Deploy a simple stateless app with RBAC
This topic describes how to deploy an NGINX web server, limiting access to one team using role-based access control (RBAC).
You are the MKE system administrator and will configure permissions to company resources using a four-step process:
Build the organization with teams and users.
Define roles with allowable operations per resource type, such as permission to run containers.
Create collections or namespaces for accessing actual resources.
Create grants that join team, role, and resource set.
To deploy a simple stateless app with RBAC:
Build the organization:
Log in to the MKE web UI.
Add an organization called company-datacenter.
Create three teams according to the following structure:

    Team    Users
    DBA     Alex
    Dev     Bett
    Ops     Alex, Chad
Deploy NGINX with Kubernetes:
Click Kubernetes > Namespaces.
Paste the following manifest in the Object YAML editor and click Create.
    apiVersion: v1
    kind: Namespace
    metadata:
      name: nginx-namespace
Create a simple role for the Ops team called Kube Deploy.
Create a grant for the Ops team to access the nginx-namespace with the Kube Deploy custom role.
Log in to the MKE web UI as Chad on the Ops team.
Click Kubernetes > Namespaces.
Paste the following manifest in the Object YAML editor and click Create.
    apiVersion: apps/v1beta2
    kind: Deployment
    metadata:
      name: nginx-deployment
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 2
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:latest
            ports:
            - containerPort: 80
Note: Use apps/v1beta1 for versions lower than 1.8.0.
Sign in as each user and verify that the following users cannot see nginx-namespace:
Alex on the DBA team
Bett on the Dev team
Deploy NGINX as a Swarm service:
Create a collection for NGINX resources called nginx-collection nested under the Shared collection. To view child collections, click View Children.
Create a simple role for the Ops team called Swarm Deploy.
Create a grant for the Ops team to access the nginx-collection with the Swarm Deploy custom role.
Log in to the MKE web UI as Chad on the Ops team.
Click Swarm > Services > Create.
On the Details tab, enter the following:
Name: nginx-service
Image: nginx:latest
On the Collection tab, click View Children next to Swarm and then next to Shared.
Click nginx-collection, then click Create.
Sign in as each user and verify that the following users cannot see nginx-collection:
Alex on the DBA team
Bett on the Dev team
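
The grant model this walkthrough builds (team, role, resource set) and its two "cannot see" checks, as an added Python example that is not MKE code or part of the original page. It assumes that a user's access is the union of the grants of every team they belong to and that a grant on a collection covers its child collections; the `namespace:` / `collection:` notation is constructed for the example.

```python
# Added example: simplified model of the grants built in this walkthrough.
# Assumptions (not MKE code): a user's access is the union of the grants of
# every team they belong to, and a grant on a collection covers its children.

TEAMS = {  # team -> members, taken from the team table in the walkthrough
    "DBA": {"Alex"},
    "Dev": {"Bett"},
    "Ops": {"Alex", "Chad"},
}

# (team, role, resource set) grants created in the walkthrough.
# The "namespace:" / "collection:" prefixes and the path are constructed notation.
GRANTS = [
    ("Ops", "Kube Deploy", "namespace:nginx-namespace"),
    ("Ops", "Swarm Deploy", "collection:Shared/nginx-collection"),
]


def covers(granted: str, target: str) -> bool:
    """True if a grant on `granted` applies to `target`."""
    if granted == target:
        return True
    # Only collections nest. Match on a path-segment boundary so that
    # Shared/nginx does not cover Shared/nginx-collection.
    if granted.startswith("collection:") and target.startswith("collection:"):
        return target.startswith(granted.rstrip("/") + "/")
    return False


def team_roles(team: str, target: str) -> set[str]:
    """Roles that membership in `team` alone confers on `target`."""
    return {role for t, role, res in GRANTS if t == team and covers(res, target)}


def user_roles(user: str, target: str) -> set[str]:
    """Effective roles for `user`: union over every team they belong to."""
    roles: set[str] = set()
    for team, members in TEAMS.items():
        if user in members:
            roles |= team_roles(team, target)
    return roles


if __name__ == "__main__":
    for target in ("namespace:nginx-namespace", "collection:Shared/nginx-collection"):
        for user in ("Alex", "Bett", "Chad"):
            access = sorted(user_roles(user, target)) or "no access"
            print(f"{user:5} {target:36} {access}")
```

Under these assumptions, DBA and Dev membership confer nothing on either resource, but the Alex account is also listed on the Ops team and so inherits the Ops grants. The negative check for Alex holds only for an account that is not also an Ops member.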