Configure applicable cluster role-based access control policies

docker

Classification: compliance

Framework: cis-docker

Control: 8.1.4

Set up the docker integration.

Description

The Universal Control Plane (UCP) provides robust role-based access control (RBAC) capabilities that can be used to further harden a deployment. Building on the default set of RBAC components, which includes subjects, roles, resource collections, and grants, an appropriate RBAC model should be developed that aligns with your organization’s IT security policies. This involves creating custom roles and collections.

Rationale

The RBAC functionality provided by UCP includes a set of defaults that should be customized to satisfy your organization’s security requirements. The following roles are included by default: None, View Only, Restricted Control, Scheduler, and Full Control. While these default roles cover a number of simple management and application deployment scenarios, they are too broad with regard to the permissions each allocates. As such, custom roles should be created to extend these defaults.

Audit

The UCP “User Management” UI can be used to validate that the configured RBAC model satisfies the requirements of your organization.
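The check above is described as a manual review in the UI. The following is an added example (not Docker's or UCP's own code) that models the four RBAC components named in the Description (subjects, roles, resource collections, grants) and applies the Rationale as a policy: flag any grant of Full Control to a non-admin subject, any broad built-in role granted on the root collection (which cascades to every child collection), any grant referencing a role that is neither a built-in nor a declared custom role, and a model that uses no custom roles at all. The JSON export shape, the `admin` subject name, the `ci-deployer` custom role, and the finding codes are assumptions made for this example; the grant list is constructed and is not UCP's real export format.

```python
"""Audit a UCP-style RBAC grant model for overly broad default-role usage.

Added example, not Docker's or UCP's own code. The JSON layout below is a
constructed stand-in for an RBAC export, not UCP's actual API format.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Built-in UCP roles named on the page, from least to most privileged.
DEFAULT_ROLES = ["None", "View Only", "Restricted Control", "Scheduler", "Full Control"]

# Built-in roles the Rationale treats as too broad for ordinary subjects.
BROAD_ROLES = {"Restricted Control", "Scheduler", "Full Control"}

# Subjects permitted to hold Full Control (assumption for this example).
ADMIN_SUBJECTS = {"admin"}

# Constructed sample export: one declared custom role and six grants.
SAMPLE_EXPORT = """
{
  "custom_roles": ["ci-deployer"],
  "grants": [
    {"subject": "admin",    "role": "Full Control", "collection": "/"},
    {"subject": "dev-team", "role": "Full Control", "collection": "/Shared/dev"},
    {"subject": "ci-bot",   "role": "ci-deployer",  "collection": "/Shared/prod"},
    {"subject": "auditors", "role": "View Only",    "collection": "/"},
    {"subject": "interns",  "role": "Scheduler",    "collection": "/"},
    {"subject": "ops",      "role": "Deployer",     "collection": "/Shared/prod"}
  ]
}
"""


@dataclass(frozen=True)
class Grant:
    subject: str      # user, team or organization
    role: str         # built-in or custom role name
    collection: str   # resource collection path; "/" is the root


def load_export(raw_json: str) -> tuple[list[Grant], set[str]]:
    """Parse the constructed export into Grant records and declared custom roles."""
    data = json.loads(raw_json)
    grants = [Grant(g["subject"], g["role"], g["collection"]) for g in data["grants"]]
    return grants, set(data.get("custom_roles", []))


def audit_grants(grants: list[Grant], custom_roles: set[str]) -> list[tuple[str, str]]:
    """Return (finding_code, subject) pairs; an empty list means the model passes."""
    findings: list[tuple[str, str]] = []
    known_roles = set(DEFAULT_ROLES) | custom_roles
    for g in grants:
        if g.role not in known_roles:
            # A grant pointing at an undefined role is a configuration error.
            findings.append(("unknown-role", g.subject))
        elif g.role == "Full Control" and g.subject not in ADMIN_SUBJECTS:
            # Full Control anywhere is reserved for admin subjects.
            findings.append(("full-control-non-admin", g.subject))
        elif g.role in BROAD_ROLES and g.collection == "/" and g.subject not in ADMIN_SUBJECTS:
            # A broad role on "/" applies to every collection beneath it.
            findings.append(("broad-role-on-root", g.subject))
    if not any(g.role in custom_roles for g in grants):
        # The control expects the defaults to be extended with custom roles.
        findings.append(("no-custom-roles", "*"))
    return findings


def audit_export(raw_json: str) -> list[tuple[str, str]]:
    """Convenience wrapper: parse an export and audit it in one call."""
    grants, custom_roles = load_export(raw_json)
    return audit_grants(grants, custom_roles)


if __name__ == "__main__":
    for code, subject in audit_export(SAMPLE_EXPORT):
        print(f"{code}: {subject}")
```

Run against the constructed sample, the audit flags `dev-team` (Full Control outside the admin set), `interns` (Scheduler on the root collection) and `ops` (undefined role `Deployer`), while the admin's root grant, the auditors' View Only grant and the custom-role grant pass. Swapping `SAMPLE_EXPORT` for a real grant listing would require adapting `load_export` to whatever format your UCP version exposes.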

Remediation

UCP RBAC components can be configured as required via the UCP “User Management” UI.

Impact

None

Default value

None

References

  1. https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/
  2. https://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices#ucpsecurity

CIS controls

None