Spaces / Namespaces

Spaces are virtual objects which represent namespaces in a Kubernetes cluster. The advantage of letting engineers work with spaces is that you can give them the permission to list/get/create/delete spaces without having to give them the permission to list/get/create/delete namespaces.

While engineers work with spaces, Loft handles the underlying operations on the actual namespaces and enforces the restrictions that admins define for users, e.g. limting the number of spaces/namespaces.

Create Spaces

Loft UI - Create Space

Creating spaces in the UI is easy but to actually use the space, a cluster user needs a valid kube-context which most non-admin users do not have by default. To get a kube-context limited to a certain space, run the following command using the CLI:

loft use space [SPACE_NAME]
How does it work?

To provide access to a space/namespace, Loft creates a new RBAC role binding for the Loft user. This is done in a way that this user can only access objects within this and other namespaces the user has access to. Then, Loft generates a kube-context using an access key and adds it to the ~/.kube/config file on the user's computer.

Delete Spaces

Loft UI - Delete Space
No Kube-Context Cleanup

This will not clean up the local kube-context you may have for this space. Only when removing a space using the Loft CLI, the local kube-context will also be removed from your ~/.kube/config file.

Share Spaces

Sometimes it may be useful to give others access to one of your spaces. Since Loft's authorization system is based on Kubernetes RBAC, you can simply create a RoleBinding to give other users access. Allowing them to view and edit a namespace and/or resources within this namespace will enable them to see a corresponding space in the UI and also to run loft use space to configure a kube-context for accessing the space using kubectl, helm and other tools.

Loft UI - Share Space

Access Spaces

Accessing an already existing space can be either done by using the Loft CLI or constructing a kube config directly.

Just run the following command in the Loft CLI

loft use space [SPACE_NAME]
How does it work?

To provide access to a space/namespace, Loft creates a new RBAC role binding for the Loft user. This is done in a way that this user can only access objects within this and other namespaces the user has access to. Then, Loft generates a kube-context using an access key and adds it to the ~/.kube/config file on the user's computer.