Cluster Roles Templates

Cluster roles in Loft are defining templates for Kubernetes ClusterRoles that are intended to grant permissions to the clusters connected to Loft. The benefit of using Loft's cluster roles is that they are automatically synchronized to your connected clusters which means that multi-cluster RBAC configuration can be managed from a single source of truth to reduce complexity and management effort.

Configuration

Metadata

Display Name

JSONPath in ClusterRoleTemplate CRD:

 spec.displayName (type: string)

Kubernetes Name

JSONPath in ClusterRoleTemplate CRD:

 metadata.name (type: string)

Description

JSONPath in ClusterRoleTemplate CRD:

 spec.description (type: string)

Labels

JSONPath in ClusterRoleTemplate CRD:

 metadata.labels (type: map[string]string)

Annotations

JSONPath in ClusterRoleTemplate CRD:

 metadata.annotations (type: map[string]string)

ClusterRole Template

RBAC Rules

JSONPath in ClusterRoleTemplate CRD:

 spec.localClusterRoleTemplate.spec.clusterRoleTemplate.rules (type: RBACRule[])

Aggregation

JSONPath in ClusterRoleTemplate CRD:

 spec.localClusterRoleTemplate.spec.clusterRoleTemplate.aggregationRule (type: RBACAggregationRule{})

Labels

JSONPath in ClusterRoleTemplate CRD:

 spec.localClusterRoleTemplate.metadata.labels (type: string[])

Annotations

JSONPath in ClusterRoleTemplate CRD:

 spec.localClusterRoleTemplate.metadata.annotations (type: string[])

Clusters

JSONPath in ClusterRoleTemplate CRD:

 spec.clusters (type: string[])

Access To Cluster Role

JSONPath in ClusterRoleTemplate CRD:

 spec.access (type: Access[])

CRDs

ClusterRoleTemplate

apiVersion	string APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind	string Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	object (io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta) ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
	object (com.github.loft-sh.api.pkg.apis.management.v1.ClusterRoleTemplateSpec) ClusterRoleTemplateSpec holds the specification
	object (com.github.loft-sh.api.pkg.apis.management.v1.ClusterRoleTemplateStatus) ClusterRoleTemplateStatus holds the status

{

• "apiVersion": "string",
• "kind": "string",
• "metadata": {

  • "annotations": {

    • "property1": "string",
    • "property2": "string"

    },
  • "clusterName": "string",
  • "creationTimestamp": "2019-08-24T14:15:22Z",
  • "deletionGracePeriodSeconds": 0,
  • "deletionTimestamp": "2019-08-24T14:15:22Z",
  • "finalizers": [

    • "string"

    ],
  • "generateName": "string",
  • "generation": 0,
  • "labels": {

    • "property1": "string",
    • "property2": "string"

    },
  • "managedFields": [

    • {

      • "apiVersion": "string",
      • "fieldsType": "string",
      • "fieldsV1": { },
      • "manager": "string",
      • "operation": "string",
      • "time": "2019-08-24T14:15:22Z"

      }

    ],
  • "name": "string",
  • "namespace": "string",
  • "ownerReferences": [

    • {

      • "apiVersion": "string",
      • "blockOwnerDeletion": true,
      • "controller": true,
      • "kind": "string",
      • "name": "string",
      • "uid": "string"

      }

    ],
  • "resourceVersion": "string",
  • "selfLink": "string",
  • "uid": "string"

  },
• "spec": {

  • "access": [

    • {

      • "subresources": [

        • "string"

        ],
      • "teams": [

        • "string"

        ],
      • "users": [

        • "string"

        ],
      • "verbs": [

        • "string"

        ]

      }

    ],
  • "clusters": [

    • "string"

    ],
  • "description": "string",
  • "displayName": "string",
  • "localClusterRoleTemplate": {

    • "metadata": {

      • "annotations": {

        • "property1": "string",
        • "property2": "string"

        },
      • "clusterName": "string",
      • "creationTimestamp": "2019-08-24T14:15:22Z",
      • "deletionGracePeriodSeconds": 0,
      • "deletionTimestamp": "2019-08-24T14:15:22Z",
      • "finalizers": [

        • "string"

        ],
      • "generateName": "string",
      • "generation": 0,
      • "labels": {

        • "property1": "string",
        • "property2": "string"

        },
      • "managedFields": [

        • {

          • "apiVersion": "string",
          • "fieldsType": "string",
          • "fieldsV1": { },
          • "manager": "string",
          • "operation": "string",
          • "time": "2019-08-24T14:15:22Z"

          }

        ],
      • "name": "string",
      • "namespace": "string",
      • "ownerReferences": [

        • {

          • "apiVersion": "string",
          • "blockOwnerDeletion": true,
          • "controller": true,
          • "kind": "string",
          • "name": "string",
          • "uid": "string"

          }

        ],
      • "resourceVersion": "string",
      • "selfLink": "string",
      • "uid": "string"

      },
    • "spec": {

      • "clusterRoleTemplate": {

        • "aggregationRule": {

          • "clusterRoleSelectors": [

            • {

              • "matchExpressions": [

                • {

                  • "key": null,
                  • "operator": null,
                  • "values": [ ]

                  }

                ],
              • "matchLabels": {

                • "property1": "string",
                • "property2": "string"

                }

              }

            ]

          },
        • "metadata": {

          • "annotations": {

            • "property1": "string",
            • "property2": "string"

            },
          • "clusterName": "string",
          • "creationTimestamp": "2019-08-24T14:15:22Z",
          • "deletionGracePeriodSeconds": 0,
          • "deletionTimestamp": "2019-08-24T14:15:22Z",
          • "finalizers": [

            • "string"

            ],
          • "generateName": "string",
          • "generation": 0,
          • "labels": {

            • "property1": "string",
            • "property2": "string"

            },
          • "managedFields": [

            • {

              • "apiVersion": "string",
              • "fieldsType": "string",
              • "fieldsV1": { },
              • "manager": "string",
              • "operation": "string",
              • "time": "2019-08-24T14:15:22Z"

              }

            ],
          • "name": "string",
          • "namespace": "string",
          • "ownerReferences": [

            • {

              • "apiVersion": "string",
              • "blockOwnerDeletion": true,
              • "controller": true,
              • "kind": "string",
              • "name": "string",
              • "uid": "string"

              }

            ],
          • "resourceVersion": "string",
          • "selfLink": "string",
          • "uid": "string"

          },
        • "rules": [

          • {

            • "apiGroups": [

              • "string"

              ],
            • "nonResourceURLs": [

              • "string"

              ],
            • "resourceNames": [

              • "string"

              ],
            • "resources": [

              • "string"

              ],
            • "verbs": [

              • "string"

              ]

            }

          ]

        },
      • "description": "string",
      • "displayName": "string"

      }

    },
  • "management": true,
  • "owner": {

    • "team": "string",
    • "user": "string"

    }

  },
• "status": {

  • "clusters": [

    • {

      • "displayName": "string",
      • "email": "string",
      • "name": "string",
      • "subject": "string",
      • "username": "string"

      }

    ]

  }

}