Deploy a simple stateless app with RBAC
This topic describes how to deploy an NGINX web server, limiting access to one team using role-based access control (RBAC).
You are the MKE system administrator and will configure permissions to company resources using a four-step process:
Build the organization with teams and users.
Define roles with allowable operations per resource type, such as permission to run containers.
Create collections or namespaces for accessing actual resources.
Create grants that join team, role, and resource set.
To deploy a simple stateless app with RBAC:
Build the organization:
Log in to the MKE web UI.
Add an organization called company-datacenter.
Create three teams according to the following structure:

| Team | Users |
|------|-------|
| DBA | Alex |
| Dev | Bett |
| Ops | Alex, Chad |

Note that Alex belongs to two teams; access in MKE is the union of every grant a user receives through any team, which matters for the verification steps below.
Deploy NGINX with Kubernetes:
Create a namespace:
Click Kubernetes > Create.
Paste the following manifest in the Object YAML editor and click Create.
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-namespace
```
Create a role for the Ops team called kube-deploy:
Click Kubernetes > Create.
Select nginx-namespace from the Namespace drop-down.
Paste the following manifest in the Object YAML editor and click Create.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kube-deploy
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```
The wildcard rules grant every verb on every resource type inside nginx-namespace, including Secrets and RoleBindings, so a member of the Ops team can read credentials stored there and extend their own permissions within the namespace. That is acceptable for this walkthrough, but a production role should list only the API groups, resources, and verbs the team actually needs (for a deployer, typically deployments and replicasets in the apps group, plus read access to pods).
Create a role binding, to allow the Ops team to deploy applications to nginx-namespace:
Click Access Control > Grants.
Select the Kubernetes tab and click Create Role Binding.
Under Subject, select Organizations and configure Organization as company-datacenter and Team as Ops.
Click Next.
Under Resource Set, select nginx-namespace and click Next.
Under Role, select the kube-deploy role and click Create.
Deploy an application as a member of the Ops team:
Log in to the MKE web UI as Chad, a member of the Ops team.
Click Kubernetes > Create.
Select nginx-namespace from the Namespace drop-down.
Paste the following manifest in the Object YAML editor and click Create.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
```
Verify that Ops team members can view the nginx-deployment resources:
Log in to the MKE web UI as Alex, a member of the Ops team.
Click Kubernetes > Controllers.
Confirm the presence of the NGINX Deployment and ReplicaSet.
Verify that Dev team members cannot view the nginx-deployment resources:
Log in to the MKE web UI as Bett, who is not a member of the Ops team.
Click Kubernetes > Controllers.
Confirm that the NGINX Deployment and ReplicaSet are not present.
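The two verification logins above exercise the Kubernetes RBAC decision that the grant created: a RoleBinding applies a Role's rules to a subject only inside the namespace it was created in, and a user's effective access is the union of every binding reaching any of their teams. The following Python model reproduces that decision for the organization, Role, and RoleBinding on this page, so the outcome for each user can be checked without a cluster. It is an added example, not MKE or Kubernetes code: the `kube-deploy-minimal` role is an assumed least-privilege alternative to the page's wildcard role, and the model deliberately ignores ClusterRoles, ClusterRoleBindings, subresources, and resourceNames.

```python
"""Model of the namespace-scoped RBAC check behind the page's grant.

Added illustration, not MKE or Kubernetes code. TEAMS, the kube-deploy Role
and the RoleBinding mirror the page; kube-deploy-minimal is an assumption.
"""
from typing import Dict, List, Set, Tuple

# Organization from the page: team -> members. Alex sits on two teams.
TEAMS: Dict[str, Set[str]] = {
    "DBA": {"Alex"},
    "Dev": {"Bett"},
    "Ops": {"Alex", "Chad"},
}

# Role rules in the same shape as the manifest's `rules:` list.
# "" is the core API group (pods, secrets); "apps" holds deployments.
ROLES: Dict[str, List[Dict[str, List[str]]]] = {
    # The page's role: every verb on every resource in the bound namespace.
    "kube-deploy": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    # Assumed tighter alternative: only what deploying NGINX needs.
    "kube-deploy-minimal": [
        {"apiGroups": ["apps"],
         "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBindings as (namespace, team, role). MKE turns the team into the
# binding's subject; the Role only ever applies inside that namespace.
Binding = Tuple[str, str, str]
BINDINGS: List[Binding] = [
    ("nginx-namespace", "Ops", "kube-deploy"),
]


def _matches(allowed: List[str], wanted: str) -> bool:
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict[str, List[str]], api_group: str,
                resource: str, verb: str) -> bool:
    """All three fields of a rule must match for the rule to allow a request."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can(user: str, verb: str, resource: str, namespace: str,
        api_group: str = "", bindings: List[Binding] = BINDINGS) -> bool:
    """Union of grants: any binding of any of the user's teams suffices.

    There is no deny rule in Kubernetes RBAC, so membership in an
    unprivileged team (Alex in DBA) never removes access from another.
    """
    for ns, team, role in bindings:
        if ns != namespace or user not in TEAMS.get(team, set()):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in ROLES[role]):
            return True
    return False


def who_can_list_deployments(namespace: str,
                             bindings: List[Binding] = BINDINGS) -> List[str]:
    """Users who would see the Deployment under Kubernetes > Controllers."""
    everyone = set().union(*TEAMS.values())
    return sorted(u for u in everyone
                  if can(u, "list", "deployments", namespace, "apps", bindings))


if __name__ == "__main__":
    print("Can see nginx-deployment:", who_can_list_deployments("nginx-namespace"))
    print("Chad may delete secrets with wildcard role:",
          can("Chad", "delete", "secrets", "nginx-namespace"))
    minimal = [("nginx-namespace", "Ops", "kube-deploy-minimal")]
    print("Chad may delete secrets with minimal role:",
          can("Chad", "delete", "secrets", "nginx-namespace", bindings=minimal))
```

Running the block prints Alex and Chad as the users who can see the Deployment, matching the two logins in the procedure, and shows the difference between the page's wildcard role and the scoped one: under `kube-deploy` Chad can also delete Secrets in nginx-namespace, under `kube-deploy-minimal` he cannot while still being able to create the Deployment. On a live cluster the equivalent check is `kubectl auth can-i`, run with the user's own kubeconfig.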
Deploy NGINX as a Swarm service:
Create a collection for NGINX resources called nginx-collection, nested under the Shared collection. To view child collections, click View Children.
Create a simple role for the Ops team called Swarm Deploy.
Create a grant for the Ops team to access nginx-collection with the Swarm Deploy custom role.
Log in to the MKE web UI as Chad on the Ops team.
Click Swarm > Services > Create.
On the Details tab, enter the following:
Name: nginx-service
Image: nginx:latest
On the Collection tab, click View Children next to Swarm and then next to Shared.
Click nginx-collection, then click Create.
Sign in as each of the other users and verify the result:
Bett on the Dev team cannot see nginx-collection, because no grant reaches the Dev team.
Alex is on the DBA team but also on the Ops team, so the Ops grant still gives Alex access to nginx-collection. Grants only ever add access; DBA membership does not subtract from what Ops confers.