CAUTION: Reset of kiosk Cluster Roles
Because of permission changes (see below), Loft will reset the following cluster roles in a connected cluster automatically:
- loft-cluster-space-default
- loft-cluster-extra-space-admin-rules
- loft-cluster-authenticated
If you have made changes manually to these cluster roles, please back up these changes before upgrading Loft and reapply them afterwards.
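One way to script the backup described above, as an added example that is not part of the Loft release notes or Loft tooling. It assumes kubectl's current context is the connected cluster; the function names and the backup directory layout are hypothetical.

```shell
#!/bin/sh
# Added example (not Loft tooling): save the cluster roles that the upgrade
# resets, then list the ones whose rules differ afterwards.
# Assumption: kubectl's current context is the connected cluster.

ROLES="loft-cluster-space-default loft-cluster-extra-space-admin-rules loft-cluster-authenticated"

# backup_roles DIR: write DIR/<role>.yaml (full object, for reference when
# reapplying) and DIR/<role>.rules.json (rules only, for comparison).
# Roles that cannot be read are skipped. Fails if none were saved.
backup_roles() {
  dir="$1"; saved=0
  mkdir -p "$dir" || return 1
  for role in $ROLES; do
    if kubectl get clusterrole "$role" -o yaml > "$dir/$role.yaml" 2>/dev/null &&
       kubectl get clusterrole "$role" -o jsonpath='{.rules}' \
         > "$dir/$role.rules.json" 2>/dev/null; then
      saved=$((saved + 1))
    else
      rm -f "$dir/$role.yaml" "$dir/$role.rules.json"
      echo "skipped: $role (could not be read)" >&2
    fi
  done
  [ "$saved" -gt 0 ]
}

# changed_roles DIR: after the upgrade, print each backed-up role whose live
# rules differ from the saved copy. These are the roles to review before
# reapplying manual changes.
changed_roles() {
  dir="$1"
  for role in $ROLES; do
    [ -f "$dir/$role.rules.json" ] || continue
    live=$(kubectl get clusterrole "$role" -o jsonpath='{.rules}' 2>/dev/null) || live=""
    [ "$live" = "$(cat "$dir/$role.rules.json")" ] || echo "$role"
  done
}

# Usage: script.sh backup DIR   (before upgrading)
#        script.sh changed DIR  (after upgrading)
case "${1:-}" in
  backup)  backup_roles "${2:?backup directory required}" ;;
  changed) changed_roles "${2:?backup directory required}" ;;
esac
```

A role listed by the second step differs either because the reset removed a manual change or because the new Loft version ships different rules, so compare against the saved YAML before reapplying anything.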
🚀 kiosk & direct cluster endpoint is now loft-agent
From this version onwards, Loft will deploy Loft agent instead of kiosk into connected clusters. Loft agent bundles kiosk, the direct cluster endpoint functionality and other Loft-specific functionality into a single pod, which allows us to keep the footprint and complexity of Loft lower. If you already have kiosk installed, Loft will automatically migrate the current kiosk installation to Loft agent in all of your connected clusters.
Since Loft agent is now also able to function as a direct cluster endpoint, no separate chart or installation is required anymore for using this functionality.
🚀 Permission Changes & Self-Service Clusters, Users, Teams etc.
We added an option to each Loft management CRD that allows you to specify additional users or teams that can access the corresponding object. This means it is now a lot easier to let teams and users create their own objects in a self-service way in the management cluster (like clusters, users, account cluster templates etc.), and they can also manage access to these objects without needing RBAC access to modify cluster roles or bindings directly.
In addition, we added several predefined cluster roles that can be assigned to users and teams through the Loft UI, such as cluster creator, cluster admin, apps creator etc.
🚀 User Impersonation
You are now able to impersonate users through the Loft UI. This is an easy way to debug or explore Loft as another user without actually having to log in as that user. Only users or teams that have the appropriate impersonation rights are allowed to impersonate other users.
🚀 Team Access Keys
You can now create access keys for teams and use them for the Loft CLI as login credentials (loft login ... --access-key TEAM_ACCESS_KEY). This allows you to manage access more broadly and independently of users.
🚀 Access Key Scopes
Access keys for users and teams can now be scoped to certain actions, such as accessing a single cluster, a namespace within a cluster or a virtual cluster. This can be configured through the Loft UI in Profile > Access Keys, Users > Access Keys or Teams > Access Keys.
🚀 Apps
Apps and predefined apps for the Loft UI apps views can now be configured through a new app CRD and managed through the Loft UI. An app can either target an existing Helm chart or consist of custom-defined Kubernetes manifests. These manifests can also include Helm syntax and are deployed as Helm releases, so you'll get version control for these apps out of the box as well. Furthermore, apps can be shown as predefined for certain users or teams in one of the apps views in Clusters > Overview, Spaces > Apps or Virtual Clusters > apps.
🚀 Space & Virtual Cluster Templates
You are now able to define space or virtual cluster templates that define how a certain space or virtual cluster should get deployed. In each template you can define what apps should get automatically deployed on creation, which makes it possible to create environment templates for different use cases.
You can also define default space and virtual cluster templates for connected clusters.
Other changes
- api: user & teams access and memberships are now cleaned up automatically on deletion
- api: virtual cluster persistent volume claims are now cleaned up automatically on deletion
- api: added support for Kubernetes v1.22.0
- api: updated vcluster version to v0.4.0
- api: cluster account templates can now specify single clusters instead of a cluster label selector
- ui: new access to virtual cluster space section to modify virtual cluster access more easily
- ui: you can now manage the access keys of all users via the Users view
- ui: new apps view in virtual clusters
- ui: apps can now be rolled back
- ui: default space and virtual cluster templates can now be defined in the cluster edit drawer
- ui: virtual cluster values do not have to include the vcluster image or service CIDR anymore and this will be filled in automatically by Loft
- ui: improved the responsiveness of the virtual clusters view
- cli: improved output in pipelines
- cli: new flag --template for loft create vcluster and loft create space to specify a template to use