Configure Cluster Access in Loft
The core feature of Loft is to enable users to get self-service access to Kubernetes and allow them to create isolated namespaces and virtual clusters whenever they need them.
This page will show you how to:
- Create a Test User
- Impersonate this user
- Switch back to our admin role and give the user access to a Kubernetes cluster
- Use impersonation again to verify the user's access to the cluster
1. Create Test User
Loft lets you connect a variety of SSO providers for authentication but for the sake of simplicity, let's just manually create a user to learn more about Loft's cluster access features:
- Go to the Users view using the main menu on the left
- Click on the button
- Use the field Display Name to enter the value Anna
- Click on the button at the very bottom
- Close the popup using the button
Remember: Everything you do in Loft UI, including creating a user, is effectively a kubectl command under the hood. So, everything you do in this guide creates or changes objects in your cluster and you could also manage these actions via kubectl or any kind of GitOps tool.
2. Impersonate User
Loft allows admins with appropriate RBAC permissions to impersonate users. Let's try this to see how Loft UI would look like for our newly created user:
- In the Users view, hover over the row with user Anna
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Impersonate the user
- In the popup, click on the button to confirm that you want to start impersonation
- After impersonation has started, go to the Clusters view using the main menu on the left
- Verify that Anna has no access to any clusters
To also use Loft CLI as the impersonated user, you can run the following command while impersonation is active:
loft login localhost:9898 --insecure # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag
You can verify the login and print your user information via:
loft login
3. Configure Cluster Access
Let's give our test user Anna access to one of the clusters connected to this Loft instance:
- If you are still impersonating, click
- Go to the Clusters view using the main menu on the left
- Switch to the tab Cluster Access
- Click on the button
- Use the field Display Name and enter a Name for the cluster access
- In the Users & Teams section, make sure the Users tab is selected because we want to give an individual user access to a cluster
- Use the field Select Individual Users and select the User(s) you want to create this cluster access for
- In the Clusters section, either select All Clusters or the specific cluster that you want to make accessible for the user(s) you selected in the previous step
- Click the button at the bottom of the drawer
You can connect a variety of SSO providers to Loft. To automatically give users access to clusters based on their SSO user groups, you can switch to the Team Members tab to grant cluster access for each member of a team (e.g. for each member of a group in Active Directory, Okta, SAML, etc.)
4. Verify Cluster Access
After configuring the cluster access for test user Anna, let's verify that she can access the cluster:
- Go to the Users view using the main menu on the left
- Hover over the row with user Anna and click on the button to Impersonate the user
- In the popup, click on the button to confirm that you want to start impersonation
- Go to the Clusters view using the main menu on the left
- Verify that Anna now has access to the clusters you specified in her cluster access
With access to a cluster, users can typically:
Loft allows you to:
- Configure sleep mode for spaces to save Kubernetes cost
- Restrict cluster access for users via Space Constraints and Quotas