Add Cluster Accounts
Now that users can authenticate with Loft, the question is how they get access to the clusters you connected in step 2 of this setup guide.
In Loft, access to a cluster is defined by a cluster account. A cluster account is an object created in each connected cluster that references a user or team and defines which access and restrictions apply. Each connected cluster can run in a different availability zone or even on a different cloud platform, so you can connect, for example, EKS clusters from AWS and GKE clusters from Google Cloud and then give people access only to the clusters they need to work with.
That means that if a user signs in via single sign-on for the first time, they will not automatically have access to any clusters and cannot do anything.
There are 2 ways to create cluster accounts for your users:
- Manually creating and managing a cluster account for each user in each cluster
- Automatically creating accounts for every new user using Account Templates
The two approaches are not mutually exclusive and are generally used in combination: most Loft admins configure option 2 and then manually edit accounts when needed, e.g. to give a user access to a newly connected cluster or to change limits on a per-user basis.
1. Manual Account Management
Accounts are defined on a per-cluster basis, i.e. if a user needs access to 3 clusters, they will need 3 accounts, one for each cluster.
Users in Loft do not automatically have access to clusters. To give a user access to a cluster, you need to create an account for this user within the cluster.
Using kubectl, create a file account.yaml:
apiVersion: tenancy.kiosk.sh/v1alpha1
kind: Account
metadata:
  name: johns-account
  labels:
    # the kubernetes name of the
    # loft user you want to create
    # the account for
    loft.sh/user: my-loft-user
    # loft.sh/team: my-loft-team
spec:
  # Subjects should be empty since loft
  # will sync the subjects automatically
  # from the user or team
  subjects: []
Create the account using kubectl:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl apply -f account.yaml
2. Automation via Account Templates
Loft provides a CRD called ClusterAccountTemplate which lets you automatically create cluster accounts for users when they are created or edited.
2.1 Use Default Account Templates
Loft provides 2 default account templates:
- loft-all-cluster-default, which gives a user access to ALL connected clusters
- loft-all-cluster-admin, which gives a user admin access to ALL connected clusters
You can view and edit these templates by navigating to Users > Account Templates.
The template loft-all-cluster-default is marked as the default template for new users. That means that when you add a new user manually via the UI (not using SSO) and do not remove this template before creating the user, the template is applied and the user gets access to all connected clusters. If that is broader than you intend for a given user, remove the template from the user before saving.
You can mark additional templates to be selected by default by adding the label loft.sh/default-template: "true" to the Kubernetes ClusterAccountTemplate object.
If you configured single sign-on, you may want to give users access to certain clusters when they sign in for the first time, potentially depending on their groups.
To tell Loft to automatically apply certain account templates to new users when they sign in via SSO for the first time, navigate to Admin > Config in Loft and add the following lines to the auth.oidc section of the config:
auth:
  oidc:
    issuerUrl: 'https://my.issuer.com/'
    clientId: CLIENT_ID
    clientSecret: CLIENT_SECRET
    groupsClaim: groups
    getUserInfo: true
    clusterAccountTemplates:               # Apply these templates to every new user
      - name: loft-all-clusters-default    # Name of template 1
        sync: true                         # If enabled Loft will sync changes in the cluster account template to the created accounts
      - name: some-other-account-template  # Name of template 2
        sync: true                         # If enabled Loft will sync changes in the cluster account template to the created accounts
    groupClusterAccountTemplates:          # Apply templates depending on the user's groups
      - group: admin-group                 # Apply if user has group `admin-group` (no trailing colon after the group name)
        clusterAccountTemplates:
          - name: loft-all-clusters-admin  # Name of the account template to apply
            sync: true                     # If enabled Loft will sync changes in the cluster account template to the created accounts
It is usually recommended to enable sync via the clusterAccountTemplates[*].sync or groupClusterAccountTemplates[*].clusterAccountTemplates[*].sync option, as this lets you maintain many accounts and resources from a single cluster account template: Loft watches the cluster account templates and automatically updates all users and teams that use a template as soon as the template changes. Each name value must match the metadata.name of an existing ClusterAccountTemplate exactly, since a misspelled name cannot be applied; compare the names in your config with the templates listed under Users > Account Templates before relying on them.
Loft makes sure that the cluster account templates you specify in clusterAccountTemplates and groupClusterAccountTemplates are synced to the user every time the user's SSO tokens are refreshed (e.g. during login or automatically after a certain time). This means that if you, for example, add a new cluster account template to auth.oidc.clusterAccountTemplates, it will also be applied to already existing users after their credentials are refreshed.
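As an added illustration (not Loft's own code), the following Python script models the mapping rules described above: every SSO user receives the templates listed under auth.oidc.clusterAccountTemplates, and a user whose groups claim contains a mapped group additionally receives that group's templates. It also cross-checks every referenced template name against a constructed set of existing ClusterAccountTemplate names, and flags any admin-level template that the every-user list would hand to any SSO login. The config dict, the template names, the group names and the set of admin templates are constructed sample data mirroring the YAML above; whether Loft de-duplicates a template listed twice is not stated on this page and is an assumption of the model.

```python
"""Dry-run the Loft auth.oidc template mapping for a given set of SSO groups.

Added example modelling the documented behaviour; it is not Loft's code.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: the auth.oidc section of a Loft config as a Python dict,
# i.e. the same shape as the YAML after parsing (clientSecret left out).
SAMPLE_OIDC_CONFIG: Dict = {
    "issuerUrl": "https://my.issuer.com/",
    "clientId": "CLIENT_ID",
    "groupsClaim": "groups",
    "clusterAccountTemplates": [
        {"name": "loft-all-clusters-default", "sync": True},
        {"name": "some-other-account-template", "sync": True},
    ],
    "groupClusterAccountTemplates": [
        {
            "group": "admin-group",
            "clusterAccountTemplates": [
                {"name": "loft-all-clusters-admin", "sync": True},
            ],
        },
    ],
}

# Constructed sample: names of the ClusterAccountTemplate objects that exist
# in the Loft management cluster (compare with Users > Account Templates).
EXISTING_TEMPLATES: Set[str] = {
    "loft-all-clusters-default",
    "loft-all-clusters-admin",
    "some-other-account-template",
}

# Constructed sample (assumption): templates that grant admin-level access and
# therefore should only be mapped via a group, never to every user.
ADMIN_TEMPLATES: Set[str] = {"loft-all-clusters-admin"}


def referenced_templates(oidc: Dict) -> List[Dict]:
    """Flatten every template entry referenced anywhere in the config."""
    entries = list(oidc.get("clusterAccountTemplates", []))
    for mapping in oidc.get("groupClusterAccountTemplates", []):
        entries.extend(mapping.get("clusterAccountTemplates", []))
    return entries


def resolve_templates(oidc: Dict, groups: List[str]) -> List[Tuple[str, bool]]:
    """Return (template name, sync) pairs a user with these groups receives.

    Every-user templates come first, then group-mapped ones in config order.
    A template listed twice is returned once (assumption of this model).
    """
    result: List[Tuple[str, bool]] = []
    seen: Set[str] = set()

    def add(entry: Dict) -> None:
        if entry["name"] not in seen:
            seen.add(entry["name"])
            result.append((entry["name"], bool(entry.get("sync", False))))

    for entry in oidc.get("clusterAccountTemplates", []):
        add(entry)
    user_groups = set(groups)
    for mapping in oidc.get("groupClusterAccountTemplates", []):
        if mapping.get("group") in user_groups:
            for entry in mapping.get("clusterAccountTemplates", []):
                add(entry)
    return result


def unknown_template_names(oidc: Dict, existing: Set[str]) -> List[str]:
    """Names referenced in the config with no matching template object."""
    return sorted({e["name"] for e in referenced_templates(oidc)} - existing)


def admin_templates_for_everyone(oidc: Dict, admin: Set[str]) -> List[str]:
    """Admin templates that the every-user list would hand to any SSO login."""
    return [e["name"] for e in oidc.get("clusterAccountTemplates", [])
            if e["name"] in admin]


if __name__ == "__main__":
    for groups in (["developers"], ["developers", "admin-group"]):
        print(groups, "->", resolve_templates(SAMPLE_OIDC_CONFIG, groups))
    print("unknown names:", unknown_template_names(SAMPLE_OIDC_CONFIG, EXISTING_TEMPLATES))
    print("admin for everyone:", admin_templates_for_everyone(SAMPLE_OIDC_CONFIG, ADMIN_TEMPLATES))
```

Run it against your own auth.oidc section (parsed into a dict) and the template names from Users > Account Templates before enabling SSO: an empty result from unknown_template_names and from admin_templates_for_everyone is what you want to see.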
2.2 Custom Account Templates
Besides the two default ClusterAccountTemplates, you can add your own templates, e.g. for giving users access to only a specific set of clusters based on their groups. Learn more about adding your own custom ClusterAccountTemplates here.