Skip to main content

Manage Access for a Namespace

Namespace access can be managed through the 'Permissions' section inside the namespace drawer. There are a couple of special cases:

  1. Global Loft Admins & Project Admins have access and can change all namespaces within a project.
  2. Virtual Cluster owners always have access and can change their namespaces.
  3. Every user or team within the management cluster that has the RBAC permission on the resource "spaceinstances" in api group "management.loft.sh" for the verb "use" can access the namespace.

How does Access within a namespace work?

Every user or team that has access to a namespace gets automatically the default cluster role assigned within the namespace. By default, this is loft-cluster-space-admin. The default cluster role can be either changed in the namespace template or on the namespace object itself.

Besides the default rule you can define extra rules on the namespace or template that map a user or team to another cluster role. As soon as one rule matches a user or team, the default cluster role is not assigned. If multiple rules match a user, all the cluster roles defined in the rules are assigned.

Grant Access to a Namespace

  1. Go to the Projects view using the menu on the left

  2. Click on Namespaces and click on the Edit link on a namespace.

  3. In the drawer select the 'Permissions' section.

  4. Select the user or team you want to grant permissions in the 'User or Team' select. If you don't see the user or team you want to grant access in there, make sure they have project access.

  5. Specify the cluster-role you want to assign the user or team within the namespace.

  6. Click on the button at the very bottom