Platform annotations and labels reference
This page documents the well-known annotations and labels in the loft.sh namespace used by vCluster Platform for managing clusters, projects, spaces, users, teams, and integrations.
Cluster management
These annotations configure connected clusters in vCluster Platform.
loft.sh/cluster-uid
Type: Annotation
Example: loft.sh/cluster-uid: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
Used on: Cluster
Set by: Platform
The unique identifier assigned to this cluster by vCluster Platform. Used internally for cluster identification and correlation.
loft.sh/cluster-name
Type: Annotation
Example: loft.sh/cluster-name: "production-east"
Used on: NetworkPeer, Agent resources
Set by: Platform
Identifies the cluster name for network peer and agent resources.
loft.sh/display-name
Type: Annotation
Example: loft.sh/display-name: "Production East US"
Used on: Cluster, Project, Team, User
Set by: User-configurable
A human-readable display name shown in the platform UI. Can be different from the resource's actual name.
loft.sh/ingress-suffix
Type: Annotation
Example: loft.sh/ingress-suffix: "vclusters.example.com"
Used on: Cluster
Set by: User-configurable
Sets the domain suffix for vCluster ingress access points on this cluster. Required for external vCluster access.
loft.sh/cluster-domain
Type: Annotation
Example: loft.sh/cluster-domain: "cluster.local"
Used on: Cluster
Set by: User-configurable
Specifies the cluster's internal DNS domain. Defaults to cluster.local.
loft.sh/cluster-domain-target
Type: Annotation
Example: loft.sh/cluster-domain-target: "192.168.1.100"
Used on: Cluster
Set by: User-configurable
Specifies the target address for cluster domain resolution.
loft.sh/direct-cluster-endpoint
Type: Annotation
Example: loft.sh/direct-cluster-endpoint: "https://cluster.example.com:6443"
Used on: Cluster
Set by: User-configurable
Specifies a direct endpoint for the cluster, enabling clients to connect directly instead of routing through the platform.
loft.sh/direct-cluster-endpoint-insecure
Type: Annotation
Example: loft.sh/direct-cluster-endpoint-insecure: "true"
Used on: Cluster
Set by: User-configurable
When true, allows insecure TLS connections to the direct cluster endpoint.
loft.sh/derp-endpoint
Type: Annotation
Example: loft.sh/derp-endpoint: "derp.example.com"
Used on: Cluster
Set by: User-configurable
Specifies a publicly accessible DERP relay endpoint for this cluster.
loft.sh/derp-endpoint-insecure
Type: Annotation
Example: loft.sh/derp-endpoint-insecure: "true"
Used on: Cluster
Set by: User-configurable
When true, allows insecure connections to the DERP relay endpoint.
loft.sh/streaming-connection-idle-timeout
Type: Annotation
Example: loft.sh/streaming-connection-idle-timeout: "4h"
Used on: Cluster
Set by: User-configurable
Sets the idle timeout for streaming connections (exec, port-forward, logs) to this cluster.
loft.sh/cluster-access
Type: Annotation
Example: loft.sh/cluster-access: "direct"
Used on: Cluster
Set by: Platform
Indicates the access method configured for this cluster.
loft.sh/skip-direct-connection
Type: Annotation
Example: loft.sh/skip-direct-connection: "true"
Used on: Cluster
Set by: User-configurable
When true, forces connections through the platform proxy even when direct connection is available.
loft.sh/cluster-role-cluster
Type: Label
Example: loft.sh/cluster-role-cluster: "true"
Used on: ClusterRole
Set by: Platform
Marks a ClusterRole as applicable at the cluster level.
loft.sh/cluster-role-management
Type: Label
Example: loft.sh/cluster-role-management: "true"
Used on: ClusterRole
Set by: Platform
Marks a ClusterRole as a management role for the platform.
loft.sh/account-cluster-role
Type: Label
Example: loft.sh/account-cluster-role: "true"
Used on: ClusterRole
Set by: Platform
Marks a ClusterRole as available for account-level assignment.
loft.sh/space-cluster-role
Type: Label
Example: loft.sh/space-cluster-role: "true"
Used on: ClusterRole
Set by: Platform
Marks a ClusterRole as available for space-level assignment.
