| Enterprise | ||||
|---|---|---|---|---|
| Available in these plans | Free | Dev | Prod | Scale |
| Least Privilege Mode | ||||
Overview
Platform configs are the content in the values.yaml under the config section. It controls the behavior of the vCluster Platform after it is installed on the host
cluster. You can also configure the content in vCluster Platform UI via Admin > Config.
UI vs config sectionβ
After the deployment, the behavior of the platform can be configured by the config section of the values.yaml or Admin > Config in vCluster Platform UI.
When using values.yaml, you should add the configuration under the config section of the vcluster-platform chart's values.yaml.
For example:
config:
vault:
enabled: true
However, when using vCluster Platform UI, you can directly only add the configuration content.
vault:
enabled: true
Manage sensitive informationβ
Many configuration options require sensitive information such as API keys or tokens. Rather than storing these directly in your values.yaml file, use environment variable placeholders.
Use secret referencesβ
Store sensitive values in a Kubernetes secret and reference it in your configuration using envValueFrom:
# Secret references
envValueFrom:
CLIENT_ID:
secretKeyRef:
name: github-auth-secret
key: client_id
CLIENT_SECRET:
secretKeyRef:
name: github-auth-secret
key: client_secret
# Platform configuration
config:
auth:
github:
clientId: $CLIENT_ID
clientSecret: $CLIENT_SECRET
redirectURI: https://my-platform.example.com/auth/github/callback
Configure custom HTTP headersβ
You can configure the platform to add custom HTTP headers to all API responses. This is useful for security-related headers or when integrating with specific environments.
config:
auth:
customHttpHeaders:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referenceβ
The complete list of platform configuration fields is as follows:
auth object β
Authentication holds the information for authentication
auth object βoidc object β
OIDC holds oidc authentication configuration
oidc object βissuerUrl string β
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl string βclientId string β
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId string βclientSecret string β
ClientSecret to issue tokens from the OIDC provider
clientSecret string βredirectURI string β
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI string βpostLogoutRedirectURI string β
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI string βcaFile string β
Path to a PEM encoded root certificate of the provider. Optional
caFile string βinsecureCa boolean β
Specify whether to communicate without validating SSL certificates
insecureCa boolean βpreferredUsername string β
Configurable key which contains the preferred username claims
preferredUsername string βloftUsernameClaim string β
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim string βusernameClaim string β
UsernameClaim is the JWT field to use as the user's id.
usernameClaim string βemailClaim string β
EmailClaim is the JWT field to use as the user's email.
emailClaim string βallowedExtraClaims string[] β
AllowedExtraClaims are claims of interest that are not part of User by default but may be provided by the OIDC provider.
allowedExtraClaims string[] βusernamePrefix string β
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix string βgroupsClaim string β
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim string βgroups string[] β
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups string[] βscopes string[] β
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes string[] βgetUserInfo boolean β
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo boolean βgroupsPrefix string β
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix string βtype string β
Type of the OIDC to show in the UI. Only for displaying purposes
type string βresource string β
Resource, if specified, is the value that is set for the "resource" URL parameter when making a request to the /token endpoint of the
OIDC provider.
resource string βgithub object β
Github holds github authentication configuration
github object βclientId string β
ClientID holds the github client id
clientId string βclientSecret required string β
ClientID holds the github client secret
clientSecret required string βredirectURI required string β
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI required string βorgs object[] β
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs object[] βname string β
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name string βteams string[] β
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams string[] βhostName string β
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName string βrootCA string β
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA string βgitlab object β
Gitlab holds gitlab authentication configuration
gitlab object βclientId required string β
Gitlab client id
clientId required string βclientSecret required string β
Gitlab client secret
clientSecret required string βredirectURI required string β
Redirect URI
redirectURI required string βbaseURL string β
BaseURL is optional, default = https://gitlab.com
baseURL string βgroups string[] β
Optional groups whitelist, communicated through the "groups" scope.
If groups is omitted, all of the user's GitLab groups are returned.
If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.
groups string[] βgroups is omitted, all of the user's GitLab groups are returned.
