Skip to main content
Version: 3.4

Install Loft

Using Loft CLI is the preferred way to deploy Loft to a Kubernetes cluster. If you decide later on you want to manage your Loft instance via GitOps, you may export the applied Kubernetes manifests or Helm chart configuration and store this data in a git repository.

1. Download and Install Loft CLI

Use one of the following commands to download the Loft CLI binary from GitHub:

curl -L -o loft "" && sudo install -c -m 0755 loft /usr/local/bin

Alternatively, you can download the binary for your platform from the GitHub Releases page and add this binary to your PATH.

2. Deploy Loft

Make sure you are using the correct kube-context via kubectl config current-context and then run:

loft start

The CLI will ask for your email address to create the admin user and then deploy Loft to your cluster.


Your Loft pod is not starting or the UI is not showing up? View our Troubleshooting Guide if you have any issues.

Open Ports in VPC Networks

Since loft installs webhooks and api server extensions into the cluster, the kubernetes master needs to be able to communicate with the loft pod. In private GKE clusters the kubernetes master and nodes for example are not in the same subnetwork and cannot communicate directly with each other on every port. Hence, you need to ensure that there is a firewall rule that allows incoming traffic from the kubernetes master network to the tcp ports:

  • 9443 (loft agent webhook)
  • 8443 (loft agent api service extension -
  • 9444 (loft api service extension -

3. Login

While loft start is running in the background, open a second terminal window and sign in via the CLI:

loft login https://localhost:9898  --insecure     # See `loft start` output for login credentials

This command will open the browser where you can sign in using the login data shown in the output of loft start.

Accept Untrusted Certificate

Since Loft generates a self-signed SSL certificate, you need to run loft login with the --insecure flag and once the browser opens, you will also need to accept the untrusted self-signed certificate before the login page will show up. Once you connect a domain to Loft later on, you can use your own, valid certificates or have one provisioned via cert-manager.