Quotas & Space Constraints
A key aspect of Loft is establishing secure multi-tenancy when sharing clusters among multiple users and teams. To guarantee fair use for every tenant and to isolate tenants from each other, Loft provides two features:
- Quotas which define aggregated resource limits for users and/or teams (e.g. max 5 spaces, max 12 GB memory)
- Space Constraints which define resources and other configurations that will be enforced for each space a user or a team creates using Loft (e.g. required labels and annotations, or resources such as a NetworkPolicy or LimitRange in each namespace)
Quotas
- Go to the Clusters view using the menu on the left
- Switch to the Cluster Access tab
- Hover over the cluster access that you want to apply the quota to and click on the button to Edit the cluster access
- In the drawer that appears on the right, expand the section
- Use the Enforce Quota field to specify quotas, e.g. you can limit the number of spaces by adding the line spaces: 3 to this quota specification
- On the very bottom, click on the button to save the changes
Test with Impersonation
After following the steps above, all spaces created using the cluster access in step 7 will now enforce this quota. You can test this behavior by impersonating a user that uses this cluster access.
Space Constraints
Space Constraints allow you to define restrictions for namespaces such as enforced resources that will be deployed to each new namespace a user creates (e.g. NetworkPolicies) or other enforced settings such as mandatory labels, annotations, or any sleep mode configurations.