Add Limits & Isolation

There are 3 concepts in Loft that allow you to restrict or limit a user's account within a cluster:

  • Account Quotas define resource limits for an account across all namespaces of an account within a cluster [1]
  • Space Creation Settings define max number of namespaces a user can create, sleep mode and other options
  • Templates which can be enforced when creating a namespace (e.g. NetworkPolicies, LimitRanges etc.)
[1] Think of a Kubernetes ResourceQuota but aggregated across namespaces of an account.

Create Account Quotas

Account quotas are like Kubernetes resource quotas but they are aggregated across namespaces, i.e. if you specify a limit such as limits.memory: 8Gi, the user can use up to 8Gi of memory across all the spaces owned by the account that the quota is defined for.

Account quotas can be created for any existing cluster account; when you use the UI, they can also be added as part of creating or editing a cluster account.

Loft UI - Create Account Quota

Space Limit & Metadata

While account quotas mainly concern the resources that users create inside their spaces, you can also restrict the creation of spaces itself.

If you open the form to create or edit a cluster account, you will see the section "Space Creation Settings" which provides the following options:

  • Space Limit to set a maximum number of namespaces for this account
  • Timeout for Automatic Sleep Mode to enable automatic sleep mode after a certain period of inactivity
  • Enforce Templates to specify templates which will be instantiated when creating a space with this account
  • Labels & Annotations to specify metadata which should be set when creating a space [3]
[3] While users are generally able to define their own labels and annotations, Loft will make sure that the enforced labels and annotations cannot be overwritten.
Loft UI - Change Space Creation Settings

Templates

Templates define Kubernetes manifests or Helm charts that you want to deploy to every namespace that a user creates when using their cluster account. This allows you to isolate namespaces and enforce security policies for each namespace.

Create Templates

Loft provides 2 default templates which will be added to each connected cluster:

  • loft-limit-range for an example of a LimitRange
  • loft-network-policy for an example of a NetworkPolicy

You can edit these templates if you want to, or you can create your own templates as shown below.

Loft UI - Create Template
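The following is an added example of what an isolation template could contain; it is not the content of Loft's built-in loft-limit-range and loft-network-policy templates, which this page does not reproduce, and the resource names are illustrative. The LimitRange gives every container default requests and limits, and the NetworkPolicy admits ingress only from pods in the same namespace:

```yaml
# Added example, not one of Loft's built-in templates. Two manifests a
# template could deploy into every space created by an account.
#
# A LimitRange also makes quotas usable in practice: a Kubernetes quota on
# limits.memory rejects containers that declare no memory limit, and the
# LimitRange defaults fill that in for users who forget.
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits          # illustrative name
spec:
  limits:
    - type: Container
      default:                  # applied when the container sets no limits
        cpu: "500m"
        memory: "512Mi"
      defaultRequest:           # applied when the container sets no requests
        cpu: "100m"
        memory: "128Mi"
      max:                      # upper bound for any single container
        cpu: "2"
        memory: "2Gi"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-namespace       # illustrative name
spec:
  podSelector: {}               # selects every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector without a namespaceSelector matches pods in the
        # policy's own namespace only, so traffic from other tenants'
        # namespaces is dropped.
        - podSelector: {}
```

Two caveats when relying on this: a NetworkPolicy is only enforced if the cluster's network plugin implements policies (a CNI without policy support accepts the object and silently ignores it), and the policy above restricts ingress only, so egress from the space stays open unless you add an Egress rule.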

Enforce Templates

One of the most popular use cases for templates is to ensure cluster security and enforce isolation among users and spaces. However, creating a template by itself does nothing: it only takes effect once it is enforced for an account.

You can enforce that certain templates are always applied to namespaces when they are being created by adding these templates under "Enforce Templates" in the "Space Creation Settings" of an account.

Loft UI - Enforce Template

Additional Security

While Templates are great for namespace-level enforcement of security policies, it is strongly recommended to add cluster-wide security resources as well.

One example of such a security resource would be a PodSecurityPolicy that should be added to each connected cluster. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on newer clusters use Pod Security Admission instead (the pod-security.kubernetes.io/enforce namespace label, which you can set for every space through the enforced Labels in the Space Creation Settings) or a policy engine. On clusters that still support it, a PodSecurityPolicy only has an effect if the PodSecurityPolicy admission controller is enabled on the API server and the pod's service account or creating user is granted RBAC permission to "use" the policy. You can use the following example to get started:

# PodSecurityPolicy lives in the "policy" API group; the extensions/v1beta1
# version was removed in Kubernetes 1.16.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: strict-policy
spec:
  # The following four default to false; they are listed explicitly so the
  # policy reads as what it denies.
  privileged: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  allowPrivilegeEscalation: false
  # A range of 0-0 effectively forbids hostPort on containers.
  hostPorts:
    - max: 0
      min: 0
  # RunAsAny for the entries below means the policy does not restrict them;
  # in particular containers may still run as root.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # hostPath is deliberately absent, so host filesystem mounts are denied.
  volumes:
    - secret
    - configMap
    - emptyDir
    - downwardAPI
    - persistentVolumeClaim
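A PodSecurityPolicy is only applied to pods whose creator or service account may "use" it; with the admission controller enabled and no usable policy, pod creation is rejected outright. The following added example, which is not part of the Loft documentation, binds the strict-policy above to every service account in the cluster so that the policy actually takes effect. The ClusterRole and ClusterRoleBinding names are illustrative:

```yaml
# Added example, not from the Loft docs: RBAC that lets strict-policy (the
# PodSecurityPolicy above) be used by all service accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-strict-policy-user            # illustrative name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["strict-policy"]      # the PSP defined above
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-strict-policy-all-serviceaccounts   # illustrative name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-strict-policy-user
subjects:
  # system:serviceaccounts is the built-in group containing every service
  # account in every namespace, so pods created by any controller or
  # workload are evaluated against strict-policy.
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
```

To check that the binding does what you expect before relying on it, run kubectl auth can-i use podsecuritypolicy/strict-policy --as=system:serviceaccount:<namespace>:default for one of the account's spaces; it should answer yes. Remember that if any more permissive PodSecurityPolicy is also usable by that service account, the admission controller may select it instead, so audit all existing policies rather than only the one you add.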