Self-Service Namespaces in Loft
Spaces are virtual resources that represent regular Kubernetes namespaces. Typically, non-admin users to not have the permission to list, create or delete namespaces in a shared Kubernetes clusters. That's why Loft adds the space resource to Kubernetes. Spaces are not stored in etcd but rather abstract from regular namespaces. Deleting a space will effectively delete the underlying namespace, for example. In turn, any labels and annotations set on a namespace will show up on the corresponding space as well.
Working with Spaces
Space and namespaces are directly coupled via a 1:1 relationship. But unlike with namespaces, it is safe to give non-admin users the permission to create and manage their own spaces.
Create Spaces
- UI
- CLI
- kubectl
- Go to the Spaces view using the menu on the left
- Click on the button
- Use the field Kubernetes Name to define the name of this space and optionally specify other settings
- Click on the button at the very bottom
Retrieve a kube-context for this space using Loft CLI:
loft use space [space-name]
To create a space using Loft CLI, run:
loft create space [space-name]
Kube-Context
Running loft create space
will automatically add a kube-context to your kube-config file, so you can immediately run kubectl
commands right after creating a space.
If you do not have a kube-context for the cluster where this space should be created in, you can set up a kube-context using:
loft use cluster [cluster-name]
Create a file named
space.yaml
with the following content:apiVersion: cluster.loft.sh/v1
kind: Space
metadata:
name: space-name # Set the name for your space hereCreate the space using kubectl:
kubectl apply -f space.yaml
Retrieve a kube-context for this space using Loft CLI:
loft use space [space-name]
Delete Spaces
- UI
- CLI
- kubectl
- In the Spaces view, hover over the row of the space that you want to delete.
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Delete the space
loft delete space [space-name]
Kube-Context
Deleting spaces with Loft CLI has the advantage that Loft CLI will also delete the kube-context for this space from your local kube-config file to keep everything cleaned up.
If you do not have a kube-context for the cluster where this space is located in, you can set up a kube-context using:
loft use cluster [cluster-name]
Delete the space using kubectl:
kubectl delete space [space-name]
# Alternatively:
# kubectl delete -f space.yaml
List Spaces
- UI
- CLI
- kubectl
To see a list of spaces, go to the Spaces view using the main menu on the left.
Spaces & Namespaces
If you are admin in one of the clusters connected to Loft, you will have permission to view all namespaces in the cluster. Since spaces and namespaces have a 1:1 relationship and Loft is often relying on regular Kubernetes RBAC, you will be able to see all namespaces in the Spaces view rather than just namespaces created via Loft.
Run this command using Loft CLI to get a list of all spaces you have access to across all clusters:
loft list spaces
Kube-Context
If you want to retrieve a kube-context for any of your spaces, run:
loft use space [space-name]
If you do not have a kube-context for the cluster where you want to list spaces in, you can set up a kube-context using:
loft use cluster [cluster-name]
Run this kubectl command to get a list of spaces:
kubectl get spaces
Sleep Mode
With sleep mode, you can put Kubernetes namespaces to sleep which means that Loft will set replicas: 0
for all replica-controlled resources such as Deployments
and StatefulSets
. This means that Kubernetes will delete all pods but the entire configuration of resources within the namespace is still there.
Start Sleep (manual)
- UI
- CLI
- In the Spaces view, hover over the row of the space that you want to put to sleep
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to put the space to Sleep
- Notice how the Status column shows that the space is now sleeping.
To put a space to sleep using Loft CLI, run:
loft sleep space [name]
Automatic Wakeup
Note that the space will automatically wake up again, once you run a kubectl command within the space.
Wake up space
- UI
- CLI
- kubectl
- In the Spaces view, hover over the Status column of the space that you want to put to sleep
- While hovering over the row, you will see a tooltip appear that provide information about the sleep state of this space
- Click on the button to wakeup the space
- Notice how the Status column shows that the space is now Active again.
To wake up a sleeping space using Loft CLI, run:
loft wakeup space [name]
To wake up a sleeping space using kubectl, run:
kubectl get pods # or any other kubectl command within the namespace
Automatic Sleep Mode (individual space)
- In the Spaces view, hover over space that you want to configure automatic sleep mode for
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Edit the space
- In the drawer that appears on the right, expand the section
- Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
- On the very bottom, click on the button to save the changes
Scheduled Sleep & Wake-Up (individual space)
- In the Spaces view, hover over space that you want to configure automatic sleep mode for
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Edit the space
- In the drawer that appears on the right, expand the section
- Expand the section
- Use the Sleep Schedule field and/or the Wake-Up Schedule field to specify the Conjob Times when the respective namespace should be put to sleep or woken up
- On the very bottom, click on the button to save the changes
Enforce Sleep Mode For All Spaces Created By User/Team
- Go to the Clusters view using the menu on the left
- Switch to the Space Constraints tab
Option A: Hover over the space constraints object that you want to configure automatic sleep mode with and click on the button to Edit an existing space constraints object
Option B: Click the button to create a new space constraints object
- In the drawer that appears on the right, expand the section
- Use the Sleep After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity in this namespace
- On the very bottom, click on the or button to save the changes
- Switch to the Cluster Access tab
- Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
- On the very bottom, click on the button to update the cluster access
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce sleep mode. You can test this behavior by impersonating a user that uses this cluster access.
Auto-Delete
Loft lets you configure an auto-delete for namespaces that have not been used for a certain period of time (inactivity).
Configure Auto-Delete Timeout (individual space)
- In the Spaces view, hover over space that you want to configure auto-delete for
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Edit the space
- In the drawer that appears on the right, expand the section
- Use the Delete After Inactivity field to specify the Time (in minutes) to wait before putting the space to sleep if there is no more user activity involving this namespace
- On the very bottom, click on the button to save the changes
Enforce Auto-Delete Timeout For All Space Created By User/Team
- Go to the Clusters view using the menu on the left
- Switch to the Space Constraints tab
Option A: Hover over the space constraints object that you want to configure auto-delete with and click on the button to Edit an existing space constraints object
Option B: Click the button to create a new space constraints object
- In the drawer that appears on the right, expand the section
- Use the Delete After Inactivity field to specify the Time (in minutes) to wait before deleting the space if there is no more user activity in this namespace
- On the very bottom, click on the or button to save the changes
- Switch to the Cluster Access tab
- Hover over the cluster access of the user or team that you want to enforce auto-delete for and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
- On the very bottom, click on the button to update the cluster access
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce this auto-delete behavior. You can test this behavior by impersonating a user that uses this cluster access.
Space Templates
Loft allows you to create templates for spaces. Unlike Space Constraints which are enforced for a space, space templates are optional templates that a user can choose to apply when creating a space.
Common use cases for space templates may be:
- Adding development tooling to a namespace
- Deploying pre-populated databases with test data
- Equipping new namespaces with optional credentials such as image pull secrets
Security Templates
Do not use space templates for setting up security-related resources such as NetworkPolicies or LimitRanges. Instead, use Space Constraints to enforce tenant isolation and other security measures.
1. Create Space Template
- Go to the Spaces view using the menu on the left
- Switch to the Space Templates tab
- Click the button to create a new space template
- In the drawer that appears on the right, use the field Display Name to specify a Name for your space template
- Specify sleep mode settings as well as enforced labels and annotations for the spaces that will be created from this template
- Expand the section to specify which apps should be deployed as part of this template
- On the very bottom, click on the button to create this space template
2. Use Space Template To Create A Space
- UI
- CLI
- Go to the Spaces view using the menu on the left
- Click on the button
- Use the field Space Template to select a template to use for creating this space
- Use the field Display Name to define the name of this space and optionally specify other settings
- Click on the button at the very bottom
Retrieve a kube-context for this space using Loft CLI:
loft use space [space-name]
To use a space template to create a space using Loft CLI, run:
loft create space [space-name] --template [template-name]
Kube-Context
Running loft create space
will automatically add a kube-context to your kube-config file, so you can immediately run kubectl
commands right after creating a space.
Space Constraints
Space Constraints allow you to define restrictions for namespaces such as enforced resources that will be deployed to each new namespace a user creates (e.g. NetworkPolicies) or other enforced settings such as mandatory labels, annotations, or any sleep mode configurations.
1. Create Space Constraints
- Go to the Clusters view using the menu on the left
- Switch to the Space Constraints tab
- Click the button to create a new space constraints object
- In the drawer that appears on the right, use the field Display Name to specify a Name for your space constraints object
- Expand the section to specify manifests that should be deployed to and enforced in each namespace that is affected by these space constraints
- Expand the section to specify other space settings such as sleep mode, auto-delete, labels and annotations that should be enforced for each namespace that is affected by these space constraints
- On the very bottom, click on the button to create this space constraints object
2. Enforce Space Constraints For Users & Teams
- Go to the Clusters view using the menu on the left
- Switch to the Cluster Access tab
- Hover over the cluster access that you want to apply these space constraints to and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint that you want to enforce for all spaces created using this cluster access
- On the very bottom, click on the or button to save the changes
- Switch to the Cluster Access tab
- Hover over the cluster access of the user or team that you want to configure automatic sleep mode for and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Space Constraints field to select the Space Constraint you edited or created in Step 3 above
- On the very bottom, click on the button to save the changes
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce these space constraints. You can test this behavior by impersonating a user that uses this cluster access.
Access Permissions
Loft makes it easy to give other users or even entire teams access to one of your namespaces.
- UI
- CLI
- In the Spaces view, hover over space that you want to give someone access to
- While hovering over the row, you will see buttons appear on the right in the Actions column
- Click on the button to Edit the space
- In the drawer that appears on the right, expand the section
- Use the Who should have access to this Space? field to select all Users/Teams who should get access to this space
OPTIONAL: To limit the access of any of the selected users or team to this space, expand the Space Admin role to another appropriate role for each user or team if needed
section and use the selectors to change the- On the very bottom, click on the button to save the changes
To give someone access to a space using Loft CLI, run:
loft share space [optional:name]