Spaces / Namespaces

Spaces are virtual objects which represent namespaces in a Kubernetes cluster. The advantage of letting engineers work with spaces is that you can give them the permission to list/get/create/delete spaces without having to give them the permission to list/get/create/delete namespaces.

While engineers work with spaces, Loft handles the underlying operations on the actual namespaces and enforces the restrictions that admins define for users, e.g. limting the number of spaces/namespaces.

Create Spaces

UI

Loft UI - Create Space

Creating spaces in the UI is easy but to actually use the space, a cluster user needs a valid kube-context which most non-admin users do not have by default. To get a kube-context limited to a certain space, run the following command using the CLI:

loft use space [SPACE_NAME]

How does it work?

To provide access to a space/namespace, Loft creates a new RBAC role binding for the Loft user. This is done in a way that this user can only access objects within this and other namespaces the user has access to. Then, Loft generates a kube-context using an access key and adds it to the ~/.kube/config file on the user's computer.

CLI

To create a space using the Loft CLI, run:

loft create space [SPACE_NAME]

Creating a space with the CLI will automatically set up a kube-context for this space on your computer, so you can immediately run kubectl, helm or any other commands that may use this namespace.

How does it work?

To provide access to a space/namespace, Loft creates a new RBAC role binding for the Loft user. This is done in a way that this user can only access objects within this and other namespaces the user has access to. Then, Loft generates a kube-context using an access key and adds it to the ~/.kube/config file on the user's computer.

kubectl

Create file space.yaml:

apiVersion: tenancy.kiosk.sh/v1alpha1
kind: Space
metadata:
  name: some-space-name

Create the space using kubectl:

kubectl apply -f space.yaml

Kube-Context Required

Using kubectl to create spaces requires you to have a valid kube-context. This is mainly useful for GitOps based provisioning of spaces.

Delete Spaces

UI

Loft UI - Delete Space

No Kube-Context Cleanup

This will not clean up the local kube-context you may have for this space. Only when removing a space using the Loft CLI, the local kube-context will also be removed from your ~/.kube/config file.

CLI

To delete a space using the Loft CLI, run:

loft delete space [SPACE_NAME]

Running this command will also remove the corresponding kube-context from the local ~/.kube/config file.

kubectl

Delete a space using kubectl:

kubectl delete space [SPACE_NAME]

No Kube-Context Cleanup

This will not clean up the local kube-context you may have for this space. Only when removing a space using the Loft CLI, the local kube-context will also be removed from your ~/.kube/config file.

Share Spaces

Sometimes it may be useful to give others access to one of your spaces. Since Loft's authorization system is based on Kubernetes RBAC, you can simply create a RoleBinding to give other users access. Allowing them to view and edit a namespace and/or resources within this namespace will enable them to see a corresponding space in the UI and also to run loft use space to configure a kube-context for accessing the space using kubectl, helm and other tools.

UI

Loft UI - Share Space

No Kube-Context Cleanup

This will not clean up the local kube-context you may have for this space. Only when removing a space using the Loft CLI, the local kube-context will also be removed from your ~/.kube/config file.

kubectl

Create file rolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: space-access-john
  namespace: ml-experiment-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: john            # References the `spec.subject` defined in the User object

Create the RoleBinding using kubectl:

kubectl create -f rolebinding.yaml

No Kube-Context Cleanup

This will not clean up the local kube-context you may have for this space. Only when removing a space using the Loft CLI, the local kube-context will also be removed from your ~/.kube/config file.

Access Spaces

Accessing an already existing space can be either done by using the Loft CLI or constructing a kube config directly.

CLI

Just run the following command in the Loft CLI

loft use space [SPACE_NAME]

How does it work?

To provide access to a space/namespace, Loft creates a new RBAC role binding for the Loft user. This is done in a way that this user can only access objects within this and other namespaces the user has access to. Then, Loft generates a kube-context using an access key and adds it to the ~/.kube/config file on the user's computer.

Kube Config

If you need to construct a kube config directly, you'll need to generate an Access Key first. Then create a kubeconfig.yaml in the following format:

apiVersion: v1
kind: Config
clusters: 
- cluster:
    # Optional if untrusted certificate
    # insecure-skip-tls-verify: true
    server: https://my-loft-domain.com/kubernetes/cluster/$CLUSTER
  name: loft
contexts:
- context:
    cluster: loft
    user: loft
    namespace: $SPACE
  name: loft
current-context: loft
users:
- name: loft
  user:
    token: $ACCESS_KEY

Replace the $ACCESS_KEY with your generated access key, $CLUSTER with the name of the connected kubernetes cluster the space was created in and $SPACE with the name of the space. You can now use this kube config with any external applications such as kubectl or terraform.

Then run any command in the space with:

kubectl --kubeconfig kubeconfig.yaml get pods