Audit Logging in Loft
Loft auditing provides a security-relevant, chronological set of records documenting the sequence of actions in loft. Loft audits the activities generated by users and by applications that use the Loft API.
Loft is able to log activities related to:
- Management Instance changes, such as creation of new virtual clusters, spaces etc.
- Changes within a virtual cluster or space
- Changes within a connected cluster
Auditing in Loft is very similar to auditing Kubernetes clusters in general.
Enable Auditing
Loft auditing is configured through the Loft config in the Loft UI (Admin -> Config).
An example configuration could look like:
audit:
enabled: true
level: 1
Changing the Loft auditing configuration requires a restart to take effect. You can restart Loft either through the Loft UI or via kubectl: kubectl rollout restart deploy/loft -n loft
Each request on each stage of its execution generates an audit event, which is then pre-processed according to a certain policy and written to a backend (currently only log backends are supported). The policy determines what's recorded and the backends persist the records.
Each request can be recorded with an associated stage. The defined stages are:
RequestReceived
- The stage for events generated as soon as the audit handler receives the request, and before it is delegated down the handler chain.ResponseComplete
- The response body has been completed and no more bytes will be sent.Panic
- Events generated when a panic occurred.
The audit logging feature increases the memory consumption of Loft because some context required for auditing is stored for each request. Memory consumption depends on the audit logging configuration.
Audit Levels
For easier configuration, Loft provides audit levels, that are preconfigured audit policies for the most common use cases. These levels range from 1 to 4 where 1 logs the fewest requests, while 4 logs the most. A more detailed description can be found below:
- Level 1: will log modifying requests such as creation / modification or deletion of any objects
- Level 2: like Level 1 but will also log the metadata of reading requests, such as listing pods inside a virtual cluster or space. It won't log the response or request payload and instead only the metadata such as request origin, target etc.
- Level 3: like Level 2 but instead of only logging the request metadata will also log the complete request payload sent to Loft
- Level 4: like Level 3 but instead of only logging metadata and request payload, will also log the response Loft has sent to the requester
For all of these levels certain internal read-only apis are not logged since those might pollute the log and drastically increase log size. If you also want to log these, please create a custom audit policy as described below.
You can configure the audit level through the Loft config, that can be modified either through the Loft UI or helm:
- UI
- Helm
- Go to the Admin > Config view using the menu on the left.
- In the input field that appears, enter the following config:
audit:
enabled: true
level: 1 - Click on the button and wait until Loft has restarted.
Create a new file values.yaml
:
config:
audit:
enabled: true
level: 1
Then apply these values with helm (make sure to specify the correct Loft version):
helm upgrade loft loft --namespace loft \
--repo https://charts.loft.sh \
--version $LOFT_VERSION \
--reuse-values \
--values values.yaml
Optional: Audit Policy
It is recommended to use audit levels instead of audit policy directly, because a policy is much more complex to define.
As an alternative to Audit levels, policy allows you to define exact rules about what events should be recorded and what data they should include. When an event is processed, it's compared against the list of rules in order. The first matching rule sets the audit granularity of the event. The defined audit granularity options are:
None
- don't log events that match this rule.Metadata
- log request metadata (requesting user, timestamp, resource, verb, etc.) but not request or response body.Request
- log event metadata and request body but not response body. This does not apply for non-resource requests.RequestResponse
- log event metadata, request and response bodies. This does not apply for non-resource requests.
An example policy that catches all requests would look like this:
audit:
enabled: true
policy:
rules:
- level: Metadata
omitStages:
- RequestReceived
Below you can find a complete policy reference:
kind
required string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind
required string apiVersion
required string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion
required string metadata
required object
metadata
required object name
required string
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
name
required string generateName
required string
GenerateName is an optional prefix, used by the server, to generate a unique
name ONLY IF the Name field has not been provided.
If this field is used, the name returned to the client will be different
than the name passed. This value will also be combined with a unique suffix.
The provided value has the same validation rules as the Name field,
and may be truncated by the length of the suffix required to make the value
unique on the server.
If this field is specified and the generated name exists, the server will return a 409.
Applied only if Name is not specified.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
generateName
required string namespace
required string
Namespace defines the space within which each name must be unique. An empty namespace is
equivalent to the "default" namespace, but "default" is the canonical representation.
Not all objects are required to be scoped to a namespace - the value of this field for
those objects will be empty.
Must be a DNS_LABEL.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
namespace
required string selfLink
required string
Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
selfLink
required string uid
required string
UID is the unique in time and space value for this object. It is typically generated by
the server on successful creation of a resource and is not allowed to change on PUT
operations.
Populated by the system.
Read-only.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
uid
required string resourceVersion
required string
An opaque value that represents the internal version of this object that can
be used by clients to determine when objects have changed. May be used for optimistic
concurrency, change detection, and the watch operation on a resource or set of resources.
Clients must treat these values as opaque and passed unmodified back to the server.
They may only be valid for a particular resource or set of resources.
Populated by the system.
Read-only.
Value must be treated as opaque by clients and .
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
resourceVersion
required string generation
required integer
A sequence number representing a specific generation of the desired state.
Populated by the system. Read-only.
generation
required integer creationTimestamp
required object
CreationTimestamp is a timestamp representing the server time when this object was
created. It is not guaranteed to be set in happens-before order across separate operations.
Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system.
Read-only.
Null for lists.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
creationTimestamp
required object deletionTimestamp
required object
DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
field is set by the server when a graceful deletion is requested by the user, and is not
directly settable by a client. The resource is expected to be deleted (no longer visible
from resource lists, and not reachable by name) after the time in this field, once the
finalizers list is empty. As long as the finalizers list contains items, deletion is blocked.
Once the deletionTimestamp is set, this value may not be unset or be set further into the
future, although it may be shortened or the resource may be deleted prior to this time.
For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
remove the pod from the API. In the presence of network partitions, this object may still
exist after this timestamp, until an administrator or automated process can determine the
resource is fully terminated.
If not set, graceful deletion of the object has not been requested.
Populated by the system when a graceful deletion is requested.
Read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
deletionTimestamp
required object deletionGracePeriodSeconds
required integer
Number of seconds allowed for this object to gracefully terminate before
it will be removed from the system. Only set when deletionTimestamp is also set.
May only be shortened.
Read-only.
deletionGracePeriodSeconds
required integer labels
required object
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
labels
required object annotations
required object
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
annotations
required object ownerReferences
required object[]
List of objects depended by this object. If ALL objects in the list have
been deleted, this object will be garbage collected. If this object is managed by a controller,
then an entry in this list will point to this controller, with the controller field set to true.
There cannot be more than one managing controller.
ownerReferences
required object[] apiVersion
required string
API version of the referent.
apiVersion
required string kind
required string
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind
required string name
required string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
name
required string uid
required string
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
uid
required string controller
required boolean false
If true, this reference points to the managing controller.
controller
required boolean false blockOwnerDeletion
required boolean false
If true, AND if the owner has the "foregroundDeletion" finalizer, then
the owner cannot be deleted from the key-value store until this
reference is removed.
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
for how the garbage collector interacts with this field and enforces the foreground deletion.
Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
blockOwnerDeletion
required boolean false finalizers
required string[]
Must be empty before the object is deleted from the registry. Each entry
is an identifier for the responsible component that will remove the entry
from the list. If the deletionTimestamp of the object is non-nil, entries
in this list can only be removed.
Finalizers may be processed and removed in any order. Order is NOT enforced
because it introduces significant risk of stuck finalizers.
finalizers is a shared field, any actor with permission can reorder it.
If the finalizer list is processed in order, then this can lead to a situation
in which the component responsible for the first finalizer in the list is
waiting for a signal (field value, external system, or other) produced by a
component responsible for a finalizer later in the list, resulting in a deadlock.
Without enforced ordering finalizers are free to order amongst themselves and
are not vulnerable to ordering changes in the list.
finalizers
required string[] managedFields
required object[]
ManagedFields maps workflow-id and version to the set of fields
that are managed by that workflow. This is mostly for internal
housekeeping, and users typically shouldn't need to set or
understand this field. A workflow can be the user's name, a
controller's name, or the name of a specific apply path like
"ci-cd". The set of fields is always in the version that the
workflow used when modifying the object.
managedFields
required object[] manager
required string
Manager is an identifier of the workflow managing these fields.
manager
required string operation
required string
Operation is the type of operation which lead to this ManagedFieldsEntry being created.
The only valid values for this field are 'Apply' and 'Update'.
operation
required string apiVersion
required string
APIVersion defines the version of this resource that this field set
applies to. The format is "group/version" just like the top-level
APIVersion field. It is necessary to track the version of a field
set because it cannot be automatically converted.
apiVersion
required string time
required object
Time is the timestamp of when the ManagedFields entry was added. The
timestamp will also be updated if a field is added, the manager
changes any of the owned fields value or removes a field. The
timestamp does not update when a field is removed from the entry
because another manager took it over.
time
required object fieldsType
required string
FieldsType is the discriminator for the different fields format and version.
There is currently only one possible value: "FieldsV1"
fieldsType
required string fieldsV1
required object
FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
fieldsV1
required object subresource
required string
Subresource is the name of the subresource used to update that object, or
empty string if the object was updated through the main resource. The
value of this field is used to distinguish between managers, even if they
share the same name. For example, a status update will be distinct from a
regular update using the same manager name.
Note that the APIVersion field is not related to the Subresource field and
it always corresponds to the version of the main resource.
subresource
required string status
required object
status
required object auth
required object
Authentication holds the information for authentication
auth
required object oidc
required object
OIDC holds oidc authentication configuration
oidc
required object issuerUrl
required string
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string clientId
required string
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string clientSecret
required string
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string postLogoutRedirectURI
required string
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string caFile
required string
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string insecureCa
required boolean false
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean false preferredUsername
required string
Configurable key which contains the preferred username claims
preferredUsername
required string loftUsernameClaim
required string
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string usernameClaim
required string
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string emailClaim
required string
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string usernamePrefix
required string
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string groupsClaim
required string
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string groups
required string[]
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] scopes
required string[]
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] getUserInfo
required boolean false
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean false groupsPrefix
required string
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string type
required string
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string github
required object
Github holds github authentication configuration
github
required object clientId
required string
ClientID holds the github client id
clientId
required string clientSecret
required string
ClientID holds the github client secret
clientSecret
required string redirectURI
required string
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string orgs
required object[]
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] name
required string
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string teams
required string[]
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] hostName
required string
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string rootCA
required string
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string gitlab
required object
Gitlab holds gitlab authentication configuration
gitlab
required object clientId
required string
Gitlab client id
clientId
required string clientSecret
required string
Gitlab client secret
clientSecret
required string redirectURI
required string
Redirect URI
redirectURI
required string baseURL
required string
BaseURL is optional, default = https://gitlab.com
baseURL
required string groups
required string[]
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string google
required object
Google holds google authentication configuration
google
required object clientId
required string
Google client id
clientId
required string clientSecret
required string
Google client secret
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string scopes
required string[]
defaults to "profile" and "email"
scopes
required string[] hostedDomains
required string[]
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] groups
required string[]
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] serviceAccountFilePath
required string
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string adminEmail
required string
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string microsoft
required object
Microsoft holds microsoft authentication configuration
microsoft
required object clientId
required string
Microsoft client id
clientId
required string clientSecret
required string
Microsoft client secret
clientSecret
required string redirectURI
required string
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string tenant
required string
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string groups
required string[]
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] onlySecurityGroups
required boolean false
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean false useGroupsAsWhitelist
required boolean false
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean false clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string saml
required object
SAML holds saml authentication configuration
saml
required object redirectURI
required string
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string ssoURL
required string
SSO URL used for POST value.
ssoURL
required string caData
required string
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string usernameAttr
required string
Name of attribute in the returned assertions to map to username
usernameAttr
required string emailAttr
required string
Name of attribute in the returned assertions to map to email
emailAttr
required string groupsAttr
required string
Name of attribute in the returned assertions to map to groups
groupsAttr
required string ca
required string
CA to use when validating the signature of the SAML response.
ca
required string insecureSkipSignatureValidation
required boolean false
Ignore the ca cert
insecureSkipSignatureValidation
required boolean false entityIssuer
required string
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string ssoIssuer
required string
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string groupsDelim
required string
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string allowedGroups
required string[]
List of groups to filter access based on membership
allowedGroups
required string[] filterGroups
required boolean false
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean false nameIDPolicyFormat
required string
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
rancher
required object
Rancher holds the rancher authentication options
rancher
required object password
required object
Password holds password authentication relevant information
password
required object disabled
required boolean true
If true login via password is disabled
disabled
required boolean true connectors
required object[]
Connectors are optional additional connectors for Loft.
connectors
required object[] id
required string
ID is the id that should show up in the url
id
required string displayName
required string
DisplayName is the name that should show up in the ui
displayName
required string oidc
required object
OIDC holds oidc authentication configuration
oidc
required object issuerUrl
required string
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string clientId
required string
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string clientSecret
required string
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string postLogoutRedirectURI
required string
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string caFile
required string
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string insecureCa
required boolean false
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean false preferredUsername
required string
Configurable key which contains the preferred username claims
preferredUsername
required string loftUsernameClaim
required string
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string usernameClaim
required string
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string emailClaim
required string
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string usernamePrefix
required string
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string groupsClaim
required string
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string groups
required string[]
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] scopes
required string[]
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] getUserInfo
required boolean false
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean false groupsPrefix
required string
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string type
required string
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string github
required object
Github holds github authentication configuration
github
required object clientId
required string
ClientID holds the github client id
clientId
required string clientSecret
required string
ClientID holds the github client secret
clientSecret
required string redirectURI
required string
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string orgs
required object[]
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] name
required string
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string teams
required string[]
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] hostName
required string
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string rootCA
required string
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string gitlab
required object
Gitlab holds gitlab authentication configuration
gitlab
required object clientId
required string
Gitlab client id
clientId
required string clientSecret
required string
Gitlab client secret
clientSecret
required string redirectURI
required string
Redirect URI
redirectURI
required string baseURL
required string
BaseURL is optional, default = https://gitlab.com
baseURL
required string groups
required string[]
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string google
required object
Google holds google authentication configuration
google
required object clientId
required string
Google client id
clientId
required string clientSecret
required string
Google client secret
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string scopes
required string[]
defaults to "profile" and "email"
scopes
required string[] hostedDomains
required string[]
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] groups
required string[]
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] serviceAccountFilePath
required string
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string adminEmail
required string
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string microsoft
required object
Microsoft holds microsoft authentication configuration
microsoft
required object clientId
required string
Microsoft client id
clientId
required string clientSecret
required string
Microsoft client secret
clientSecret
required string redirectURI
required string
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string tenant
required string
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string groups
required string[]
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] onlySecurityGroups
required boolean false
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean false useGroupsAsWhitelist
required boolean false
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean false clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string saml
required object
SAML holds saml authentication configuration
saml
required object redirectURI
required string
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string ssoURL
required string
SSO URL used for POST value.
ssoURL
required string caData
required string
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string usernameAttr
required string
Name of attribute in the returned assertions to map to username
usernameAttr
required string emailAttr
required string
Name of attribute in the returned assertions to map to email
emailAttr
required string groupsAttr
required string
Name of attribute in the returned assertions to map to groups
groupsAttr
required string ca
required string
CA to use when validating the signature of the SAML response.
ca
required string insecureSkipSignatureValidation
required boolean false
Ignore the ca cert
insecureSkipSignatureValidation
required boolean false entityIssuer
required string
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string ssoIssuer
required string
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string groupsDelim
required string
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string allowedGroups
required string[]
List of groups to filter access based on membership
allowedGroups
required string[] filterGroups
required boolean false
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean false nameIDPolicyFormat
required string
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
disableTeamCreation
required boolean false
Prevents from team creation for the new groups associated with the user at the time of logging in through sso,
Default behaviour is false, this means that teams will be created for new groups.
disableTeamCreation
required boolean false accessKeyMaxTTLSeconds
required integer
AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds.
Leaving it 0 or unspecified will disable it.
Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.
accessKeyMaxTTLSeconds
required integer loginAccessKeyTTLSeconds
required integer
LoginAccessKeyTTLSeconds is the time in seconds an access key is kept
until it is deleted.
Leaving it unspecified will default to 20 days.
Setting it to zero will disable the ttl.
Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.
loginAccessKeyTTLSeconds
required integer customHttpHeaders
required object
CustomHttpHeaders are additional headers that should be set for the authentication endpoints
customHttpHeaders
required object oidc
required object
OIDC holds oidc provider relevant information
oidc
required object enabled
required boolean true
If true indicates that loft will act as an OIDC server
enabled
required boolean true wildcardRedirect
required boolean true
If true indicates that loft will allow wildcard '*' in client redirectURIs
wildcardRedirect
required boolean true clients
required object[]
The clients that are allowed to request loft tokens
clients
required object[] name
required string
The client name
name
required string clientId
required string
The client id of the client
clientId
required string clientSecret
required string
The client secret of the client
clientSecret
required string redirectURIs
required string[]
A registered set of redirect URIs. When redirecting from dex to the client, the URI
requested to redirect to MUST match one of these values, unless the client is "public".
redirectURIs
required string[] apps
required object
Apps holds configuration around apps
apps
required object noDefault
required boolean false
If this option is true, loft will not try to parse the default apps
noDefault
required boolean false repositories
required object[]
These are additional repositories that are parsed by loft
repositories
required object[] name
required string
Name is the name of the repository
name
required string url
required string
URL is the repository url
url
required string username
required string
Username of the repository
username
required string password
required string
Password of the repository
password
required string insecure
required boolean false
Insecure specifies if the chart should be retrieved without TLS
verification
insecure
required boolean false predefinedApps
required object[]
Predefined apps that can be selected in the Spaces ) Space menu
predefinedApps
required object[] chart
required string
Chart holds the repo/chart name of the predefined app
chart
required string initialVersion
required string
InitialVersion holds the initial version of this app.
This version will be selected automatically.
initialVersion
required string initialValues
required string
InitialValues holds the initial values for this app.
The values will be prefilled automatically. There are certain
placeholders that can be used within the values that are replaced
by the loft UI automatically.
initialValues
required string clusters
required string[]
Holds the cluster names where to display this app
clusters
required string[] title
required string
Title is the name that should be displayed for the predefined app.
If empty the chart name is used.
title
required string iconUrl
required string
IconURL specifies an url to the icon that should be displayed for this app.
If none is specified the icon from the chart metadata is used.
iconUrl
required string readmeUrl
required string
ReadmeURL specifies an url to the readme page of this predefined app. If empty
an url will be constructed to artifact hub.
readmeUrl
required string audit
required object
Audit holds audit configuration
audit
required object enabled
required boolean false
If audit is enabled and incoming api requests will be logged based on the supplied policy.
enabled
required boolean false disableAgentSyncBack
required boolean false
If true, the agent will not send back any audit logs to Loft itself.
disableAgentSyncBack
required boolean false level
required integer
Level is an optional log level for audit logs. Cannot be used together with policy
level
required integer policy
required object
The audit policy to use and log requests. By default loft will not log anything
policy
required object rules
required object[]
Rules specify the audit Level a request should be recorded at.
A request may match multiple rules, in which case the FIRST matching rule is used.
