Grant role-access to cluster resources
Docker EE administrators can create grants to control how users and organizations access resource sets.
A grant defines who has how much access to what resources. Each grant is a 1:1:1 mapping of subject, role, and resource set. For example, you can grant the “Prod Team” “Restricted Control” over services in the “/Production” collection.
A common workflow for creating grants has four steps:
- Add and configure subjects (users, teams, and service accounts).
- Define custom roles (or use the built-in ones) by listing the permitted API operations for each resource type.
- Group cluster resources into Swarm collections or Kubernetes namespaces.
- Create grants by combining subject + role + resource set.
Kubernetes grants
With Kubernetes orchestration, a grant is made up of subject, role, and namespace.
This section assumes that you have already created the objects the grant refers to: a subject, a role, and a namespace.
To create a Kubernetes grant (role binding) in UCP:
- Click Grants under Access Control.
- Click Create Role Binding.
- Click Namespaces under Kubernetes.
- Find the desired namespace and click Select Namespace.
- On the Roles tab, select a role.
- On the Subjects tab, select a user, team, organization, or service account to authorize.
- Click Create.
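A Kubernetes grant in UCP is a standard Kubernetes RoleBinding, so the same grant can be expressed as manifests and applied with kubectl from an admin client bundle. The following is an added example, not from the UCP documentation: the namespace name "production", the user name "alice", and the role name "production-viewer" are hypothetical, and it assumes UCP presents an authenticated UCP user to Kubernetes RBAC under the UCP username.

```yaml
# Added example (not part of the UCP docs): the Kubernetes objects behind a
# UCP grant of a read-only role to one user in one namespace.
# Assumptions: "production", "alice" and "production-viewer" are hypothetical
# names; the UCP username is what Kubernetes RBAC sees as the User subject.
apiVersion: v1
kind: Namespace
metadata:
  name: production
---
# The role: which API operations are permitted, per resource type.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: production-viewer
  namespace: production
rules:
  # Least privilege: read-only on workloads and pod logs, no write verbs.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# The grant itself: subject + role + namespace, as a RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-production-viewer
  namespace: production
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: production-viewer
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f grant.yaml`, then check the result rather than trusting the UI: `kubectl auth can-i list pods --namespace production --as alice` should print `yes`, and `kubectl auth can-i delete pods --namespace production --as alice` should print `no`. Because this is a RoleBinding rather than a ClusterRoleBinding, the grant is confined to the `production` namespace; note also that `roleRef` is immutable, so changing the role of an existing binding means deleting and recreating it.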
Swarm grants
With Swarm orchestration, a grant is made up of subject, role, and collection.
This section assumes that you have already created the objects the grant refers to: subjects (users or teams), a role (built-in or custom), and a collection.
To create a grant in UCP:
- Click Grants under Access Control.
- Click Swarm.
- Click Create Grant.
- In the Select Subject Type section, select Users or Organizations.
- Click View Children until you reach the desired collection, then click Select.
- On the Roles tab, select a role.
- On the Subjects tab, select a user, team, or organization to authorize.
- Click Create.
By default, all new users are placed in the docker-datacenter organization. To apply permissions to all Docker EE users, create a grant with the docker-datacenter org as the subject. Because such a grant reaches every user in the cluster, keep it to the least privilege needed (for example, View Only on a shared collection) and give broader access through grants to specific teams instead.