Users, Accounts & Quotas

There are 3 important access control concepts in loft:

  • Users can sign into loft using a password or using OpenID Connect [1] = authentication
  • Accounts define the permissions of users within a certain cluster = authorization
  • Account Quotas define resource limits for an account across all spaces within a cluster [2]

[1] Supported auth providers include: GitHub, GitLab, LDAP, SAML 2.0, Google, Microsoft
[2] Think of a Kubernetes ResourceQuota but aggregated across namespaces

Add Users

loft UI - Create User
Send Invite Link

If you do not set a password for the user, loft will generate an access key for the user and display an invite link which you can send to the user to sign in and define a password for their user.

Create Cluster Accounts

Users in loft do not automatically have access to clusters. To give a user access to a cluster, you need to create an account for this user within the cluster.

loft UI - Create Account
Copy Cluster Accounts

When creating a new user, loft offers the option to copy cluster accounts from an existing user. You could also create a "template user," configure all cluster accounts and quotas for this template user, and then add the rest of your team by copying the accounts when adding the users.

Create Account Quotas

Account quotas are like Kubernetes resource quotas but they are aggregated across namespaces, i.e. if you specify a limit such as limits.memory: 8Gi, the user can use up to 8Gi of memory across all the spaces owned by the account that the quota is defined for.

Account quotas can be created for any existing cluster account and as part of the process of updating and creating cluster accounts when using the UI.

loft UI - Create Account Quota
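
The aggregation rule described above, as an added example (not loft's code or API): a small Python model that sums usage over every space an account owns and checks a new request against the account-wide limit. The function names, space names and usage figures are constructed for illustration, and only memory-style quantities (Ki/Mi/Gi, k/M/G) and plain counts are parsed.

```python
from decimal import Decimal

# Kubernetes quantity suffixes for memory-style values (binary and decimal).
_SUFFIXES = {
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
}

def parse_quantity(q: str) -> int:
    """Convert a quantity such as '8Gi', '512Mi' or '10' to an integer."""
    q = q.strip()
    for suffix, factor in _SUFFIXES.items():
        if q.endswith(suffix):
            return int(Decimal(q[: -len(suffix)]) * factor)
    return int(Decimal(q))

def check_request(hard, usage_by_space, request):
    """Return (allowed, violations) for a new workload request.

    hard:           account-wide limits, e.g. {"limits.memory": "8Gi"}
    usage_by_space: {space: {resource: quantity}} for all spaces the account owns
    request:        {resource: quantity} the new workload would add
    """
    violations = []
    for resource, limit in hard.items():
        # Aggregate across every space, unlike a per-namespace ResourceQuota.
        used = sum(parse_quantity(u.get(resource, "0"))
                   for u in usage_by_space.values())
        total = used + parse_quantity(request.get(resource, "0"))
        cap = parse_quantity(limit)
        if total > cap:
            violations.append(f"{resource}: {total} > {cap} across all spaces")
    return (not violations, violations)

# Constructed sample data: one account owning three spaces.
QUOTA = {"limits.memory": "8Gi"}
USAGE = {
    "dev": {"limits.memory": "3Gi"},
    "staging": {"limits.memory": "4Gi"},
    "scratch": {},  # empty space still counts toward the same account quota
}

if __name__ == "__main__":
    print(check_request(QUOTA, USAGE, {"limits.memory": "1Gi"}))
    print(check_request(QUOTA, USAGE, {"limits.memory": "1536Mi"}))
```

The second request would fit comfortably in the empty "scratch" space under a per-namespace quota of the same size, but it is rejected here because the account's spaces together would exceed 8Gi.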

Space Limit & Metadata

While account quotas mainly concern the resources that users create inside their spaces, you can also restrict the creation of spaces itself.

If you open the form to create or edit a cluster account, you will see the section "Space Creation Settings" which provides the following options:

  • Space Limit to set a maximum number of namespaces for this account
  • Timeout for Automatic Sleep Mode to enable automatic sleep mode after a certain period of inactivity
  • Enforce Templates to specify templates which will be instantiated when creating a space with this account
  • Labels & Annotations to specify metadata which should be set when creating a space [3]

[3] While users are generally able to define their own labels and annotations, loft will make sure that the enforced labels and annotations cannot be overwritten.

loft UI - Change Space Creation Settings