Loft provides different authentication mechanisms including password-based authentication and several single sign-on (SSO) options.


Add Users


Create User

Loft UI - Create User

Send Invite Link To User (optional)

If you did not specify a password for the user in step 1, Loft will automatically generate an invite link with a one-time access token for this user. If you send these invite links to your users, they will be logged in and asked to change their password.

Reset Passwords

Loft UI - Reset Password

Delete Users

Loft UI - Delete User

Delete a user using kubectl:

# IMPORTANT: Make sure to switch to the context of the Loft management cluster!
kubectl delete user [USER_NAME]
Data Loss

Deleting a user will also delete all cluster accounts that are owned solely by this user. Deleting these accounts in turn will also delete other related objects such as account quotas and spaces.

Disable Users

Its possible to disable users that will prevent them from accessing Loft. You can disable an user in the UI under the Users tab. Disabled users will not be able to login anymore and all there currently active sessions will be terminated. However, all spaces, accounts and other user related objects will not be changed.

Disable User
Disable an User in Loft

Cluster Roles

Loft provides an ClusterRole named loft-management-admin that can be assigned to users. This role will allow users to manage all Loft-related ressources within the Loft cluster, i.e. user, cluster, team etc.

Loft UI - Loft ClusterRoles

Image Pull Secrets

Image pull secrets can be used to automatically login users to specified container image registries as soon as they run loft login (no locally installed docker needed).

Creating a shared image pull secret is very similar to creating an image pull secret in kubernetes itself:

On your computer, you must authenticate with a registry in order to grant other users or teams access to it:

docker login [optional-docker-registry]

When prompted, enter your Docker username and password.

The login process creates or updates a config.json file that holds an authorization token.

View the config.json file:

cat ~/.docker/config.json

The output contains a section similar to this:

"auths": {
"": {
"auth": "c3R...zE2"

Note: If you use a Docker credentials store, you won't see that auth entry but a credsStore entry with the name of the store as value.

With that information you can create a shared loft secret.

Create Secret
Create a shared secret with docker credentials

Note: The actual name of the shared secret or key name do not matter and can be chosen freely.

Next, you can configure a user or team to use that image pull secret, by editing the Image Pull Secrets section of the user or team.

Assign Secret
Assign the shared secret to an user

Then press 'Update'. If the user will now login, he will also login into the specified container registry:

$ loft login
[info] If the browser does not open automatically, please navigate to
[done] √ Successfully logged into loft at
[done] √ Successfully logged into docker registry 'docker hub'
User or Team need view access

In order for the user to login with an image pull secret, the user or the team need to have access to view the shared secret, otherwise they will not be able to login into the container registry. You can change the access to a shared secret in the Secrets > YOUR-SECRET > Access tab.