If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.google object β
Google holds google authentication configuration
google object βclientId required string β
Google client id
clientId required string βclientSecret required string β
Google client secret
clientSecret required string βredirectURI required string β
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI required string βscopes string[] β
defaults to "profile" and "email"
scopes string[] βhostedDomains string[] β
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains string[] βgroups string[] β
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups string[] βserviceAccountFilePath string β
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath string βadminEmail string β
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail string βmicrosoft object β
Microsoft holds microsoft authentication configuration
microsoft object βclientId required string β
Microsoft client id
clientId required string βclientSecret required string β
Microsoft client secret
clientSecret required string βredirectURI required string β
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI required string βtenant string β
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant string βgroups string[] β
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups string[] βonlySecurityGroups boolean β
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups boolean βuseGroupsAsWhitelist boolean β
Restrict the groups claims to include only the userβs groups that are in the configured groups
useGroupsAsWhitelist boolean βsaml object β
SAML holds saml authentication configuration
saml object βredirectURI string β
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI string βssoURL string β
SSO URL used for POST value.
ssoURL string βcaData string β
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData string βusernameAttr string β
Name of attribute in the returned assertions to map to username
usernameAttr string βemailAttr string β
Name of attribute in the returned assertions to map to email
emailAttr string βgroupsAttr string β
Name of attribute in the returned assertions to map to groups
groupsAttr string βca string β
CA to use when validating the signature of the SAML response.
ca string βinsecureSkipSignatureValidation boolean β
Ignore the ca cert
insecureSkipSignatureValidation boolean βentityIssuer string β
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer string βssoIssuer string β
Issuer value expected in the SAML response. Optional.
ssoIssuer string βgroupsDelim string β
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim string βallowedGroups string[] β
List of groups to filter access based on membership
allowedGroups string[] βfilterGroups boolean β
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups boolean βnameIDPolicyFormat string β
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat string βpassword object β
Password holds password authentication relevant information
password object βdisabled boolean β
If true login via password is disabled
disabled boolean βconnectors object[] β
Connectors are optional additional connectors for Loft.
connectors object[] βid string β
ID is the id that should show up in the url
id string βdisplayName string β
DisplayName is the name that should show up in the ui
displayName string βoidc object β
OIDC holds oidc authentication configuration
oidc object βissuerUrl string β
IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss"
field of all tokens produced by the provider and is used for configuration
discovery.
The URL is usually the provider's URL without a path, for example
"https://accounts.google.com" or "https://login.salesforce.com".
The provider must implement configuration discovery.
See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
issuerUrl string βclientId string β
ClientID the JWT must be issued for, the "sub" field. This plugin only trusts a single
client to ensure the plugin can be used with public providers.
The plugin supports the "authorized party" OpenID Connect claim, which allows
specialized providers to issue tokens to a client for a different client.
See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
clientId string βclientSecret string β
ClientSecret to issue tokens from the OIDC provider
clientSecret string βredirectURI string β
loft redirect uri. E.g. https://loft.my.domain/auth/oidc/callback
redirectURI string βpostLogoutRedirectURI string β
Loft URI to be redirected to after successful logout by OIDC Provider
postLogoutRedirectURI string βcaFile string β
Path to a PEM encoded root certificate of the provider. Optional
caFile string βinsecureCa boolean β
Specify whether to communicate without validating SSL certificates
insecureCa boolean βpreferredUsername string β
Configurable key which contains the preferred username claims
preferredUsername string βloftUsernameClaim string β
LoftUsernameClaim is the JWT field to use as the user's username.
loftUsernameClaim string βusernameClaim string β
UsernameClaim is the JWT field to use as the user's id.
usernameClaim string βemailClaim string β
EmailClaim is the JWT field to use as the user's email.
emailClaim string βallowedExtraClaims string[] β
AllowedExtraClaims are claims of interest that are not part of User by default but may be provided by the OIDC provider.
allowedExtraClaims string[] βusernamePrefix string β
UsernamePrefix, if specified, causes claims mapping to username to be prefix with
the provided value. A value "oidc:" would result in usernames like "oidc:john".
usernamePrefix string βgroupsClaim string β
GroupsClaim, if specified, causes the OIDCAuthenticator to try to populate the user's
groups with an ID Token field. If the GroupsClaim field is present in an ID Token the value
must be a string or list of strings.
groupsClaim string βgroups string[] β
If required groups is non empty, access is denied if the user is not part of at least one
of the specified groups.
groups string[] βscopes string[] β
Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
scopes string[] βgetUserInfo boolean β
GetUserInfo, if specified, tells the OIDCAuthenticator to try to populate the user's
information from the UserInfo.
getUserInfo boolean βgroupsPrefix string β
GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the
value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing".
groupsPrefix string βtype string β
Type of the OIDC to show in the UI. Only for displaying purposes
type string βresource string β
Resource, if specified, is the value that is set for the "resource" URL parameter when making a request to the /token endpoint of the
OIDC provider.
resource string βgithub object β
Github holds github authentication configuration
github object βclientId string β
ClientID holds the github client id
clientId string βclientSecret required string β
ClientID holds the github client secret
clientSecret required string βredirectURI required string β
RedirectURI holds the redirect URI. Should be https://loft.domain.tld/auth/github/callback
redirectURI required string βorgs object[] β
Loft queries the following organizations for group information.
Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".
If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
authenticate with loft.
orgs object[] βname string β
Organization name in github (not slug, full name). Only users in this github
organization can authenticate.
name string βteams string[] β
Names of teams in a github organization. A user will be able to
authenticate if they are members of at least one of these teams. Users
in the organization can authenticate if this field is omitted from the
config file.
teams string[] βhostName string β
Required ONLY for GitHub Enterprise.
This is the Hostname of the GitHub Enterprise account listed on the
management console. Ensure this domain is routable on your network.
hostName string βrootCA string β
ONLY for GitHub Enterprise. Optional field.
Used to support self-signed or untrusted CA root certificates.
rootCA string βgitlab object β
Gitlab holds gitlab authentication configuration
gitlab object βclientId required string β
Gitlab client id
clientId required string βclientSecret required string β
Gitlab client secret
clientSecret required string βredirectURI required string β
Redirect URI
redirectURI required string βbaseURL string β
BaseURL is optional, default = https://gitlab.com
baseURL string βgroups string[] β
Optional groups whitelist, communicated through the "groups" scope.
If groups is omitted, all of the user's GitLab groups are returned.
If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.
groups string[] βgroups is omitted, all of the user's GitLab groups are returned.
If groups is provided, this acts as a whitelist - only the user's GitLab groups that are in the configured groups below will go into the groups claim. Conversely, if the user is not in any of the configured groups, the user will not be authenticated.google object β
Google holds google authentication configuration
google object βclientId required string β
Google client id
clientId required string βclientSecret required string β
Google client secret
clientSecret required string βredirectURI required string β
loft redirect uri. E.g. https://loft.my.domain/auth/google/callback
redirectURI required string βscopes string[] β
defaults to "profile" and "email"
scopes string[] βhostedDomains string[] β
Optional list of whitelisted domains
If this field is nonempty, only users from a listed domain will be allowed to log in
hostedDomains string[] βgroups string[] β
Optional list of whitelisted groups
If this field is nonempty, only users from a listed group will be allowed to log in
groups string[] βserviceAccountFilePath string β
Optional path to service account json
If nonempty, and groups claim is made, will use authentication from file to
check groups with the admin directory api
serviceAccountFilePath string βadminEmail string β
Required if ServiceAccountFilePath
The email of a GSuite super user which the service account will impersonate
when listing groups
adminEmail string βmicrosoft object β
Microsoft holds microsoft authentication configuration
microsoft object βclientId required string β
Microsoft client id
clientId required string βclientSecret required string β
Microsoft client secret
clientSecret required string βredirectURI required string β
loft redirect uri. Usually https://loft.my.domain/auth/microsoft/callback
redirectURI required string βtenant string β
tenant configuration parameter controls what kinds of accounts may be authenticated in loft.
By default, all types of Microsoft accounts (consumers and organizations) can authenticate in loft via Microsoft.
