diff --git a/_data/toc.yaml b/_data/toc.yaml index b59c78f1cb..f22b0adcc1 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1560,6 +1560,8 @@ manuals: title: Add labels to cluster nodes - path: /ee/ucp/admin/configure/add-sans-to-cluster/ title: Add SANs to cluster certificates + - path: /ee/ucp/authorization/configure-rbac-kube/ + title: Configure Kubernetes Role-Based Access Control - path: /ee/ucp/admin/configure/external-auth/ title: Integrate with LDAP - path: /ee/ucp/admin/configure/external-auth/enable-ldap-config-file/ @@ -1646,8 +1648,6 @@ manuals: - path: /ee/ucp/authorization/pull-images/ title: Allow users to pull images - path: /ee/ucp/authorization/migrate-kubernetes-roles/ - title: Configure Kubernetes Role-Based Access Control - - path: /ee/ucp/authorization/configure-rbac-kube/ title: Docker EE Standard use case - path: /ee/ucp/authorization/ee-advanced/ title: Docker EE Advanced use case diff --git a/ee/ucp/authorization/congigure-rbac-kube.md b/ee/ucp/authorization/congigure-rbac-kube.md index 044e4b381f..1495e41965 100644 --- a/ee/ucp/authorization/congigure-rbac-kube.md +++ b/ee/ucp/authorization/congigure-rbac-kube.md 
@@ -5,20 +5,20 @@ keywords: Kuberenetes, ucp, RBAC redirects: /ee/ucp/authorization/migrate-kubernetes-roles/ --- -UCP 3.0 used its own role-based asccess control (RBAC) for Kubernetes clusters. New in UCP 3.1 is the ability to use Kube RBAC. The benefits of doing this are: +UCP 3.0 used its own role-based asccess control (RBAC) for Kubernetes clusters. New in UCP 3.1 is the ability to use Kubernetes RBAC. The benefits of doing this are: -- Many ecosystem applications and integrations expect Kube RBAC as a part of their YAML files to provide access to service accounts. +- Many ecosystem applications and integrations expect Kubernetes RBAC as a part of their YAML files to provide access to service accounts. - Organizations planning to run UCP both on-premesis as well as in hosted cloud services want to run Kubernetes applications on both sets of environments, without manually changing RBAC for their YAML file. -Kubernetes RBAC is turned on by default when customers upgrade to UCP 3.1. See [RBAC authorization in Kubernetes](https://v1-8.docs.kubernetes.io/docs/admin/authorization/rbac/) for more information about Kubernetes. +Kubernetes RBAC is turned on by default for Kubernetes clusters when customers upgrade to UCP 3.1. See [RBAC authorization in Kubernetes](https://v1-8.docs.kubernetes.io/docs/admin/authorization/rbac/) for more information about Kubernetes role-based access control. -Starting with UCP 3.1, Kubernetes & Swarm roles have separate views. You can view all the roles for a particular cluster under **Access Control** then **Users**. Select Kubernetes or Swarm to view the specific roles for each. +Starting with UCP 3.1, Kubernetes & Swarm roles have separate views. You can view all the roles for a particular cluster under **Access Control** then **Roles**. Select Kubernetes or Swarm to view the specific roles for each. ## Creating roles You create Kubernetes roles either through the CLI using `kubectl` or through the UCP web interface. 
-To create a Kuberenetes roles in the UCP web interface: +To create a Kuberenetes role in the UCP web interface: 1. Go to the UCP web UI. 2. Navigate to the **Access Control**. @@ -31,7 +31,7 @@ To create a Kuberenetes roles in the UCP web interface: ![Kubernetes Role Creation in UCP](../images/kube-role-create.png) -6. Select a namespace from the **Namespace** dropdown list. +6. Select a namespace from the **Namespace** dropdown list. Selecting a specific namespace creates a role for use in that namespace, but selecting all namespaces creates a `ClusterRole` where you can create rules for cluster-scoped Kubernetes resources as well as namespaced resources. 7. Provide the YAML for the role, either by entering it in the **Object YAML** editor or select **Click to upload a .yml file** to choose and upload a .yml file instead. 8. When you have finished specifying the YAML, Select **Create** to complete role creation. @@ -41,7 +41,7 @@ To create a Kuberenetes roles in the UCP web interface: Kubernetes provides 2 types of role grants: - `ClusterRoleBinding` which applies to all namespaces -- `RoleBinding1` which applies to a specific namespace +- `RoleBinding` which applies to a specific namespace To create a grant for a Kuberenetes role in the UCP web interface: 
@@ -61,12 +61,12 @@ To create a grant for a Kuberenetes role in the UCP web interface: - **Organizations** - **Service account** 7. To create a user role binding, select a username from the **Users** dropdown list then select **Next**. -8. Select a resource set for the subject. The **default** namespace is automatically selected. To use a different namespace, select the **Select Namespace** button next to the desired namespace. For `Cluster Role Binding`, slide the **Apply Role Binding to all namespace** selector to the right. +8. Select a resource set for the subject. The **default** namespace is automatically selected. To use a different namespace, select the **Select Namespace** button next to the desired namespace. For `Cluster Role Binding`, slide the **Apply Role Binding to all namespaces** selector to the right. ![Kubernetes Create User Role Binding in UCP](../images/kube-grant-rolebinding.png) 9. Select **Next** to continue. -10. Select the **Cluster Role** from the dropdown list. +10. Select the **Cluster Role** from the dropdown list. If you create a `ClusterRoleBinding` (by selecting **Apply Role Binding to all namespaces**) then you may only select ClusterRoles. If you select a specific namespace, you can choose any role from that namespace or any ClusterRole. ![Kubernetes Select Cluster Role in UCP](../images/kube-grant-roleselect.png)
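Review bot: the new entry `- path: /ee/ucp/authorization/configure-rbac-kube/` in the first `_data/toc.yaml` hunk (`@@ -1560,6`) points at a path that does not match the file this same patch edits, `ee/ucp/authorization/congigure-rbac-kube.md` (note `congigure`), so the link will not resolve unless the page's front matter sets a matching permalink; rename the file to `configure-rbac-kube.md` or align the toc path. The entry is also inserted into the admin/configure section, between `Add SANs to cluster certificates` and `Integrate with LDAP`, while the page lives under `/ee/ucp/authorization/`; check whether it belongs in the authorization section from which the second hunk removes it.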
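Review bot: the second `_data/toc.yaml` hunk (`@@ -1646,8`) leaves the path/title pairing misaligned. After the removal, `- path: /ee/ucp/authorization/migrate-kubernetes-roles/` is followed by `title: Docker EE Standard use case`, yet the edited page's front matter declares `redirects: /ee/ucp/authorization/migrate-kubernetes-roles/`, so that path now redirects to the Kubernetes RBAC page rather than to a Standard use case page. Either drop the `migrate-kubernetes-roles` entry or point the "Docker EE Standard use case" title at the correct page path.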
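Review bot: in the `@@ -5,20` hunk the rewritten `+UCP 3.0 used its own role-based asccess control (RBAC)` line still carries the `asccess` typo, and `+To create a Kuberenetes role in the UCP web interface:` still misspells Kubernetes; since the patch already touches these lines, fix both (`access`, `Kubernetes`). The unchanged context line with `on-premesis` could be corrected to `on-premises` in the same pass, and the link `[RBAC authorization in Kubernetes](https://v1-8.docs.kubernetes.io/docs/admin/authorization/rbac/)` pins the Kubernetes 1.8 documentation, which is worth revisiting for a UCP 3.1 page; an unversioned link would age better.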
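Review bot: in the `@@ -31,7` hunk the added sentence on step 6 contrasts a namespaced role with a `ClusterRole` but leaves the first unformatted; write `Role` in backticks to mirror `ClusterRole`, and since the sentence itself says a `ClusterRole` can hold rules for cluster-scoped resources, state plainly that it is not confined to one namespace so readers pick the namespaced `Role` when that is all they need. The context line `8. When you have finished specifying the YAML, Select **Create**` has a stray capital on `Select`.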
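Review bot: the `@@ -41,7` hunk correctly fixes `RoleBinding1` to `RoleBinding`, but the surrounding context keeps `Kubernetes provides 2 types of role grants` (write `two`) and `To create a grant for a Kuberenetes role in the UCP web interface:` (misspelt Kubernetes); both sit a line away from the changed one and could be fixed in the same commit.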
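Review bot: in the `@@ -61,12` hunk the terminology is inconsistent within a few lines: step 8 says `Cluster Role Binding` (spaced, in backticks) while the new sentence in step 10 uses `ClusterRoleBinding`, and `ClusterRoles` appears without backticks. Settle on the API kind names (`ClusterRoleBinding`, `ClusterRole`) throughout. The constraint documented in the new step 10 sentence is useful; `then you may only select ClusterRoles` reads more cleanly as `you can select only a ClusterRole`.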