RBAC & Regex Permissions

On a shared host, you usually do not want every developer seeing every container. Assign allowed_containers patterns per user: exact names, wildcards, or full regex.

Action rights (two layers)

First enable the action on the server (ALLOW_START, ALLOW_STOP, ALLOW_RESTART, ALLOW_DELETE, ALLOW_SHELL). Then grant the matching can_* flag to each user in Admin. Both must be true, including for administrators.

Pattern matching

Exact name match

A plain string like redis matches only a container named exactly redis.

Wildcard matching

backend-* matches backend-api and backend-worker. *redis* matches any name containing redis.

Full regular expressions

Patterns with ^ or $ are treated as raw regex. Example: ^prod-.*-app$.

Multiple rules per user

Separate patterns with a comma (e.g. backend-*, *web-server, ^nginx-prod$). The user sees containers matching any rule.
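
To preview what a rule list exposes before assigning it to a user, the sketch below applies the container matching rules described above to a constructed container list. It is an added example, not DockLog's own code; the function names, the sample container names, and the use of search semantics for raw regex are assumptions.

```python
import re


def compile_rule(rule):
    """Turn one allowed_containers rule into a predicate over container names."""
    rule = rule.strip()
    if "^" in rule or "$" in rule:
        # Page: patterns with ^ or $ are raw regex. Assumption: evaluated with
        # search(), so a side left unanchored stays open.
        rx = re.compile(rule)
        return lambda name: rx.search(name) is not None
    if "*" in rule:
        # Wildcard: * matches any run of characters, everything else is
        # literal, and the whole name must match.
        rx = re.compile(".*".join(re.escape(part) for part in rule.split("*")))
        return lambda name: rx.fullmatch(name) is not None
    return lambda name: name == rule  # exact name


def visible_containers(allowed_containers, names):
    """Return the names matched by any comma-separated rule, in input order."""
    rules = [compile_rule(r) for r in allowed_containers.split(",") if r.strip()]
    return [n for n in names if any(rule(n) for rule in rules)]


# Constructed sample inventory for a shared host.
SAMPLE = ["redis", "redis-cache", "backend-api", "backend-worker",
          "prod-billing-app", "prod-billing-app-debug", "nginx-prod",
          "staging-web-server"]

if __name__ == "__main__":
    for rules in ["redis", "*redis*", "backend-*, *web-server, ^nginx-prod$",
                  "^prod-.*-app$", "^prod-"]:
        print(f"{rules!r:42} -> {visible_containers(rules, SAMPLE)}")
```

Under the search assumption, a rule such as ^prod- with no $ also matches prod-billing-app-debug, so anchor both ends when the rule is meant to cover a fixed set of names.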

Kubernetes patterns

When RUNTIME_MODE is kubernetes or both, the same allowed_containers field controls namespace and pod visibility. Patterns can match namespace names, pod names, or namespace/pod paths.

Namespace access

staging or prod grants visibility to every pod in that namespace.

Pods in a namespace

staging/api-* matches pods whose names start with api- in namespace staging.

Pod name across namespaces

*-worker-* matches pod names containing -worker- in any namespace the user can see.

Instance-level K8S_NAMESPACES further limits which namespaces DockLog queries. See the Kubernetes guide for setup and UI overview.
