Move Kube rbac limitations notes (#443)

Jim Galasyn 2018-01-23 09:50:51 -08:00
parent da544055a5
commit d1fdbb84c3
2 changed files with 18 additions and 18 deletions

View File

@ -109,4 +109,22 @@ UCP web UI.
User "jane" has access to inspect pods in the `default` namespace.
## Kubernetes limitations
There are a few limitations that you should be aware of when creating
Kubernetes workloads:
* Docker EE has its own RBAC system, so it's not possible to create
`ClusterRole` objects, `ClusterRoleBinding` objects, or any other object that is
created by using the `/apis/rbac.authorization.k8s.io` endpoints.
* To make sure your cluster is secure, only admin users can deploy pods with
privileged options. These are options like `PodSpec.hostIPC`, `PodSpec.hostNetwork`,
`PodSpec.hostPID`, `SecurityContext.allowPrivilegeEscalation`,
`SecurityContext.capabilities`, `SecurityContext.privileged`, and
`Volume.hostPath`.
* You can't grant permissions to Kubernetes service accounts.
The `default` service account has no permissions and can't use the Kubernetes
API. All other service accounts have full admin permissions and can only be
used by Docker EE administrators.
{% endif %}
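Review bot: the new section is inserted immediately before a `{% endif %}`, so it lands inside whatever Liquid conditional closes there; confirm that conditional is the Kubernetes-gated block and not a broader one, otherwise the limitations will render on pages where they do not apply. Also, the wording was adjusted during the move (backticks around `ClusterRole`/`ClusterRoleBinding`, "pods" lower-case, "can't" for "cannot"); that is fine, but it means the two files no longer carry identical text, so a future reader diffing them should not expect a pure move.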

View File

@ -261,23 +261,5 @@ You should see the currently running image:
Image: nginx:1.8
```
## Kubernetes limitations
There are a few limitations that you should be aware of when creating
Kubernetes workloads:
* Docker EE has its own RBAC system, so it's not possible to create
ClusterRole objects, ClusterRoleBinding objects, or any other object that is
created using the `/apis/rbac.authorization.k8s.io` endpoints.
* To make sure your cluster is secure, only admin users can deploy Pods with
privileged options. These are options like `PodSpec.hostIPC`, `PodSpec.hostNetwork`,
`PodSpec.hostPID`, `SecurityContext.allowPrivilegeEscalation`,
`SecurityContext.capabilities`, `SecurityContext.privileged`, and
`Volume.hostPath`.
* You can't grant permissions to Kubernetes service accounts.
The `default` service account has no permissions and cannot use the Kubernetes
API. All other service accounts have full admin permissions and can only be
used by Docker EE administrators.
{% endif %}
{% endif %}
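Review bot: after the 18 lines are removed, the hunk ends with two consecutive `{% endif %}` tags and no opening `{% if %}` is visible in the context; verify that the removed section was not wrapped in its own conditional whose opening tag now dangles, since an unbalanced Liquid block fails the site build rather than rendering wrongly.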