Impersonate
To test configurations and permissions, vCluster Platform provides a feature to impersonate users within the vCluster Platform UI and see everything through the eyes of a specific user. This is very useful if you want to check whether a user has permissions to access an object.
Enable Impersonation
To enable impersonation, make sure the user has the appropriate permissions. Only vCluster Platform management admins and users that have the management role Impersonator assigned can impersonate other users.
Select the Users field on the left menu bar.
In the row of the user you want to impersonate, select Impersonate.
To stop impersonation, either press Logout or click on the Stop Impersonation button at the top.
Example Cluster Access And Impersonation
The following is a very basic example of using impersonation to validate a user's access. This is a somewhat contrived example for demonstration purposes. For your production deployments, make sure you are taking advantage of Projects when considering your RBAC strategy.
1. Create Test User
vCluster Platform lets you connect a variety of SSO providers for authentication, but for the sake of simplicity, let's manually create a user to learn more about vCluster Platform's cluster access features:
Select the Users field on the left menu bar.
Click the button.
In the drawer that appears from the right, give your new user a name of Anna by replacing the 'my-user' placeholder name, or by updating the manifest YAML 'metadata.name' field.
Click on the button.
Close the popup using the button
Remember: Everything you do in vCluster Platform UI, including creating a user, is effectively a kubectl command under the hood. So, everything you do in this guide creates or changes objects in your cluster and you could also manage these actions via kubectl or any kind of GitOps tool.
2. Impersonate User
vCluster Platform allows admins with appropriate RBAC permissions to impersonate users. Let's try this to see what the vCluster Platform UI looks like for our newly created user:
Select the Users field on the left menu bar.
Find the user Anna in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.
In the popup, click on the button to confirm that you want to start impersonation.
After impersonation has started, go to the Clusters view using the main menu on the left.
Verify that Anna has no access to any clusters (this user should not see any clusters listed in the Clusters display pane).
You can also use the vCluster CLI as the impersonated user. To do this, run the following command while the impersonation is active.
vcluster login localhost:9898 --insecure # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag
You can verify the login and print your user information via:
vcluster login
3. Configure Cluster Access
Let's give our test user Anna access to one of the clusters connected to this vCluster Platform instance:
From the project drop-down menu (top left corner), select the project you'd like to create the virtual cluster in.
Click on Virtual Clusters.
Click the button.
In the pop-up box, select your template from the template drop down menu.
[Optional] Select the cluster in which to create the virtual cluster.
[Optional] Add a name for your virtual cluster.
Click the to continue.
Retrieve a kube-context for a virtual cluster using the CLI:
vcluster connect [vcluster-name] --project [project-name] --driver platform
You can connect a variety of SSO providers to vCluster Platform. To automatically give users access to clusters based on their SSO user groups, you can switch to the Team Members tab to grant cluster access for each member of a team (e.g. for each member of a group in Active Directory, Okta, SAML, etc.). Check out the SSO Group Sync section for more details.
4. Verify Cluster Access
After configuring the cluster access for test user Anna, let's verify that she can access the cluster:
Select the Users field on the left menu bar.
Find the user Anna in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.
In the popup, click on the button to confirm that you want to start impersonation.
After impersonation has started, go to the Clusters view using the main menu on the left.
Verify that Anna now has access to the clusters specified in the previous step.
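The same verification can be scripted so that it is repeatable and also catches access that is broader than intended. The following is an added example, not part of the vCluster Platform documentation: it assumes a kube-context that was retrieved with vcluster connect while logged in as the impersonated user, and the context name and the access matrix are constructed sample values.

```shell
#!/bin/sh
# Compare what a kube-context is allowed to do against an expected matrix.
# Rows are constructed sample data: <verb> <resource> <namespace|-> <yes|no>
EXPECTED_ACCESS='
get pods default yes
create deployments default yes
get secrets kube-system no
delete nodes - no
'

# check_access CONTEXT MATRIX
# Prints one line per row; returns 0 only if every row matches expectations.
check_access() {
    ctx=$1
    matrix=$2
    mismatches=0
    while read -r verb resource ns expected; do
        [ -z "$verb" ] && continue              # skip blank lines
        if [ "$ns" = "-" ]; then                # "-" marks a cluster-scoped resource
            set -- auth can-i "$verb" "$resource"
        else
            set -- auth can-i "$verb" "$resource" -n "$ns"
        fi
        # can-i prints "yes" or "no"; anything else (for example an unreachable
        # API server) is recorded as an error and never counted as a denial.
        answer=$(kubectl --context "$ctx" "$@" 2>/dev/null </dev/null) || true
        case "$answer" in
            yes*) actual=yes ;;
            no*)  actual=no ;;
            *)    actual=error ;;
        esac
        if [ "$actual" = "$expected" ]; then
            status=OK
        else
            status=MISMATCH
            mismatches=$((mismatches + 1))
        fi
        printf '%-8s %s %s (namespace: %s) expected=%s actual=%s\n' \
            "$status" "$verb" "$resource" "$ns" "$expected" "$actual"
    done <<EOF
$matrix
EOF
    [ "$mismatches" -eq 0 ]
}

# Usage (hypothetical context name):
#   check_access anna-test "$EXPECTED_ACCESS" || echo "access differs from expectations"
```

Rows with an expected value of no matter as much as the yes rows: they flag a user who has been granted more than the test intended.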
With access to a cluster, users can typically:
vCluster Platform allows you to: