Node access control in Docker EE AdvancedEstimated reading time: 1 minute
These are the docs for UCP version 2.2.18
To select a different version, use the selector below.
The ability to segment scheduling and visibility by node is called
node access control and is a feature of Docker EE Advanced. By default,
all nodes that aren’t infrastructure nodes (UCP & DTR nodes) belong to a
built-in collection called
/Shared. By default, all application workloads
in the cluster will get scheduled on nodes in the
/Shared collection. This
includes users that are deploying in their private collections
/Shared/Private/) and in any other collections under
/Shared. This is
enabled by a built-in grant that grants every UCP user the
capability against the
Node Access Control works by placing nodes into custom collections outside of
/Shared. If the
scheduler capability is granted via a role to a user or
group of users against a collection, they can schedule
containers and services on these nodes. In the following example, users with
scheduler capability against
/collection1 can schedule
applications on those nodes.
In the directory these collections lie outside of the
collection so users without grants will not have access to these collections
unless explicitly granted access. These users can only deploy
applications on the built-in
/Shared collection nodes.
The tree representation of this collection structure looks like this:
/ ├── Shared ├── System ├── collection1 └── collection2 ├── sub-collection1 └── sub-collection2
With the use of default collections, users, teams, and organizations can be constrained to what nodes and physical infrastructure they are capable of deploying on.