Merge branch 'master' of github.com:docker/docs-private into repo-events-log-682

Maria Bermudez 2018-09-14 17:43:07 -07:00
commit b8846681f9
5 changed files with 41 additions and 29 deletions

View File

@ -1564,12 +1564,12 @@ manuals:
title: Add SANs to cluster certificates
- path: /ee/ucp/admin/configure/collect-cluster-metrics/
title: Collect UCP cluster metrics with Prometheus
- path: /ee/ucp/admin/configure/configure-rbac-kube/
title: Configure Kubernetes Role-Based Access Control
- path: /ee/ucp/admin/configure/enable-saml-authentication/
title: Enable SAML authentication
- path: /ee/ucp/authorization/configure-rbac-kube/
title: Configure native Kubernetes role-based access control
- path: /ee/ucp/admin/configure/create-audit-logs/
title: Create UCP audit logs
- path: /ee/ucp/admin/configure/enable-saml-authentication/
title: Enable SAML authentication
- path: /ee/ucp/admin/configure/external-auth/
title: Integrate with LDAP
- path: /ee/ucp/admin/configure/external-auth/enable-ldap-config-file/
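Review bot: the Kubernetes RBAC entry moves from `/ee/ucp/admin/configure/configure-rbac-kube/` to `/ee/ucp/authorization/configure-rbac-kube/` with a new title, so every existing link to the old URL will break unless the page itself redirects; the title string used here must also match the page's front matter exactly or the nav and the page header will disagree. The "Enable SAML authentication" lines are only removed and re-added below "Create UCP audit logs", i.e. a reorder that keeps the list alphabetical by path, which is fine.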

View File

@ -31,7 +31,7 @@ during garbage collection.
In your browser, navigate to `https://<dtr-url>` and log in with your credentials. Select **System** on the left navigation pane, and then click
the **Garbage collection** tab to schedule garbage collection.
![](../../images/garbage-collection-0.png){: .with-border}
![](../../images/garbage-collection-0.png){: .img-fluid .with-border}
Select for how long the garbage collection job should run:
* Until done: Run the job until all unused image layers are deleted.
@ -39,7 +39,7 @@ Select for how long the garbage collection job should run:
at a time.
* Never: Never delete unused image layers.
If you select *Until done* or *For x minutes*, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options:
If you select ***Until done*** or ***For x minutes***, you can specify a recurring schedule in UTC (Coordinated Universal Time) with the following options:
* Custom cron schedule - (Hour, Day of Month, Month, Weekday)
* Daily at midnight UTC
* Every Saturday at 1am UTC

View File

@ -47,7 +47,12 @@ DTR allows you to set your pruning triggers based on the following image attribu
| License | Whether the image uses an intellectual property license and is one of or not one of your specified words | License name = `docker` |
| Last updated at | Whether the last image update was before your specified number of hours, days, weeks, or months. For details on valid time units, see [Go's ParseDuration function](https://golang.org/pkg/time/#ParseDuration). | Last updated at: Hours = `12` |
Specify one or more image attributes to add to your pruning criteria, then choose **Prune future tags** to apply your selection to future tags or **Prune all tags** to evaluate existing tags on your repository. Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab.
Specify one or more image attributes to add to your pruning criteria, then choose:
- **Prune future tags** to save the policy and apply your selection to future tags. Only matching tags after the policy addition will be pruned during garbage collection.
- **Prune all tags** to save the policy, and evaluate both existing and future tags on your repository.
Upon selection, you will see a confirmation message and will be redirected to your newly updated **Pruning** tab.
![](../images/tag-pruning-2.png){: .with-border}
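Review bot: the new "Prune all tags" bullet says the policy will "evaluate both existing and future tags" but never states the outcome, whereas the "Prune future tags" bullet spells out that matching tags are pruned during garbage collection; say the same for existing tags (matching existing tags are deleted at the next garbage collection run), since that is the choice that can remove images already in use and the reader needs to see the difference before clicking. Also drop the stray comma in "to save the policy, and evaluate".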

View File

@ -1,6 +1,6 @@
---
title: Enable Kubernetes RBAC
description: Learn how to configure role-based access control for Kubernetes
title: Configure native Kubernetes role-based access control
description: Learn how to configure native role-based access control for Kubernetes
keywords: Kubernetes, ucp, RBAC
redirect_from:
- /ee/ucp/authorization/migrate-kubernetes-roles/
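Review bot: the only `redirect_from` entry visible in this hunk is `/ee/ucp/authorization/migrate-kubernetes-roles/`, yet the nav hunk in this same commit moves this page out of `/ee/ucp/admin/configure/configure-rbac-kube/`; confirm that old path is also in the `redirect_from` list (it may sit below the hunk context), otherwise the previous URL 404s. The new title matches the nav entry character for character, which is good.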
@ -25,12 +25,12 @@ To create a Kuberenetes role in the UCP web interface:
2. Navigate to the **Access Control**.
3. In the lefthand menu, select **Roles**.
![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png)
![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-roles.png)
4. Select the **Kubernetes** tab at the top of the window.
5. Select **Create** to create a Kubernetes role object in the following dialog:
![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png)
![Kubernetes Role Creation in UCP](/ee/ucp/images/kube-role-create.png)
6. Select a namespace from the **Namespace** dropdown list. Selecting a specific namespace creates a role for use in that namespace, but selecting all namespaces creates a `ClusterRole` where you can create rules for cluster-scoped Kubernetes resources as well as namespaced resources.
7. Provide the YAML for the role, either by entering it in the **Object YAML** editor or select **Click to upload a .yml file** to choose and upload a .yml file instead.
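Review bot: the two image lines are identical on both sides of the hunk, so this is a whitespace-only change (presumably indenting the images so they render inside steps 3 and 5); the rendered page should be checked, because Markdown list continuation only works when the indentation lines up with the list marker. While here, the unchanged heading shown in the hunk header reads "Kuberenetes"; fix the typo. Step 6 is the right place to add one sentence that a `ClusterRole` bound with a `ClusterRoleBinding` applies in every namespace, since that is the scope decision the reader makes on this screen.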
@ -50,12 +50,12 @@ To create a grant for a Kuberenetes role in the UCP web interface:
2. Navigate to the **Access Control**.
3. In the lefthand menu, select **Grants**.
![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png)
![Kubernetes Grants in UCP](/ee/ucp/images/kube-rbac-grants.png)
4. Select the **Kubernetes** tab at the top of the window. All grants to Kubernetes roles can be viewed in the Kubernetes tab.
5. Select **Create New Grant** to start the Create Role Binding wizard and create a new grant for a given user, team or service.
![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png)
![Kubernetes Create Role Binding in UCP](../../images/kube-grant-wizard.png)
6. Select the subject type. Your choices are:
- **All Users**
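Review bot: same whitespace-only re-indentation of the image lines as in the roles section, and the same "Kuberenetes" typo in the unchanged heading in the hunk header; fix both in this change rather than leaving the typo for a later pass.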
@ -64,11 +64,11 @@ To create a grant for a Kuberenetes role in the UCP web interface:
7. To create a user role binding, select a username from the **Users** dropdown list then select **Next**.
8. Select a resource set for the subject. The **default** namespace is automatically selected. To use a different namespace, select the **Select Namespace** button next to the desired namespace. For `Cluster Role Binding`, slide the **Apply Role Binding to all namespaces** selector to the right.
![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png)
![Kubernetes Create User Role Binding in UCP](/ee/ucp/images/kube-grant-rolebinding.png)
9. Select **Next** to continue.
10. Select the **Cluster Role** from the dropdown list. If you create a `ClusterRoleBinding` (by selecting **Apply Role Binding to all namespaces**) then you may only select ClusterRoles. If you select a specific namespace, you can choose any role from that namespace or any ClusterRole.
![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png)
![Kubernetes Select Cluster Role in UCP](/ee/ucp/images/kube-grant-roleselect.png)
11. Select **Create** to complete creating the grant.
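Review bot: step 8 writes the resource as `Cluster Role Binding` while step 10 writes `ClusterRoleBinding`; use the Kubernetes object name `ClusterRoleBinding` in both places. Step 8 should also state plainly that sliding "Apply Role Binding to all namespaces" grants the selected role in every namespace, which step 10 only implies by restricting the selection to ClusterRoles; a reader picking that toggle for a user or service account should understand it is a cluster-wide grant.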

View File

@ -38,27 +38,34 @@ You can use audit logs to help with the following use cases:
## Procedure
1. Download the UCP Client bundle [Download client bundle from the command line] (https://success.docker.com/article/download-client-bundle-from-the-cli).
1. Download the UCP Client bundle [Download client bundle from the command line](https://success.docker.com/article/download-client-bundle-from-the-cli).
2. Retrieve JSON for current audit log configuration.
```
export DOCKER_CERT_PATH=~/ucp-bundle-dir/
curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json
```
3. Modify the auditLevel field to metadata or request.
```
vi auditlog.json
{"logLevel":"INFO","auditLevel":"metadata","supportDumpIncludeAuditLogs":false}
```
```
export DOCKER_CERT_PATH=~/ucp-bundle-dir/
curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -X GET https://ucp-domain/api/ucp/config/logging > auditlog.json
```
3. Open auditlog.json to modify the 'auditlevel' field to `metadata` or `request`.
```
{
"logLevel": "INFO",
"auditLevel": "metadata",
"supportDumpIncludeAuditLogs": false
}
```
4. Send the JSON request for the auditlog config with the same API path but with the `PUT` method.
```
curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging
```
```
curl --cert ${DOCKER_CERT_PATH}/cert.pem --key ${DOCKER_CERT_PATH}/key.pem --cacert ${DOCKER_CERT_PATH}/ca.pem -k -H "Content-Type: application/json" -X PUT --data $(cat auditlog.json) https://ucp-domain/api/ucp/config/logging
```
5. Create any workload or RBAC grants in Kubernetes and generate a support dump to check the contents of ucp-controller.log file for audit log entries.
6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. https://success.docker.com/article/elasticsearch-logstash-kibana-logging
6. Optionally, configure the Docker Engine driver to logstash and collect and query audit logs within ELK stack after deploying ELK. (https://success.docker.com/article/elasticsearch-logstash-kibana-logging)
## API endpoints ignored
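Review bot: both curl commands pass `--cacert ${DOCKER_CERT_PATH}/ca.pem` together with `-k`; `-k` disables server certificate verification, so the CA from the client bundle is never checked and the PUT that changes the audit logging configuration is made over an unauthenticated TLS connection. Drop `-k` from both commands, since the bundle already supplies `ca.pem`. Second, step 4's `--data $(cat auditlog.json)` breaks now that step 3 pretty-prints the JSON across several lines: the unquoted command substitution is word-split on the spaces and newlines, so curl sends `{` as the body and treats the remaining fragments as extra URLs; use `--data @auditlog.json` instead (the old single-line JSON only worked because it contained no whitespace). Third, step 3 refers to the 'auditlevel' field while the JSON key is `auditLevel`; match the case so the reader edits the right key. Finally, step 6 should say "logging driver" rather than "Docker Engine driver", and the parenthesised URL should be a Markdown link like the one fixed in step 1.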