Role-based Access Control for Kubernetes with Docker Enterprise

Docker Enterprise Team - January 17, 2020 - ,

This post was originally published on January 24, 2018 on the Docker blog.

Last week we released the latest beta for Docker Enterprise Edition 2.0. Without a doubt one of the most significant features in this release is providing a single management control plane for both Swarm and Kubernetes-based clusters – including clusters made up of both Swarm and Kubernetes workers. This offers customers unparalleled choice in how they manage both their traditional and cloud native applications.

When we were looking at doing this release we knew we couldn’t just slap a GUI on top of Kubernetes and call it good. We wanted to find areas where we could simplify and secure the deployment of  applications onto Kubernetes nodes.

One such area is role-based access control (RBAC). Docker EE 17.06 introduced an enhanced RBAC solution that provided flexible and granular access controls across multiple teams and users. While Kubernetes first introduced a basic RBAC solution with the 1.6 release, in this upcoming release, we extend Docker EE’s existing RBAC support to support Kubernetes primitives.

In addition to the five predefined authentication roles in Docker EE (view only, full control, none, etc) there are 33 different categories of operations that administrators can use to create custom roles. And, each of these categories covers multiple different settings. For administrators this means they can mix and match between a set of sensible default roles for some users or creating highly-customized roles where needed.

A Mixed Orchestrator RBAC Example

For me this was a bit overwhelming until I dove in and tried out a couple different scenarios. For instance let’s say we have three people: Katherine, Saavni, and Kahlil. Katherine is our container administrator, and she has full access to all of the Kubernetes namespaces and swarm resources on our cluster. Kahlil is a junior admin who doesn’t need to necessarily manage running Kubernetes resources, but does need a degree of visibility into Kubernetes-based applications running on the production systems. The same goes for Saavni, only she’s focused on Swarm-based applications.

For Khalil, Katherine setup a custom role that only allows a user to list pods. She then created a grant that gave Kahlil that role, but only for the ‘prod-web’ namespace.

Next, Katherine created a custom role that allows a user to list swarm services, and granted that role to Saavni for the ‘prod_db’ collection.

video thumbnail

As you would expect, Khalil is limited to that single namespace (prod-web) and all he can do is see what pods are running. He cannot modify those running pods, nor can he create new pods. And, of course, he cannot see any pods that might be running in other namespaces.  These restrictions are applied whether Khalil is accessing the Kubernetes cluster via Docker EE’s Universal Control Plane or via the command line using a Docker EE client bundle and Kubectl.

video thumbnail

And, for Saavni, the same restrictions apply to the Swarm services running in our prod-db collection. Additionally, Saavni has no access to any Kubernetes resources, and Khalil has no access to any of the Swarm resources.

video thumbnail

This is a pretty rudimentary example, but it should give you a good idea of the degree of flexibility that Docker EE’s RBAC implementation affords including being able to provide RBAC for both Kubernetes and Swarm using the same management paradigm, as well as having those controls work whether the applications are being managed via the GUI or CLI.

Authentication for Kubernetes Resources

So, how does it all work under the covers for the Kubernetes resources? Docker EE leverages the Kubernetes webhook authentication model. This feature enables the validation of all requests by an outside source. With Docker EE we use the control plane’s RBAC controller, eNZi. Each Kubernetes request, whether issued via the CLI or the GUI, is validated against Docker EE’s authN/authZ database, and then rejected or accepted as appropriate.

The integration of Kubernetes and Docker EE’s access controls is only one of the new features of the upcoming release. We’ve also done a lot of work to integrate Kubernetes with Docker Trusted Registry (as well as adding DTR image mirroring), made major improvements to our HTTP routing functionality.


To learn more about Docker Enterprise:

From Virtualization to Containerization
Learn how to move from monolithic to microservices in this free eBook
Download Now
Radio Cloud Native – Week of May 11th, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news. This week they discussed: Docker Extensions Artificial Intelligence shows signs that it's reaching the common person Google Cloud TPU VMs reach general availability Google buys MobileX, folds into Google Cloud NIST changes Palantir is back, and it's got a Blanket Purchase Agreement at the Department of Health and Human …

Radio Cloud Native – Week of May 11th, 2022
Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!

In the last several weeks we have released two updates to Mirantis Container Cloud - versions 2.16 and 2.17, which bring a number of important changes and enhancements. These are focused on both keeping key components up to date to provide the latest functionality and security fixes, and also delivering new functionalities for our customers to take advantage of in …

Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!
Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]

Cloud environments & Kubernetes are becoming more and more expensive to operate and manage. In this demo-rich workshop, Mirantis and Kubecost demonstrate how to deploy Kubecost as a Helm chart on top of Mirantis Kubernetes Engine. Lens users will be able to visualize their Kubernetes spend directly in the Lens desktop application, allowing users to view spend and costs efficiently …

Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]
Service Mesh for Mere Mortals
A Guide to Istio and How to Use Service Mesh Platforms
Technical training
Learn Kubernetes & OpenStack from Deployment Experts
Prep for certification!
View schedule
The Definitive Guide to Container Platforms