Overview
The platform uses Kubernetes role-based access control (RBAC) to manage access for platform resources and objects, including platform Custom Resource Definitions (CRDs) and virtual clusters.
RBAC manages user and team permissions by assigning them roles that specify what actions they can perform. These permissions are applied using ClusterRoleBindings, which connect a specific role to a user or team, which defines their access across platform resources and virtual clusters.
Depending on the scope of access, these bindings are created in one of three types of clusters:
| Cluster Type | Description |
|---|---|
| Local cluster | The cluster where the platform is installed. |
| Connected host cluster | A cluster that hosts virtual clusters. |
| vCluster | A certified Kubernetes distribution managed virtually. |
To learn more about the platform’s resource types, see the API resources.
You can also review the glossary of terms that relate to RBAC.
RBAC terms to know
| Component | Description | Relationship |
|---|---|---|
| User | Individual identity that can access the system | Can be assigned roles directly or through team membership. |
| Team | Logical grouping of users with shared access rights | Simplifies permission management by allowing role assignment to multiple users. |
| Group | SSO identity provider attribute | Maps external identity groups to platform Teams for automatic assignment. |
| ClusterRoleTemplate | Defines reusable permission sets | Extends Kubernetes RBAC with platform resources |
| Project | Primary boundary for access control | Contains resources and defines which users/teams can access clusters and templates |
| Project Role | Special role with loft.sh/project-role: "true" label | Available in UI for assignment within projects |
| Permission Level | Degree of access granted | Ranges from view-only to full administrative control |
| Security Layer | Components of defense-in-depth approach | Includes identity management, RBAC policies, namespace isolation, and network policies |
| Virtual Cluster | Isolated Kubernetes environment | Provides full API compatibility while sharing infrastructure |
| Namespace | Enhanced namespace with management capabilities | Offers more granular control than standard Kubernetes namespaces |
RBAC architecture​
The platform architecture supports multi-level RBAC enforcement by distributing responsibility across different clusters. Each type of cluster enforces a specific scope of permissions based on the location and role of the resource.
The platform manages permissions through ClusterRoleBindings. Users and teams are assigned roles that define their access levels. These roles connect to actual permissions through ClusterRoleBindings.