loft.sh/cluster-account-template
Type: Label
Example: loft.sh/cluster-account-template: "default-template"
Used on: ClusterAccountTemplate
Set by: Platform
Identifies the cluster account template.
loft.sh/account-templates-ignore-clusters
Type: Annotation
Example: loft.sh/account-templates-ignore-clusters: "cluster1,cluster2"
Used on: User, Team
Set by: User-configurable
Comma-separated list of clusters where account templates should not be applied for this user or team.
loft.sh/agent-values
Type: Annotation
Example: loft.sh/agent-values: '{"resources":{"limits":{"cpu":"1"}}}'
Used on: Cluster
Extra Helm values applied to the agent deployment on this cluster.
loft.sh/cluster-ignore-agent
Type: Annotation
Example: loft.sh/cluster-ignore-agent: "true"
Used on: Cluster
Set by: User-configurable
When true, disables agent deployment on this cluster.
loft.sh/cluster-ignore-kiosk
Type: Annotation
Example: loft.sh/cluster-ignore-kiosk: "true"
Used on: Cluster
Set by: User-configurable
When true, disables kiosk functionality on this cluster.
loft.sh/direct-cluster-endpoint-ca-data
Type: Annotation
Example: loft.sh/direct-cluster-endpoint-ca-data: "LS0tLS1CRUdJTi..."
Used on: Cluster
Set by: User-configurable
Base64-encoded CA certificate data for the direct cluster endpoint.
Project management
These labels and annotations are used on project resources and project-owned namespaces.
loft.sh/project
Type: Label
Example: loft.sh/project: "team-alpha"
Used on: Namespace, VirtualClusterInstance, SpaceInstance
Set by: Platform
Identifies the vCluster Platform project that owns this resource.
loft.sh/project-namespace
Type: Annotation
Example: loft.sh/project-namespace: "loft-p-team-alpha"
Used on: Various resources
Set by: Platform
The namespace where project resources are stored.
loft.sh/project-role
Type: Label
Example: loft.sh/project-role: "true"
Used on: ClusterRole
Set by: User-configurable
Marks a ClusterRole as available for use as a project role. Required for ClusterRoles to appear in project member role selection.
loft.sh/project-cluster-quota
Type: Label
Example: loft.sh/project-cluster-quota: "team-alpha-quota"
Used on: ResourceQuota
Set by: Platform
Links a ResourceQuota to a project's cluster quota.
loft.sh/project-user-cluster-quota
Type: Label
Example: loft.sh/project-user-cluster-quota: "user-quota"
Used on: ResourceQuota
Set by: Platform
Links a ResourceQuota to a per-user quota within a project.
Space management
These annotations and labels are used on spaces (namespaces) managed by the platform.
loft.sh/space-instance-name
Type: Label
Example: loft.sh/space-instance-name: "dev-space"
Used on: Namespace
Set by: Platform
The name of the SpaceInstance that created this namespace.
loft.sh/space-instance-namespace
Type: Label
Example: loft.sh/space-instance-namespace: "loft-p-default"
Used on: Namespace
Set by: Platform
The namespace containing the SpaceInstance resource.
loft.sh/space-instance-project
Type: Label
Example: loft.sh/space-instance-project: "default"
Used on: Namespace
Set by: Platform
The project that owns the SpaceInstance.
loft.sh/owned
Type: Label
Example: loft.sh/owned: "true"
Used on: Namespace
Set by: Platform
Indicates that this namespace is owned by a specific user or team.
loft.sh/space-constraints
Type: Label
Example: loft.sh/space-constraints: "restricted"
Used on: Namespace
Set by: Platform
Identifies the space constraints applied to this namespace.
loft.sh/space-constraints-status
Type: Annotation
Example: loft.sh/space-constraints-status: "applied"
Used on: Namespace
Set by: Platform
Status of space constraints application.
loft.sh/space-objects
Type: Annotation
Example: loft.sh/space-objects: '{"configmaps":["config1"]}'
Used on: Namespace
Set by: Platform
JSON object tracking space template objects created in this namespace.
loft.sh/space-objects-status
Type: Annotation
Example: loft.sh/space-objects-status: "synced"
Used on: Namespace
Set by: Platform
Status of space objects synchronization.
loft.sh/disable-space-creation
Type: Annotation
Example: loft.sh/disable-space-creation: "true"
Used on: Cluster
Set by: User-configurable
When true, disables direct space creation on this cluster. Spaces must be created through projects.
loft.sh/created-by
Type: Annotation
Example: loft.sh/created-by: "devpod-workspace-instance-abc123"
Used on: Namespace
Set by: Platform
Identifies which resource created this namespace. Used to determine if the namespace should be deleted when the creator is deleted.
vCluster instance management
These labels and annotations are used on vCluster instances managed by the platform.
loft.sh/vcluster-instance-name
Type: Label
Example: loft.sh/vcluster-instance-name: "dev-vcluster"
Used on: Namespace, Pod
Set by: Platform
The name of the VirtualClusterInstance that created this vCluster.
loft.sh/vcluster-instance-namespace
Type: Label
Example: loft.sh/vcluster-instance-namespace: "loft-p-default"
Used on: Namespace, Pod
Set by: Platform
The namespace containing the VirtualClusterInstance resource.
loft.sh/vcluster-instance-project
Type: Label
Example: loft.sh/vcluster-instance-project: "default"
Used on: Namespace, Pod
Set by: Platform
The project that owns the VirtualClusterInstance.
vcluster.loft.sh/managed-by
Type: Label
Example: vcluster.loft.sh/managed-by: "loft"
Used on: vCluster resources
Set by: Platform
Indicates that this vCluster is managed by vCluster Platform.
vcluster.loft.sh/vcluster-name
Type: Label
Example: vcluster.loft.sh/vcluster-name: "my-vcluster"
Used on: vCluster pods and resources
Set by: Platform
The name of the vCluster.
vcluster.loft.sh/vcluster-namespace
Type: Label
Example: vcluster.loft.sh/vcluster-namespace: "vcluster-my-vcluster"
Used on: vCluster pods and resources
Set by: Platform
The namespace where the vCluster is deployed.
vcluster.loft.sh/fake-node
Type: Label
Example: vcluster.loft.sh/fake-node: "true"
Used on: Node
Set by: Platform
Identifies nodes that are virtual/fake nodes created by vCluster.
vcluster.loft.sh/dynamic-node-pool
Type: Label
Example: vcluster.loft.sh/dynamic-node-pool: "default-pool"
Used on: Node
Set by: Platform
Identifies the dynamic node pool this node belongs to.
vcluster.loft.sh/control-plane-endpoint
Type: Annotation
Example: vcluster.loft.sh/control-plane-endpoint: "https://vcluster.example.com:443"
Used on: VirtualClusterInstance
Set by: Platform
The control plane endpoint for accessing this vCluster.
vcluster.loft.sh/object-imported
Type: Annotation
Example: vcluster.loft.sh/object-imported: "true"
Used on: Various resources
Set by: Platform
Indicates that this resource was imported into a vCluster.
loft.sh/hpm-enabled
Type: Annotation
Example: loft.sh/hpm-enabled: "true"
Used on: VirtualClusterInstance
Set by: User-configurable
Enables the Host Path Mapper for this vCluster instance.
loft.sh/skip-helm-deploy
Type: Annotation
Example: loft.sh/skip-helm-deploy: "true"
Used on: VirtualClusterInstance
Set by: User-configurable
Skips Helm deployment for this vCluster. Use when managing vCluster deployment externally.
loft.sh/database-vcluster
Type: Label
Example: loft.sh/database-vcluster: "my-vcluster"
Used on: Secret
Set by: Platform
Links a database secret to a specific vCluster.
virtualcluster.loft.sh/latest-version
Type: Annotation
Example: virtualcluster.loft.sh/latest-version: "0.20.0"
Used on: VirtualClusterInstance
Set by: Platform
Stores the latest available vCluster version for upgrade notifications.
vcluster.loft.sh/kubernetes-name
Type: Annotation
Example: vcluster.loft.sh/kubernetes-name: "node-claim-xyz"
Used on: NodeClaim
Set by: Platform
Identifies the Kubernetes node name associated with this node claim.
Sleep mode configuration
These annotations configure sleep mode behavior.
loft.sh/sleep-mode
Type: Annotation
Example: loft.sh/sleep-mode: "true"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Indicates that sleep mode is enabled for this resource.
loft.sh/sleep-mode-replicas
Type: Annotation
Example: loft.sh/sleep-mode-replicas: "3"
Used on: Deployment, StatefulSet
Set by: Platform
Stores the original replica count before sleep mode scaled down the workload.
Sleep mode annotations (sleepmode.loft.sh)
These annotations in the sleepmode.loft.sh namespace control sleep mode behavior for namespaces and vCluster instances.
sleepmode.loft.sh/sleep-after
Type: Annotation
Example: sleepmode.loft.sh/sleep-after: "3600"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Specifies the number of seconds of inactivity after which the namespace or vCluster should automatically sleep.
sleepmode.loft.sh/delete-after
Type: Annotation
Example: sleepmode.loft.sh/delete-after: "86400"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Specifies the number of seconds of inactivity after which the namespace or vCluster should be automatically deleted.
sleepmode.loft.sh/sleep-schedule
Type: Annotation
Example: sleepmode.loft.sh/sleep-schedule: "0 20 * * *"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Specifies a cron schedule for when the namespace or vCluster should automatically sleep. Uses standard cron format.
sleepmode.loft.sh/wakeup-schedule
Type: Annotation
Example: sleepmode.loft.sh/wakeup-schedule: "0 8 * * 1-5"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Specifies a cron schedule for when the namespace or vCluster should automatically wake up.
sleepmode.loft.sh/timezone
Type: Annotation
Example: sleepmode.loft.sh/timezone: "America/New_York"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Specifies the timezone for scheduled sleep and wakeup operations. Accepts IANA timezone names. Defaults to UTC.
sleepmode.loft.sh/force
Type: Annotation
Example: sleepmode.loft.sh/force: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Forces the namespace or vCluster to sleep immediately, regardless of activity.
sleepmode.loft.sh/force-duration
Type: Annotation
Example: sleepmode.loft.sh/force-duration: "3600"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Forces sleep for a specific duration in seconds. After this period, normal activity tracking resumes. Set to 0 for indefinite sleep until manually woken.
sleepmode.loft.sh/exclude
Type: Annotation
Example: sleepmode.loft.sh/exclude: "true"
Used on: Deployment, StatefulSet, ReplicaSet, Pod
Set by: User-configurable
Excludes this workload from sleep mode. When the namespace sleeps, this workload continues running.
sleepmode.loft.sh/ignore-all
Type: Annotation
Example: sleepmode.loft.sh/ignore-all: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores all activity when determining whether the namespace or vCluster should sleep.
sleepmode.loft.sh/ignore-ingresses
Type: Annotation
Example: sleepmode.loft.sh/ignore-ingresses: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores ingress requests when determining activity. Useful when the namespace receives automated health checks that should not prevent sleep.
sleepmode.loft.sh/ignore-groups
Type: Annotation
Example: sleepmode.loft.sh/ignore-groups: "apps,batch"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores requests to specific API groups when determining activity. Comma-separated list of API group names.
sleepmode.loft.sh/ignore-vclusters
Type: Annotation
Example: sleepmode.loft.sh/ignore-vclusters: "true"
Used on: Namespace
Set by: User-configurable
Ignores vCluster-related requests when determining namespace activity.
sleepmode.loft.sh/ignore-resources
Type: Annotation
Example: sleepmode.loft.sh/ignore-resources: "pods,configmaps"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores requests to specific resource types when determining activity. Comma-separated list of resource names.
sleepmode.loft.sh/ignore-verbs
Type: Annotation
Example: sleepmode.loft.sh/ignore-verbs: "get,list,watch"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores requests with specific HTTP verbs when determining activity. Comma-separated list.
sleepmode.loft.sh/ignore-resource-verbs
Type: Annotation
Example: sleepmode.loft.sh/ignore-resource-verbs: "pods.core=get list,deployments.apps=get"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores specific verb combinations for specific resources. Format: resource.group=verb1 verb2, resource2.group=verb3.
sleepmode.loft.sh/ignore-resource-names
Type: Annotation
Example: sleepmode.loft.sh/ignore-resource-names: "pods.core=monitoring-pod,configmaps.core=config1"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores requests to specific named resources. Format: resource.group=name1 name2.
