-07T22:10:35Z",
+      "auditID": "7559d301-fa6b-4ad6-901c-b587fab75277",
+      "stage": "RequestReceived",
+      "requestURI": "/api/v1/namespaces/default/pods",
+      "verb": "list",
+      "user": {"username": "alice",...},
+      "sourceIPs": ["127.0.0.1"],
+      ...,
+      "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
+```
+Here is a sample audit log for a Swarm cluster.
+
+```
+{"audit"; {
+      "metadata": {...},
+      "level": "Metadata",
+      "timestamp": "2018-08-07T22:10:35Z",
+      "auditID": "7559d301-94e7-4ad6-901c-b587fab31512",
+      "stage": "RequestReceived",
+      "requestURI": "/v1.30/configs/create",
+      "verb": "post",
+      "user": {"username": "alice",...},
+      "sourceIPs": ["127.0.0.1"],
+      ...,
+      "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
+```
+
 ## API endpoints ignored
 
 The following API endpoints are ignored since they are not considered security events and may create a large amount of log entries.

ee/ucp/release-notes.md

@@ -37,7 +37,7 @@ upgrade your installation to the latest release.
 ### Kubernetes
 
 * Kubernetes is updated to version 1.11.2.
-* Kubernetes native RBAC feature manages access control for Kubernetes resources. Users can now create roles for Kubernetes APIs using Kubernetes `Role` and `ClusterRole` objects in the Kubernetes API. They can also grant permissions to users and service accounts with the `RoleBinding` and `ClusterRoleBinding` objects. The web interface for Kubernetes RBAC reflects these changes.
+* Kubernetes native RBAC feature manages access control for Kubernetes resources. Users can now create roles for Kubernetes APIs using Kubernetes `Role` and `ClusterRole` objects in the Kubernetes API. They can also grant permissions to users and service accounts with the `RoleBinding` and `ClusterRoleBinding` objects. The web interface for Kubernetes RBAC reflects these changes. Your old Kubernetes grants and roles will be automatically migrated during the UCP upgrade.
 
 ### Logging
 
@@ -60,6 +60,7 @@ Admins can configure UCP to use a SAML-enabled identity provider for user authen
 ### Configs
 
 * UCP now stores its configurations in its internal key-value store instead of in a Swarm configuration so changes can propagate across the cluster more quickly.
+* You can now use the `custom_api_server_headers` field in the UCP configuration to set arbitrary headers that are included with every UCP response.
 
 ## API updates
 
@@ -97,15 +98,14 @@ There are several backward-incompatible changes in the Kubernetes API that may a
 
 ## Deprecated features
 
-The following features are deprecated in UCP 3.1
+The following features are deprecated in UCP 3.1.
 
 * Collections
     *  User-created nested collections more than 2 layers deep within the root `/Swarm/` collection are deprecated and will be removed in future versions of the product. In the future, we recommend that at most only two levels of collections be created within UCP under the shared Cluster collection designated as `/Swarm/`. For example, if a production collection is created as a collection under the cluster collection `/Swarm/` as `/Swarm/production/` then at most one level of nestedness should be created, as in `/Swarm/production/app/`.
 
 * Kubernetes
-    * **PersistentVolumeLabel** admission controller is deprecated in Kubernetes 1.11. This functionality will be migrated to Cloud Controller Manager [https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/](https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/)
+    * **PersistentVolumeLabel** admission controller is deprecated in Kubernetes 1.11. This functionality will be migrated to [Cloud Controller Manager](https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/](https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/)
     * `--cni-install-url` is deprecated in favor of `--unmanaged-cni`
-    * KubeDNS is deprecated in favor of CoreDNS.
 
 # Version 3.0