To change this, set the tenant parameter to one of the following:
common - both personal and business/school accounts can authenticate in loft via Microsoft (default)
consumers - only personal accounts can authenticate in loft
organizations - only business/school accounts can authenticate in loft
tenant uuid or tenant name - only accounts belonging to specific tenant identified by either tenant uuid or tenant name can authenticate in loft
tenant string βgroups string[] β
It is possible to require a user to be a member of a particular group in order to be successfully authenticated in loft.
groups string[] βonlySecurityGroups boolean β
configuration option restricts the list to include only security groups. By default all groups (security, Office 365, mailing lists) are included.
onlySecurityGroups boolean βuseGroupsAsWhitelist boolean β
Restrict the groups claims to include only the userβs groups that are in the configured groups
useGroupsAsWhitelist boolean βsaml object β
SAML holds saml authentication configuration
saml object βredirectURI string β
If the response assertion status value contains a Destination element, it
must match this value exactly.
Usually looks like https://your-loft-domain/auth/saml/callback
redirectURI string βssoURL string β
SSO URL used for POST value.
ssoURL string βcaData string β
CAData is a base64 encoded string that holds the ca certificate for validating the signature of the SAML response.
Either CAData, CA or InsecureSkipSignatureValidation needs to be defined.
caData string βusernameAttr string β
Name of attribute in the returned assertions to map to username
usernameAttr string βemailAttr string β
Name of attribute in the returned assertions to map to email
emailAttr string βgroupsAttr string β
Name of attribute in the returned assertions to map to groups
groupsAttr string βca string β
CA to use when validating the signature of the SAML response.
ca string βinsecureSkipSignatureValidation boolean β
Ignore the ca cert
insecureSkipSignatureValidation boolean βentityIssuer string β
When provided Loft will include this as the Issuer value during AuthnRequest.
It will also override the redirectURI as the required audience when evaluating
AudienceRestriction elements in the response.
entityIssuer string βssoIssuer string β
Issuer value expected in the SAML response. Optional.
ssoIssuer string βgroupsDelim string β
If GroupsDelim is supplied the connector assumes groups are returned as a
single string instead of multiple attribute values. This delimiter will be
used split the groups string.
groupsDelim string βallowedGroups string[] β
List of groups to filter access based on membership
allowedGroups string[] βfilterGroups boolean β
If used with allowed groups, only forwards the allowed groups and not all
groups specified.
filterGroups boolean βnameIDPolicyFormat string β
Requested format of the NameID. The NameID value is is mapped to the ID Token
'sub' claim.
This can be an abbreviated form of the full URI with just the last component. For
example, if this value is set to "emailAddress" the format will resolve to:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If no value is specified, this value defaults to:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
nameIDPolicyFormat string βdisableTeamCreation boolean β
Prevents from team creation for the new groups associated with the user at the time of logging in through sso,
Default behaviour is false, this means that teams will be created for new groups.
disableTeamCreation boolean βdisableUserCreation boolean β
DisableUserCreation prevents the SSO connectors from creating a new user on a users initial signin through sso.
Default behaviour is false, this means that a new user object will be created once a user without
a Kubernetes user object logs in.
disableUserCreation boolean βaccessKeyMaxTTLSeconds integer β
AccessKeyMaxTTLSeconds is the global maximum lifespan of an accesskey in seconds.
Leaving it 0 or unspecified will disable it.
Specifying 2592000 will mean all keys have a Time-To-Live of 30 days.
accessKeyMaxTTLSeconds integer βloginAccessKeyTTLSeconds integer β
LoginAccessKeyTTLSeconds is the time in seconds an access key is kept
until it is deleted.
Leaving it unspecified will default to 20 days.
Setting it to zero will disable the ttl.
Specifying 2592000 will mean all keys have a default Time-To-Live of 30 days.
loginAccessKeyTTLSeconds integer βcustomHttpHeaders object β
CustomHttpHeaders are additional headers that should be set for the authentication endpoints
customHttpHeaders object βgroupsFilters string[] β
GroupsFilters is a regex expression to only save matching sso groups into the user resource
groupsFilters string[] βoidc object β
DEPRECATED: Configure the OIDC clients using either the OIDC Client UI or a secret. By default, vCluster Platform as an OIDC Provider is enabled but does not function without OIDC clients.
