Skip to main content
Version: 2.0 (Latest)

Self-Service Namespaces in Loft

Spaces are virtual resources that represent regular Kubernetes namespaces. Typically, non-admin users to not have the permission to list, create or delete namespaces in a shared Kubernetes clusters. That's why Loft adds the space resource to Kubernetes. Spaces are not stored in etcd but rather abstract from regular namespaces. Deleting a space will effectively delete the underlying namespace, for example. In turn, any labels and annotations set on a namespace will show up on the corresponding space as well.

flowchart LR; CLI("<code>loft create space dev-anna</code>") --> Loft kubectl("<code>kubectl apply -f space.yaml</code>") --> Loft Loft("<img src='/docs/media/loft-logo.svg' width='60' height='30' />") Loft --> Namespace("<pre>apiVersion: v1 kind: Namespace metadata: name: dev-anna ...</pre>") class CLI,kubectl code class Namespace yaml class Loft loft

Working with Spaces

Space and namespaces are directly coupled via a 1:1 relationship. But unlike with namespaces, it is safe to give non-admin users the permission to create and manage their own spaces.

Create Spaces

To create a space using Loft CLI, run:

loft create space [space-name]
Kube-Context

Running loft create space will automatically add a kube-context to your kube-config file, so you can immediately run kubectl commands right after creating a space.

Delete Spaces
loft delete space [space-name]
Kube-Context

Deleting spaces with Loft CLI has the advantage that Loft CLI will also delete the kube-context for this space from your local kube-config file to keep everything cleaned up.

List Spaces

To see a list of spaces, go to the Spaces view using the main menu on the left.

Spaces & Namespaces

If you are admin in one of the clusters connected to Loft, you will have permission to view all namespaces in the cluster. Since spaces and namespaces have a 1:1 relationship and Loft is often relying on regular Kubernetes RBAC, you will be able to see all namespaces in the Spaces view rather than just namespaces created via Loft.

Sleep Mode

With sleep mode, you can put Kubernetes namespaces to sleep which means that Loft will set replicas: 0 for all replica-controlled resources such as Deployments and StatefulSets. This means that Kubernetes will delete all pods but the entire configuration of resources within the namespace is still there.

Start Sleep (manual)
  1. In the Spaces view, hover over the row of the space that you want to put to sleep
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to put the space to Sleep
  4. Notice how the Status column shows that the space is now sleeping.
Automatic Wakeup

Note that the space will automatically wake up again, once you run a kubectl command within the space.

Wake up space
  1. In the Spaces view, hover over the Status column of the space that you want to put to sleep
  2. While hovering over the row, you will see a tooltip appear that provide information about the sleep state of this space
  3. Click on the button to wakeup the space
  4. Notice how the Status column shows that the space is now Active again.
Automatic Sleep Mode (individual space)
  1. In the Spaces view, hover over space that you want to configure automatic sleep mode for
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Edit the space
  4. In the drawer that appears on the right, expand the Sleep Mode section
  5. Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
  6. On the very bottom, click on the button to save the changes
Scheduled Sleep & Wake-Up (individual space)
  1. In the Spaces view, hover over space that you want to configure automatic sleep mode for
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Edit the space
  4. In the drawer that appears on the right, expand the Sleep Mode section
  5. Expand the Sleep & Wake-Up Schedule section
  6. Use the Sleep Schedule field and/or the Wake-Up Schedule field to specify the Conjob Times when the respective namespace should be put to sleep or woken up
  7. On the very bottom, click on the button to save the changes
Enforce Sleep Mode For All Spaces Created By User/Team
  1. Go to the Clusters view using the menu on the left
  2. Switch to the Space Constraints tab
  3. Option A: Hover over the space constraints object that you want to configure automatic sleep mode with and click on the button to Edit an existing space constraints object

    Option B: Click the button to create a new space constraints object

  4. In the drawer that appears on the right, expand the Enforce Space Settings section
  5. Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
  6. On the very bottom, click on the or button to save the changes
  7. Switch to the Cluster Access tab
  8. Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
  9. In the drawer that appears on the right, expand the Restrictions section
  10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
  11. On the very bottom, click on the button to update the cluster access
Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.

Auto-Delete

Loft lets you configure an auto-delete for namespaces that have not been used for a certain period of time (inactivity).

Configure Auto-Delete Timeout (individual space)
  1. In the Spaces view, hover over space that you want to configure auto-delete for
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Edit the space
  4. In the drawer that appears on the right, expand the Sleep Mode section
  5. Use the Delete After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity involving this namespace
  6. On the very bottom, click on the button to save the changes
Enforce Auto-Delete Timeout For All Space Created By User/Team
  1. Go to the Clusters view using the menu on the left
  2. Switch to the Space Constraints tab
  3. Option A: Hover over the space constraints object that you want to configure auto-delete with and click on the button to Edit an existing space constraints object

    Option B: Click the button to create a new space constraints object

  4. In the drawer that appears on the right, expand the Enforce Space Settings section
  5. Use the Delete After Inactivity field to specify the Time (in minutes) to wait before deleting the space if there is no more user activity in this namespace
  6. On the very bottom, click on the or button to save the changes
  7. Switch to the Cluster Access tab
  8. Hover over the cluster access of the user or team that you want to enforce auto-delete for and click on the button to Edit the cluster access
  9. In the drawer that appears on the right, expand the Restrictions section
  10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
  11. On the very bottom, click on the button to update the cluster access
Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.

Space Templates

Loft allows you to create templates for spaces. Unlike Space Constraints which are enforced for a space, space templates are optional templates that a user can choose to apply when creating a space.

Common use cases for space templates may be:

  • Adding development tooling to a namespace
  • Deploying pre-populated databases with test data
  • Equipping new namespaces with optional credentials such as image pull secrets
Security Templates

Do not use space templates for setting up security-related resources such as NetworkPolicies or LimitRanges. Instead, use Space Constraints to enforce tenant isolation and other security measures.

1. Create Space Template
  1. Go to the Spaces view using the menu on the left
  2. Switch to the Space Templates tab
  3. Click the button to create a new space template
  4. In the drawer that appears on the right, use the field Display Name to specify a Name for your space template
  5. Specify sleep mode settings as well as enforced labels and annotations for the spaces that will be created from this template
  6. Expand the Deploy Apps section to specify which apps should be deployed as part of this template
  7. On the very bottom, click on the button to create this space template
2. Create Space Using Space Template

To use a space template to create a space using Loft CLI, run:

loft create space [space-name] --template [template-name]
Kube-Context

Running loft create space will automatically add a kube-context to your kube-config file, so you can immediately run kubectl commands right after creating a space.

Space Constraints

Space Constraints allow you to define restrictions for namespaces such as enforced resources that will be deployed to each new namespace a user creates (e.g. NetworkPolicies) or other enforced settings such as mandatory labels, annotations, or any sleep mode configurations.

1. Create Space Constraints
  1. Go to the Clusters view using the menu on the left
  2. Switch to the Space Constraints tab
  3. Click the button to create a new space constraints object
  4. In the drawer that appears on the right, use the field Display Name to specify a Name for your space constraints object
  5. Expand the Enforce Resources section to specify manifests that should be deployed to and enforced in each namespace that is affected by these space constraints
  6. Expand the Enforce Space Settings section to specify other space settings such as sleep mode, auto-delete, labels and annotations that should be enforced for each namespace that is affected by these space constraints
  7. On the very bottom, click on the button to create this space constraints object
2. Enforce Space Constraints For Users & Teams
  1. Go to the Clusters view using the menu on the left
  2. Switch to the Cluster Access tab
  3. Hover over the cluster access that you want to apply these space constraints to and click on the button to Edit the cluster access
  4. In the drawer that appears on the right, expand the Restrictions section
  5. Use the Enforce Space Constraints field to select the Space Constraint that you want to enforce for all spaces created using this cluster access
  6. On the very bottom, click on the or button to save the changes
  7. Switch to the Cluster Access tab
  8. Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
  9. In the drawer that appears on the right, expand the Restrictions section
  10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
  11. On the very bottom, click on the button to save the changes
Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.

Access Permissions

Loft makes it easy to give other users or even entire teams access to one of your namespaces.

To give someone access to a virtual cluster using Loft CLI, run:

loft share vcluster