Clusters
With Loft, you can manage clusters, cluster access, namespaces, virtual clusters as well as applications running inside your connected clusters.
Connect Clusters
To manage a cluster within Loft, you must first connect the cluster to your Loft instance. You can also connect the cluster that Loft is running inside (Loft cluster), so you can manage this cluster using Loft as well.
Loft Cluster
To manage the cluster where Loft is running (the Loft cluster) using Loft, you need to connect it. You can skip this step if you only want to connect other clusters. However, it is often useful to connect the Loft cluster so that you can manage it using Loft, even if you do not want to make it available to the rest of your team.
- UI
- kubectl
In the Loft UI, navigate to "Clusters" and click the Connect Cluster button.
STEP 1
Define Cluster Name
Enter a name for your cluster. This name must be a Kubernetes-compatible object name, i.e. only lowercase characters and dashes are allowed.
Cluster names should tell engineers what the cluster is used for and where it is located, e.g. gke-prod, gke-dev-tpu-us-1, eks-dev-us-west-1.
STEP 2
Connect Loft cluster
Since Loft already has access to the cluster it is running inside, you will see a special button Connect loft cluster which will let you connect the management cluster with a single click.
Loft is designed as a Kubernetes extension and provides Custom Resource Definitions for everything, so you can also connect a cluster using kubectl. The UI of Loft also uses kubectl under the hood, not just to connect clusters but also for anything else you can configure with the UI.
STEP 1
Create File: cluster.yaml
apiVersion: management.loft.sh/v1
kind: Cluster
metadata:
  name: loft-cluster
spec:
  config: {}
  local: true
STEP 2
Create Cluster Object
# IMPORTANT: Run this command inside the Loft management cluster
kubectl apply -f cluster.yaml
After creating the cluster resource, the Loft controller will detect the new cluster and initialize it, i.e. it will install the kiosk helm chart into the cluster. To check if the cluster has been initialized, run:
kubectl get cluster -o custom-columns=NAME:metadata.name,PHASE:status.phase
Other Clusters
- UI
- kubectl
In the Loft UI, navigate to "Clusters" and click the Connect Cluster button.
STEP 1
Define Cluster Name
Enter a name for your cluster. This name must be a Kubernetes-compatible object name, i.e. only lowercase characters and dashes are allowed.
Cluster names should tell engineers what the cluster is used for and where it is located, e.g. gke-prod, gke-dev-tpu-us-1, eks-dev-us-west-1.
STEP 2
Generate Kube-Config
To give Loft access to a cluster, you need to provide a kube-config for this cluster.
Option A: To automatically create a kube-config using Loft CLI, run the following command:
loft generate admin-kube-config
Make sure you are in the right cluster/context before executing the command shown above.
If you try to connect a Rancher provisioned cluster, please make sure you are using the Authorized Cluster Endpoint for the cluster you wish to connect. Otherwise, you'll experience problems with authentication as the default Rancher proxy authentication endpoint does not correctly support impersonation.
Option B: To manually create a kube-config, you need to:
- Create a ServiceAccount
- Create a ClusterRoleBinding to bind the ServiceAccount to the ClusterRole cluster-admin
- Create a kube-config for the cluster using the token of the ServiceAccount created above
STEP 3
Enter Kube-Config & Connect
Enter the kube-config into the textarea and click the Connect button.
STEP 1
Generate Kube-Config
To give Loft access to a cluster, you need to provide a kube-config for this cluster.
Option A: To automatically create a kube-config using Loft CLI, run the following command:
loft generate admin-kube-config
Make sure you are in the right cluster/context before executing the command shown above.
If you try to connect a Rancher provisioned cluster, please make sure you are using the Authorized Cluster Endpoint for the cluster you wish to connect. Otherwise, you'll experience problems with authentication as the default Rancher proxy authentication endpoint does not correctly support impersonation.
Option B: To manually create a kube-config, you need to:
- Create a ServiceAccount
- Create a ClusterRoleBinding to bind the ServiceAccount to the ClusterRole cluster-admin
- Create a kube-config for the cluster using the token of the ServiceAccount created above
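Option B, in both the UI and kubectl workflows above, worked through as an added example (not taken from the Loft documentation). The names loft-admin, kube-system, target and the output file name are assumptions; a token Secret is created explicitly because Kubernetes 1.24 and later no longer generate one automatically for a ServiceAccount.

```shell
#!/bin/sh
# Assumed names for illustration; they are not defined by Loft.
SA_NAME="${SA_NAME:-loft-admin}"
SA_NAMESPACE="${SA_NAMESPACE:-kube-system}"

# ServiceAccount, a long-lived token Secret for it, and the cluster-admin binding.
render_manifests() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: ${SA_NAME}, namespace: ${SA_NAMESPACE}}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NAMESPACE}
  annotations: {kubernetes.io/service-account.name: ${SA_NAME}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: ${SA_NAME}-cluster-admin}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cluster-admin}
subjects:
- {kind: ServiceAccount, name: ${SA_NAME}, namespace: ${SA_NAMESPACE}}
EOF
}

# Kube-config built from: $1 API server URL, $2 base64 CA bundle, $3 bearer token.
render_kubeconfig() {
cat <<EOF
apiVersion: v1
kind: Config
clusters:
- {name: target, cluster: {server: "$1", certificate-authority-data: "$2"}}
contexts:
- {name: target, context: {cluster: target, user: ${SA_NAME}}}
current-context: target
users:
- {name: ${SA_NAME}, user: {token: "$3"}}
EOF
}

# Against the cluster to be connected (requires kubectl; not executed here):
#   render_manifests | kubectl apply -f -
#   TOKEN=$(kubectl -n "$SA_NAMESPACE" get secret "$SA_NAME-token" -o jsonpath='{.data.token}' | base64 -d)
#   CA=$(kubectl -n "$SA_NAMESPACE" get secret "$SA_NAME-token" -o jsonpath='{.data.ca\.crt}')
#   SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
#   render_kubeconfig "$SERVER" "$CA" "$TOKEN" > admin-kube-config.yaml
```

The resulting file carries a cluster-admin bearer token, so handle it like any other admin credential. Deleting the ServiceAccount or its token Secret in the target cluster invalidates the token.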
STEP 2
Create File: cluster.yaml
apiVersion: management.loft.sh/v1
kind: Cluster
metadata:
  name: some-cluster
spec:
  config:
    PASTE_KUBE_CONFIG_HERE
STEP 3
Create Cluster Object
# IMPORTANT: Run this command inside the Loft management cluster
kubectl apply -f cluster.yaml
After creating the cluster resource, the Loft controller will detect the new cluster and initialize it, i.e. it will install the kiosk helm chart into the cluster. To check if the cluster has been initialized, run:
kubectl get cluster -o custom-columns=NAME:metadata.name,PHASE:status.phase
Disconnect Clusters
With Loft, you can disconnect clusters with a single click or command.
Disconnecting a cluster will not remove anything from the cluster. It will only remove the credentials (kube-config) saved in Loft for connecting to the cluster. After disconnecting a cluster, you can simply reconnect it and everything will still be there: namespaces, apps, cluster account, account quotas, etc.
- UI
- kubectl
Run the following command to disconnect a cluster:
# IMPORTANT: Make sure you are using the context of the Loft cluster to run this command
kubectl delete cluster [CLUSTER_NAME]
Reconnect
Because Loft saves the entire state of a cluster within the cluster itself, you can disconnect and simply reconnect a cluster without data loss.
Advanced Workflows
Reset Connected Cluster
Loft allows you to reset certain parts of a connected cluster, such as:
- default cluster roles: If specified, Loft will reset the default cluster roles in the target cluster used to determine RBAC permissions for Loft users and teams
- default templates: If specified, Loft will reset the default kiosk templates (limit-range and network-policy)
- kiosk: If specified, Loft will delete and reinstall the kiosk chart into the target cluster
To reset a cluster, navigate to the Clusters view and click the Reset button in the Actions column.
Disable Loft Agent
There might be cases where you don't want Loft to automatically handle loft-agent updates for you and you want to manually install or upgrade the loft agent. This can be achieved either by setting the environment variable DISABLE_AGENT to true in the Loft container or by setting the annotation loft.sh/cluster-ignore-agent: 'true' on a connected cluster.
If you do not install loft agent into a connected cluster at all, certain functionality, such as Spaces, Virtual Clusters, Apps, Accounts, Account Quotas & Security Templates will not be available in the cluster.