Manage Access for a Namespace
Namespace access can be managed through the 'Permissions' section inside the namespace configuration sheet. There are a couple of special cases:
- Global Admins & Project Admins have access to, and can change, all namespaces within a project.
- Tenant Cluster owners always have access to, and can change, their namespaces.
- Every user or team within the management cluster that has RBAC permission for the verb "use" on the resource "spaceinstances" in the API group "management.loft.sh" can access the namespace.
How does access within a namespace work?
Every user or team that has access to a namespace is automatically assigned the default cluster role within the namespace. By default, this is loft-cluster-space-admin.
The default cluster role can be changed either in the namespace template or on the namespace object itself.
Besides the default rule, you can define extra rules on the namespace or template that map a user or team to another cluster role. As soon as one rule matches a user or team, the default cluster role is not assigned. If multiple rules match a user, all the cluster roles defined in the rules are assigned.
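The resolution logic described above, as an added Python model (not the platform's own code) that also lists which subjects fall through to the default role. The `Rule` fields, the team-membership matching, and the sample users, teams and `view`/`edit` roles are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

DEFAULT_CLUSTER_ROLE = "loft-cluster-space-admin"  # default named on this page


@dataclass
class Rule:
    """One extra access rule (hypothetical shape): users/teams -> cluster role."""
    cluster_role: str
    users: set = field(default_factory=set)
    teams: set = field(default_factory=set)


def matched_roles(user, user_teams, rules):
    """Cluster roles from every rule naming the user or one of the user's teams."""
    teams = set(user_teams)
    return {r.cluster_role for r in rules if user in r.users or r.teams & teams}


def effective_roles(user, user_teams, rules, default_role=DEFAULT_CLUSTER_ROLE):
    """Roles for a subject that already has access to the namespace.

    Any matching rule suppresses the default; several matches are all assigned.
    """
    return matched_roles(user, user_teams, rules) or {default_role}


def default_fallthrough(subjects, rules):
    """Subjects matched by no rule, who therefore receive the default role."""
    return sorted(u for u, t in subjects.items() if not matched_roles(u, t, rules))


# Constructed sample data: user -> teams, plus two extra rules.
SUBJECTS = {"alice": ["dev"], "bob": ["dev", "ops"], "carol": []}
RULES = [Rule("view", teams={"dev"}), Rule("edit", users={"bob"})]

if __name__ == "__main__":
    for user, teams in SUBJECTS.items():
        print(user, sorted(effective_roles(user, teams, RULES)))
    print("receives default role:", default_fallthrough(SUBJECTS, RULES))
```

In this sample the only subject left with loft-cluster-space-admin is the one no rule mentions, which is the case to review when the default cluster role is left unchanged.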
Grant Access to a Namespace
Using the UI:
Select the project from the project selector at the top left, then click Namespaces.
Click on the namespace you want to share.
In the configuration sheet that opens, click the Permissions tab.
Select the user or team you want to grant permissions to in the 'User or Team' select. If the user or team you want to grant access to is not listed there, make sure they have project access.
Specify the cluster role you want to assign to the user or team within the namespace.
Click the button.
To give someone access to a namespace using the vCluster CLI, run:
vcluster platform share namespace [optional:name] --user other-user --project my-project