Deploy a simple stateless app with RBAC

This topic describes how to deploy an NGINX web server, limiting access to one team using role-based access control (RBAC).

You are the MKE system administrator and will configure permissions to company resources using a four-step process:

  1. Build the organization with teams and users.

  2. Define roles with allowable operations per resource type, such as permission to run containers.

  3. Create collections or namespaces for accessing actual resources.

  4. Create grants that join team, role, and resource set.


To deploy a simple stateless app with RBAC:

  1. Build the organization:

    1. Log in to the MKE web UI.

    2. Add an organization called company-datacenter.

    3. Create three teams according to the following structure:

      Team    Users
      DBA     Alex
      Dev     Bett
      Ops     Alex, Chad

  2. Deploy NGINX with Kubernetes:

    1. Click Kubernetes > Namespaces.

    2. Paste the following manifest in the Object YAML editor and click Create.

      apiVersion: v1
      kind: Namespace
      metadata:
        name: nginx-namespace
      
    3. Create a simple role for the Ops team called Kube Deploy.

    4. Create a grant for the Ops team to access the nginx-namespace with the Kube Deploy custom role.

    5. Log in to the MKE web UI as Chad on the Ops team.

    6. Click Kubernetes > Namespaces.

    7. Paste the following manifest in the Object YAML editor and click Create.

      apiVersion: apps/v1beta2
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        # The Deployment manages the pods that carry this label.
        selector:
          matchLabels:
            app: nginx
        replicas: 2
        template:
          metadata:
            labels:
              app: nginx   # must match spec.selector.matchLabels
          spec:
            containers:
            - name: nginx
              image: nginx:latest
              ports:
              - containerPort: 80
      

      Note

      Use apps/v1beta1 for versions lower than 1.8.0.

    8. Sign in as each user and verify that the following users cannot see nginx-namespace:

      • Alex on the DBA team

      • Bett on the Dev team

  3. Deploy NGINX as a Swarm service:

    1. Create a collection for NGINX resources called nginx-collection nested under the Shared collection. To view child collections, click View Children.

    2. Create a simple role for the Ops team called Swarm Deploy.

    3. Create a grant for the Ops team to access the nginx-collection with the Swarm Deploy custom role.

    4. Log in to the MKE web UI as Chad on the Ops team.

    5. Click Swarm > Services > Create.

    6. On the Details tab, enter the following:

      • Name: nginx-service

      • Image: nginx:latest

    7. On the Collection tab, click View Children next to Swarm and then next to Shared.

    8. Click nginx-collection, then click Create.

    9. Sign in as each user and verify that the following users cannot see nginx-collection:

      • Alex on the DBA team

      • Bett on the Dev team
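
The Kubernetes procedure above creates the Kube Deploy role and the Ops grant in the web UI without showing what the role permits. As an added illustration (not part of the original page and not MKE's own configuration), the following expresses the same namespace-scoped intent as plain Kubernetes RBAC objects. The object names, the rule set, and the placeholder Group subject are assumptions.

```yaml
# Added example: a namespaced Role and RoleBinding for nginx-namespace.
# The rule set, object names and Group subject are assumptions, not MKE defaults.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kube-deploy            # assumed object name for the "Kube Deploy" role
  namespace: nginx-namespace   # Role (not ClusterRole): valid only in this namespace
rules:
# Manage Deployments, the only workload kind the manifest above creates.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Read-only view of what the Deployment controller creates, for troubleshooting.
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "*" verbs or resources, secrets, pods/exec, and any
# rbac.authorization.k8s.io resources, so the role cannot widen its own access.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ops-kube-deploy        # assumed name
  namespace: nginx-namespace   # the binding grants nothing outside this namespace
subjects:
- kind: Group
  name: ops-team-placeholder   # placeholder: the page does not show how MKE names the Ops team subject
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: kube-deploy
  apiGroup: rbac.authorization.k8s.io
```

Because both objects are namespaced, a subject with no binding in nginx-namespace gets nothing from them, which is the outcome the verification steps check for.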