oidc object βenabled boolean β
If true indicates that loft will act as an OIDC server
enabled boolean βwildcardRedirect boolean β
If true indicates that loft will allow wildcard '*' in client redirectURIs
wildcardRedirect boolean βclients object[] β
The clients that are allowed to request loft tokens
clients object[] βname string β
The client name
name string βclientId string β
The client id of the client
clientId string βclientSecret string β
The client secret of the client
clientSecret string βredirectURIs required string[] β
A registered set of redirect URIs. When redirecting from dex to the client, the URI
requested to redirect to MUST match one of these values, unless the client is "public".
redirectURIs required string[] βapps object β
Apps holds configuration around apps
apps object βnoDefault boolean β
If this option is true, loft will not try to parse the default apps
noDefault boolean βrepositories object[] β
These are additional repositories that are parsed by loft
repositories object[] βname string β
Name is the name of the repository
name string βurl string β
URL is the repository url
url string βusername string β
Username of the repository
username string βpassword string β
Password of the repository
password string βinsecure boolean β
Insecure specifies if the chart should be retrieved without TLS
verification
insecure boolean βpredefinedApps object[] β
Predefined apps that can be selected in the Spaces ) Space menu
predefinedApps object[] βchart string β
Chart holds the repo/chart name of the predefined app
chart string βinitialVersion string β
InitialVersion holds the initial version of this app.
This version will be selected automatically.
initialVersion string βinitialValues string β
InitialValues holds the initial values for this app.
The values will be prefilled automatically. There are certain
placeholders that can be used within the values that are replaced
by the loft UI automatically.
initialValues string βclusters string[] β
Holds the cluster names where to display this app
clusters string[] βtitle string β
Title is the name that should be displayed for the predefined app.
If empty the chart name is used.
title string βiconUrl string β
IconURL specifies an url to the icon that should be displayed for this app.
If none is specified the icon from the chart metadata is used.
iconUrl string βreadmeUrl string β
ReadmeURL specifies an url to the readme page of this predefined app. If empty
an url will be constructed to artifact hub.
readmeUrl string βaudit object β
Audit holds audit configuration
audit object βenabled boolean β
If audit is enabled and incoming api requests will be logged based on the supplied policy.
enabled boolean βdisableAgentSyncBack boolean β
If true, the agent will not send back any audit logs to Loft itself.
disableAgentSyncBack boolean βlevel integer β
Level is an optional log level for audit logs. Cannot be used together with policy
level integer βpolicy object β
The audit policy to use and log requests. By default loft will not log anything
policy object βrules object[] β
Rules specify the audit Level a request should be recorded at.
A request may match multiple rules, in which case the FIRST matching rule is used.
The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
PolicyRules are strictly ordered.
rules object[] βlevel required string β
The Level that requests matching this rule are recorded at.
level required string βusers string[] β
The users (by authenticated user name) this rule applies to.
An empty list implies every user.
users string[] βuserGroups string[] β
The user groups this rule applies to. A user is considered matching
if it is a member of any of the UserGroups.
An empty list implies every user group.
userGroups string[] βverbs string[] β
The verbs that match this rule.
An empty list implies every verb.
verbs string[] βresources object[] β
Resources that this rule matches. An empty list implies all kinds in all API groups.
resources object[] βgroup string β
Group is the name of the API group that contains the resources.
The empty string represents the core API group.
group string βresources string[] β
Resources is a list of resources this rule applies to.
For example:
'pods' matches pods.
'pods/log' matches the log subresource of pods.
'' matches all resources and their subresources.
'pods/' matches all subresources of pods.
'*/scale' matches all scale subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
resources string[] βresourceNames string[] β
ResourceNames is a list of resource instance names that the policy matches.
Using this field requires Resources to be specified.
An empty list implies that every instance of the resource is matched.
resourceNames string[] βnamespaces string[] β
Namespaces that this rule matches.
The empty string "" matches non-namespaced resources.
An empty list implies every namespace.
namespaces string[] βnonResourceURLs string[] β
NonResourceURLs is a set of URL paths that should be audited.
s are allowed, but only as the full, final step in the path.
Examples:
"/metrics" - Log requests for apiserver metrics
"/healthz" - Log all health checks
nonResourceURLs string[] βomitStages string[] β
OmitStages is a list of stages for which no events are created. Note that this can also
be specified policy wide in which case the union of both are omitted.
