Cluster Access & Accounts
In Loft, access to a cluster is defined by a cluster account. A cluster account is an object created in each connected cluster that references a user or team and defines which access and restrictions apply. Every one of these clusters can run in a different availability zone or even in a different cloud platform etc. So, you can connect, for example, EKS clusters from AWS and GKE clusters from Google Cloud and then give people access depending on what they need to work with.
Managing Accounts
Create Accounts
Users in Loft do not automatically have access to clusters. To give a user access to a cluster, you need to create an account for this user within the cluster.
- UI
- kubectl
Create file account.yaml
:
apiVersion: tenancy.kiosk.sh/v1alpha1
kind: Account
metadata:
name: johns-account
labels:
# the kubernetes name of the
# loft user you want to create
# the account for
loft.sh/user: my-loft-user
# loft.sh/team: my-loft-team
spec:
# Subjects should be empty since loft
# will sync the subjects automatically
# from the user or team
subjects: []
Create the account using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl apply -f account.yaml
Space Creation Settings
- UI
- kubectl
If you open the form to create or edit a cluster account, you will see the section "Space Creation Settings" which provides the following options:
- Space Limit to set a maximum number of namespaces for this account
- Timeout for Automatic Sleep Mode to enable automatic sleep mode after a certain period of inactivity
- Enforce Templates to specify templates which will be instantiated when creating a space with this account
- Labels & Annotations to specify metadata which should be set when creating a space3
Create file account.yaml
:
apiVersion: tenancy.kiosk.sh/v1alpha1
kind: Account
metadata:
name: johns-account
spec:
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: john # References the `spec.subject` defined in the User object
space:
clusterRole: loft-cluster-space-default
limit: 5
spaceTemplate:
metadata:
creationTimestamp: null
labels:
some-label: some-value
annotations:
# automatically start sleep mode after 1h
sleepmode.loft.sh/sleep-after: '3600'
Create the account using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl apply -f account.yaml
Delete Accounts
- UI
- kubectl
Delete an account using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl delete account [ACCOUNT_NAME]
Data Loss
Deleting an account will also delete:
- all AccountQuotas created for the account
- all spaces owned by the account
- all RBAC objects associated with the account and its spaces
Deletion of these objects will be handled by Kubernetes OwnerReferences.
Account Templates
Loft provides a CRD called ClusterAccountTemplate which allows you to automatically create cluster accounts for users or tea,s when they are being created or edited.