Skip to main content
Version: main 🚧

Management access to the virtual cluster

Management access controls who can view, edit, or configure the virtual cluster object in the platform. It is separate from in-cluster access, which governs permissions inside the Kubernetes environment of the virtual cluster.

Default management access​

By default, the following users and roles have management access to a virtual cluster:

  • Global administrators – Access all virtual clusters on the platform.
  • Project administrators – Access all virtual clusters within their assigned projects.
  • Virtual cluster owners – Automatically receive access to the specific virtual cluster they create or own.
  • Users with physical cluster permissions – Any user or team with RBAC permissions on the underlying (physical) cluster and the use verb on the virtualclusterinstances resource in the management.loft.sh API group can access virtual clusters running on that cluster.

Grant management access using the UI​

To extend access to additional users or teams, use the Permissions section for each virtual cluster in the platform UI:

  1. Open the Project dropdown in the top-left corner and select the project that contains the virtual cluster.

  2. Click Virtual Clusters in the sidebar to view the list.

  3. Click Edit on the target virtual cluster.

  4. Open the Permissions tab.

  5. Use the Add permission to field to select the user or team.

  6. If the user or team does not appear, confirm that they have access to the project.

  7. Choose a ClusterRole to assign (e.g., cluster-admin, edit, or view). This role determines the user's Kubernetes permissions inside the virtual cluster.

  8. Click Save changes.

The platform grants the selected user or team management access to the virtual cluster object.

vCluster roles​

vCluster roles define what users and teams can do inside the virtual cluster. Kubernetes RBAC governs this access.

Default cluster role assignment​

By default, the platform assigns the cluster-admin Kubernetes ClusterRole to users with virtual cluster access. This role grants full access in all namespaces.

Change the default cluster role​

Administrators can override the default role in the virtual cluster template or in the virtual cluster configuration.

  1. Open the virtual cluster or template configuration.

  2. Locate the Default Cluster Role field.

  3. Enter a more limited role such as edit or view.

  4. Save the updated configuration.

Define custom role mapping rules​

Use mapping rules to assign specific users or teams to specific cluster roles.

  • A user or team that matches at least one rule does not receive the default role.
  • If multiple rules match, the system assigns all specified roles.
  • If no rule matches, the system assigns the default role.

  1. Open the virtual cluster or template YAML configuration.

  2. Locate or create the access.rules section.

  3. List subjects for each user or team.

  4. Define the ClusterRole for each rule.

  5. Save and apply the configuration.

Example​

apiVersion: management.loft.sh/v1
kind: VirtualCluster
metadata:
  name: example-vcluster
spec:
  defaultClusterRole: cluster-admin
  access:
    rules:
      - subjects:
          - kind: User
            name: Person 1
        clusterRole: edit
      - subjects:
          - kind: Team
            name: DevTeam
        clusterRole: view

In this example:

  • Person 1 receives the edit role.
  • DevTeam receives the view role.
  • Person 1, if part of DevTeam, receives both roles.
  • All other users default to cluster-admin.

Custom mapping rules allow more precise and secure access control inside the virtual cluster.