
Impersonate

To test configurations and permissions, vCluster Platform lets you impersonate users within the vCluster Platform UI and see everything through the eyes of a specific user. This is very useful if you want to check whether a user has permission to access an object.

Enable Impersonation

To enable impersonation, make sure the user has the appropriate permissions. Only vCluster Platform management admins and users that have the management role Impersonator assigned can impersonate other users.

  1. Select the Users field on the left menu bar.

  2. In the user row you want to impersonate, select Impersonate

  3. To stop impersonation, either press Logout or click on the Stop Impersonation button at the top.

Example Cluster Access And Impersonation

The following is a very basic example of using impersonation to validate a user's access. This is a somewhat contrived example for demonstration purposes! For your production deployments, make sure you are taking advantage of Projects when considering your RBAC strategy!

1. Create Test User

vCluster Platform lets you connect a variety of SSO providers for authentication but for the sake of simplicity, let's just manually create a user to learn more about vCluster Platform's cluster access features:

  1. Select the Users field on the left menu bar.

  2. Click the button.

  3. In the drawer that appears from the right, give your new user a name of Anna by replacing the 'my-user' placeholder name, or by updating the manifest YAML 'metadata.name' field.

  4. Click on the button.

  5. Close the popup using the button

100% Kubernetes Native

Remember: Everything you do in vCluster Platform UI, including creating a user, is effectively a kubectl command under the hood. So, everything you do in this guide creates or changes objects in your cluster and you could also manage these actions via kubectl or any kind of GitOps tool.

2. Impersonate User

vCluster Platform allows admins with appropriate RBAC permissions to impersonate users. Let's try this to see what the vCluster Platform UI looks like for our newly created user:

  1. Select the Users field on the left menu bar.

  2. Find the user Anna in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.

  3. In the popup, click on the button to confirm that you want to start impersonation.

  4. After impersonation has started, go to the Clusters view using the main menu on the left.

  5. Verify that Anna has no access to any clusters (this user should not see any clusters listed in the Clusters display pane).

You can also use the vCluster CLI as the impersonated user. To do this, run the following command while the impersonation is active:

vcluster login localhost:9898 --insecure    # or use your loft.domain.tld instead of localhost, and ideally with a valid SSL cert and without the --insecure flag

You can verify the login and print your user information via:

vcluster login

3. Configure Cluster Access

Let's give our test user Anna access to one of the clusters connected to this vCluster Platform instance:

  1. If you are still impersonating, click

  2. Go to the Clusters view using the main menu on the left

  3. Switch to the tab Cluster Access

  4. Click on the button

  5. Use the field Display Name and enter a Name for the cluster access

  6. In the Users & Teams section, make sure the Users tab is selected because we want to give an individual user access to a cluster

  7. Use the field Select Individual Users and select the User(s) you want to create this cluster access for

  8. In the Clusters section, either select All Clusters or the specific cluster that you want to make accessible for the user(s) you selected in the previous step

  9. Click the button at the bottom of the drawer

Single Sign-On + Cluster Access

You can connect a variety of SSO providers to vCluster Platform. To automatically give users access to clusters based on their SSO user groups, switch to the Team Members tab to grant cluster access for each member of a team (e.g. for each member of a group in Active Directory, Okta, SAML, etc.). Check out the SSO Group Sync section for more details.

4. Verify Cluster Access

After configuring the cluster access for test user Anna, let's verify that she can access the cluster:

  1. Select the Users field on the left menu bar.

  2. Find the user Anna in the list of users. Hover over the blue drop down arrow in the Display Name column and click on the button to Impersonate the user.

  3. In the popup, click on the button to confirm that you want to start impersonation.

  4. After impersonation has started, go to the Clusters view using the main menu on the left.

  5. Verify that Anna now has access to the clusters specified in the previous step.

Next Steps

With access to a cluster, users can typically:

vCluster Platform allows you to: