Works with any Kubernetes cluster

Loft works with all major Kubernetes distributions. Once you connect a cluster, Loft will install a lightweight control plane into the cluster which provides everything you need to create isolated development sandboxes.

Isolated Namespaces

Loft lets you build a self-service Kubernetes platform that enables developer teams to create isolated Kubernetes namespaces called Spaces. While creating a Space, Loft takes care of setting up the required RBAC rules, network policies, resource quotas, security policies etc.

  1. Connect Clusters

    Run the connect cluster command and choose the kube-context of the cluster you want to connect.

    devspace connect cluster

  2. Add Users & Configure Limits

    In the admin UI of Loft, you can create invite links, manage users and set user permissions.

  3. Create Spaces On-Demand

    Cluster users can now create spaces whenever they need them, as long as they stay within their limits.

    devspace create space my-test-space

    Loft ensures that everyone stays within their limits and no one breaks out of their spaces.

5 Reasons

Why Cloud-Native Teams Choose Loft

#1 On-Demand Namespaces

Loft provisions and isolates namespaces on-demand

Instead of provisioning separate clusters for developers, DevSpace Cloud allows you to share Kubernetes clusters. After connecting a cluster to Loft, admins can add cluster users and configure their limits. Within these limits, cluster users can now create spaces on-demand whenever they need them.

devspace create space my-app

Create Isolated Namespaces

  • On-Demand Provisioning via CLI or UI

    With Loft, namespace provisioning becomes self-service for developers.

  • Automatic Kube-Context Setup

    During the 'create space' command, the CLI configures a kube-context for every newly created namespace, so developers can use tools like kubectl and helm.

  • Secure Isolation

    Every namespace created through Loft is by default completely isolated from the rest of the cluster.

#2 Secure Multi-Tenancy

Loft securely isolates users and namespaces in shared clusters

Authentication

While users interact directly with the Kubernetes clusters, Loft creates and manages the access tokens for cluster users that work within isolated Spaces.

  • Auth Provider Plugin

    When running a kubectl command in the kube-context of a Space, kubectl retrieves an auth token from DevSpace, which is configured by default as the auth plugin for the context.

  • 2-Factor Authentication via GitHub

    Loft supports OAuth, so users can sign in with their GitHub account (SASL is coming soon).


Authorization

Loft sets up service accounts and Role-Based Access Control (RBAC) rules to ensure that cluster users cannot break out of their namespaces.

  • Separate Service Accounts

    To ensure that users cannot break out of their Spaces, Loft creates a separate service account for each user of a Space.

  • Strict RBAC Rules

    By default, Loft sets up RBAC rules that make sure developers cannot run operations outside of their namespaces.

Network Isolation

To make sure that developers can work within their namespaces without issues, Loft isolates the network traffic for each Space.

  • Cross-Namespace Traffic Restrictions

    By default, containers in different Spaces cannot communicate with each other unless the cluster admins configure this explicitly.

  • Auto-Ingress & Hostname Validation

    Loft can automatically provision unique ingress hostnames for developers (if needed). Admins configure which other hostnames developers may use, and Loft enforces these rules using hostname validation.

Admission Control

Loft installs Open Policy Agent (OPA) into connected clusters to check every resource that a user creates using kubectl or other tools. This lets DevSpace Cloud allow, reject or modify resources according to the admission policies defined by the cluster admins.

  • Strict Default Policies

    Loft provides a variety of best-practice admission policies for high security standards.

  • Custom Policies using OPA

    Loft allows admins to define their own admission checks using custom rules enforced by OPA.

#3 Powerful Admin UI

Loft provides a UI for managing cluster users and their permissions

  • Cluster Management

    Check the cluster status, install, configure or upgrade cluster services (e.g. ingress controller, cert manager, OPA Gatekeeper etc.) with just a click.

  • User Management

    View users, their permissions, their Spaces as well as the utilization of these Spaces.

  • Invite Links

    Create and send invite links to add new users.

  • Spaces Management

    Add or remove Spaces for cluster users. View all Spaces of cluster users (including log streaming for all pods). Pause Spaces to reduce cluster cost.

  • User & Space Limits

    Configure user permissions and Space limits for individual cluster users or groups of them (using bulk operations).

#4 Extensive Customization

The entire business logic of Loft is fully customizable

We know that every team has their own compliance rules and security guidelines. Loft is built for customization and provides over 50 different configuration options for restricting cluster access and for limiting users and Spaces. And for additional customization, Loft lets you define admission control rules using Open Policy Agent and even allows you to modify the entire control logic of Loft, which is written in admission control policies as well.

Here are some of the rules which most users might want to use or customize:

  • Custom Ingress Annotations

    Adds annotations to each ingress that is being created.

  • Ingress Hostname Validation

    Restricts the user to a list or pattern of allowed hostnames.

  • Pod Security

    Rejects privileged pods, hostNetwork access and more.

  • Pod Resource Limits

    Sets default resource limits for pods without limits and makes sure users do not exceed their resource limits.
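
The Pod Security and Ingress Hostname Validation rules above can be pictured as the following admission checks. This is an added example, not Loft's own policy code (which the page says is written as OPA policies); the function names, the allow-list patterns and the sample objects are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policy: hostname patterns an admin might allow (assumption).
ALLOWED_HOSTS = ["*.dev.example.com", "demo.example.com"]

def pod_violations(pod):
    """Return reasons to reject a Pod manifest (privileged, host namespaces)."""
    spec = pod.get("spec", {})
    reasons = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            reasons.append(f"{flag} is not allowed")
    # Init and ephemeral containers can be privileged too, so check all three lists.
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                reasons.append(f"{kind}/{c.get('name')} is privileged")
    return reasons

def ingress_violations(ingress, allowed=ALLOWED_HOSTS):
    """Return reasons to reject an Ingress whose hosts are outside the allow-list."""
    reasons = []
    spec = ingress.get("spec", {})
    hosts = [r.get("host") for r in spec.get("rules") or []]
    hosts += [h for t in spec.get("tls") or [] for h in t.get("hosts") or []]
    for host in hosts:
        if not host:
            # A rule without a host matches every hostname on the controller.
            reasons.append("rule without host is not allowed")
        elif not any(fnmatchcase(host.lower(), p) for p in allowed):
            reasons.append(f"host {host} is not allowed")
    return reasons

def admit(obj):
    """Dispatch on kind; return (allowed, reasons) like an admission response."""
    checks = {"Pod": pod_violations, "Ingress": ingress_violations}
    reasons = checks.get(obj.get("kind"), lambda o: [])(obj)
    return (not reasons, reasons)

# Constructed sample objects.
SAMPLE_POD = {"kind": "Pod", "spec": {"hostNetwork": True, "containers": [
    {"name": "app", "image": "nginx"}],
    "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}]}}
SAMPLE_INGRESS = {"kind": "Ingress", "spec": {"rules": [
    {"host": "alice.dev.example.com"}, {"host": "www.example.org"}, {}]}}

if __name__ == "__main__":
    for obj in (SAMPLE_POD, SAMPLE_INGRESS):
        print(obj["kind"], admit(obj))
```

Note that the `*` in these patterns also matches dots, so `*.dev.example.com` admits multi-level subdomains; a stricter policy would match one label at a time.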

#5 Lower Cluster Cost

Loft pauses namespaces when developers are not using them

Sleep Mode

Because Loft is involved during the token exchange when a user runs any kubectl command, it knows when users have not been sending any requests for a while. Loft provides a sleep mode option, which pauses namespaces after a certain period of time.

  • Automatically Pause Spaces

    Loft scales down the replica sets within a namespace if it detects that the user has not been working for a while (inactivity detection).

  • Automatically Resume Spaces

    If a Space is paused, the entire configuration is still there; only the replica number is set to 0. When Loft receives the first request again, it resumes the Space by restoring the old number of replicas.

  • Customize Inactivity Detection

    Loft allows you to configure how inactivity will be detected. This can even be configured differently on a per-user or on a per-Space basis.


Pricing

We host Loft and the Kubernetes clusters for you.

Demo

$0
1 Namespace
1 CPU Core
2 GB Memory
10 GB Storage

We sponsor free Kubernetes namespaces in our managed clusters, so you can evaluate Loft.

Connect your own cluster

We host Loft and you connect your own clusters to it.

Personal

$0
1 Cluster
3 Cluster Users

No credit card required.

Team

$20
per user
per month
Clusters
Cluster Users

For more information about features and pricing, see www.loft.sh.

Self-Service Namespaces
Secure Multi-Tenancy
Virtual Clusters
Enterprise Auth
via LDAP, OAuth, SAML

loft offers the same features as loft but additionally lets you customize everything with Kubernetes CRDs and provides virtual clusters as well as enterprise authentication integrations with GitLab, GitHub, SAML 2.0, LDAP and more.


The term "DevSpace" is a registered trademark of the provider of this site. All other trademarks and names referenced in this site are property of their respective owners.