title: Deploy a simple stateless app with RBAC
description: Learn how to deploy a simple application and customize access to resources.
keywords: rbac, authorize, authentication, users, teams, UCP, Docker
redirect_from: /ucp/
ui_tabs:
- version: ucp-3.0
  orhigher: true
- version: ucp-2.2
  orlower: true

{% if include.ui %} {% if include.version=="ucp-3.0" %}

This tutorial explains how to deploy an nginx web server and limit access to one team with role-based access control (RBAC).

Scenario

You are the Docker EE admin at Acme Company and need to configure permissions to company resources. The best way to do this is to:

  • Build the organization with teams and users.
  • Create collections or namespaces for storing resources.
  • Create grants that specify which team can do what operations on which collection or namespace.
  • Give the ops team the all-clear to deploy nginx.

Build the organization

Add the organization, acme-datacenter, and create three teams according to the following structure:

acme-datacenter
├── dba
│   └── Alex Alutin
├── dev
│   └── Bett Bhatia
└── ops
    └── Chad Chavez

Easy usernames / passwords:

  • alex / alexalutin
  • bett / bettbhatia
  • chad / chadchavez

See: Create and configure users and teams.

Kubernetes deployment

In this section, we deploy nginx with Kubernetes. See Swarm stack for the same exercise with Swarm.

Create namespace

Create a namespace to logically store the nginx application:

  1. Click Kubernetes > Namespaces.
  2. Paste the following manifest in the terminal window:
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-namespace
  3. Click Create.

Grant roles

Grant the ops team (and only the ops team) access to nginx-namespace with the built-in role, Full Control.

acme-datacenter/ops + Full Control + nginx-namespace

Deploy Nginx

You've configured Docker EE. The ops team can now deploy nginx.

  1. Log on to UCP as chad (on the ops team).
  2. Click Kubernetes > Namespaces.
  3. Paste the following manifest in the terminal window and click Create.
apiVersion: apps/v1beta2 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
  4. Log on to UCP as each user and ensure that:
    • dba (alex) cannot see nginx-namespace.
    • dev (bett) cannot see nginx-namespace.

Swarm Stack

In this section, we deploy nginx as a Swarm service. See Kubernetes Deployment for the same exercise with Kubernetes.

Create collection paths

Create a collection for nginx resources, nested under the /Shared collection:

/
├── System
└── Shared
    └── nginx-collection

Tip: To drill into a collection, click View Children.

See: Group and isolate cluster resources.

Grant roles

Grant the ops team (and only the ops team) access to nginx-collection with the built-in role, Full Control.

acme-datacenter/ops + Full Control + /Shared/nginx-collection

See: Grant access to cluster resources.
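
The "ops team and only the ops team" requirement can be checked offline against a list of grants, including grants attached to parent collections. This is an added example, not code from the Docker documentation; the Grant tuple, the sample grants, and the rule that a grant on a parent collection also reaches its children are assumptions of this example.

```python
from typing import NamedTuple

class Grant(NamedTuple):
    subject: str     # team, e.g. "acme-datacenter/ops"
    role: str        # e.g. "Full Control"
    collection: str  # collection path the grant is attached to

def covers(grant_path: str, target: str) -> bool:
    """True if grant_path is target itself or one of its ancestors."""
    g, t = grant_path.rstrip("/"), target.rstrip("/")
    # Compare whole path segments: "/Shared/nginx" must not match
    # "/Shared/nginx-collection" just because it is a string prefix.
    return g == t or t.startswith(g + "/")

def subjects_with_access(grants, target):
    """Map each subject to the (role, collection) grants that reach target."""
    hits = {}
    for g in grants:
        # Assumption: a role named "None" confers no access.
        if g.role != "None" and covers(g.collection, target):
            hits.setdefault(g.subject, []).append((g.role, g.collection))
    return hits

def unexpected_access(grants, target, allowed):
    """Subjects outside `allowed` that can reach target, with the cause."""
    found = subjects_with_access(grants, target)
    return {s: why for s, why in found.items() if s not in allowed}

TARGET = "/Shared/nginx-collection"
ALLOWED = {"acme-datacenter/ops"}

# Constructed sample data: the grant from this tutorial...
INTENDED = [Grant("acme-datacenter/ops", "Full Control", TARGET)]
# ...and a drifted list where other grants were added later.
DRIFTED = INTENDED + [
    Grant("acme-datacenter/dev", "View Only", "/Shared"),           # ancestor
    Grant("acme-datacenter/dba", "Full Control", "/Shared/nginx"),  # sibling
    Grant("acme-datacenter/dba", "None", "/"),                      # no access
]

if __name__ == "__main__":
    for name, grants in (("intended", INTENDED), ("drifted", DRIFTED)):
        print(name, unexpected_access(grants, TARGET, ALLOWED))
```

In the drifted list, the dev team reaches nginx-collection through its grant on /Shared, which is the case the per-user login check is meant to catch.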

Deploy nginx with Swarm

You've configured Docker EE. The ops team can now deploy an nginx Swarm service.

  1. Log on to UCP as chad (on the ops team).
  2. Click Swarm > Services.
  3. Click Create Stack.
  4. On the Details tab, enter:
    • Name: nginx-service
    • Image: nginx:latest
  5. On the Collections tab:
    • Click /Shared in the breadcrumbs.
    • Select nginx-collection.
  6. Click Create.
  7. Log on to UCP as each user and ensure that:
    • dba (alex) cannot see nginx-collection.
    • dev (bett) cannot see nginx-collection.

{% elsif include.version=="ucp-2.2" %}

Swarm Stack

In this section, we deploy nginx as a Swarm service. See Kubernetes Deployment for the same exercise with Kubernetes.

Create collection paths

Create a collection for nginx resources, nested under the /Shared collection:

/
├── System
└── Shared
    └── nginx-collection

Tip: To drill into a collection, click View Children.

See: Group and isolate cluster resources.

Grant roles

Grant the ops team (and only the ops team) access to nginx-collection with the built-in role, Full Control.

acme-datacenter/ops + Full Control + /Shared/nginx-collection

See: Grant access to cluster resources.

Deploy nginx with Swarm

You've configured Docker EE. The ops team can now deploy an nginx Swarm service.

  1. Log on to UCP as chad (on the ops team).
  2. Click Swarm > Services.
  3. Click Create Stack.
  4. On the Details tab, enter:
    • Name: nginx-service
    • Image: nginx:latest
  5. On the Collections tab:
    • Click /Shared in the breadcrumbs.
    • Select nginx-collection.
  6. Click Create.
  7. Log on to UCP as each user and ensure that:
    • dba (alex) cannot see nginx-collection.
    • dev (bett) cannot see nginx-collection.

{% endif %} {% endif %}