Deploy a simple stateless app with RBAC

This topic describes how to deploy an NGINX web server, limiting access to one team using role-based access control (RBAC).

You are the MKE system administrator and will configure permissions for company resources using a four-step process:

  1. Build the organization with teams and users.

  2. Define roles with allowable operations per resource type, such as permission to run containers.

  3. Create collections or namespaces for accessing actual resources.

  4. Create grants that join team, role, and resource set.


To deploy a simple stateless app with RBAC:

  1. Build the organization:

    1. Log in to the MKE web UI.

    2. Add an organization called company-datacenter.

    3. Create three teams according to the following structure:

      Team   Users
      DBA    Alex
      Dev    Bett
      Ops    Alex, Chad

  2. Deploy NGINX with Kubernetes:

    1. Create a namespace:

      1. Click Kubernetes > Create.

      2. Paste the following manifest in the Object YAML editor and click Create.

        apiVersion: v1
        kind: Namespace
        metadata:
          name: nginx-namespace
        
    2. Create a role for the Ops team called kube-deploy:

      1. Click Kubernetes > Create.

      2. Select nginx-namespace from the Namespace drop-down.

      3. Paste the following manifest in the Object YAML editor and click Create.

        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          name: kube-deploy
        rules:
        - apiGroups: ["*"]
          resources: ["*"]
          verbs: ["*"]
        
    3. Create a role binding to allow the Ops team to deploy applications to nginx-namespace:

      1. Click Access Control > Grants.

      2. Select the Kubernetes tab and click Create Role Binding.

      3. Under Subject, select Organizations and configure Organization as company-datacenter and Team as Ops.

      4. Click Next.

      5. Under Resource Set, select nginx-namespace and click Next.

      6. Under Role, select the kube-deploy role and click Create.

    4. Deploy an application as a member of the Ops team:

      1. Log in to the MKE web UI as Chad, a member of the Ops team.

      2. Click Kubernetes > Create.

      3. Select nginx-namespace from the Namespace drop-down.

      4. Paste the following manifest in the Object YAML editor and click Create.

        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: nginx-deployment
        spec:
          replicas: 2
          selector:
            matchLabels:
              app: nginx
          template:
            metadata:
              labels:
                app: nginx
            spec:
              containers:
              - name: nginx
                image: nginx:latest
                ports:
                - containerPort: 80
        
  3. Verify that Ops team members can view the nginx-deployment resources:

    1. Log in to the MKE web UI as Alex, a member of the Ops team.

    2. Click Kubernetes > Controllers.

    3. Confirm the presence of NGINX deployment and ReplicaSet.

  4. Verify that Dev team members cannot view the nginx-deployment resources:

    1. Log in to the MKE web UI as Bett, who is not a member of the Ops team.

    2. Click Kubernetes > Controllers.

    3. Confirm that NGINX deployment and ReplicaSet are not present.
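The verification in steps 3 and 4 works because a Kubernetes Role is namespace-scoped and only reaches a caller through a RoleBinding in that same namespace whose subject matches the caller. The following offline model of that decision is an added example, not MKE or Kubernetes code: it transcribes the page's teams, the kube-deploy Role and the Ops role binding into Python dictionaries and answers "can this user do this verb on this resource in this namespace" the way the Kubernetes RBAC authorizer does (allow-only rules, wildcard matching, no deny). The group name MKE assigns the Ops team ("company-datacenter:Ops") and the user-to-team lookup are assumptions made for the example.

```python
"""Offline model of the RBAC decision behind steps 3 and 4 (added example)."""

# Team membership from the organization built in step 1.
TEAMS = {
    "DBA": {"Alex"},
    "Dev": {"Bett"},
    "Ops": {"Alex", "Chad"},
}

# The kube-deploy Role from the page as a dict. The namespace comes from the
# drop-down selected before pasting the manifest, so it is filled in here.
KUBE_DEPLOY_ROLE = {
    "kind": "Role",
    "metadata": {"name": "kube-deploy", "namespace": "nginx-namespace"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# The role binding created in step 2.3. The subject group name is an
# assumption about how MKE names the Ops team; the binding name is made up.
OPS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "ops-kube-deploy", "namespace": "nginx-namespace"},
    "subjects": [{"kind": "Group", "name": "company-datacenter:Ops"}],
    "roleRef": {"kind": "Role", "name": "kube-deploy"},
}


def groups_for(user):
    """Groups a user carries, derived from team membership (assumed naming)."""
    return {f"company-datacenter:{team}"
            for team, members in TEAMS.items() if user in members}


def rule_matches(rule, api_group, resource, verb):
    """A rule grants the request when each list contains '*' or the value."""
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    return (ok(rule["apiGroups"], api_group)
            and ok(rule["resources"], resource)
            and ok(rule["verbs"], verb))


def can_i(user, verb, resource, namespace, api_group="",
          roles=(KUBE_DEPLOY_ROLE,), bindings=(OPS_BINDING,)):
    """Kubernetes-style authorization: any matching binding+rule allows.

    A namespaced Role applies only inside its own namespace, and only via a
    RoleBinding in that namespace whose subject matches the caller. Nothing
    here can deny; absence of a matching rule is the deny.
    """
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    caller_groups = groups_for(user)
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # binding lives in another namespace
        subjects = {(s["kind"], s["name"]) for s in binding["subjects"]}
        if ("User", user) not in subjects and not any(
                ("Group", g) in subjects for g in caller_groups):
            continue  # caller is not a subject of this binding
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None or role["metadata"]["namespace"] != namespace:
            continue  # dangling or out-of-namespace roleRef grants nothing
        if any(rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def verification_matrix():
    """Reproduce steps 3 and 4: who can list deployments in nginx-namespace."""
    return {user: can_i(user, "list", "deployments", "nginx-namespace",
                        api_group="apps")
            for user in ("Alex", "Chad", "Bett")}


if __name__ == "__main__":
    for user, allowed in verification_matrix().items():
        print(f"{user}: {'can' if allowed else 'cannot'} list nginx-deployment")
    # The Role is scoped to nginx-namespace, so Ops gets nothing elsewhere.
    print("Chad in default namespace:",
          can_i("Chad", "create", "deployments", "default", api_group="apps"))
```

Running the block prints that Alex and Chad can list the deployment while Bett cannot, matching the two verification steps; the last line shows why the wildcard Role is less sweeping than it looks: it reaches only nginx-namespace, so the same grant gives Ops no rights in any other namespace. Note that Alex is on the DBA team as well, and the model allows the request because membership in any bound team is enough.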

  5. Deploy NGINX as a Swarm service:

    1. Create a collection for NGINX resources called nginx-collection nested under the Shared collection. To view child collections, click View Children.

    2. Create a simple role for the Ops team called Swarm Deploy.

    3. Create a grant for the Ops team to access the nginx-collection with the Swarm Deploy custom role.

    4. Log in to the MKE web UI as Chad on the Ops team.

    5. Click Swarm > Services > Create.

    6. On the Details tab, enter the following:

      • Name: nginx-service

      • Image: nginx:latest

    7. On the Collection tab, click View Children next to Swarm and then next to Shared.

    8. Click nginx-collection, then click Create.

    9. Sign in as each user and verify that the following users cannot see nginx-collection:

      • Alex on the DBA team

      • Bett on the Dev team