| title | Deploy a simple stateless app with RBAC |
|---|---|
| description | Learn how to deploy a simple application and customize access to resources. |
| keywords | rbac, authorize, authentication, user, team, UCP, Kubernetes |
{% include enterprise_label_shortform.md %}
This tutorial explains how to deploy a NGINX web server and limit access to one team with role-based access control (RBAC).
You are the Docker Enterprise system administrator at Acme Company and need to configure permissions to company resources. The best way to do this is to:
- Build the organization with teams and users.
- Define roles with allowable operations per resource types, like permission to run containers.
- Create collections or namespaces for accessing actual resources.
- Create grants that join team + role + resource set.
Add the organization, acme-datacenter, and create three teams according to the following structure:

```
acme-datacenter
├── dba
│   └── Alex*
├── dev
│   └── Bett
└── ops
    ├── Alex*
    └── Chad
```
Learn to create and configure users and teams.
In this section, we deploy NGINX with Kubernetes. See Swarm stack for the same exercise with Swarm.
Create a namespace to logically store the NGINX application:
- Click Kubernetes > Namespaces.
- Paste the following manifest in the terminal window and click Create.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-namespace
```
Learn to create and configure users and teams.
For this exercise, create a simple role for the ops team. To learn how to create roles for Kubernetes, see Configure native Kubernetes role-based access control.
Grant the ops team (and only the ops team) access to nginx-namespace with the custom role, Kube Deploy.
acme-datacenter/ops + Kube Deploy + nginx-namespace
You've configured Docker EE. The ops team can now deploy nginx.
- Log on to UCP as "chad" (on the ops team).
- Click Kubernetes > Namespaces.
- Paste the following manifest in the terminal window and click Create.
```yaml
apiVersion: apps/v1beta2 # Use apps/v1beta1 for versions < 1.8.0
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
```

- Log on to UCP as each user and ensure that:
  - dba (alex) can't see nginx-namespace.
  - dev (bett) can't see nginx-namespace.
In this section, we deploy nginx as a Swarm service. See Kubernetes Deployment
for the same exercise with Kubernetes.
Create a collection for NGINX resources, nested under the /Shared collection:

```
/
├── System
└── Shared
    └── nginx-collection
```
Tip: To drill into a collection, click View Children.
Learn to group and isolate cluster resources.
You can use the built-in roles or define your own. For this exercise, create a simple role for the ops team:
- Click Roles under User Management.
- Click Create Role.
- On the Details tab, name the role Swarm Deploy.
- On the Operations tab, check all Service Operations.
- Click Create.
Learn to create and configure users and teams.
Grant the ops team (and only the ops team) access to nginx-collection with
the built-in role, Swarm Deploy.
acme-datacenter/ops + Swarm Deploy + /Shared/nginx-collection
Learn to grant role-access to cluster resources.
You've configured Docker EE. The ops team can now deploy an nginx Swarm
service.
- Log on to UCP as chad (on the ops team).
- Click Swarm > Services.
- Click Create Stack.
- On the Details tab, enter:
  - Name: nginx-service
  - Image: nginx:latest
- On the Collections tab:
  - Click /Shared in the breadcrumbs.
  - Select nginx-collection.
- Click Create.
- Log on to UCP as each user and ensure that:
  - dba (alex) cannot see nginx-collection.
  - dev (bett) cannot see nginx-collection.
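To make the grant model behind both exercises concrete (team + role + resource set, evaluated per user), here is an added example. It is not UCP code and not UCP's real authorization engine; it is a small evaluator that encodes the acme-datacenter teams from the tutorial, the Kube Deploy grant on nginx-namespace and the Swarm Deploy grant on /Shared/nginx-collection, and then runs the same checks the tutorial asks you to make by logging in as chad and bett. It goes one step beyond the page by modelling collection inheritance, so a grant on /Shared also covers /Shared/nginx-collection, whereas a namespace matches only exactly. The operation names (deployment.create, service.create, view), the View Only role's contents and the other-namespace resource are constructed for this example, not UCP's real identifiers.

```python
"""Toy evaluator for the UCP grant model in this tutorial (added example).

Constructed data: the teams, roles and grants below mirror the tutorial's
acme-datacenter setup; operation names are assumed labels, not UCP's own.
"""
from dataclasses import dataclass

# Team membership from the tutorial's org tree (Alex is in both dba and ops).
TEAM_MEMBERS = {
    "acme-datacenter/dba": {"alex"},
    "acme-datacenter/dev": {"bett"},
    "acme-datacenter/ops": {"alex", "chad"},
}

# A role is the set of operations it allows. Names are assumptions for the example.
ROLES = {
    "Kube Deploy": {"view", "deployment.create", "deployment.delete"},
    "Swarm Deploy": {"view", "service.create", "service.update", "service.delete"},
    "View Only": {"view"},
}


@dataclass(frozen=True)
class Grant:
    """team + role + resource set, as the tutorial describes a grant."""
    team: str
    role: str
    resource_set: str  # a Kubernetes namespace or a Swarm collection path


# The two grants the tutorial creates (ops team only).
GRANTS = [
    Grant("acme-datacenter/ops", "Kube Deploy", "nginx-namespace"),
    Grant("acme-datacenter/ops", "Swarm Deploy", "/Shared/nginx-collection"),
]


def teams_of(user: str) -> set[str]:
    """All teams the user belongs to; a user may be in several."""
    return {team for team, members in TEAM_MEMBERS.items() if user in members}


def resource_in_set(resource: str, resource_set: str) -> bool:
    """Collections (paths starting with '/') are hierarchical: a grant on /Shared
    covers /Shared/nginx-collection. Namespaces are flat and match only exactly."""
    if resource_set.startswith("/"):
        prefix = resource_set.rstrip("/") + "/"
        return resource == resource_set or resource.startswith(prefix)
    return resource == resource_set


def allowed_operations(user: str, resource: str, grants=GRANTS) -> set[str]:
    """Union of the operations from every grant whose team includes the user
    and whose resource set contains the resource."""
    user_teams = teams_of(user)
    ops: set[str] = set()
    for g in grants:
        if g.team in user_teams and resource_in_set(resource, g.resource_set):
            ops |= ROLES[g.role]
    return ops


def can(user: str, operation: str, resource: str, grants=GRANTS) -> bool:
    return operation in allowed_operations(user, resource, grants)


def can_see(user: str, resource: str, grants=GRANTS) -> bool:
    """A resource is visible only if some grant gives the user any operation on it."""
    return bool(allowed_operations(user, resource, grants))


def verify_tutorial_outcome() -> dict[str, bool]:
    """The checks the tutorial asks for after logging in as chad and bett."""
    return {
        "chad deploys in nginx-namespace": can("chad", "deployment.create", "nginx-namespace"),
        "chad creates service in nginx-collection": can("chad", "service.create", "/Shared/nginx-collection"),
        "bett cannot see nginx-namespace": not can_see("bett", "nginx-namespace"),
        "bett cannot see nginx-collection": not can_see("bett", "/Shared/nginx-collection"),
        "chad cannot see an ungranted namespace": not can_see("chad", "other-namespace"),
    }


if __name__ == "__main__":
    for check, ok in verify_tutorial_outcome().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Because evaluation is per team, adding a View Only grant for acme-datacenter/dev on /Shared would make nginx-collection visible to bett through inheritance without letting her create services in it; that is the kind of check worth running before widening a grant on a parent collection.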