Quotas & Space Constraints
A key aspect of Loft is establishing secure multi-tenancy when sharing clusters among multiple users and teams. To guarantee fair use for every tenant and to isolate tenants from each other, Loft provides two features:
- Quotas which define aggregated resource limits for users and/or teams (e.g. max 5 spaces, max 12 GB memory)
- Space Constraints which define resources and other configurations that will be enforced for each space a user or a team creates using Loft (e.g. required labels and annotations, or resources such as a NetworkPolicy or LimitRange in each namespace)
Quotas
- Go to the Clusters view using the menu on the left
- Switch to the Cluster Access tab
- Hover over the cluster access that you want to apply the quota to and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Quota field to specify quotas, e.g. you can limit the number of spaces by adding the line spaces: 3 to this quota specification
- On the very bottom, click on the button to save the changes
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce this quota. You can test this behavior by impersonating a user that uses this cluster access.
Space Constraints
Space Constraints allow you to define restrictions for namespaces such as enforced resources that will be deployed to each new namespace a user creates (e.g. NetworkPolicies) or other enforced settings such as mandatory labels, annotations, or any sleep mode configurations.
1. Create Space Constraints
- Go to the Clusters view using the menu on the left
- Switch to the Space Constraints tab
- Click the button to create a new space constraints object
- In the drawer that appears on the right, use the field Display Name to specify a Name for your space constraints object
- Expand the section to specify manifests that should be deployed to and enforced in each namespace that is affected by these space constraints
- Expand the section to specify other space settings such as sleep mode, auto-delete, labels and annotations that should be enforced for each namespace that is affected by these space constraints
- On the very bottom, click on the button to create this space constraints object
2. Enforce Space Constraints For Users & Teams
- Go to the Clusters view using the menu on the left
- Switch to the Cluster Access tab
- Hover over the cluster access that you want to apply these space constraints to and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint that you want to enforce for all spaces created using this cluster access
- On the very bottom, click on the or button to save the changes
- Switch to the Cluster Access tab
- Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
- On the very bottom, click on the button to save the changes
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce these space constraints. You can test this behavior by impersonating a user that uses this cluster access.
Enforce Sleep Mode & Auto Delete
Enforce Sleep Mode For All Spaces Created By User/Team
- Go to the Clusters view using the menu on the left
- Switch to the Space Constraints tab
Option A: Hover over the space constraints object that you want to configure automatic sleep mode with and click on the button to Edit an existing space constraints object
Option B: Click the button to create a new space constraints object
- In the drawer that appears on the right, expand the section
- Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
- On the very bottom, click on the or button to save the changes
- Switch to the Cluster Access tab
- Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
- On the very bottom, click on the button to update the cluster access
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.