Version: 3.0 (beta)

Users

A core function of Loft is giving other people self-service access to Kubernetes clusters. Everyone who should get access to a Kubernetes cluster must be an authenticated user in Loft.

Working with Users

Create User (manual)

Loft lets you connect a variety of SSO providers for authentication, but you can also manually create users who sign in with a username and password:

Create a User
  1. Go to the Users view using the main menu on the left
  2. Click on the button
  3. Use the field Display Name to enter the Username for your user
  4. Click on the button at the very bottom
  5. Close the popup using the button

Impersonate User

Loft allows admins with appropriate RBAC permissions to impersonate users.

Impersonate User
  1. In the Users view, hover over the row with the User who you want to impersonate
  2. While hovering over the row, you will see buttons appear on the right in the Actions column
  3. Click on the button to Impersonate the user
  4. In the popup, click on the button to confirm that you want to start impersonation
  5. Whenever you want to switch back to your regular user, click the button on the right-hand side of the impersonation banner at the top of the page

To use Loft CLI as the impersonated user, you can run the following command while impersonation is active:

loft login localhost:9898 --insecure    # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag

You can verify the login and print your user information via:

loft login

Configuration

Metadata

Display Name

JSONPath in User CRD:
 spec.displayName (type: string)

Kubernetes Name

JSONPath in User CRD:
 metadata.name (type: string)

Labels

JSONPath in User CRD:
 metadata.labels (type: map[string]string)

Annotations

JSONPath in User CRD:
 metadata.annotations (type: map[string]string)

User Information

Username

JSONPath in User CRD:
 spec.username (type: string)

Email

JSONPath in User CRD:
 spec.email (type: string)

Password

JSONPath in User CRD:
 spec.passwordRef (type: SecretRef)

Team Memberships

JSONPath in Team CRD:
 $team.spec.users (type: string[])

Advanced Options

Kubernetes Groups

JSONPath in User CRD:
 spec.groups (type: string[])

Cluster Roles

JSONPath in User CRD:
 spec.clusterRoles (type: ClusterRoleRef[])

Image Pull Secrets

JSONPath in User CRD:
 spec.imagePullSecrets (type: SecretRef[])

Access To User

JSONPath in User CRD:
 spec.access (type: Access[])
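
An added example (not part of the Loft documentation) that uses the JSONPaths listed above to review User objects for security-relevant settings: password-based sign-in (spec.passwordRef), membership in the Kubernetes system:masters group (spec.groups), and a cluster-admin role (spec.clusterRoles). The sample objects are constructed, and the `name` key inside each ClusterRoleRef and the `secretName` key inside passwordRef are assumptions, since the page gives only the type names.

```python
import json

# Constructed sample shaped like a Kubernetes list of User objects.
# Assumptions: ClusterRoleRef carries a "name" key and SecretRef a "secretName"
# key; the page only names these types without showing their fields.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "alice"},
   "spec": {"username": "alice", "email": "alice@example.com",
            "passwordRef": {"secretName": "placeholder-secret"},
            "groups": ["system:masters"]}},
  {"metadata": {"name": "bob"},
   "spec": {"username": "bob", "email": "bob@example.com",
            "clusterRoles": [{"name": "cluster-admin"}]}},
  {"metadata": {"name": "carol"},
   "spec": {"username": "carol", "email": "carol@example.com",
            "groups": ["dev-team"]}}
]}
""")

HIGH_RISK_GROUPS = {"system:masters"}   # built-in Kubernetes superuser group
HIGH_RISK_ROLES = {"cluster-admin"}     # built-in Kubernetes ClusterRole


def audit_user(user):
    """Return the findings for one User object, in a stable order."""
    spec = user.get("spec") or {}
    findings = []
    if spec.get("passwordRef"):          # user signs in with a local password
        findings.append("local-password")
    for group in spec.get("groups") or []:
        if group in HIGH_RISK_GROUPS:
            findings.append(f"group:{group}")
    for ref in spec.get("clusterRoles") or []:
        name = ref.get("name") if isinstance(ref, dict) else ref
        if name in HIGH_RISK_ROLES:
            findings.append(f"clusterRole:{name}")
    return findings


def audit(user_list):
    """Map metadata.name -> findings for every user that has at least one."""
    report = {}
    for user in user_list.get("items", []):
        findings = audit_user(user)
        if findings:
            report[user["metadata"]["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```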

CRDs

User

apiVersion
string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind
string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata
object (io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta)

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

spec
object (com.github.loft-sh.api.pkg.apis.management.v1.UserSpec)

status
object (com.github.loft-sh.api.pkg.apis.management.v1.UserStatus)

UserStatus holds the status of a user

{
  "apiVersion": "string",
  "kind": "string",
  "metadata": {},
  "spec": {},
  "status": {}
}