Now that users can authenticate with Loft, the question is how they get access to the clusters you connected in step 2 of this setup guide.
In Loft, access to a cluster is defined by a cluster account. A cluster account is an object created in each connected cluster that references a user or team and defines which access and restrictions apply. Each of these clusters can run in a different availability zone or even on a different cloud platform. For example, you can connect EKS clusters from AWS and GKE clusters from Google Cloud and then give people access depending on what they need to work with.
That means that if a user signs in via single sign-on for the first time, they will not automatically have access to any clusters and cannot do anything.
There are 2 ways you can create cluster accounts for your users:
1. Manually create and manage cluster accounts for each user in each cluster
2. Automatically create accounts for every new user using Account Templates
The two approaches are not mutually exclusive and are generally used in combination. Most Loft admins configure option 2 and then manually edit accounts when needed, e.g. to give users access to a newly connected cluster or to change limits on a per-user basis.
1. Manual Account Management
Accounts are defined on a per-cluster basis, i.e. if a user needs access to 3 clusters, they will need 3 accounts, one for each cluster.
Users in Loft do not automatically have access to clusters. To give a user access to a cluster, you need to create an account for this user within the cluster.
2. Automation via Account Templates
Loft provides a CRD called ClusterAccountTemplate which allows you to automatically create cluster accounts for users when they are being created or edited.
2.1 Use Default Account Templates
Loft provides 2 default account templates:
- loft-all-cluster-default, which gives a user access to ALL connected clusters
- loft-all-cluster-admin, which gives a user admin access to ALL connected clusters
You can view and edit these templates by navigating to Users > Account Templates.
loft-all-cluster-default is marked as the default template to be used for new users. That means that when you add a new user manually via the UI (not using SSO) and you do not remove this template before creating the user, this template will be applied and the user will get access to all connected clusters.
You can mark additional templates to be selected by default by adding the label loft.sh/default-template: "true" to the Kubernetes ClusterAccountTemplate object.
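Because every template carrying this label is preselected when a user is added, it is worth reviewing which templates have it. The following is an added example, not part of the Loft documentation: it audits a JSON export of ClusterAccountTemplate objects for the label. The Kubernetes List input shape, the sample data, the template name team-a-dev, the severity names and the exact-match rule for "true" are assumptions.

```python
import json

DEFAULT_LABEL = "loft.sh/default-template"
# Built-in templates the page says grant access to ALL connected clusters.
ALL_CLUSTER = {
    "loft-all-cluster-default": "access to ALL connected clusters",
    "loft-all-cluster-admin": "admin access to ALL connected clusters",
}

# Constructed sample: a Kubernetes List of ClusterAccountTemplate objects,
# reduced to metadata. "team-a-dev" and "team-b-dev" are hypothetical names.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "loft-all-cluster-default",
                  "labels": {DEFAULT_LABEL: "true"}}},
    {"metadata": {"name": "loft-all-cluster-admin",
                  "labels": {DEFAULT_LABEL: "true"}}},
    {"metadata": {"name": "team-a-dev",
                  "labels": {DEFAULT_LABEL: "True"}}},
    {"metadata": {"name": "team-b-dev"}},
]})


def audit_default_templates(list_json):
    """Return (name, severity, note) for each template carrying the label."""
    findings = []
    for item in json.loads(list_json).get("items", []):
        meta = item.get("metadata") or {}
        labels = meta.get("labels") or {}
        if DEFAULT_LABEL not in labels:
            continue  # not preselected when a user is added
        name, value = meta.get("name", "<unnamed>"), labels[DEFAULT_LABEL]
        if value != "true":
            # Assumption: only the exact string "true" shown on the page counts.
            findings.append((name, "info", f"label value {value!r} is not 'true'"))
        elif name == "loft-all-cluster-admin":
            findings.append((name, "high", "added users get " + ALL_CLUSTER[name]))
        elif name in ALL_CLUSTER:
            findings.append((name, "medium", "added users get " + ALL_CLUSTER[name]))
        else:
            findings.append((name, "review", "custom template preselected"))
    return findings


if __name__ == "__main__":
    for name, severity, note in audit_default_templates(SAMPLE):
        print(f"{severity:6} {name}: {note}")
```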
2.2 Custom Account Templates
Besides the two default ClusterAccountTemplates, you can add your own templates, e.g. for giving users access to only a specific set of clusters based on their groups. Learn more about adding your own custom ClusterAccountTemplates here.