The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
PolicyRules are strictly ordered.
rules
required object[] level
required string
The Level that requests matching this rule are recorded at.
level
required string users
required string[]
The users (by authenticated user name) this rule applies to.
An empty list implies every user.
users
required string[] userGroups
required string[]
The user groups this rule applies to. A user is considered matching
if it is a member of any of the UserGroups.
An empty list implies every user group.
userGroups
required string[] verbs
required string[]
The verbs that match this rule.
An empty list implies every verb.
verbs
required string[] resources
required object[]
Resources that this rule matches. An empty list implies all kinds in all API groups.
resources
required object[] group
required string
Group is the name of the API group that contains the resources.
The empty string represents the core API group.
group
required string resources
required string[]
Resources is a list of resources this rule applies to.
For example:
'pods' matches pods.
'pods/log' matches the log subresource of pods.
'' matches all resources and their subresources.
'pods/' matches all subresources of pods.
'*/scale' matches all scale subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
resources
required string[] resourceNames
required string[]
ResourceNames is a list of resource instance names that the policy matches.
Using this field requires Resources to be specified.
An empty list implies that every instance of the resource is matched.
resourceNames
required string[] namespaces
required string[]
Namespaces that this rule matches.
The empty string "" matches non-namespaced resources.
An empty list implies every namespace.
namespaces
required string[] nonResourceURLs
required string[]
NonResourceURLs is a set of URL paths that should be audited.
s are allowed, but only as the full, final step in the path.
Examples:
"/metrics" - Log requests for apiserver metrics
"/healthz" - Log all health checks
nonResourceURLs
required string[] omitStages
required string[]
OmitStages is a list of stages for which no events are created. Note that this can also
be specified policy wide in which case the union of both are omitted.
An empty list means no restrictions will apply.
omitStages
required string[] requestTargets
required string[]
RequestTargets is a list of request targets for which events are created.
An empty list implies every request.
requestTargets
required string[] clusters
required string[]
Clusters that this rule matches. Only applies to cluster requests.
If this is set, no events for non cluster requests will be created.
An empty list means no restrictions will apply.
clusters
required string[] omitStages
required string[]
OmitStages is a list of stages for which no events are created. Note that this can also
be specified per rule in which case the union of both are omitted.
omitStages
required string[] dataStoreEndpoint
required string
DataStoreEndpoint is an endpoint to store events in.
dataStoreEndpoint
required string dataStoreTTL
required integer
DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore
dataStoreTTL
required integer path
required string
The path where to save the audit log files. This is required if audit is enabled. Backup log files will
be retained in the same directory.
path
required string maxAge
required integer
MaxAge is the maximum number of days to retain old log files based on the
timestamp encoded in their filename. Note that a day is defined as 24
hours and may not exactly correspond to calendar days due to daylight
savings, leap seconds, etc. The default is not to remove old log files
based on age.
maxAge
required integer maxBackups
required integer
MaxBackups is the maximum number of old log files to retain. The default
is to retain all old log files (though MaxAge may still cause them to get
deleted.)
maxBackups
required integer maxSize
required integer
MaxSize is the maximum size in megabytes of the log file before it gets
rotated. It defaults to 100 megabytes.
maxSize
required integer compress
required boolean false
Compress determines if the rotated log files should be compressed
using gzip. The default is not to perform compression.
compress
required boolean false loftHost
required string
LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com
loftHost
required string devPodSubDomain
required string
DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com
devPodSubDomain
required string uiSettings
required object
UISettings holds the settings for modifying the Loft user interface
uiSettings
required object loftVersion
required string
LoftVersion holds the current loft version
loftVersion
required string logoURL
required string
LogoURL is url pointing to the logo to use in the Loft UI. This path must be accessible for clients accessing
the Loft UI!
logoURL
required string logoBackgroundColor
required string
LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo
logoBackgroundColor
required string legalTemplate
required string
LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft
legalTemplate
required string primaryColor
required string
PrimaryColor is the color value (ex: "#12345") to use as the primary color
primaryColor
required string sidebarColor
required string
SidebarColor is the color value (ex: "#12345") to use for the sidebar
sidebarColor
required string accentColor
required string
AccentColor is the color value (ex: "#12345") to use for the accent
accentColor
required string customCss
required string[]
CustomCSS holds URLs with custom css files that should be included when loading the UI
customCss
required string[] customJavaScript
required string[]
CustomJavaScript holds URLs with custom js files that should be included when loading the UI
customJavaScript
required string[] navBarButtons
required object[]
NavBarButtons holds extra nav bar buttons
navBarButtons
required object[] position
required string
Position holds the position of the button, can be one of:
TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd
position
required string text
required string
Text holds text for the button
text
required string link
required string
Link holds the link of the navbar button
link
required string icon
required string
Icon holds the url of the icon to display
icon
required string vault
required object
VaultIntegration holds the vault integration configuration
vault
required object enabled
required boolean false
Enabled indicates if the Vault Integration is enabled for the project -- this knob only
enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication
methods or Kubernetes secrets engines for vclusters.
enabled
required boolean false address
required string
Address defines the address of the Vault instance to use for this project.
Will default to the VAULT_ADDR
environment variable if not provided.
address
required string VAULT_ADDR
environment variable if not provided.skipTLSVerify
required boolean false
SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.
skipTLSVerify
required boolean false namespace
required string
Namespace defines the namespace to use when storing secrets in Vault.
namespace
required string auth
required object
Auth defines the authentication method to use for this project.
auth
required object token
required string
Token defines the token to use for authentication.
token
required string tokenSecretRef
required object
TokenSecretRef defines the Kubernetes secret to use for token authentication.
Will be used if token
is not provided.
Secret data should contain the token
key.
tokenSecretRef
required object token
is not provided.token
key.name
required string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
name
required string key
required string
The key of the secret to select from. Must be a valid secret key.
key
required string optional
required boolean false
Specify whether the Secret or its key must be defined
optional
required boolean false syncInterval
required string
SyncInterval defines the interval at which to sync secrets from Vault.
Defaults to 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.
syncInterval
required string 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.Persisting Audit Logs
There are 2 ways how to persist Loft audit logs. Either you can deploy Loft with a persistent volume claim or let Loft connect to a persistent database. The PVC approach does not work for HA mode for Loft.
Deploy Loft with a PVC to save Audit Logs
Create a new values.yaml
with the following values:
audit:
persistence:
enabled: true
# size: 30Gi
Then apply the values via helm:
helm upgrade loft -n loft --version $VERSION \
--repo https://charts.loft.sh \
--reuse-values \
-f values.yaml
Use a persistent database as Loft audit backend
Go to Admin > Config and specify the following Loft config setting:
audit:
dataStoreEndpoint: mysql://username:password@tcp(hostname:3306)/database-name
Then press Apply and wait until Loft is restarted.
