Version: v4.5 Stable

Manage Allowed Templates

Allowed templates are the templates that project members are allowed to use when creating resources in a project.

Security best practices

By default, vCluster Platform requires templates for non-admin users to create virtual clusters. This default exists because creating virtual clusters without templates can pose security risks.

Why templates matter for security

When users create virtual clusters without a template, they have full control over the vCluster configuration. Misconfigured settings can allow users to:

  • Access host cluster resources they should not have access to through sync settings
  • Sync sensitive resources from the host cluster into the virtual cluster
  • Create resources in the host namespace that affect other workloads
  • Deploy arbitrary resources to the host namespace using experimental.deploy.host, which inherits the platform's permissions and can create role bindings or cluster role bindings
  • Access the host namespace through Namespace Objects and Namespace Apps, which deploy resources directly to the host cluster

Recommendations

  1. Keep templates required: The default requireTemplate setting ensures non-admin users can only create virtual clusters from pre-approved templates. Do not disable this setting unless you trust all project members with full vCluster configuration access.

  2. Use hardened templates: Configure templates with restricted sync settings. See security hardening for guidance on creating secure templates.

  3. Review allowed templates carefully: Only add templates to a project that have been reviewed for security implications. Avoid using "All Templates" unless all available templates are appropriately secured.

  4. Limit admin access: Only grant project admin or platform admin roles to users who need the ability to create virtual clusters without templates.

Add templates

Only project admins or global admins can add more templates to a project.

  1. Select the project you'd like to configure using the drop-down menu. Click on Settings.

  2. Click on Allowed Templates.

  3. Select which resource you want to add more templates to.

  4. In the "Allowed" section, click the input and select the name of the template to add. If you wish to change this manually, you may edit the YAML directly.

  5. Once all project options have been specified, click the .

All Templates

Instead of adding every template individually, a special selection named All Templates can be used to make every template on the platform available to the project. Use this option with caution.

Set a default template

A default template can be selected for a project, so that the template is automatically selected when creating the resource. The default template is not enforced during resource creation.

  1. Select the project you'd like to configure using the drop-down menu. Click on Settings.

  2. Click on Allowed Templates.

  3. Select the resource you want to set a default template for.

  4. Select the name of the template to use as the default. If you wish to change this manually, you may edit the YAML directly.

  5. Once all project options have been specified, click the .

Advanced: Setting a Namespace Pattern

When creating a resource, it can be repetitive to specify a spec.clusterRef.namespace in each resource. Namespace patterns provide a template that is used to derive the namespace when a resource is created. They can be used to save time or to enforce a naming convention.

For example, the namespace pattern {{.Values.loft.project}}-{{.Values.loft.name}} would result in a namespace with name my-project-space-1 being created for the space instance named space-1 for a project named my-project.

  1. Select the project you'd like to configure using the drop-down menu. Click on Settings.

  2. Click on Allowed Templates.

  3. Expand the Advanced Options section.

  4. Click on the Namespace Pattern input and enter a namespace pattern. If you wish to change this manually, you may edit the YAML directly.

  5. Once all project options have been specified, click the .

Available variables for virtual clusters

The variables available for templating namespacePattern.virtualCluster are:

  • .Values.loft.user.name: The name of the owner, if the owner is a user
  • .Values.loft.team.name: The name of the owner, if the owner is a team
  • .Values.loft.name: The name of the space or virtual cluster instance
  • .Values.loft.project: The name of the project
  • .Values.loft.space: The name of the space containing the virtual cluster
  • .Values.loft.cluster: The name of the connected cluster the space is scheduled to
  • .Values.loft.virtualClusterName: The name of the virtual cluster
  • .Values.loft.virtualClusterNamespace: The name of the space containing the virtual cluster

Available variables for spaces

The variables available for templating namespacePattern.space are:

  • .Values.loft.user.name: The name of the owner, if the owner is a user
  • .Values.loft.team.name: The name of the owner, if the owner is a team
  • .Values.loft.name: The name of the space or virtual cluster instance
  • .Values.loft.project: The name of the project
  • .Values.loft.cluster: The name of the connected cluster the space is scheduled to
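The following Go program is an added illustration of how a namespace pattern such as the `{{.Values.loft.project}}-{{.Values.loft.name}}` example above expands against the `.Values.loft.*` variables listed in the two sections above; it is not the platform's own code. It assumes the pattern is a Go `text/template` and adds two checks a practitioner will want: a pattern that references a variable not set for the resource (for example `.Values.loft.user.name` when the owner is a team) fails instead of rendering `<no value>`, and a result that is not a valid Kubernetes namespace name (an RFC 1123 DNS label) is rejected.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Kubernetes namespace names must be RFC 1123 DNS labels: lowercase
// alphanumerics or '-', starting and ending alphanumeric, at most 63 chars.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// RenderNamespace expands a namespacePattern with the .Values.loft.* variables
// (passed as a map keyed exactly as in the pattern: "project", "name",
// "user" -> {"name": ...}, and so on) and refuses results that are not valid
// namespace names. Illustrative helper, not the platform's implementation.
func RenderNamespace(pattern string, loft map[string]any) (string, error) {
	// missingkey=error: referencing a variable that is not set for this
	// resource is an error rather than a silent "<no value>" in the name.
	tmpl, err := template.New("namespacePattern").
		Option("missingkey=error").Parse(pattern)
	if err != nil {
		return "", fmt.Errorf("invalid pattern %q: %w", pattern, err)
	}
	var out strings.Builder
	data := map[string]any{"Values": map[string]any{"loft": loft}}
	if err := tmpl.Execute(&out, data); err != nil {
		return "", fmt.Errorf("rendering %q: %w", pattern, err)
	}
	ns := out.String()
	if len(ns) > 63 || !dnsLabel.MatchString(ns) {
		return "", fmt.Errorf("pattern %q produced %q, not a valid namespace name", pattern, ns)
	}
	return ns, nil
}

func main() {
	// Constructed sample values matching the page's example: project
	// my-project, space instance space-1, no user owner set.
	loft := map[string]any{"project": "my-project", "name": "space-1"}
	ns, err := RenderNamespace("{{.Values.loft.project}}-{{.Values.loft.name}}", loft)
	fmt.Println(ns, err) // my-project-space-1 <nil>

	// Owner variable not set for this resource: rendering fails loudly.
	_, err = RenderNamespace("{{.Values.loft.user.name}}-{{.Values.loft.name}}", loft)
	fmt.Println(err)
}
```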