Mirantis Kubernetes Engine enforces role-based access control when you deploy services. By default, you don’t need to do anything, because MKE deploys your services to a default collection, unless you specify another one. You can customize the default collection in your MKE profile page.
MKE defines a collection by its path. For example, a user's default collection has the path /Shared/Private/<username>. To deploy a service to a collection that you specify, assign the collection's path to the access label of the service. The access label is named com.docker.ucp.access.label.
When MKE deploys a service, it doesn’t automatically create the collections that correspond with your access labels. An administrator must create these collections and grant users access to them. Deployment fails if MKE can’t find a specified collection or if the user doesn’t have access to it.
Here's an example of a docker service create command that deploys a service to the /Shared/database collection:
docker service create \
  --name redis_2 \
  --label com.docker.ucp.access.label="/Shared/database" \
  redis:3.0.6
You can also specify a target collection for a service in a Compose file. In the service definition, add a labels: dictionary (under deploy: in the example below) and assign the collection's path to the com.docker.ucp.access.label key.
If you don’t specify access labels in the Compose file, resources are placed in the user’s default collection when the stack is deployed.
You can place a stack’s resources into multiple collections, but most of the time, you won’t need to do this.
Here's an example of a Compose file that specifies two services, WordPress and MySQL, and gives them the access label /Shared/wordpress:
version: '3.1'

services:
  wordpress:
    image: wordpress
    networks:
      - wp
    ports:
      - 8080:80
    environment:
      WORDPRESS_DB_PASSWORD: example
    deploy:
      labels:
        com.docker.ucp.access.label: /Shared/wordpress
  mysql:
    image: mysql:5.7
    networks:
      - wp
    environment:
      MYSQL_ROOT_PASSWORD: example
    deploy:
      labels:
        com.docker.ucp.access.label: /Shared/wordpress

networks:
  wp:
    driver: overlay
    labels:
      com.docker.ucp.access.label: /Shared/wordpress
To deploy the application:
If the /Shared/wordpress collection doesn't exist, or if you don't have a grant for accessing it, MKE reports an error.
To confirm that the service deployed to the /Shared/wordpress collection, inspect the service's labels and check that the value of com.docker.ucp.access.label is:
/Shared/wordpress

Note
By default, Docker Stacks create a default overlay network for your stack, and it is attached to each container that is deployed. This works if you have full control over your default collection or are an administrator. If your administrators have locked down MKE so that you only have access to specific collections, and you manage multiple collections, then managing the networks can get very difficult as well and you might run into permissions errors. To fix this, you must define a custom network and attach it to each service. The network must have the same com.docker.ucp.access.label label as your service. If configured correctly, your network is grouped with the other resources in your stack.
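The Compose example and the note above describe two ways a stack can end up split across collections: a service or network with no access label lands in the user's default collection, and a service attached to a network in another collection fails with a permissions error. The following check, an added example that is not part of the MKE documentation, lints an already-parsed Compose file (the dict yaml.safe_load would return) for both problems; the sample stack, the default collection path /Shared/Private/jane and the function names are constructed for illustration.

```python
ACCESS_LABEL = "com.docker.ucp.access.label"

# Constructed sample (added example, not from the MKE docs): the WordPress/MySQL
# stack above as yaml.safe_load would return it, except that the 'wp' network
# was left without an access label to show what the check reports.
STACK = {
    "services": {
        "wordpress": {"image": "wordpress", "networks": ["wp"],
                      "deploy": {"labels": {ACCESS_LABEL: "/Shared/wordpress"}}},
        "mysql": {"image": "mysql:5.7", "networks": ["wp"],
                  "deploy": {"labels": {ACCESS_LABEL: "/Shared/wordpress"}}},
    },
    "networks": {"wp": {"driver": "overlay"}},
}


def collection_of(labels):
    """Collection path from a Compose labels mapping or 'k=v' list, else None."""
    if isinstance(labels, list):
        labels = dict(item.split("=", 1) for item in labels)
    return (labels or {}).get(ACCESS_LABEL)


def lint_collections(stack, default_collection):
    """List every resource that will not land in the collection its stack-mates use.

    An unlabeled resource is placed in the user's default collection; a service
    attached to a network in a different collection is the permissions-error case
    the note above describes. The implicit stack network 'default' is unlabeled.
    """
    findings = []
    net_coll = {}
    for name, spec in (stack.get("networks") or {}).items():
        spec = spec or {}
        net_coll[name] = collection_of(spec.get("labels"))
        if net_coll[name] is None and not spec.get("external"):
            findings.append(f"network {name}: no {ACCESS_LABEL}; placed in {default_collection}")
    for name, svc in (stack.get("services") or {}).items():
        coll = collection_of((svc.get("deploy") or {}).get("labels"))
        if coll is None:
            findings.append(f"service {name}: no {ACCESS_LABEL}; placed in {default_collection}")
            coll = default_collection
        nets = svc.get("networks") or ["default"]  # no networks: key -> stack default net
        for net in (list(nets) if isinstance(nets, dict) else nets):
            ncoll = net_coll.get(net) or default_collection
            if ncoll != coll:
                findings.append(f"service {name} ({coll}) attaches network {net} ({ncoll})")
    return findings
```

Running lint_collections(STACK, "/Shared/Private/jane") reports the unlabeled wp network and both services attaching to it; adding the access label to the network, as in the Compose file above, clears all findings.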