Viewing and Exporting Audit Logs
By default, Loft will log audit events to the following locations:
- To a log file in json format located at
/var/log/loft/audit.log
inside the Loft container. Each line inside the log represents a single audit event. - To an internal sqlite storage located at
/var/log/loft/audit.db
inside the Loft container. This sqlite database is used to display audit log events in the Loft UI. By default audit events in the sqlite are not persisted, so restarting Loft will clear the database. Instead of using a sqlite database, Loft is also able to write those events to a persistent mysql database that can be configured through the Loft config. E.g.:
audit:
enabled: true
dataStoreEndpoint: mysql://username:password@tcp(hostname:3306)/database-name
Enable Audit SideCar
To easily export the audit events to third party systems, we recommend to enable the audit log sidecar that will print all the audit events onto stdout in a separate container which then can be easily watched and exported. Enabling the sidecar is only possible through helm values.
Create a values.yaml
with the following contents:
audit:
enableSideCar: true
You cannot configure this under Admin > Config, since this requires a change in the Loft deployment itself, which is why this is a helm option only
Then update the helm release via:
helm upgrade loft loft --namespace loft \
--repo https://charts.loft.sh \
--version $LOFT_VERSION \
--reuse-values \
--values values.yaml
Wait until Loft has restarted, then you can view the audit logs via:
kubectl logs -n loft -l app=loft -c audit -f
Audit Config Reference
kind
required string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind
required string apiVersion
required string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion
required string metadata
required object
metadata
required object name
required string
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
name
required string generateName
required string
GenerateName is an optional prefix, used by the server, to generate a unique
name ONLY IF the Name field has not been provided.
If this field is used, the name returned to the client will be different
than the name passed. This value will also be combined with a unique suffix.
The provided value has the same validation rules as the Name field,
and may be truncated by the length of the suffix required to make the value
unique on the server.
If this field is specified and the generated name exists, the server will return a 409.
Applied only if Name is not specified.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
generateName
required string namespace
required string
Namespace defines the space within which each name must be unique. An empty namespace is
equivalent to the "default" namespace, but "default" is the canonical representation.
Not all objects are required to be scoped to a namespace - the value of this field for
those objects will be empty.
Must be a DNS_LABEL.
Cannot be updated.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
namespace
required string selfLink
required string
Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
selfLink
required string uid
required string
UID is the unique in time and space value for this object. It is typically generated by
the server on successful creation of a resource and is not allowed to change on PUT
operations.
Populated by the system.
Read-only.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
uid
required string resourceVersion
required string
An opaque value that represents the internal version of this object that can
be used by clients to determine when objects have changed. May be used for optimistic
concurrency, change detection, and the watch operation on a resource or set of resources.
Clients must treat these values as opaque and passed unmodified back to the server.
They may only be valid for a particular resource or set of resources.
Populated by the system.
Read-only.
Value must be treated as opaque by clients and .
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
resourceVersion
required string generation
required integer
A sequence number representing a specific generation of the desired state.
Populated by the system. Read-only.
generation
required integer creationTimestamp
required object
CreationTimestamp is a timestamp representing the server time when this object was
created. It is not guaranteed to be set in happens-before order across separate operations.
Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system.
Read-only.
Null for lists.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
creationTimestamp
required object deletionTimestamp
required object
DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
field is set by the server when a graceful deletion is requested by the user, and is not
directly settable by a client. The resource is expected to be deleted (no longer visible
from resource lists, and not reachable by name) after the time in this field, once the
finalizers list is empty. As long as the finalizers list contains items, deletion is blocked.
Once the deletionTimestamp is set, this value may not be unset or be set further into the
future, although it may be shortened or the resource may be deleted prior to this time.
For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
remove the pod from the API. In the presence of network partitions, this object may still
exist after this timestamp, until an administrator or automated process can determine the
resource is fully terminated.
If not set, graceful deletion of the object has not been requested.
Populated by the system when a graceful deletion is requested.
Read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
deletionTimestamp
required object deletionGracePeriodSeconds
required integer
Number of seconds allowed for this object to gracefully terminate before
it will be removed from the system. Only set when deletionTimestamp is also set.
May only be shortened.
Read-only.
deletionGracePeriodSeconds
required integer labels
required object
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
labels
required object annotations
required object
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
annotations
required object ownerReferences
required object[]
List of objects depended by this object. If ALL objects in the list have
been deleted, this object will be garbage collected. If this object is managed by a controller,
then an entry in this list will point to this controller, with the controller field set to true.
There cannot be more than one managing controller.
ownerReferences
required object[] apiVersion
required string
API version of the referent.
apiVersion
required string kind
required string
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind
required string name
required string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
name
required string uid
required string
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
uid
required string controller
required boolean false
If true, this reference points to the managing controller.
controller
required boolean false blockOwnerDeletion
required boolean false
If true, AND if the owner has the "foregroundDeletion" finalizer, then
the owner cannot be deleted from the key-value store until this
reference is removed.
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
for how the garbage collector interacts with this field and enforces the foreground deletion.
Defaults to false.
To set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
blockOwnerDeletion
required boolean false finalizers
required string[]
Must be empty before the object is deleted from the registry. Each entry
is an identifier for the responsible component that will remove the entry
from the list. If the deletionTimestamp of the object is non-nil, entries
in this list can only be removed.
Finalizers may be processed and removed in any order. Order is NOT enforced
because it introduces significant risk of stuck finalizers.
finalizers is a shared field, any actor with permission can reorder it.
If the finalizer list is processed in order, then this can lead to a situation
in which the component responsible for the first finalizer in the list is
waiting for a signal (field value, external system, or other) produced by a
component responsible for a finalizer later in the list, resulting in a deadlock.
Without enforced ordering finalizers are free to order amongst themselves and
are not vulnerable to ordering changes in the list.
finalizers
required string[] managedFields
required object[]
ManagedFields maps workflow-id and version to the set of fields
that are managed by that workflow. This is mostly for internal
housekeeping, and users typically shouldn't need to set or
understand this field. A workflow can be the user's name, a
controller's name, or the name of a specific apply path like
"ci-cd". The set of fields is always in the version that the
workflow used when modifying the object.
managedFields
required object[] manager
required string
Manager is an identifier of the workflow managing these fields.
manager
required string operation
required string
Operation is the type of operation which lead to this ManagedFieldsEntry being created.