An empty list means no restrictions will apply.
omitStages string[] βrequestTargets string[] β
RequestTargets is a list of request targets for which events are created.
An empty list implies every request.
requestTargets string[] βclusters string[] β
Clusters that this rule matches. Only applies to cluster requests.
If this is set, no events for non cluster requests will be created.
An empty list means no restrictions will apply.
clusters string[] βomitStages string[] β
OmitStages is a list of stages for which no events are created. Note that this can also
be specified per rule in which case the union of both are omitted.
omitStages string[] βdataStoreEndpoint string β
DataStoreEndpoint is an endpoint to store events in.
dataStoreEndpoint string βdataStoreTTL integer β
DataStoreMaxAge is the maximum number of hours to retain old log events in the datastore
dataStoreTTL integer βpath string β
The path where to save the audit log files. This is required if audit is enabled. Backup log files will
be retained in the same directory.
path string βmaxAge integer β
MaxAge is the maximum number of days to retain old log files based on the
timestamp encoded in their filename. Note that a day is defined as 24
hours and may not exactly correspond to calendar days due to daylight
savings, leap seconds, etc. The default is not to remove old log files
based on age.
maxAge integer βmaxBackups integer β
MaxBackups is the maximum number of old log files to retain. The default
is to retain all old log files (though MaxAge may still cause them to get
deleted.)
maxBackups integer βmaxSize integer β
MaxSize is the maximum size in megabytes of the log file before it gets
rotated. It defaults to 100 megabytes.
maxSize integer βcompress boolean β
Compress determines if the rotated log files should be compressed
using gzip. The default is not to perform compression.
compress boolean βloftHost string β
LoftHost holds the domain where the loft instance is hosted. This should not include https or http. E.g. loft.my-domain.com
loftHost string βprojectNamespacePrefix string β
ProjectNamespacePrefix holds the prefix for loft project namespaces. Omitted defaults to "p-"
projectNamespacePrefix string βdevPodSubDomain string β
DEPRECATED: DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com
DevPodSubDomain holds a subdomain in the following form *.workspace.my-domain.com
devPodSubDomain string βuiSettings object β
UISettings holds the settings for modifying the Loft user interface
uiSettings object βloftVersion string β
LoftVersion holds the current loft version
loftVersion string βlogoURL string β
LogoURL is url pointing to the logo to use in the vCluster Platform UI. This path must be accessible for clients accessing
the vCluster Platform UI!
logoURL string βfaviconURL string β
FaviconURL is url pointing to the favicon to use in the vCluster Platform UI. This path must be accessible for clients accessing
the vCluster Platform UI!
faviconURL string βsmallLogoURL string β
SmallLogoURL is url pointing to the small logo to use in the vCluster Platform UI. This path must be accessible for clients accessing
the vCluster Platform UI!
smallLogoURL string βlogoBackgroundColor string β
LogoBackgroundColor is the color value (ex: "#12345") to use as the background color for the logo
logoBackgroundColor string βlegalTemplate string β
LegalTemplate is a text (html) string containing the legal template to prompt to users when authenticating to Loft
legalTemplate string βprimaryColor string β
PrimaryColor is the color value (ex: "#12345") to use as the primary color
primaryColor string βsidebarColor string β
SidebarColor is the color value (ex: "#12345") to use for the sidebar
sidebarColor string βaccentColor string β
AccentColor is the color value (ex: "#12345") to use for the accent
accentColor string βcustomCss string[] β
CustomCSS holds URLs with custom css files that should be included when loading the UI
customCss string[] βcustomJavaScript string[] β
CustomJavaScript holds URLs with custom js files that should be included when loading the UI
customJavaScript string[] βnavBarButtons object[] β
NavBarButtons holds extra nav bar buttons
navBarButtons object[] βposition string β
Position holds the position of the button, can be one of:
TopStart, TopEnd, BottomStart, BottomEnd. Defaults to BottomEnd
position string βtext string β
Text holds text for the button
text string βlink string β
Link holds the link of the navbar button
link string βicon string β
Icon holds the url of the icon to display
icon string βexternalURLs object β
External URLs that can be called from the UI
externalURLs object βblock boolean β
Block determines if requests to external URLs from the UI should be blocked
block boolean βallow string[] β
Allow specifies which external URLs can be called. In addition to the predefined modules,
- "vcluster" (license page, feature descriptions, ...)
