Version: main 🚧

Impersonate

To test configurations and permissions, vCluster Platform lets you impersonate users within the vCluster Platform UI and see everything through the eyes of a specific user. This is useful when you want to check whether a user has permission to access an object.

Enable impersonation

To enable impersonation, make sure the user has appropriate permissions. Only vCluster Platform management admins and users who have the management role Impersonator assigned can impersonate other users.

  1. Go to Access & Secrets > Users & Roles.

  2. In the row of the user you want to impersonate, select Impersonate.

  3. To stop impersonation, either press Logout or click the Stop Impersonation button at the top.

Example cluster access and impersonation

The following is a very basic example of using impersonation to validate a user's access. This is a somewhat contrived example for demonstration purposes. For your production deployments, make sure you take advantage of Projects when considering your RBAC strategy.

1. Create test user

vCluster Platform lets you connect a variety of SSO providers for authentication, but for the sake of simplicity, manually create a user to learn more about vCluster Platform's cluster access features:

  1. Go to Access & Secrets > Users & Roles.

  2. Click the button.

  3. In the configuration sheet that opens, give your new user the name Anna by replacing the 'my-user' placeholder name, or by updating the 'metadata.name' field in the manifest YAML.

  4. Click the button.

  5. Close the popup using the button.

100% Kubernetes Native

Remember: Everything you do in the vCluster Platform UI, including creating a user, is effectively a kubectl command under the hood. So everything you do in this guide creates or changes objects in your cluster, and you could also manage these actions using kubectl or any kind of GitOps tool.

2. Impersonate user

vCluster Platform allows admins with appropriate RBAC permissions to impersonate users. This demonstrates how the vCluster Platform UI appears for the newly created user:

  1. Go to Access & Secrets > Users & Roles.

  2. Find the user Anna in the list of users and click the button to Impersonate the user.

  3. In the popup, click the button to confirm that you want to start impersonation.

  4. After impersonation has started, go to Infrastructure > Control Plane Clusters.

  5. Verify that Anna has no access to any clusters (this user should not see any clusters listed in the Clusters display pane).

You can also use the vCluster CLI as the impersonated user. To do this, run the following command while the impersonation is active:

vcluster platform login localhost:9898 --insecure # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag

You can verify the login and print your user information by running:

vcluster platform login

3. Configure cluster access

Give the test user Anna access to one of the clusters connected to this vCluster Platform instance:

  1. From the project drop-down menu (top left corner), select the project you'd like to create the tenant cluster in.

  2. Click on Tenant Clusters.

  3. Click the button.

  4. The system redirects you to the configure virtual cluster page. Select your template:

    • If your project has "require template" enabled, choose from the list of available templates.

    • If not, click to select your template.

  5. Follow the steps in the UI to create the virtual cluster.

  6. Retrieve a kube-context for a virtual cluster using the CLI:

    vcluster connect [vcluster-name] --project [project-name] --driver platform

Single Sign-On + Cluster Access

You can connect a variety of SSO providers to vCluster Platform. To automatically give users access to clusters based on their SSO user groups, switch to the Team Members tab and grant cluster access for each member of a team (for example, a group in Active Directory, Okta, or SAML). See the SSO Group Sync section for more details.

4. Verify cluster access

After configuring the cluster access for test user Anna, verify that she can access the cluster:

  1. Go to Access & Secrets > Users & Roles.

  2. Find the user Anna in the list of users and click the button to Impersonate the user.

  3. In the popup, click the button to confirm that you want to start impersonation.

  4. After impersonation has started, go to Infrastructure > Control Plane Clusters.

  5. Verify that Anna now has access to the clusters specified in the previous step.

Next Steps

With access to a cluster, users can typically:

vCluster Platform allows you to: