Isolate swarm nodes to a specific team
Estimated reading time: 6 minutesThese are the docs for UCP version 2.2.4
To select a different version, use the selector below.
With Docker EE Advanced, you can enable physical isolation of resources
by organizing nodes into collections and granting Scheduler
access for
different users. To control access to nodes, move them to dedicated collections
where you can grant access to specific users, teams, and organizations.
In this example, a team gets access to a node collection and a resource collection, and UCP access control ensures that the team members can’t view or use swarm resources that aren’t in their collection.
You need a Docker EE Advanced license and at least two worker nodes to complete this example.
- Create an
Ops
team and assign a user to it. - Create a
/Prod
collection for the team’s node. - Assign a worker node to the
/Prod
collection. - Grant the
Ops
teams access to its collection.
Create a team
In the web UI, navigate to the Organizations & Teams page to create a team named “Ops” in your organization. Add a user who isn’t a UCP administrator to the team. Learn to create and manage teams.
Create a node collection and a resource collection
In this example, the Ops team uses an assigned group of nodes, which it accesses through a collection. Also, the team has a separate collection for its resources.
Create two collections: one for the team’s worker nodes and another for the team’s resources.
- Navigate to the Collections page to view all of the resource collections in the swarm.
- Click Create collection and name the new collection “Prod”.
- Click Create to create the collection.
- Find Prod in the list, and click View children.
- Click Create collection, and name the child collection “Webserver”. This creates a sub-collection for access control.
You’ve created two new collections. The /Prod
collection is for the worker
nodes, and the /Prod/Webserver
sub-collection is for access control to
an application that you’ll deploy on the corresponding worker nodes.
Move a worker node to a collection
By default, worker nodes are located in the /Shared
collection.
Worker nodes that are running DTR are assigned to the /System
collection.
To control access to the team’s nodes, move them to a dedicated collection.
Move a worker node by changing the value of its access label key,
com.docker.ucp.access.label
, to a different collection.
- Navigate to the Nodes page to view all of the nodes in the swarm.
- Click a worker node, and in the details pane, find its Collection.
If it’s in the
/System
collection, click another worker node, because you can’t move nodes that are in the/System
collection. By default, worker nodes are assigned to the/Shared
collection. - When you’ve found an available node, in the details pane, click Configure.
- In the Labels section, find
com.docker.ucp.access.label
and change its value from/Shared
to/Prod
. - Click Save to move the node to the
/Prod
collection.
Docker EE Advanced required
If you don’t have a Docker EE Advanced license, you’ll get the following error message when you try to change the access label: Nodes must be in either the shared or system collection without an advanced license. Get a Docker EE Advanced license.
Grant access for a team
You’ll need two grants to control access to nodes and container resources:
- Grant the
Ops
team theRestricted Control
role for the/Prod/Webserver
resources. - Grant the
Ops
team theScheduler
role against the nodes in the/Prod
collection.
Create two grants for team access to the two collections:
- Navigate to the Grants page and click Create Grant.
- In the left pane, click Collections, and in the Swarm collection, click View Children.
- In the Prod collection, click View Children.
- In the Webserver collection, click Select Collection.
- In the left pane, click Roles, and select Restricted Control in the dropdown.
- Click Subjects, and under Select subject type, click Organizations.
- Select your organization, and in the Team dropdown, select Ops.
- Click Create to grant the Ops team access to the
/Prod/Webserver
collection.
The same steps apply for the nodes in the /Prod
collection.
- Navigate to the Grants page and click Create Grant.
- In the left pane, click Collections, and in the Swarm collection, click View Children.
- In the Prod collection, click Select Collection.
- In the left pane, click Roles, and in the dropdown, select Scheduler.
- In the left pane, click Subjects, and under Select subject type, click Organizations.
- Select your organization, and in the Team dropdown, select Ops .
- Click Create to grant the Ops team
Scheduler
access to the nodes in the/Prod
collection.
Deploy a service as a team member
Your swarm is ready to show role-based access control in action. When a user
deploys a service, UCP assigns its resources to the user’s default collection.
From the target collection of a resource, UCP walks up the ancestor collections
until it finds nodes that the user has Scheduler
access to. In this example,
UCP assigns the user’s service to the /Prod/Webserver
collection and schedules
tasks on nodes in the /Prod
collection.
As a user on the Ops team, set your default collection to /Prod/Webserver
.
- Log in as a user on the Ops team.
- Navigate to the Collections page, and in the Prod collection, click View Children.
- In the Webserver collection, click the More Options icon and select Set to default.
Deploy a service automatically to worker nodes in the /Prod
collection.
All resources are deployed under the user’s default collection,
/Prod/Webserver
, and the containers are scheduled only on the nodes under
/Prod
.
- Navigate to the Services page, and click Create Service.
- Name the service “NGINX”, use the “nginx:latest” image, and click Create.
- When the nginx service status is green, click the service. In the details view, click Inspect Resource, and in the dropdown, select Containers.
-
Click the NGINX container, and in the details pane, confirm that its Collection is /Prod/Webserver.
- Click Inspect Resource, and in the dropdown, select Nodes.
-
Click the node, and in the details pane, confirm that its Collection is /Prod.
Alternative: Use a grant instead of the default collection
Another approach is to use a grant instead of changing the user’s default
collection. An administrator can create a grant for a role that has the
Service Create
permission against the /Prod/Webserver
collection or a child
collection. In this case, the user sets the value of the service’s access label,
com.docker.ucp.access.label
, to the new collection or one of its children
that has a Service Create
grant for the user.
Where to go next
- Node access control in Docker EE Advanced
- Isolate volumes between two different teams
- Deploy a service with view-only access across an organization