Self-Service Namespaces in Loft

Spaces are virtual resources that represent regular Kubernetes namespaces. Typically, non-admin users to not have the permission to list, create or delete namespaces in a shared Kubernetes clusters. That's why Loft adds the space resource to Kubernetes. Spaces are not stored in etcd but rather abstract from regular namespaces. Deleting a space will effectively delete the underlying namespace, for example. In turn, any labels and annotations set on a namespace will show up on the corresponding space as well.

Working with Spaces

Space and namespaces are directly coupled via a 1:1 relationship. But unlike with namespaces, it is safe to give non-admin users the permission to create and manage their own spaces.

Create Spaces

UI

1. Go to the Projects view using the menu on the left
2. Click on Spaces and the button
3. In the popup select the space template and click the button
4. Optional: Select a cluster where to create the space in. If no cluster is specified, Loft will automatically select one for you.
5. Specify a name of the space at the top and optionally configure the template parameters and space access.
6. Click on the button

7. Retrieve a kube-context for this space using Loft CLI:

   loft use space [space-name] --project my-project

info

The Kubernetes namespace in the underlying cluster this space points to usually has a different name than the space inside the project to avoid conflicts, you can adjust the space name pattern within a project.

CLI

To create a space using Loft CLI, run:

loft create space [space-name] --project my-project

Template

If you omit specifying a template, Loft will automatically select one for you (if there is a default template in the project specified) or prompt you to select a template.

Kube-Context

Running loft create space will automatically add a kube-context to your kube-config file, so you can immediately run kubectl commands right after creating a space.

Delete Spaces

UI

1. In the Spaces view, hover over the row of the space that you want to delete.
2. While hovering over the row, you will see buttons appear on the right in the Actions column
3. Click on the button to Delete the space

CLI

loft delete space [space-name]

Kube-Context

Deleting spaces with Loft CLI has the advantage that Loft CLI will also delete the kube-context for this space from your local kube-config file to keep everything cleaned up.

List Spaces

UI

To see a list of spaces, go to the Spaces view using the main menu on the left.

Spaces & Namespaces

If you are admin in one of the clusters connected to Loft, you will have permission to view all namespaces in the cluster. Since spaces and namespaces have a 1:1 relationship and Loft is often relying on regular Kubernetes RBAC, you will be able to see all namespaces in the Spaces view rather than just namespaces created via Loft.

CLI

Run this command using Loft CLI to get a list of all spaces you have access to across all clusters:

loft list spaces

Kube-Context

If you want to retrieve a kube-context for any of your spaces, run:

loft use space [space-name]

Sleep Mode

With sleep mode, you can put Kubernetes namespaces to sleep which means that Loft will set replicas: 0 for all replica-controlled resources such as Deployments and StatefulSets. This means that Kubernetes will delete all pods but the entire configuration of resources within the namespace is still there.

Start Sleep (manual)

UI

1. In the Spaces view, hover over the row of the space that you want to put to sleep
2. While hovering over the row, you will see buttons appear on the right in the Actions column
3. Click on the button to put the space to Sleep
4. Notice how the Status column shows that the space is now sleeping.

CLI

To put a space to sleep using Loft CLI, run:

loft sleep space [name]

Automatic Wakeup

Note that the space will automatically wake up again, once you run a kubectl command within the space.

Wake up space

UI

1. In the Spaces view, hover over the Status column of the space that you want to put to sleep
2. While hovering over the row, you will see a tooltip appear that provide information about the sleep state of this space
3. Click on the button to wakeup the space
4. Notice how the Status column shows that the space is now Active again.

CLI

To wake up a sleeping space using Loft CLI, run:

loft wakeup space [name]

Automatic Sleep Mode (individual space)

1. In the Spaces view, hover over space that you want to configure automatic sleep mode for
2. While hovering over the row, you will see buttons appear on the right in the Actions column
3. Click on the button to Edit the space
4. In the drawer that appears on the right, expand the Sleep Mode section
5. Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
6. On the very bottom, click on the button to save the changes

Scheduled Sleep & Wake-Up (individual space)

1. In the Spaces view, hover over space that you want to configure automatic sleep mode for
2. While hovering over the row, you will see buttons appear on the right in the Actions column
3. Click on the button to Edit the space
4. In the drawer that appears on the right, expand the Sleep Mode section
5. Expand the Sleep & Wake-Up Schedule section
6. Use the Sleep Schedule field and/or the Wake-Up Schedule field to specify the Conjob Times when the respective namespace should be put to sleep or woken up
7. On the very bottom, click on the button to save the changes

Enforce Sleep Mode For All Spaces Created By User/Team

1. Go to the Clusters view using the menu on the left
2. Switch to the Space Constraints tab

3. Option A: Hover over the space constraints object that you want to configure automatic sleep mode with and click on the button to Edit an existing space constraints object

   Option B: Click the button to create a new space constraints object

4. In the drawer that appears on the right, expand the Enforce Space Settings section
5. Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
6. On the very bottom, click on the or button to save the changes
7. Switch to the Cluster Access tab
8. Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
9. In the drawer that appears on the right, expand the Restrictions section
10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
11. On the very bottom, click on the button to update the cluster access

Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.

Auto-Delete

Loft lets you configure an auto-delete for namespaces that have not been used for a certain period of time (inactivity).

Configure Auto-Delete Timeout (individual space)

1. In the Spaces view, hover over space that you want to configure auto-delete for
2. While hovering over the row, you will see buttons appear on the right in the Actions column
3. Click on the button to Edit the space
4. In the drawer that appears on the right, expand the Sleep Mode section
5. Use the Delete After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity involving this namespace
6. On the very bottom, click on the button to save the changes

Enforce Auto-Delete Timeout For All Space Created By User/Team

1. Go to the Clusters view using the menu on the left
2. Switch to the Space Constraints tab

3. Option A: Hover over the space constraints object that you want to configure auto-delete with and click on the button to Edit an existing space constraints object

   Option B: Click the button to create a new space constraints object

4. In the drawer that appears on the right, expand the Enforce Space Settings section
5. Use the Delete After Inactivity field to specify the Time (in minutes) to wait before deleting the space if there is no more user activity in this namespace
6. On the very bottom, click on the or button to save the changes
7. Switch to the Cluster Access tab
8. Hover over the cluster access of the user or team that you want to enforce auto-delete for and click on the button to Edit the cluster access
9. In the drawer that appears on the right, expand the Restrictions section
10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
11. On the very bottom, click on the button to update the cluster access

Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce this auto-delete behavior. You can test this behavior by impersonating a user that uses this cluster access.

Space Templates

Loft allows you to create templates for spaces. Unlike Space Constraints which are enforced for a space, space templates are optional templates that a user can choose to apply when creating a space.

Common use cases for space templates may be:

• Adding development tooling to a namespace
• Deploying pre-populated databases with test data
• Equipping new namespaces with optional credentials such as image pull secrets

Security Templates

Do not use space templates for setting up security-related resources such as NetworkPolicies or LimitRanges. Instead, use Space Constraints to enforce tenant isolation and other security measures.

1. Create Space Template

1. Go to the Spaces view using the menu on the left
2. Switch to the Space Templates tab
3. Click the button to create a new space template
4. In the drawer that appears on the right, use the field Display Name to specify a Name for your space template
5. Specify sleep mode settings as well as enforced labels and annotations for the spaces that will be created from this template
6. Expand the Deploy Apps section to specify which apps should be deployed as part of this template
7. On the very bottom, click on the button to create this space template

2. Use Space Template To Create A Space

UI

1. Go to the Spaces view using the menu on the left
2. Click on the button
3. Use the field Space Template to select a template to use for creating this space
4. Use the field Display Name to define the name of this space and optionally specify other settings
5. Click on the button at the very bottom

6. Retrieve a kube-context for this space using Loft CLI:

   loft use space [space-name]

CLI

When creating a space from the Loft CLI, you will need to provide the name of the project in which to deploy the space, and the name of template to use:

loft create space [vcluster-name] --project [project-name] --template [template-name]

Space Constraints

Space Constraints allow you to define restrictions for namespaces such as enforced resources that will be deployed to each new namespace a user creates (e.g. NetworkPolicies) or other enforced settings such as mandatory labels, annotations, or any sleep mode configurations.

1. Create Space Constraints

1. Go to the Clusters view using the menu on the left
2. Switch to the Space Constraints tab
3. Click the button to create a new space constraints object
4. In the drawer that appears on the right, use the field Display Name to specify a Name for your space constraints object
5. Expand the Enforce Resources section to specify manifests that should be deployed to and enforced in each namespace that is affected by these space constraints
6. Expand the Enforce Space Settings section to specify other space settings such as sleep mode, auto-delete, labels and annotations that should be enforced for each namespace that is affected by these space constraints
7. On the very bottom, click on the button to create this space constraints object

2. Enforce Space Constraints For Users & Teams

1. Go to the Clusters view using the menu on the left
2. Switch to the Cluster Access tab
3. Hover over the cluster access that you want to apply these space constraints to and click on the button to Edit the cluster access
4. In the drawer that appears on the right, expand the Restrictions section
5. Use the Enforce Space Constraints field to select the Space Constraint that you want to enforce for all spaces created using this cluster access
6. On the very bottom, click on the or button to save the changes
7. Switch to the Cluster Access tab
8. Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
9. In the drawer that appears on the right, expand the Restrictions section
10. Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
11. On the very bottom, click on the button to save the changes

Test with Impersonation

After following the steps above, all spaces created using the cluster access in step 7 will now enforce these space constraints. You can test this behavior by impersonating a user that uses this cluster access.

Access Permissions

Loft makes it easy to give other users or even entire teams access to one of your namespaces.

UI

1. Go to the Projects view using the menu on the left
2. Click on Spaces and click on the Edit link on a space.
3. In the drawer select the 'Permissions' section.
4. Select the user or team you want to grant permissions in the 'User or Team' select. If you don't see the user or team you want to grant access in there, make sure they have project access.
5. Specify the cluster-role you want to assign the user or team within the space.
6. Click on the button at the very bottom

CLI

To give someone access to a space using Loft CLI, run:

loft share space [optional:name] --user other-user --project my-project