- "gtm" (google tag manager)
- "featurebase" (changelog)
any URL can be added to this list. This will allow the UI to make any request to this URL.
This is only active when Block is true.
allow string[] βvault object β
VaultIntegration holds the vault integration configuration
vault object βenabled boolean β
Enabled indicates if the Vault Integration is enabled for the project -- this knob only
enables the syncing of secrets to or from Vault, but does not setup Kubernetes authentication
methods or Kubernetes secrets engines for vclusters.
enabled boolean βaddress string β
Address defines the address of the Vault instance to use for this project.
Will default to the VAULT_ADDR environment variable if not provided.
address string βVAULT_ADDR environment variable if not provided.skipTLSVerify boolean β
SkipTLSVerify defines if TLS verification should be skipped when connecting to Vault.
skipTLSVerify boolean βnamespace string β
Namespace defines the namespace to use when storing secrets in Vault.
namespace string βauth object β
Auth defines the authentication method to use for this project.
auth object βtoken string β
Token defines the token to use for authentication.
token string βtokenSecretRef object β
TokenSecretRef defines the Kubernetes secret to use for token authentication.
Will be used if token is not provided.
Secret data should contain the token key.
tokenSecretRef object βtoken is not provided.token key.name string β
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop kubebuilder:default when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
name string βkubebuilder:default when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.key required string β
The key of the secret to select from. Must be a valid secret key.
key required string βoptional boolean β
Specify whether the Secret or its key must be defined
optional boolean βsyncInterval string β
SyncInterval defines the interval at which to sync secrets from Vault.
Defaults to 1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.
syncInterval string β1m.
See https://pkg.go.dev/time#ParseDuration for supported formats.disableConfigEndpoint boolean β
DisableLoftConfigEndpoint will disable setting config via the UI and config.management.loft.sh endpoint
disableConfigEndpoint boolean βauthenticateVersionEndpoint boolean β
AuthenticateVersionEndpoint will force authentication for the '/version' endpoint. Will only work with vCluster v0.27 & later
authenticateVersionEndpoint boolean βcloud object β
Cloud holds the settings to be used exclusively in vCluster Cloud based
environments and deployments.
cloud object βreleaseChannel string β
ReleaseChannel specifies the release channel for the cloud configuration.
This can be used to determine which updates or versions are applied.
releaseChannel string βmaintenanceWindow object β
MaintenanceWindow specifies the maintenance window for the cloud configuration.
This is a structured representation of the time window during which maintenance can occur.
maintenanceWindow object βdayOfWeek string β
DayOfWeek specifies the day of the week for the maintenance window.
It should be a string representing the day, e.g., "Monday", "Tuesday", etc.
dayOfWeek string βtimeWindow string β
TimeWindow specifies the time window for the maintenance.
It should be a string representing the time range in 24-hour format, in UTC, e.g., "02:00-03:00".
timeWindow string βcostControl object β
CostControl holds the settings related to the Cost Control ROI dashboard and its metrics gathering infrastructure
costControl object βenabled boolean β
Enabled specifies whether the ROI dashboard should be available in the UI, and if the metrics infrastructure
that provides dashboard data is deployed
enabled boolean βglobal object β
Global are settings for globally managed components
global object βmetrics object β
Metrics these settings apply to metric infrastructure used to aggregate metrics across all connected clusters
metrics object βreplicas integer β
Replicas is the number of desired replicas.
replicas integer βresources object β
Resources are compute resource required by the metrics backend
resources object βlimits object β
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
limits object βrequests object β
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
requests object βclaims object[] β
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
claims object[] βname required string β
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
name required string βrequest string β
Request is the name chosen for a request in the referenced claim.
