Add Cluster Accounts

Now that users can authenticate with Loft, the question is how they get access to the clusters you connected in step 2 of this setup guide.

In Loft, access to a cluster is defined by a cluster account. A cluster account is an object created in each connected cluster that references a user or team and defines which access and restrictions apply. Every one of these clusters can run in a different availability zone or even in a different cloud platform etc. So, you can connect, for example, EKS clusters from AWS and GKE clusters from Google Cloud and then give people access depending on what they need to work with.

Loft Concepts - Accounts

That means that if a user signs in via single sign-on for the first time, they will not automatically have access to any clusters and cannot do anything.

There are 2 ways you can create cluster accounts for your users:

1. Manually creating and managing cluster accounts for each user in each cluster
2. Automatically create accounts for every new user using Account Templates

Both approaches are not mutually exclusive and are generally used in combination. Most Loft admins configure 2. and then manually edit accounts when needed, e.g. give users access to a newly connected cluster, change limits on a per-user basis, etc.

1. Manual Account Management

Accounts are defined on a per-cluster basis, i.e. if a user needs access to 3 clusters, they will need 3 accounts, one for each cluster.

Users in Loft do not automatically have access to clusters. To give a user access to a cluster, you need to create an account for this user within the cluster.

• UI
• kubectl

Loft UI - Create Account

2. Automation via Account Templates

Loft provides a CRD called ClusterAccountTemplate which allows you to automatically create cluster accounts for users when they are being created or edited.

2.1 Use Default Account Templates

Loft provides 2 default account templates:

• loft-all-cluster-default which gives a user access to ALL connected clusters
• loft-all-cluster-admin which gives a user admin access to ALL connected clusters

You can view and edit these template by navigating to Users > Account Templates.

• Manual Add/Edit User
• Single Sign-On (SSO)

The template loft-all-cluster-default is marked as default template to be used for new users. That means that when you add a new user manually via the UI (not using SSO) and you do not remove this template before creating the user, this template will be applied and the user will get access to all connected clusters.

Loft UI - Apply Cluster Account Templates

You can mark additional templates to be selected by default by adding the label loft.sh/default-template: "true" to the Kubernetes ClusterAccounteTemplate object.

2.2 Custom Account Templates

Besides the two default ClusterAccountTemplates, you can add your own templates, e.g. for giving users access to only a specific set of clusters based on their groups. Learn more about adding your own custom ClusterAccountTemplates here.