From 3b84788f4eeb89a2e9b7126ef74369188394537a Mon Sep 17 00:00:00 2001 From: ddeyo Date: Tue, 11 Sep 2018 14:13:46 -0700 Subject: [PATCH 1/9] procedure numbering fix --- ee/ucp/admin/configure/configure-rbac-kube.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ee/ucp/admin/configure/configure-rbac-kube.md b/ee/ucp/admin/configure/configure-rbac-kube.md index e1f280afee..03e90ed75a 100644 --- a/ee/ucp/admin/configure/configure-rbac-kube.md +++ b/ee/ucp/admin/configure/configure-rbac-kube.md @@ -25,12 +25,12 @@ To create a Kuberenetes role in the UCP web interface: 2. Navigate to the **Access Control**. 3. In the lefthand menu, select **Roles**. -![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png) + ![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png) 4. Select the **Kubernetes** tab at the top of the window. 5. Select **Create** to create a Kubernetes role object in the following dialog: -![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png) + ![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png) 6. Select a namespace from the **Namespace** dropdown list. Selecting a specific namespace creates a role for use in that namespace, but selecting all namespaces creates a `ClusterRole` where you can create rules for cluster-scoped Kubernetes resources as well as namespaced resources. 7. Provide the YAML for the role, either by entering it in the **Object YAML** editor or select **Click to upload a .yml file** to choose and upload a .yml file instead. 
@@ -50,12 +50,12 @@ To create a grant for a Kuberenetes role in the UCP web interface: 2. Navigate to the **Access Control**. 3. In the lefthand menu, select **Grants**. -![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png) + ![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png) 4. Select the **Kubernetes** tab at the top of the window. All grants to Kubernetes roles can be viewed in the Kubernetes tab. 5. Select **Create New Grant** to start the Create Role Binding wizard and create a new grant for a given user, team or service. -![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png) + ![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png) 6. Select the subject type. Your choices are: - **All Users** @@ -64,11 +64,11 @@ To create a grant for a Kuberenetes role in the UCP web interface: 7. To create a user role binding, select a username from the **Users** dropdown list then select **Next**. 8. Select a resource set for the subject. The **default** namespace is automatically selected. To use a different namespace, select the **Select Namespace** button next to the desired namespace. For `Cluster Role Binding`, slide the **Apply Role Binding to all namespaces** selector to the right. -![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png) + ![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png) 9. Select **Next** to continue. 10. Select the **Cluster Role** from the dropdown list. If you create a `ClusterRoleBinding` (by selecting **Apply Role Binding to all namespaces**) then you may only select ClusterRoles. If you select a specific namespace, you can choose any role from that namespace or any ClusterRole. -![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png) + ![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png) 11. Select **Create** to complete creating the grant. 
From b6b3fe9e72c2712bfd5e1aedba0dcd2b451e6baf Mon Sep 17 00:00:00 2001 From: ddeyo Date: Tue, 11 Sep 2018 14:20:43 -0700 Subject: [PATCH 2/9] build issues fixed --- ee/ucp/admin/configure/create-audit-logs.md | 31 ++++++++++++--------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/ee/ucp/admin/configure/create-audit-logs.md b/ee/ucp/admin/configure/create-audit-logs.md index f3cf53cda9..f67351bd9a 100644 --- a/ee/ucp/admin/configure/create-audit-logs.md +++ b/ee/ucp/admin/configure/create-audit-logs.md 
@@ -38,23 +38,28 @@ You can use audit logs to help with the following use cases: ## Procedure -1. Download the UCP Client bundle [Download client bundle from the command line] (https://success.docker.com/article/download-client-bundle-from-the-cli). +1. Download the UCP Client bundle [Download client bundle from the command line](https://success.docker.com/article/download-client-bundle-from-the-cli). 2. Retrieve JSON for current audit log configuration. -``` -export DOCKER_CERT_PATH=~/ucp-bundle-dir/ -curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json -``` -3. Modify the auditLevel field to metadata or request. -``` -vi auditlog.json -{"logLevel":"INFO","auditLevel":"metadata","supportDumpIncludeAuditLogs":false} -``` + ``` + export DOCKER_CERT_PATH=~/ucp-bundle-dir/ + curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json + ``` + +3. Modify the auditLevel field to metadata or request. + + ``` + vi auditlog.json + + {"logLevel":"INFO","auditLevel":"metadata","supportDumpIncludeAuditLogs":false} + ``` + 4. Send the JSON request for the auditlog config with the same API path but with the `PUT` method. -``` -curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging -``` + + ``` + curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging + ``` 5. 
Create any workload or RBAC grants in Kubernetes and generate a support dump to check the contents of ucp-controller.log file for audit log entries. From f252d03b409f939ba6218d9049b97eea35dd944a Mon Sep 17 00:00:00 2001 From: ddeyo Date: Wed, 12 Sep 2018 13:51:54 -0700 Subject: [PATCH 3/9] topic and TOC fix --- _data/toc.yaml | 2 +- ee/ucp/admin/configure/configure-rbac-kube.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index 0145bfaca1..fe623e4155 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1561,7 +1561,7 @@ manuals: - path: /ee/ucp/admin/configure/add-sans-to-cluster/ title: Add SANs to cluster certificates - path: /ee/ucp/authorization/configure-rbac-kube/ - title: Configure Kubernetes Role-Based Access Control + title: Configure native Kubernetes Role-Based Access Control - path: /ee/ucp/admin/configure/external-auth/ title: Integrate with LDAP - path: /ee/ucp/admin/configure/external-auth/enable-ldap-config-file/ diff --git a/ee/ucp/admin/configure/configure-rbac-kube.md b/ee/ucp/admin/configure/configure-rbac-kube.md index 03e90ed75a..0785a9376f 100644 --- a/ee/ucp/admin/configure/configure-rbac-kube.md +++ b/ee/ucp/admin/configure/configure-rbac-kube.md @@ -1,6 +1,6 @@ --- -title: Enable Kubernetes RBAC -description: Learn how to configure role-based access control for Kubernetes +title: Enable native Kubernetes RBAC +description: Learn how to configure native role-based access control for Kubernetes keywords: Kubernetes, ucp, RBAC redirect_from: - /ee/ucp/authorization/migrate-kubernetes-roles/ From 43e7df10e408111c65876caa09c8cf92b96b7281 Mon Sep 17 00:00:00 2001 From: ddeyo Date: Wed, 12 Sep 2018 13:54:51 -0700 Subject: [PATCH 4/9] fix update --- _data/toc.yaml | 2 +- ee/ucp/admin/configure/configure-rbac-kube.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index fe623e4155..b6b250d8ea 100644 --- a/_data/toc.yaml 
+++ b/_data/toc.yaml @@ -1561,7 +1561,7 @@ manuals: - path: /ee/ucp/admin/configure/add-sans-to-cluster/ title: Add SANs to cluster certificates - path: /ee/ucp/authorization/configure-rbac-kube/ - title: Configure native Kubernetes Role-Based Access Control + title: Configure native Kubernetes role-based access control - path: /ee/ucp/admin/configure/external-auth/ title: Integrate with LDAP - path: /ee/ucp/admin/configure/external-auth/enable-ldap-config-file/ diff --git a/ee/ucp/admin/configure/configure-rbac-kube.md b/ee/ucp/admin/configure/configure-rbac-kube.md index 0785a9376f..d5a1aca946 100644 --- a/ee/ucp/admin/configure/configure-rbac-kube.md +++ b/ee/ucp/admin/configure/configure-rbac-kube.md @@ -1,5 +1,5 @@ --- -title: Enable native Kubernetes RBAC +title: Configure native Kubernetes role-based access control description: Learn how to configure native role-based access control for Kubernetes keywords: Kubernetes, ucp, RBAC redirect_from: From ba06a8cee2e96c85c8bcda4c18d3fb1501ee7fd8 Mon Sep 17 00:00:00 2001 From: ddeyo Date: Wed, 12 Sep 2018 14:41:49 -0700 Subject: [PATCH 5/9] maria's feedback incorporated --- ee/ucp/admin/configure/create-audit-logs.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ee/ucp/admin/configure/create-audit-logs.md b/ee/ucp/admin/configure/create-audit-logs.md index f67351bd9a..e19b19d6a3 100644 --- a/ee/ucp/admin/configure/create-audit-logs.md +++ b/ee/ucp/admin/configure/create-audit-logs.md 
@@ -47,12 +47,14 @@ You can use audit logs to help with the following use cases: curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json ``` -3. Modify the auditLevel field to metadata or request. +3. Open auditlog.json to modify the 'auditlevel' field to `metadata` or `request`. ``` - vi auditlog.json - - {"logLevel":"INFO","auditLevel":"metadata","supportDumpIncludeAuditLogs":false} + { + "logLevel": "INFO", + "auditLevel": "metadata", + "supportDumpIncludeAuditLogs": false + } ``` 4. Send the JSON request for the auditlog config with the same API path but with the `PUT` method. From 4f1c25402701e8280e2df84bb51f5b5f31a31709 Mon Sep 17 00:00:00 2001 From: ddeyo Date: Wed, 12 Sep 2018 14:44:57 -0700 Subject: [PATCH 6/9] link fixed --- ee/ucp/admin/configure/create-audit-logs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/ucp/admin/configure/create-audit-logs.md b/ee/ucp/admin/configure/create-audit-logs.md index e19b19d6a3..ffe4fd7526 100644 --- a/ee/ucp/admin/configure/create-audit-logs.md +++ b/ee/ucp/admin/configure/create-audit-logs.md @@ -65,7 +65,7 @@ You can use audit logs to help with the following use cases: 5. Create any workload or RBAC grants in Kubernetes and generate a support dump to check the contents of ucp-controller.log file for audit log entries. -6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. https://success.docker.com/article/elasticsearch-logstash-kibana-logging +6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. (https://success.docker.com/article/elasticsearch-logstash-kibana-logging) ## API endpoints ignored From 7dd28ef0487a63c94fa594e9a8cedba46134855d Mon Sep 17 00:00:00 2001 
From: Maria Bermudez Date: Thu, 13 Sep 2018 18:04:27 -0700 Subject: [PATCH 7/9] Formatting changes to online garbage collection --- ee/dtr/admin/configure/garbage-collection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/dtr/admin/configure/garbage-collection.md b/ee/dtr/admin/configure/garbage-collection.md index 2493b2c82d..1e9161ff95 100644 --- a/ee/dtr/admin/configure/garbage-collection.md +++ b/ee/dtr/admin/configure/garbage-collection.md @@ -31,7 +31,7 @@ during garbage collection. In your browser, navigate to `https://` and log in with your credentials. Select **System** on the left navigation pane, and then click the **Garbage collection** tab to schedule garbage collection. -![](../../images/garbage-collection-0.png){: .with-border} +![](../../images/garbage-collection-0.png){: .img-fluid .with-border} Select for how long the garbage collection job should run: * Until done: Run the job until all unused image layers are deleted. @@ -39,7 +39,7 @@ Select for how long the garbage collection job should run: at a time. * Never: Never delete unused image layers. -If you select *Until done* or *For x minutes*, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options: +If you select ***Until done*** or ***For x minutes***, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options: * Custom cron schedule - (Hour, Day of Month, Month, Weekday) * Daily at midnight UTC * Every Saturday at 1am UTC From d9f52fbe2dc1f16132a9410cd2226a9c3d4c7383 Mon Sep 17 00:00:00 2001 From: Maria Bermudez Date: Fri, 14 Sep 2018 17:23:54 -0700 Subject: [PATCH 8/9] Update tag pruning policy addition message --- ee/dtr/user/tag-pruning.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ee/dtr/user/tag-pruning.md b/ee/dtr/user/tag-pruning.md index a4205105dc..54fd5a8c18 100644 --- a/ee/dtr/user/tag-pruning.md +++ b/ee/dtr/user/tag-pruning.md 
@@ -47,7 +47,11 @@ DTR allows you to set your pruning triggers based on the following image attribu | License | Whether the image uses an intellectual property license and is one of or not one of your specified words | License name = `docker` | | Last updated at | Whether the last image update was before your specified number of hours, days, weeks, or months. For details on valid time units, see [Go's ParseDuration function](https://golang.org/pkg/time/#ParseDuration). | Last updated at: Hours = `12` | -Specify one or more image attributes to add to your pruning criteria, then choose **Prune future tags** to apply your selection to future tags or **Prune all tags** to evaluate existing tags on your repository. Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab. +Specify one or more image attributes to add to your pruning criteria, then choose: + **Prune future tags** to save your policy and apply your selection to future tags. Only matching tags after the policy addition will be pruned during garbage collection. + **Prune all tags** to save the policy, and evaluate both existing and future tags on your repository. + +Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab. ![](../images/tag-pruning-2.png){: .with-border} From fc00e1ad71787b85c1c3e683413e9db36d0646ee Mon Sep 17 00:00:00 2001 From: Maria Bermudez Date: Fri, 14 Sep 2018 17:28:29 -0700 Subject: [PATCH 9/9] Update tag-pruning.md Update formatting --- ee/dtr/user/tag-pruning.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ee/dtr/user/tag-pruning.md b/ee/dtr/user/tag-pruning.md index 54fd5a8c18..b7d39e3849 100644 --- a/ee/dtr/user/tag-pruning.md +++ b/ee/dtr/user/tag-pruning.md 
@@ -48,8 +48,9 @@ DTR allows you to set your pruning triggers based on the following image attribu | Last updated at | Whether the last image update was before your specified number of hours, days, weeks, or months. For details on valid time units, see [Go's ParseDuration function](https://golang.org/pkg/time/#ParseDuration). | Last updated at: Hours = `12` | Specify one or more image attributes to add to your pruning criteria, then choose: - **Prune future tags** to save your policy and apply your selection to future tags. Only matching tags after the policy addition will be pruned during garbage collection. - **Prune all tags** to save the policy, and evaluate both existing and future tags on your repository. + +- **Prune future tags** to save the policy and apply your selection to future tags. Only matching tags after the policy addition will be pruned during garbage collection. +- **Prune all tags** to save the policy, and evaluate both existing and future tags on your repository. Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab.
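Review bot: In PATCH 1/9, first hunk of configure-rbac-kube.md (role creation, step 3), the re-indented image for `kube-rbac-roles.png` still has the alt text "Kubernetes Grants in UCP", which describes the grants screenshot, not the roles one. The line is being touched anyway, so change the alt text to match the Roles page. The hunk header context also shows "Kuberenetes" in the procedure's lead-in sentence, which is worth correcting in the same pass.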
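Review bot: In PATCH 1/9, second hunk of configure-rbac-kube.md (grant creation, step 5), the image uses a relative path, `../../images/kube-grant-wizard.png`, while every other image in the hunk uses the absolute `/ee/ucp/images/...` form. Pick one form so the image does not break if the page moves. In the same hunk, step 8 writes `Cluster Role Binding` in code formatting while step 10 writes `ClusterRoleBinding`; code formatting should carry the actual Kubernetes kind name, so use `ClusterRoleBinding` in both.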
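Review bot: In PATCH 2/9, steps 2 and 4 of create-audit-logs.md, both curl commands pass `-k` together with `--cacert ${DOCKER_CERT_PATH}/ca.pem`, so server certificate verification is switched off even though the client bundle's CA is supplied. Drop `-k` so the documented procedure validates the UCP endpoint it sends the client key to and pushes logging configuration to. In step 4, `--data $(cat auditlog.json)` is unquoted and will be word-split by the shell as soon as the file contains whitespace; `--data @auditlog.json` avoids that. The fences could also be tagged with a language (`bash`, `json`) while they are being re-indented.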
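Review bot: In PATCH 3/9, the `_data/toc.yaml` hunk keeps the entry path `/ee/ucp/authorization/configure-rbac-kube/`, while the page edited in the same patch lives at `ee/ucp/admin/configure/configure-rbac-kube.md` and its visible `redirect_from` lists only `/ee/ucp/authorization/migrate-kubernetes-roles/`. Please confirm the TOC path resolves to this page, or update it. The TOC title and the page title also disagree in this patch ("Configure native Kubernetes Role-Based Access Control" against "Enable native Kubernetes RBAC"); PATCH 4/9 aligns them, so the two commits could be squashed.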
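Review bot: In PATCH 5/9, the rewritten step 3 of create-audit-logs.md names the field as 'auditlevel' in single quotes, but the JSON key shown directly below it is `auditLevel`. A reader who types the lowercase name would be setting a different key, so use the exact key in code formatting, matching how `metadata` and `request` are formatted in the same sentence. The file name `auditlog.json` would also read better in backticks. Since the sample is now pretty-printed across several lines, it is worth checking that the step 4 command still works with a file in that shape.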
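Review bot: In PATCH 6/9, step 6 of create-audit-logs.md, wrapping the bare URL in parentheses does not produce a Markdown link; it needs link text in square brackets immediately before the parenthesised URL, as step 1 of the same page does after PATCH 2/9. While editing the sentence, "configure the Docker Engine driver to logstash" would be clearer if it said it is the logging driver being configured.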
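Review bot: In PATCH 9/9, the two bullets in tag-pruning.md do not state the destructive behaviour with the same precision. The first says matching tags "after the policy addition will be pruned during garbage collection", which leaves it unclear whether that means tags pushed after the policy is saved, and the second says existing tags are "evaluate[d]" without saying whether or when matching existing tags are deleted. Since **Prune all tags** can remove tags that are already in the repository, say so explicitly and say when the deletion happens.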