diff --git a/_data/toc.yaml b/_data/toc.yaml index 32e1df4d6c..6e886a5505 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1564,12 +1564,12 @@ manuals: title: Add SANs to cluster certificates - path: /ee/ucp/admin/configure/collect-cluster-metrics/ title: Collect UCP cluster metrics with Prometheus - - path: /ee/ucp/admin/configure/configure-rbac-kube/ - title: Configure Kubernetes Role-Based Access Control - - path: /ee/ucp/admin/configure/enable-saml-authentication/ - title: Enable SAML authentication + - path: /ee/ucp/authorization/configure-rbac-kube/ + title: Configure native Kubernetes role-based access control - path: /ee/ucp/admin/configure/create-audit-logs/ title: Create UCP audit logs + - path: /ee/ucp/admin/configure/enable-saml-authentication/ + title: Enable SAML authentication - path: /ee/ucp/admin/configure/external-auth/ title: Integrate with LDAP - path: /ee/ucp/admin/configure/external-auth/enable-ldap-config-file/ diff --git a/ee/dtr/admin/configure/garbage-collection.md b/ee/dtr/admin/configure/garbage-collection.md index 2493b2c82d..1e9161ff95 100644 --- a/ee/dtr/admin/configure/garbage-collection.md +++ b/ee/dtr/admin/configure/garbage-collection.md @@ -31,7 +31,7 @@ during garbage collection. In your browser, navigate to `https://` and log in with your credentials. Select **System** on the left navigation pane, and then click the **Garbage collection** tab to schedule garbage collection. -![](../../images/garbage-collection-0.png){: .with-border} +![](../../images/garbage-collection-0.png){: .img-fluid .with-border} Select for how long the garbage collection job should run: * Until done: Run the job until all unused image layers are deleted. 
@@ -39,7 +39,7 @@ Select for how long the garbage collection job should run: at a time. * Never: Never delete unused image layers. -If you select *Until done* or *For x minutes*, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options: +If you select ***Until done*** or ***For x minutes***, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options: * Custom cron schedule - (Hour, Day of Month, Month, Weekday) * Daily at midnight UTC * Every Saturday at 1am UTC diff --git a/ee/dtr/user/tag-pruning.md b/ee/dtr/user/tag-pruning.md index a4205105dc..b7d39e3849 100644 --- a/ee/dtr/user/tag-pruning.md +++ b/ee/dtr/user/tag-pruning.md 
@@ -47,7 +47,12 @@ DTR allows you to set your pruning triggers based on the following image attribu | License | Whether the image uses an intellectual property license and is one of or not one of your specified words | License name = `docker` | | Last updated at | Whether the last image update was before your specified number of hours, days, weeks, or months. For details on valid time units, see [Go's ParseDuration function](https://golang.org/pkg/time/#ParseDuration). | Last updated at: Hours = `12` | -Specify one or more image attributes to add to your pruning criteria, then choose **Prune future tags** to apply your selection to future tags or **Prune all tags** to evaluate existing tags on your repository. Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab. +Specify one or more image attributes to add to your pruning criteria, then choose: + +- **Prune future tags** to save the policy and apply your selection to future tags. Only matching tags after the policy addition will be pruned during garbage collection. +- **Prune all tags** to save the policy, and evaluate both existing and future tags on your repository. + +Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab. ![](../images/tag-pruning-2.png){: .with-border} diff --git a/ee/ucp/admin/configure/configure-rbac-kube.md b/ee/ucp/admin/configure/configure-rbac-kube.md index e1f280afee..d5a1aca946 100644 --- a/ee/ucp/admin/configure/configure-rbac-kube.md +++ b/ee/ucp/admin/configure/configure-rbac-kube.md @@ -1,6 +1,6 @@ --- -title: Enable Kubernetes RBAC -description: Learn how to configure role-based access control for Kubernetes +title: Configure native Kubernetes role-based access control +description: Learn how to configure native role-based access control for Kubernetes keywords: Kubernetes, ucp, RBAC redirect_from: - /ee/ucp/authorization/migrate-kubernetes-roles/ 
@@ -25,12 +25,12 @@ To create a Kuberenetes role in the UCP web interface: 2. Navigate to the **Access Control**. 3. In the lefthand menu, select **Roles**. -![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png) + ![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png) 4. Select the **Kubernetes** tab at the top of the window. 5. Select **Create** to create a Kubernetes role object in the following dialog: -![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png) + ![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png) 6. Select a namespace from the **Namespace** dropdown list. Selecting a specific namespace creates a role for use in that namespace, but selecting all namespaces creates a `ClusterRole` where you can create rules for cluster-scoped Kubernetes resources as well as namespaced resources. 7. Provide the YAML for the role, either by entering it in the **Object YAML** editor or select **Click to upload a .yml file** to choose and upload a .yml file instead. @@ -50,12 +50,12 @@ To create a grant for a Kuberenetes role in the UCP web interface: 2. Navigate to the **Access Control**. 3. In the lefthand menu, select **Grants**. -![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png) + ![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png) 4. Select the **Kubernetes** tab at the top of the window. All grants to Kubernetes roles can be viewed in the Kubernetes tab. 5. Select **Create New Grant** to start the Create Role Binding wizard and create a new grant for a given user, team or service. -![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png) + ![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png) 6. Select the subject type. Your choices are: - **All Users** 
@@ -64,11 +64,11 @@ To create a grant for a Kuberenetes role in the UCP web interface: 7. To create a user role binding, select a username from the **Users** dropdown list then select **Next**. 8. Select a resource set for the subject. The **default** namespace is automatically selected. To use a different namespace, select the **Select Namespace** button next to the desired namespace. For `Cluster Role Binding`, slide the **Apply Role Binding to all namespaces** selector to the right. -![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png) + ![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png) 9. Select **Next** to continue. 10. Select the **Cluster Role** from the dropdown list. If you create a `ClusterRoleBinding` (by selecting **Apply Role Binding to all namespaces**) then you may only select ClusterRoles. If you select a specific namespace, you can choose any role from that namespace or any ClusterRole. -![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png) + ![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png) 11. Select **Create** to complete creating the grant. diff --git a/ee/ucp/admin/configure/create-audit-logs.md b/ee/ucp/admin/configure/create-audit-logs.md index f3cf53cda9..ffe4fd7526 100644 --- a/ee/ucp/admin/configure/create-audit-logs.md +++ b/ee/ucp/admin/configure/create-audit-logs.md 
@@ -38,27 +38,34 @@ You can use audit logs to help with the following use cases: ## Procedure -1. Download the UCP Client bundle [Download client bundle from the command line] (https://success.docker.com/article/download-client-bundle-from-the-cli). +1. Download the UCP Client bundle [Download client bundle from the command line](https://success.docker.com/article/download-client-bundle-from-the-cli). 2. Retrieve JSON for current audit log configuration. -``` -export DOCKER_CERT_PATH=~/ucp-bundle-dir/ -curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json -``` -3. Modify the auditLevel field to metadata or request. -``` -vi auditlog.json -{"logLevel":"INFO","auditLevel":"metadata","supportDumpIncludeAuditLogs":false} -``` + ``` + export DOCKER_CERT_PATH=~/ucp-bundle-dir/ + curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json + ``` + +3. Open auditlog.json to modify the 'auditlevel' field to `metadata` or `request`. + + ``` + { + "logLevel": "INFO", + "auditLevel": "metadata", + "supportDumpIncludeAuditLogs": false + } + ``` + 4. Send the JSON request for the auditlog config with the same API path but with the `PUT` method. -``` -curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging -``` + + ``` + curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging + ``` 5. 
Create any workload or RBAC grants in Kubernetes and generate a support dump to check the contents of ucp-controller.log file for audit log entries. -6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. https://success.docker.com/article/elasticsearch-logstash-kibana-logging +6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. (https://success.docker.com/article/elasticsearch-logstash-kibana-logging) ## API endpoints ignored
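Review bot: in the `_data/toc.yaml` hunk, the new entry `- path: /ee/ucp/authorization/configure-rbac-kube/` points at a location that nothing in this patch creates: the page is still edited in place as `ee/ucp/admin/configure/configure-rbac-kube.md`, and its `redirect_from` list only carries `/ee/ucp/authorization/migrate-kubernetes-roles/`. Either move the file to `ee/ucp/authorization/` in this change (and add the old `/ee/ucp/admin/configure/configure-rbac-kube/` path to `redirect_from`), or keep the TOC path unchanged until the move lands. The hunk also moves the SAML entry below the audit-log entry; if that reordering is intended, a one-line mention in the commit message would help, since it looks like a side effect of the edit.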
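Review bot: in the `tag-pruning.md` hunk, the new bullet "Only matching tags after the policy addition will be pruned during garbage collection" is ambiguous about whether "after" qualifies the tags or the matching; state it directly, e.g. "Only tags pushed after the policy is saved are evaluated." Because **Prune all tags** is the destructive option of the two (it also acts on tags already in the repository), the **Prune all tags** bullet should say explicitly that existing tags matching the criteria will be deleted at the next garbage collection, so a reader does not choose it expecting a preview.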
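Review bot: the `configure-rbac-kube.md` hunks fix image indentation and the page title but leave the misspelling visible in both hunk headers, `To create a Kuberenetes role in the UCP web interface:` and `To create a grant for a Kuberenetes role in the UCP web interface:`; since the file is already being touched for a rename to "native Kubernetes role-based access control", correct both to `Kubernetes` in the same change.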
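Review bot: in the `create-audit-logs.md` hunk, reformatting step 3 into pretty-printed JSON breaks step 4: `--data $(cat auditlog.json)` is unquoted, so once the file contains spaces (`"logLevel": "INFO",`) the shell splits it into several arguments and curl sends only the first fragment. Use `--data @auditlog.json` (or quote it as `"$(cat auditlog.json)"`). Both curl commands also combine `--cacert ${DOCKER_CERT_PATH}/ca.pem` with `-k`; `-k` disables server certificate verification, which makes the `--cacert` pointless and means the client bundle's `ca.pem` is never used to check that the UCP endpoint is the one the bundle was issued for, so drop `-k`. Two smaller points in the same hunk: step 3 refers to the `'auditlevel'` field while the JSON key is `auditLevel`, so use the exact key in backticks; and step 6 wraps a bare URL in parentheses rather than making it a link, so write it as `[Elasticsearch, Logstash, Kibana logging](https://success.docker.com/article/elasticsearch-logstash-kibana-logging)` and say "logging driver" rather than "Docker Engine driver".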