Management access to the tenant cluster
Management access controls who can view, edit, or configure the tenant cluster object in the platform. It is separate from in-cluster access, which governs permissions inside the Kubernetes environment of the tenant cluster.
Default management access
By default, the following users and roles have management access to a tenant cluster:
- Global administrators—Access all tenant clusters on the platform.
- Project administrators—Access all tenant clusters within their assigned projects.
- Tenant cluster owners—Automatically receive access to the specific tenant cluster they create or own.
- Users with physical cluster permissions—Any user or team that has RBAC permissions on the underlying (physical) cluster, including the use verb on the virtualclusterinstances resource in the management.loft.sh API group, can access the tenant clusters running on that cluster.
Grant management access using the UI
To extend access to additional users or teams, use the Permissions section for each tenant cluster in the platform UI:
1. Open the Project dropdown in the top-left corner and select the project that contains the tenant cluster.
2. Click Tenant Clusters in the sidebar to view the list.
3. Click Edit on the target tenant cluster.
4. Open the Permissions tab.
5. Use the Add permission to field to select the user or team.
   If the user or team does not appear, confirm that they have access to the project.
6. Choose a ClusterRole to assign (for example cluster-admin, edit, or view). This role determines the user's Kubernetes permissions inside the tenant cluster.
7. Click Save changes.
The platform grants the selected user or team management access to the tenant cluster object.
vCluster roles
vCluster roles define what users and teams can do inside the tenant cluster. Kubernetes RBAC governs this access.
Default cluster role assignment
By default, the platform assigns the cluster-admin Kubernetes ClusterRole to users with tenant cluster access. This role grants full access in all namespaces.
Change the default cluster role
Administrators can override the default role in the tenant cluster template or in the tenant cluster configuration.
1. Open the tenant cluster or template configuration.
2. Locate the Default Cluster Role field.
3. Enter a more limited role such as edit or view.
4. Save the updated configuration.
Define custom role mapping rules
Use mapping rules to assign specific users or teams to specific cluster roles.
- A user or team that matches at least one rule does not receive the default role.
- If multiple rules match, the system assigns all specified roles.
- If no rule matches, the system assigns the default role.
1. Open the tenant cluster or template YAML configuration.
2. Locate or create the access.rules section.
3. List subjects for each user or team.
4. Define the ClusterRole for each rule.
5. Save and apply the configuration.
Example
apiVersion: management.loft.sh/v1
kind: VirtualCluster
metadata:
  name: example-vcluster
spec:
  defaultClusterRole: cluster-admin
  access:
    rules:
      - subjects:
          - kind: User
            name: Person 1
        clusterRole: edit
      - subjects:
          - kind: Team
            name: DevTeam
        clusterRole: view
In this example:
- Person 1 receives the edit role.
- DevTeam receives the view role.
- Person 1, if part of DevTeam, receives both roles.
- All other users default to cluster-admin.
Custom mapping rules allow more precise and secure access control inside the tenant cluster.
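The three mapping rules above (a matched subject skips the default, multiple matches accumulate roles, no match falls back to the default) are easy to misread, so the following added example works through them in code. It is not part of the platform's own code; it is a stand-alone Python model that takes the page's example spec as a dictionary (a constructed copy of the YAML, not loaded from a file) and reports the effective ClusterRoles for a user and their team memberships. The function names and the roster format are this example's own assumptions.

```python
"""Model of vCluster access.rules resolution (added example, not platform code)."""
from typing import Dict, Iterable, List

# Constructed copy of the page's example VirtualCluster spec, as a dict instead of YAML.
EXAMPLE_SPEC = {
    "defaultClusterRole": "cluster-admin",
    "access": {
        "rules": [
            {"subjects": [{"kind": "User", "name": "Person 1"}], "clusterRole": "edit"},
            {"subjects": [{"kind": "Team", "name": "DevTeam"}], "clusterRole": "view"},
        ]
    },
}


def subject_matches(subject: Dict[str, str], user: str, teams: Iterable[str]) -> bool:
    """A User subject matches by name; a Team subject matches any team the user belongs to."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "User":
        return name == user
    if kind == "Team":
        return name in set(teams)
    return False  # unknown subject kinds never match (assumption of this model)


def resolve_cluster_roles(spec: Dict, user: str, teams: Iterable[str] = ()) -> List[str]:
    """Return the ClusterRoles a user receives inside the tenant cluster.

    Rule 1: a subject that matches at least one rule does NOT get the default role.
    Rule 2: if several rules match, every listed clusterRole is assigned.
    Rule 3: if no rule matches, only spec.defaultClusterRole is assigned.
    """
    teams = list(teams)
    matched: List[str] = []
    for rule in spec.get("access", {}).get("rules", []):
        if any(subject_matches(s, user, teams) for s in rule.get("subjects", [])):
            role = rule["clusterRole"]
            if role not in matched:  # keep order, drop duplicates
                matched.append(role)
    return matched if matched else [spec["defaultClusterRole"]]


def review_access(spec: Dict, roster: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Resolve roles for every user in a roster (user -> list of teams).

    Useful as a pre-deployment check: anyone shown with the default role is a
    user no rule covers, which matters when the default is still cluster-admin.
    """
    return {user: resolve_cluster_roles(spec, user, teams) for user, teams in roster.items()}


if __name__ == "__main__":
    # Constructed roster: who belongs to which teams.
    roster = {
        "Person 1": [],            # matches the User rule only
        "Person 1 (DevTeam)": [],  # placeholder row; see the call below instead
        "dev-bob": ["DevTeam"],    # matches the Team rule only
        "qa-alice": ["QATeam"],    # matches nothing -> default role
    }
    roster.pop("Person 1 (DevTeam)")
    for user, roles in review_access(EXAMPLE_SPEC, roster).items():
        print(f"{user:10} -> {roles}")
    # Person 1 who is also in DevTeam receives both roles:
    print("Person 1 in DevTeam ->", resolve_cluster_roles(EXAMPLE_SPEC, "Person 1", ["DevTeam"]))
```

Running the script reproduces the four bullets above: Person 1 gets edit, a DevTeam member gets view, Person 1 in DevTeam gets both, and qa-alice, whom no rule names, falls back to cluster-admin, which is the case the review_access report is meant to surface before the configuration is applied.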