If empty, everything from the claim is made available, otherwise
only the result of this request.
request string βretention string β
Retention is the metrics data retention period. Default is 1y
retention string βstorage object β
storage object βstorageClass string β
StorageClass the storage class to use when provisioning the metrics backend's persistent volume
If set to "-" or "" dynamic provisioning is disabled
If set to undefined or null (the default), the cluster's default storage class is used for provisioning
storageClass string βsize string β
Size the size of the metrics backend's persistent volume
size string βcluster object β
Cluster are settings for each cluster's managed components. These settings apply to all connected clusters
unless overridden by modifying the Cluster's spec
cluster object βmetrics object β
Metrics are settings applied to metric infrastructure in each connected cluster. These can be overridden in
individual clusters by modifying the Cluster's spec
metrics object βreplicas integer β
Replicas is the number of desired replicas.
replicas integer βresources object β
Resources are compute resource required by the metrics backend
resources object βlimits object β
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
limits object βrequests object β
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
requests object βclaims object[] β
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
claims object[] βname required string β
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
name required string βrequest string β
Request is the name chosen for a request in the referenced claim.
If empty, everything from the claim is made available, otherwise
only the result of this request.
request string βretention string β
Retention is the metrics data retention period. Default is 1y
retention string βstorage object β
storage object βstorageClass string β
StorageClass the storage class to use when provisioning the metrics backend's persistent volume
If set to "-" or "" dynamic provisioning is disabled
If set to undefined or null (the default), the cluster's default storage class is used for provisioning
storageClass string βsize string β
Size the size of the metrics backend's persistent volume
size string βopencost object β
OpenCost are settings applied to OpenCost deployments in each connected cluster. These can be overridden in
individual clusters by modifying the Cluster's spec
opencost object βreplicas integer β
Replicas is the number of desired replicas.
replicas integer βresources object β
Resources are compute resource required by the OpenCost backend
resources object βlimits object β
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
limits object βrequests object β
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
requests object βclaims object[] β
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
claims object[] βname required string β
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
name required string βrequest string β
Request is the name chosen for a request in the referenced claim.
If empty, everything from the claim is made available, otherwise
only the result of this request.
request string βsettings object β
Settings specify price-related settings that are taken into account for the ROI dashboard calculations.
settings object βpriceCurrency string β
PriceCurrency specifies the currency.
priceCurrency string βaverageCPUPricePerNode object β
AvgCPUPricePerNode specifies the average CPU price per node.
averageCPUPricePerNode object βprice number β
Price specifies the price.
price number βtimePeriod string β
TimePeriod specifies the time period for the price.
timePeriod string βaverageRAMPricePerNode object β
AvgRAMPricePerNode specifies the average RAM price per node.
averageRAMPricePerNode object βprice number β
Price specifies the price.
price number βtimePeriod string β
TimePeriod specifies the time period for the price.
timePeriod string βplatformDB object β
PlatformDB holds the settings related to the postgres database that platform uses to store data
platformDB object βstorageClass string β
StorageClass sets the storage class for the PersistentVolumeClaim used by the platform database statefulSet.
storageClass string βimageBuilder object β
ImageBuilder holds the settings related to the image builder
imageBuilder object βenabled boolean β
Enabled specifies whether the remote image builder should be available.
If it's not available building ad-hoc images from a devcontainer.json is not supported
enabled boolean βreplicas integer β
Replicas is the number of desired replicas.
replicas integer βresources object β
Resources are compute resource required by the buildkit containers
resources object βlimits object β
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
limits object βrequests object β
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
requests object βclaims object[] β
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This field depends on the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
claims object[] βname required string β
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
name required string βrequest string β
Request is the name chosen for a request in the referenced claim.
If empty, everything from the claim is made available, otherwise
only the result of this request.
request string βdatabase object β
Database represents the database connection settings when deploying the platform with an embedded Kubernetes backed by kine
database object βenabled boolean β
Enabled defines if the database should be used.
enabled boolean βdataSource string β
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/k3s
- postgres: postgres://username:password@hostname:5432/k3s
dataSource string βidentityProvider string β
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security.
This is optional for the external database. Examples:
- aws: RDS IAM Authentication
identityProvider string βkeyFile string β
KeyFile is the key file to use for the database. This is optional.
keyFile string βcertFile string β
CertFile is the cert file to use for the database. This is optional.
certFile string βcaFile string β
CaFile is the ca file to use for the database. This is optional.
caFile string βextraArgs string[] β
ExtraArgs are additional arguments to pass to Kine.
extraArgs string[] β