Version: 2.0 (Latest)

Configure Cluster Access in Loft

The core feature of Loft is to enable users to get self-service access to Kubernetes and allow them to create isolated namespaces and virtual clusters whenever they need them.

[Diagram: the Loft CLI / UI and tools such as kubectl and helm connect to Loft, which uses Cluster Access to reach Kubernetes Cluster A, Kubernetes Cluster B, and further clusters.]

This page will show you how to:

  1. Create a Test User
  2. Impersonate this user
  3. Switch back to our admin role and give the user access to a Kubernetes cluster
  4. Use impersonation again to verify the user's access to the cluster

1. Create Test User

Loft lets you connect a variety of SSO providers for authentication, but for the sake of simplicity, let's manually create a user to learn more about Loft's cluster access features:

  1. Go to the Users view using the main menu on the left
  2. Click on the button
  3. Use the field Display Name to enter the value Anna
  4. Click on the button at the very bottom
  5. Close the popup using the button

100% Kubernetes Native

Remember: Everything you do in Loft UI, including creating a user, is effectively a kubectl command under the hood. So, everything you do in this guide creates or changes objects in your cluster and you could also manage these actions via kubectl or any kind of GitOps tool.

2. Impersonate User

Loft allows admins with appropriate RBAC permissions to impersonate users. Let's try this to see what Loft UI looks like for our newly created user:

  1. In the Users view, hover over the row with user Anna
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Impersonate the user
  4. In the popup, click on the button to confirm that you want to start impersonation
  5. After impersonation has started, go to the Clusters view using the main menu on the left
  6. Verify that Anna has no access to any clusters

To also use Loft CLI as the impersonated user, you can run the following command while impersonation is active:

loft login localhost:9898 --insecure    # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag

You can verify the login and print your user information via:

loft login

3. Configure Cluster Access

Let's give our test user Anna access to one of the clusters connected to this Loft instance:

  1. If you are still impersonating, click
  2. Go to the Clusters view using the main menu on the left
  3. Switch to the tab Cluster Access
  4. Click on the button
  5. Use the field Display Name and enter the value Anna
  6. In the Users & Teams section, make sure the Users tab is selected because we want to give an individual user access to a cluster
  7. Use the field Select Individual Users and select user Anna
  8. In the Clusters section, either select All Clusters or the specific cluster that you want to give Anna access to
  9. Click the button at the bottom of the drawer

Single Sign-On + Cluster Access

You can connect a variety of SSO providers to Loft. To automatically give users access to clusters based on their SSO user groups, switch to the Team Members tab and grant cluster access for each member of a team (e.g. for each member of a group in Active Directory, Okta, SAML, etc.).

4. Verify Cluster Access

After configuring the cluster access for test user Anna, let's verify that she can access the cluster:

  1. Go to the Users view using the main menu on the left
  2. Hover over the row with user Anna and click on the button to Impersonate the user
  3. In the popup, click on the button to confirm that you want to start impersonation
  4. Go to the Clusters view using the main menu on the left
  5. Verify that Anna now has access to the clusters you specified in her cluster access

Next Steps

With access to a cluster, users can typically:

Loft allows you to: