Merge pull request #151 from samdulam/upgrade-docs

access control and labels
pull/152/head
samdulam 2021-05-17 15:03:27 +12:00 committed by GitHub
commit 2abc42c82d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 158 additions and 0 deletions

Binary file not shown.


Binary file not shown.


Binary file not shown.


@ -0,0 +1,23 @@
# :fontawesome-solid-users-cog: Access Control
All docker or docker swarm resources created through Portainer except images have Access Control settings. You can set these at the time of creation or later on as needed. Any resources created through a stack or service will inherit the same access as the parent. Below are examples of different sets of Access Controls you can have.
### Administrators Only
![Access Control](assets/AccessControl1.png)
The is an example Create Stack screen, deploys a stack with Access Control Enabled and only Portainer Administrators will have access to the Stack and any Resources created through the stack (eg. Containers/Services/Volumes/Networks/Secrets etc)
### Public
![Access Control](assets/AccessControl2.png)
This is an example Create Service Screen, deploys a service with Access Control disabled. All Portainer Users will have access to the service and any resources created through the service (eg. Containers/Volumes/Networks/Secrets etc)
### Restricted to Specific Groups/Users
![Access Control](assets/AccessControl3.png)
This is an example Create Container Screen, deploys a Container with Access Control Enabled. Once you select the Restricted option, you may select 'one or more teams' and or 'one or more users' to have access to the Resource.
## :material-note-text: Notes
[Contribute to these docs](https://github.com/portainer/portainer-docs/blob/master/contributing.md){target=\_blank}
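
Review bot: The paragraph under "### Administrators Only" opens with "The is an example Create Stack screen, deploys a stack ...", which has a typo ("The" for "This") and a comma splice. Suggest "This is an example Create Stack screen. It deploys a stack with Access Control enabled, so only Portainer Administrators have access to the stack and any resources created through it." The same "This is an example ... Screen, deploys ..." run-on appears under "### Public" and "### Restricted to Specific Groups/Users", and "and or" in the last paragraph should read "and/or".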


@ -0,0 +1,53 @@
# :fontawesome-solid-users-cog: Access Control
Any resources deployed to docker or docker swarm outside of Portainer will be marked as external and you will have limited control over these resources. You can still enable Access Control on these using Labels.
By default any resources deployed outside of Portainer has Administrator Only access. You can control access using Labels:
| Label | Description | Notes |
|-------|-------------|-------|
| io.portainer.accesscontrol.public | All portainers users have access to the resource(s) | Takes precedence over team/user assignments |
| io.portainer.accesscontrol.teams=dev,prod | Access restricted to Teams dev and prod only | Can be used in conjunction with io.portainer.accesscontrol.users |
| io.portainer.accesscontrol.users=bob,adam | Access restricted to users bob and adam only | Can be used in conjunction with io.portainer.accesscontrol.teams |
## Examples
1. Deploy a stack using docker-compose and restrict access to Teams `dev` and `prod`
```yaml
version: '3.2'
services:
ltest:
image: busybox:latest
command: "ping localhost"
labels:
io.portainer.accesscontrol.teams: dev,prod
```
2. Deploy a stack using docker cli and restrict access to Team `testers` and Users `bob` and `adam`
```yaml
version: '3.2'
services:
ltest:
image: busybox:latest
command: "ping localhost"
labels:
io.portainer.accesscontrol.teams: testers
io.portainer.accesscontrol.users: bob,adam
```
3. Deploy a container using docker cli and make it accessible to all Portainer Users
```shell
docker run -d --label io.portainer.accesscontrol.public nginx:latest
```
4. Deploy a container using docker cli and restrict access to Teams `dev` and `prod` and Users `bob`
```shell
docker run -d --label io.portainer.accesscontrol.teams=dev,prod --label io.portainer.accesscontrol.users=bob nginx:latest
```
## :material-note-text: Notes
[Contribute to these docs](https://github.com/portainer/portainer-docs/blob/master/contributing.md){target=\_blank}
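
Review bot: Example 2 is titled "Deploy a stack using docker cli" but the block under it is a compose file fenced as yaml, the same form as example 1, so the title and the content disagree. Either retitle it to docker-compose or show the CLI command that deploys the file. In the intro, "any resources deployed outside of Portainer has Administrator Only access" should use "have", and "All portainers users" in the first table row should be "All Portainer users".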

Binary file not shown.


Binary file not shown.


Binary file not shown.


@ -0,0 +1,23 @@
# :fontawesome-solid-users-cog: Access Control
All docker or docker swarm resources created through Portainer except images have Access Control settings. You can set these at the time of creation or later on as needed. Any resources created through a stack or service will inherit the same access as the parent. Below are examples of different sets of Access Controls you can have.
### Administrators Only
![Access Control](assets/AccessControl1.png)
The is an example Create Stack screen, deploys a stack with Access Control Enabled and only Portainer Administrators will have access to the Stack and any Resources created through the stack (eg. Containers/Services/Volumes/Networks/Secrets etc)
### Public
![Access Control](assets/AccessControl2.png)
This is an example Create Service Screen, deploys a service with Access Control disabled. All Portainer Users will have access to the service and any resources created through the service (eg. Containers/Volumes/Networks/Secrets etc)
### Restricted to Specific Groups/Users
![Access Control](assets/AccessControl3.png)
This is an example Create Container Screen, deploys a Container with Access Control Enabled. Once you select the Restricted option, you may select 'one or more teams' and or 'one or more users' to have access to the Resource.
## :material-note-text: Notes
[Contribute to these docs](https://github.com/portainer/portainer-docs/blob/master/contributing.md){target=\_blank}
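
Review bot: The heading levels jump from the H1 title straight to "### Administrators Only", "### Public" and "### Restricted to Specific Groups/Users", while "## :material-note-text: Notes" is an H2, so the three scenarios render below the level of the Notes section. Promote the scenario headings to H2. The "### Public" paragraph should also say outright that disabling Access Control exposes the listed resources, Secrets included, to every Portainer user, since it is the only one of the three settings that widens access.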


@ -0,0 +1,53 @@
# :fontawesome-solid-users-cog: Access Control
Any resources deployed to docker or docker swarm outside of Portainer will be marked as external and you will have limited control over these resources. You can still enable Access Control on these using Labels.
By default any resources deployed outside of Portainer has Administrator Only access. You can control access using Labels:
| Label | Description | Notes |
|-------|-------------|-------|
| io.portainer.accesscontrol.public | All portainers users have access to the resource(s) | Takes precedence over team/user assignments |
| io.portainer.accesscontrol.teams=dev,prod | Access restricted to Teams dev and prod only | Can be used in conjunction with io.portainer.accesscontrol.users |
| io.portainer.accesscontrol.users=bob,adam | Access restricted to users bob and adam only | Can be used in conjunction with io.portainer.accesscontrol.teams |
## Examples
1. Deploy a stack using docker-compose and restrict access to Teams `dev` and `prod`
```yaml
version: '3.2'
services:
ltest:
image: busybox:latest
command: "ping localhost"
labels:
io.portainer.accesscontrol.teams: dev,prod
```
2. Deploy a stack using docker cli and restrict access to Team `testers` and Users `bob` and `adam`
```yaml
version: '3.2'
services:
ltest:
image: busybox:latest
command: "ping localhost"
labels:
io.portainer.accesscontrol.teams: testers
io.portainer.accesscontrol.users: bob,adam
```
3. Deploy a container using docker cli and make it accessible to all Portainer Users
```shell
docker run -d --label io.portainer.accesscontrol.public nginx:latest
```
4. Deploy a container using docker cli and restrict access to Teams `dev` and `prod` and Users `bob`
```shell
docker run -d --label io.portainer.accesscontrol.teams=dev,prod --label io.portainer.accesscontrol.users=bob nginx:latest
```
## :material-note-text: Notes
[Contribute to these docs](https://github.com/portainer/portainer-docs/blob/master/contributing.md){target=\_blank}
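
Review bot: The table row for io.portainer.accesscontrol.public says it "Takes precedence over team/user assignments", but none of the four examples covers that combination and the consequence is left implicit. Add a sentence stating that a resource carrying the public label is open to all Portainer users even when teams or users labels are also present, so a leftover public label overrides the intended restriction. The Label column also mixes keys with sample values ("io.portainer.accesscontrol.teams=dev,prod"); list the bare key there and describe the comma-separated value format in the Description column.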


@ -157,6 +157,9 @@ nav:
- 'Secrets':
- 'Add a new secret' : 'v2.0/secrets/add.md'
- 'Delete secrets' : 'v2.0/secrets/delete.md'
- 'Access Control':
- 'Resources Deployed through Portainer': 'v2.0/access/inportainer.md'
- 'Resources Deployed outside of Portainer': 'v2.0/access/outofportainer.md'
- Kubernetes:
- 'Applications':
- 'Deploy a new application' : 'v2.0/kubernetes/applications/create.md'
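
Review bot: The two entries added under 'Access Control' write the mapping with no space before the colon ('Resources Deployed through Portainer': 'v2.0/access/inportainer.md'), while the neighbouring entries use a space on both sides ('Add a new secret' : 'v2.0/secrets/add.md'). Match the existing spacing so the nav block stays uniform.
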
@ -231,6 +234,9 @@ nav:
- 'Secrets':
- 'Add a new secret' : 'v2.0-be/secrets/add.md'
- 'Delete secrets' : 'v2.0-be/secrets/delete.md'
- 'Access Control':
- 'Resources Deployed through Portainer': 'v2.0-be/access/inportainer.md'
- 'Resources Deployed outside of Portainer': 'v2.0-be/access/outofportainer.md'
- Kubernetes:
- 'Applications':
- 'Deploy a new application' : 'v2.0-be/kubernetes/applications/create.md'
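
Review bot: The new titles 'Resources Deployed through Portainer' and 'Resources Deployed outside of Portainer' use title case, whereas the sibling entries visible in this nav ('Add a new secret', 'Delete secrets', 'Deploy a new application') use sentence case. Suggest 'Resources deployed through Portainer' and 'Resources deployed outside of Portainer'.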