The only valid values for this field are 'Apply' and 'Update'.
operation
required string apiVersion
required string
APIVersion defines the version of this resource that this field set
applies to. The format is "group/version" just like the top-level
APIVersion field. It is necessary to track the version of a field
set because it cannot be automatically converted.
apiVersion
required string time
required object
Time is the timestamp of when the ManagedFields entry was added. The
timestamp will also be updated if a field is added, the manager
changes any of the owned fields value or removes a field. The
timestamp does not update when a field is removed from the entry
because another manager took it over.
time
required object fieldsType
required string
FieldsType is the discriminator for the different fields format and version.
There is currently only one possible value: "FieldsV1"
fieldsType
required string fieldsV1
required object
FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
fieldsV1
required object subresource
required string
Subresource is the name of the subresource used to update that object, or
empty string if the object was updated through the main resource. The
value of this field is used to distinguish between managers, even if they
share the same name. For example, a status update will be distinct from a
regular update using the same manager name.
Note that the APIVersion field is not related to the Subresource field and
it always corresponds to the version of the main resource.
subresource
required string status
required object
status
required object auth
required object
Authentication holds the information for authentication
auth
required object oidc
required object
OIDC holds oidc authentication configuration
oidc
required object issuerUrl
required string
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string clientId
required string
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string clientSecret
required string
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string postLogoutRedirectURI
required string
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string caFile
required string
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string insecureCa
required boolean false
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean false preferredUsername
required string
Configurable key which contains the preferred username claims
preferredUsername
required string loftUsernameClaim
required string
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string usernameClaim
required string
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string emailClaim
required string
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string usernamePrefix
required string
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string groupsClaim
required string
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string groups
required string[]
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] scopes
required string[]
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] getUserInfo
required boolean false
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean false groupsPrefix
required string
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string type
required string
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string github
required object
Github holds github authentication configuration
github
required object clientId
required string
ClientID holds the github client id
clientId
required string clientSecret
required string
ClientID holds the github client secret
clientSecret
required string redirectURI
required string
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string orgs
required object[]
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] name
required string
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string teams
required string[]
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] hostName
required string
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string rootCA
required string
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string gitlab
required object
Gitlab holds gitlab authentication configuration
gitlab
required object clientId
required string
Gitlab client id
clientId
required string clientSecret
required string
Gitlab client secret
clientSecret
required string redirectURI
required string
Redirect URI
redirectURI
required string baseURL
required string
BaseURL is optional, default = https://gitlab.com
baseURL
required string groups
required string[]
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string google
required object
Google holds google authentication configuration
google
required object clientId
required string
Google client id
clientId
required string clientSecret
required string
Google client secret
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string scopes
required string[]
defaults to "profile" and "email"
scopes
required string[] hostedDomains
required string[]
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] groups
required string[]
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] serviceAccountFilePath
required string
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string adminEmail
required string
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string microsoft
required object
Microsoft holds microsoft authentication configuration
microsoft
required object clientId
required string
Microsoft client id
clientId
required string clientSecret
required string
Microsoft client secret
clientSecret
required string redirectURI
required string
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string tenant
required string
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string groups
required string[]
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] onlySecurityGroups
required boolean false
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean false useGroupsAsWhitelist
required boolean false
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean false clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string saml
required object
SAML holds saml authentication configuration
saml
required object redirectURI
required string
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string ssoURL
required string
SSO URL used for POST value.
ssoURL
required string caData
required string
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string usernameAttr
required string
Name of attribute in the returned assertions to map to username
usernameAttr
required string emailAttr
required string
Name of attribute in the returned assertions to map to email
emailAttr
required string groupsAttr
required string
Name of attribute in the returned assertions to map to groups
groupsAttr
required string ca
required string
CA to use when validating the signature of the SAML response.
ca
required string insecureSkipSignatureValidation
required boolean false
Ignore the ca cert
insecureSkipSignatureValidation
required boolean false entityIssuer
required string
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string ssoIssuer
required string
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string groupsDelim
required string
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string allowedGroups
required string[]
List of groups to filter access based on membership
allowedGroups
required string[] filterGroups
required boolean false
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean false nameIDPolicyFormat
required string
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
rancher
required object
Rancher holds the rancher authentication options
rancher
required object password
required object
Password holds password authentication relevant information
password
required object disabled
required boolean true
If true login via password is disabled
disabled
required boolean true connectors
required object[]
Connectors are optional additional connectors for Loft.
connectors
required object[] id
required string
ID is the id that should show up in the url
id
required string displayName
required string
DisplayName is the name that should show up in the ui
displayName
required string oidc
required object
OIDC holds oidc authentication configuration
oidc
required object issuerUrl
required string
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl
required string clientId
required string
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId
required string clientSecret
required string
ClientSecret to issue tokens from the OIDC provider
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI
required string postLogoutRedirectURI
required string
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI
required string caFile
required string
Path to a PEM encoded root certificate of the provider. Optional
caFile
required string insecureCa
required boolean false
Specify whether to communicate without validating SSL certificates
insecureCa
required boolean false preferredUsername
required string
Configurable key which contains the preferred username claims
preferredUsername
required string loftUsernameClaim
required string
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim
required string usernameClaim
required string
UsernameClaim is the JWT field to use as the user's id.
usernameClaim
required string emailClaim
required string
EmailClaim is the JWT field to use as the user's email.
emailClaim
required string usernamePrefix
required string
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix
required string groupsClaim
required string
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim
required string groups
required string[]
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups
required string[] scopes
required string[]
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes
required string[] getUserInfo
required boolean false
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo
required boolean false groupsPrefix
required string
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix
required string type
required string
Type of the OIDC to show in the UI. Only for displaying purposes
type
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string github
required object
Github holds github authentication configuration
github
required object clientId
required string
ClientID holds the github client id
clientId
required string clientSecret
required string
ClientID holds the github client secret
clientSecret
required string redirectURI
required string
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI
required string orgs
required object[]
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs
required object[] name
required string
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name
required string teams
required string[]
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams
required string[] hostName
required string
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName
required string rootCA
required string
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string gitlab
required object
Gitlab holds gitlab authentication configuration
gitlab
required object clientId
required string
Gitlab client id
clientId
required string clientSecret
required string
Gitlab client secret
clientSecret
required string redirectURI
required string
Redirect URI
redirectURI
required string baseURL
required string
BaseURL is optional, default = https://gitlab.com
baseURL
required string groups
required string[]
Optional groups whitelist, communicated through the "groups" scope.
If groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.
groups
required string[] groups
is omitted, all of the user's GitLab groups are returned.
If groups
is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups
below will go into the groups claim. Conversely, if the user is not in any of the configured groups
, the user will not be authenticated.clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string google
required object
Google holds google authentication configuration
google
required object clientId
required string
Google client id
clientId
required string clientSecret
required string
Google client secret
clientSecret
required string redirectURI
required string
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI
required string scopes
required string[]
defaults to "profile" and "email"
scopes
required string[] hostedDomains
required string[]
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains
required string[] groups
required string[]
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups
required string[] serviceAccountFilePath
required string
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath
required string adminEmail
required string
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string microsoft
required object
Microsoft holds microsoft authentication configuration
microsoft
required object clientId
required string
Microsoft client id
clientId
required string clientSecret
required string
Microsoft client secret
clientSecret
required string redirectURI
required string
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI
required string tenant
required string
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant
required string groups
required string[]
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups
required string[] onlySecurityGroups
required boolean false
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups
required boolean false useGroupsAsWhitelist
required boolean false
Restrict the groups claims to include only the user’s groups that are in the configured groups
useGroupsAsWhitelist
required boolean false clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string groupClusterAccountTemplates
required object[]
A mapping between groups and cluster account templates. If the user has a certain group, the cluster
account template will be added during creation
groupClusterAccountTemplates
required object[] group
required string
Group is the name of the group that should be matched
group
required string clusterAccountTemplates
required object[]
Cluster Account Templates that will be applied for users logging in through this authentication
clusterAccountTemplates
required object[] name
required string
Name of the cluster account template to apply
name
required string sync
required boolean false
Sync defines if Loft should sync changes to the cluster account template
to the cluster accounts and create new accounts if new clusters match the templates.
sync
required boolean false accountName
required string
AccountName is the name of the account that should
be created. Defaults to the user or team kubernetes name.
accountName
required string saml
required object
SAML holds saml authentication configuration
saml
required object redirectURI
required string
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI
required string ssoURL
required string
SSO URL used for POST value.
ssoURL
required string caData
required string
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData
required string usernameAttr
required string
Name of attribute in the returned assertions to map to username
usernameAttr
required string emailAttr
required string
Name of attribute in the returned assertions to map to email
emailAttr
required string groupsAttr
required string
Name of attribute in the returned assertions to map to groups
groupsAttr
required string ca
required string
CA to use when validating the signature of the SAML response.
ca
required string insecureSkipSignatureValidation
required boolean false
Ignore the ca cert
insecureSkipSignatureValidation
required boolean false entityIssuer
required string
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer
required string ssoIssuer
required string
Issuer value expected in the SAML response. Optional.
ssoIssuer
required string groupsDelim
required string
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim
required string allowedGroups
required string[]
List of groups to filter access based on membership
allowedGroups
required string[] filterGroups
required boolean false
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups
required boolean false nameIDPolicyFormat
required string
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat
required string urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
disableTeamCreation
required boolean false
Prevents from team creation for the new groups associated with the user at the time of logging in through sso,
Default behaviour is false, this means that teams will be created for new groups.
disableTeamCreation
required boolean false accessKeyMaxTTLSeconds
required integer
AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds.
Leaving it 0 or unspecified will disable it.
Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.
accessKeyMaxTTLSeconds
required integer loginAccessKeyTTLSeconds
required integer
LoginAccessKeyTTLSeconds is the time in seconds an access key is kept
until it is deleted.
Leaving it unspecified will default to 20 days.
Setting it to zero will disable the ttl.
Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.
loginAccessKeyTTLSeconds
required integer customHttpHeaders
required object
CustomHttpHeaders are additional headers that should be set for the authentication endpoints
customHttpHeaders
required object oidc
required object
OIDC holds oidc provider relevant information
oidc
required object enabled
required boolean true
If true indicates that loft will act as an OIDC server
enabled
required boolean true wildcardRedirect
required boolean true
If true indicates that loft will allow wildcard '*' in client redirectURIs
wildcardRedirect
required boolean true clients
required object[]
The clients that are allowed to request loft tokens
clients
required object[] name
required string
The client name
name
required string clientId
required string
The client id of the client
clientId
required string clientSecret
required string
The client secret of the client
clientSecret
required string redirectURIs
required string[]
A registered set of redirect URIs. When redirecting from dex to the client, the URI
requested to redirect to MUST match one of these values, unless the client is "public".
redirectURIs
required string[] apps
required object
Apps holds configuration around apps
apps
required object noDefault
required boolean false
If this option is true, loft will not try to parse the default apps
noDefault
required boolean false repositories
required object[]
These are additional repositories that are parsed by loft
repositories
required object[] name
required string
Name is the name of the repository
name
required string url
required string
URL is the repository url
url
required string username
required string
Username of the repository
username
required string password
required string
Password of the repository
password
required string insecure
required boolean false
Insecure specifies if the chart should be retrieved without TLS
verification
insecure
required boolean false predefinedApps
required object[]
Predefined apps that can be selected in the Spaces ) Space menu
predefinedApps
required object[] chart
required string
Chart holds the repo/chart name of the predefined app
chart
required string initialVersion
required string
InitialVersion holds the initial version of this app.
This version will be selected automatically.
initialVersion
required string initialValues
required string
InitialValues holds the initial values for this app.
The values will be prefilled automatically. There are certain
placeholders that can be used within the values that are replaced
by the loft UI automatically.
initialValues
required string clusters
required string[]
Holds the cluster names where to display this app
clusters
required string[] title
required string
Title is the name that should be displayed for the predefined app.
If empty the chart name is used.
title
required string iconUrl
required string
IconURL specifies an url to the icon that should be displayed for this app.
If none is specified the icon from the chart metadata is used.
iconUrl
required string readmeUrl
required string
ReadmeURL specifies an url to the readme page of this predefined app. If empty
an url will be constructed to artifact hub.
readmeUrl
required string audit
required object
Audit holds audit configuration
audit
required object enabled
required boolean false
If audit is enabled and incoming api requests will be logged based on the supplied policy.
enabled
required boolean false disableAgentSyncBack
required boolean false
If true, the agent will not send back any audit logs to Loft itself.
disableAgentSyncBack
required boolean false level
required integer
Level is an optional log level for audit logs. Cannot be used together with policy
level
required integer policy
required object
The audit policy to use and log requests. By default loft will not log anything
policy
required object rules
required object[]
Rules specify the audit Level a request should be recorded at.
A request may match multiple rules, in which case the FIRST matching rule is used.
