docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/ee/ucp/authorization/deploy-stateless-app.md

172 lines
4.5 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Deploy a simple stateless app with RBAC
description: Learn how to deploy a simple application and customize access to resources.
keywords: rbac, authorize, authentication, user, team, UCP, Kubernetes
---
This tutorial explains how to deploy a NGINX web server and limit access to one
team with role-based access control (RBAC).
## Scenario
You are the Docker Enteprise system administrator at Acme Company and need to configure
permissions to company resources. The best way to do this is to:
- Build the organization with teams and users.
- Define roles with allowable operations per resource types, like
permission to run containers.
- Create collections or namespaces for accessing actual resources.
- Create grants that join team + role + resource set.
## Build the organization
Add the organization, `acme-datacenter`, and create three teams according to the
following structure:
```
acme-datacenter
├── dba
│ └── Alex*
├── dev
│ └── Bett
└── ops
├── Alex*
└── Chad
```
Learn to [create and configure users and teams](create-users-and-teams-manually.md).
## Kubernetes deployment
In this section, we deploy NGINX with Kubernetes. See [Swarm stack](#swarm-stack)
for the same exercise with Swarm.
### Create namespace
Create a namespace to logically store the NGINX application:
1. Click **Kubernetes** > **Namespaces**.
2. Paste the following manifest in the terminal window and click **Create**.
```
apiVersion: v1
kind: Namespace
metadata:
name: nginx-namespace
```
### Create a team
Learn to [create and configure users and teams](create-users-and-teams-manually.md).
### Define roles
For this exercise, create a simple role for the ops team. To learn how to create roles for Kubernetes,
see [Configure native Kubernetes role-based access control](/ee/ucp/admin/configure/configure-rbac-kube/).
### Grant access
Grant the ops team (and only the ops team) access to nginx-namespace with the
custom role, **Kube Deploy**.
```
acme-datacenter/ops + Kube Deploy + nginx-namespace
```
### Deploy NGINX
You've configured Docker EE. The `ops` team can now deploy `nginx`.
1. Log on to UCP as "chad" (on the `ops`team).
2. Click **Kubernetes** > **Namespaces**.
3. Paste the following manifest in the terminal window and click **Create**.
```yaml
apiVersion: apps/v1beta2 # Use apps/v1beta1 for versions < 1.8.0
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
```
4. Log on to UCP as each user and ensure that:
- `dba` (alex) can't see `nginx-namespace`.
- `dev` (bett) can't see `nginx-namespace`.
## Swarm stack
In this section, we deploy `nginx` as a Swarm service. See [Kubernetes Deployment](#kubernetes-deployment)
for the same exercise with Kubernetes.
### Create collection paths
Create a collection for NGINX resources, nested under the `/Shared` collection:
```
/
├── System
└── Shared
   └── nginx-collection
```
> **Tip**: To drill into a collection, click **View Children**.
Learn to [group and isolate cluster resources](group-resources.md).
### Define roles
You can use the built-in roles or define your own. For this exercise, create a
simple role for the ops team:
1. Click **Roles** under **User Management**.
2. Click **Create Role**.
3. On the **Details** tab, name the role `Swarm Deploy`.
4. On the **Operations** tab, check all **Service Operations**.
5. Click **Create**.
Learn to [create and configure users and teams](define-roles.md).
### Grant access
Grant the ops team (and only the ops team) access to `nginx-collection` with
the built-in role, **Swarm Deploy**.
```
acme-datacenter/ops + Swarm Deploy + /Shared/nginx-collection
```
Learn to [grant role-access to cluster resources](grant-permissions.md).
### Deploy NGINX
You've configured Docker EE. The `ops` team can now deploy an `nginx` Swarm
service.
1. Log on to UCP as chad (on the `ops`team).
2. Click **Swarm** > **Services**.
3. Click **Create Stack**.
4. On the Details tab, enter:
- Name: `nginx-service`
- Image: nginx:latest
5. On the Collections tab:
- Click `/Shared` in the breadcrumbs.
- Select `nginx-collection`.
6. Click **Create**.
7. Log on to UCP as each user and ensure that:
- `dba` (alex) cannot see `nginx-collection`.
- `dev` (bett) cannot see `nginx-collection`.
Reference in New Issue View Git Blame Copy Permalink