Table of Contents
You've learned the basics of Kubernetes, including how to set up Pods and Deployments to run your applications, and you're now ready to move your organization's workloads into Kubernetes.
You're well on your way towards getting everything running in Kubernetes, but you soon realize that you're restricted in how you can manage access to the cluster—you're missing functionality like tracking who is doing what inside the cluster.
This is when you start looking at Kubernetes access control providers like Teleport and Loft. These tools help you with the very basics of access management, like authenticating and authorizing users by updating the request limits of a specific Pod. However, these tools also provide you with more advanced use cases, like just-in-time access, or simply a better approach to user management.
This article compares the two tools in specific areas like how they handle authentication and authorization, the self-service abilities they provide, and how easy they are to use. By the end, you'll be able to make an informed decision on what tool is best for you.
Comparing the Tools
Before going into a point-by-point comparison of the tools, it's important to note that Teleport and Loft aren't targeting the exact same market. Teleport has positioned itself in the space of infrastructure access, and only infrastructure access. However, it’s not only focused on access to Kubernetes, it also allows you to configure access to other services like SSH.
On the other hand, Loft focuses solely on Kubernetes, but not only on access. Instead, its primary focus is providing an entire self-service platform for Kubernetes with additional capabilities like vclusters, cost optimization, and user empowerment. This comparison focuses on how well each tool performs in specific areas, but these variations in their core goals is definitely something that needs to be kept in mind.
Authentication and Authorization
How well the tools handle authentication and authorization is likely the most important point to compare when discussing access control. On the surface, they handle it very similarly. With both tools, it's possible to integrate into any existing auth provider you may have, like Azure AD or Okta, removing the need to create separate users for your Kubernetes cluster.
You access your Kubernetes clusters by using each tool’s respective CLI tool. With a simple login
command, you’ll have access to your Kubernetes cluster. In both tools, it's easy to use role-based access control (RBAC) and make changes on the fly. Teleport offers just-in-time access, so users can easily request access to the cluster, letting administrators grant access for a short period of time.
If you want support for multifactor authentication (MFA), both tools offer this ability; however only Teleport offers it natively. If you’re setting up Loft using a username and password, it’s not possible to enable MFA. But, if you’re using one of their many SSO integrations, then you can use the MFA capabilities of the SSO provider. On the other hand, Teleport offers MFA for native users inside Teleport.
Self-Service
Engineers have started to pay more and more attention to whether a platform has self-service capabilities. Loft wins in this area, as the entire platform is based around the concept of empowering developers. Once a user is created, they can quickly go in and create their own spaces in a Kubernetes cluster. Spaces are a special feature within the Loft platform and are essentially the same as namespaces, with the one key difference being that they're virtual objects. In practice, this means that your developers are able to work in their own little corner of a Kubernetes cluster, not having to worry about neighboring resources. However, under the hood, they never interact with Namespaces directly. They don't create Namespaces, and they don't delete Namespaces. Something that will sound very attractive to a Kubernetes administrator.
Unfortunately, Teleport doesn't offer such capabilities seeing as how it mainly focuses on a general access control solution and isn't deeply nor exclusively integrated into Kubernetes. So, your decision on what tool you should use will heavily depend on whether you’re looking for a solution only for Kubernetes, or if you need a solution that's available for other platforms as well.
Ease of Setup
The two tools have somewhat different approaches to how they’re set up. Here again, the contrasting core goals of each platform is apparent. As Loft works exclusively with Kubernetes, you need only focus on setting it up in that environment.
The first step to getting started with Loft is downloading their CLI tool. From here you need to run loft start
, and you’ll be guided through the rest of the installation process. Under the hood, it's using a Helm chart to deploy to your cluster, but getting a guided installation reduces the room for errors. Once the installation is done it's already integrated into your Kubernetes cluster, and you can start adding users or integrating with an SSO provider.
Looking at Teleport’s installation instructions, they’re not hugely different. Here, you also use a Helm chart to install the tool, but you’ll be using Helm directly rather than through a guided installation. Next, you can get started creating users or integrating with an SSO provider.
Developer Experience
This is the area where the best tool depends entirely on what your use case and goal is. When it comes to access control, the two tools are very similar. From a developer point of view, the process of getting access to a cluster looks pretty much the same. You use one of the CLI tools from the respective providers, and from there you'll get access to the cluster, should you be authorized.
The biggest factor that comes into play in terms of developer experience is how available the access control service is. Using Teleport, you deploy the auth service and this is where any access requests will go when developers want access to the cluster. It's the same thing with Loft, except Loft has the ability to enable geo-redundancy, which can help you not only increase uptime, but also reduce latency, making for a more stable access control solution.
Conclusion
At this point, you should be able to make a more informed decision on what tool is best for you when it comes to Kubernetes access control. In the end, it mostly comes down to what you want out of the tool. If you strictly want access control and nothing more, then perhaps Teleport is the more viable solution.
However, if you want more capabilities out of the platform, then Loft is without a doubt the better option. You also need to look at whether you want an access control solution that works in a lot of different use cases, or whether you need something that's exclusively dedicated to and deeply integrated with Kubernetes.
Photo by Christian Stahl on Unsplash