The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
PolicyRules are strictly ordered.
rules
required object[] level
required string
The Level that requests matching this rule are recorded at.
level
required string users
required string[]
The users (by authenticated user name) this rule applies to.
An empty list implies every user.
users
required string[] userGroups
required string[]
The user groups this rule applies to. A user is considered matching
if it is a member of any of the UserGroups.
An empty list implies every user group.
userGroups
required string[] verbs
required string[]
The verbs that match this rule.
An empty list implies every verb.
verbs
required string[] resources
required object[]
Resources that this rule matches. An empty list implies all kinds in all API groups.
resources
required object[] group
required string
Group is the name of the API group that contains the resources.
The empty string represents the core API group.
group
required string resources
required string[]
Resources is a list of resources this rule applies to.
For example:
'pods' matches pods.
'pods/log' matches the log subresource of pods.
'' matches all resources and their subresources.
'pods/' matches all subresources of pods.
'*/scale' matches all scale subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
resources
required string[] resourceNames
required string[]
ResourceNames is a list of resource instance names that the policy matches.
Using this field requires Resources to be specified.
An empty list implies that every instance of the resource is matched.
resourceNames
required string[] namespaces
required string[]
Namespaces that this rule matches.
The empty string "" matches non-namespaced resources.
An empty list implies every namespace.
namespaces
required string[] nonResourceURLs
required string[]
NonResourceURLs is a set of URL paths that should be audited.
s are allowed, but only as the full, final step in the path.
Examples:
"/metrics" - Log requests for apiserver metrics
"/healthz" - Log all health checks
nonResourceURLs
required string[] omitStages
required string[]
OmitStages is a list of stages for which no events are created. Note that this can also
be specified policy wide in which case the union of both are omitted.
An empty list means no restrictions will apply.
omitStages
required string[] requestTargets
required string[]
RequestTargets is a list of request targets for which events are created.
An empty list implies every request.
requestTargets
required string[] clusters
required string[]
Clusters that this rule matches. Only applies to cluster requests.
If this is set, no events for non cluster requests will be created.
An empty list means no restrictions will apply.
clusters
required string[] omitStages
required string[]
OmitStages is a list of stages for which no events are created. Note that this can also
be specified per rule in which case the union of both are omitted.
omitStages
required string[] dataStoreEndpoint
required string
DataStoreEndpoint is an endpoint to store events in.
dataStoreEndpoint
required string dataStoreTTL
required integer
DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore
dataStoreTTL
required integer path
required string
The path where to save the audit log files. This is required if audit is enabled. Backup log files will
be retained in the same directory.
path
required string maxAge
required integer
MaxAge is the maximum number of days to retain old log files based on the
timestamp encoded in their filename. Note that a day is defined as 24
hours and may not exactly correspond to calendar days due to daylight
savings, leap seconds, etc. The default is not to remove old log files
based on age.
maxAge
required integer maxBackups
required integer
MaxBackups is the maximum number of old log files to retain. The default
is to retain all old log files (though MaxAge may still cause them to get
deleted.)
maxBackups
required integer maxSize
required integer
MaxSize is the maximum size in megabytes of the log file before it gets
rotated. It defaults to 100 megabytes.
maxSize
required integer compress
required boolean false
Compress determines if the rotated log files should be compressed
using gzip. The default is not to perform compression.
compress
required boolean false loftHost
required string
LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com
loftHost
required string devPodSubDomain
required string
DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com
devPodSubDomain
required string uiSettings
required object
UISettings holds the settings for modifying the Loft user interface
uiSettings
required object loftVersion
required string
LoftVersion holds the current loft version
loftVersion
required string logoURL
required string
LogoURL is url pointing to the logo to use in the Loft UI. This path must be accessible for clients accessing
the Loft UI!
logoURL
required string logoBackgroundColor
required string
LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo
logoBackgroundColor
required string legalTemplate
required string
LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft
legalTemplate
required string primaryColor
required string
PrimaryColor is the color value (ex: "#12345") to use as the primary color
primaryColor
required string sidebarColor
required string
SidebarColor is the color value (ex: "#12345") to use for the sidebar
sidebarColor
required string accentColor
required string
AccentColor is the color value (ex: "#12345") to use for the accent
accentColor
required string customCss
required string[]
CustomCSS holds URLs with custom css files that should be included when loading the UI
customCss
required string[] customJavaScript
required string[]
CustomJavaScript holds URLs with custom js files that should be included when loading the UI
customJavaScript
required string[] navBarButtons
required object[]
NavBarButtons holds extra nav bar buttons
navBarButtons
required object[] position
required string
Position holds the position of the button, can be one of:
TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd
position
required string text
required string
Text holds text for the button
text
required string link
required string
Link holds the link of the navbar button
link
required string icon
required string
Icon holds the url of the icon to display
icon
required string vault
required object
VaultIntegration holds the vault integration configuration
vault
required object enabled
required boolean false
Enabled indicates if the Vault Integration is enabled for the project -- this knob only
enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication
methods or Kubernetes secrets engines for vclusters.
enabled
required boolean false address
required string
Address defines the address of the Vault instance to use for this project.
Will default to the VAULT_ADDR
environment variable if not provided.
address
required string VAULT_ADDR
environment variable if not provided.skipTLSVerify
required boolean false
SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.
skipTLSVerify
required boolean false namespace
required string
Namespace defines the namespace to use when storing secrets in Vault.
namespace
required string auth
required object
Auth defines the authentication method to use for this project.
auth
required object token
required string
Token defines the token to use for authentication.
token
required string tokenSecretRef
required object
TokenSecretRef defines the Kubernetes secret to use for token authentication.
Will be used if token
is not provided.
Secret data should contain the token
key.
tokenSecretRef
required object token
is not provided.token
key.name
required string
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
name
required string key
required string
The key of the secret to select from. Must be a valid secret key.
key
required string optional
required boolean false
Specify whether the Secret or its key must be defined
optional
required boolean false syncInterval
required string
SyncInterval defines the interval at which to sync secrets from Vault.
Defaults to 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.
syncInterval
required string 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.How does Audit Logging work for Direct Cluster Endpoints?
If the direct cluster endpoint feature is enabled, Loft audit configuration is synced to each agent and each Loft agent will propagate audit events that it receives back to the central Loft instance, which then logs it as a regular audit event. Such "propagated" events can be identified through the annotations.audit.loft.sh/sent-by-agent
identifier in an audit event.
You can disable event sync back from the agent to the central loft instance via the audit config option disableAgentSyncBack
.