sleepmode.loft.sh/ignore-active-connections
Type: Annotation
Example: sleepmode.loft.sh/ignore-active-connections: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores active connections (such as kubectl exec or kubectl port-forward) when determining whether to sleep. Allows sleep even with open connections.
sleepmode.loft.sh/ignore-user-agents
Type: Annotation
Example: sleepmode.loft.sh/ignore-user-agents: "kube-probe/*,prometheus/*"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Ignores requests from specific user agents. Supports trailing wildcards. Comma-separated list.
sleepmode.loft.sh/disable-ingress-wakeup
Type: Annotation
Example: sleepmode.loft.sh/disable-ingress-wakeup: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Disables automatic wakeup from ingress traffic. When set, the namespace or vCluster remains asleep even when receiving ingress requests.
sleepmode.loft.sh/disable-metrics-tracking
Type: Annotation
Example: sleepmode.loft.sh/disable-metrics-tracking: "true"
Used on: Namespace, VirtualClusterInstance
Set by: User-configurable
Disables metrics-based activity tracking. Only API server activity is tracked.
Sleep mode status annotations
These annotations are set by the platform to indicate sleep mode status. They are read-only.
sleepmode.loft.sh/last-activity
Type: Annotation (read-only)
Example: sleepmode.loft.sh/last-activity: "1706745600"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Unix timestamp of the last detected activity. Set automatically by the platform.
sleepmode.loft.sh/sleeping-since
Type: Annotation (read-only)
Example: sleepmode.loft.sh/sleeping-since: "1706745600"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Unix timestamp of when the namespace or vCluster entered sleep mode. Present only when sleeping.
sleepmode.loft.sh/sleep-type
Type: Annotation (read-only)
Example: sleepmode.loft.sh/sleep-type: "inactivitySleep"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Indicates how sleep was triggered. Values: inactivitySleep, forcedSleep, forcedDurationSleep, scheduledSleep.
sleepmode.loft.sh/scheduled-sleep
Type: Annotation (read-only)
Example: sleepmode.loft.sh/scheduled-sleep: "1706832000"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Unix timestamp of the next scheduled sleep based on the sleep schedule.
sleepmode.loft.sh/scheduled-wakeup
Type: Annotation (read-only)
Example: sleepmode.loft.sh/scheduled-wakeup: "1706774400"
Used on: Namespace, VirtualClusterInstance
Set by: Platform
Unix timestamp of the next scheduled wakeup based on the wakeup schedule.
sleepmode.loft.sh/endpoint-slices
Type: Annotation
Example: sleepmode.loft.sh/endpoint-slices: '[{"addressType":"IPv4","endpoints":[...]}]'
Used on: EndpointSlice
Set by: Platform
Stores the original endpoint slice configuration to be restored when the namespace or vCluster wakes up.
sleepmode.loft.sh/endpoints-subsets
Type: Annotation
Example: sleepmode.loft.sh/endpoints-subsets: '[{"addresses":[{"ip":"10.0.0.1"}],"ports":[{"port":80}]}]'
Used on: Endpoints
Set by: Platform
Stores the original endpoint subsets to be restored when the namespace or vCluster wakes up.
sleepmode.loft.sh/service-selector
Type: Annotation
Example: sleepmode.loft.sh/service-selector: '{"app":"my-app"}'
Used on: Service
Set by: Platform
Stores the original service selector to be restored when the namespace or vCluster wakes up.
sleepmode.loft.sh/service-ports
Type: Annotation
Example: sleepmode.loft.sh/service-ports: '[{"name":"http","port":80,"targetPort":8080}]'
Used on: Service
Set by: Platform
Stores the original service ports to be restored when the namespace or vCluster wakes up.
sleepmode.loft.sh/target-service-name
Type: Annotation
Example: sleepmode.loft.sh/target-service-name: "my-app"
Used on: Service
Set by: Platform
Specifies the target service name for sleep mode wakeup redirection.
sleepmode.loft.sh/target-service-namespace
Type: Annotation
Example: sleepmode.loft.sh/target-service-namespace: "default"
Used on: Service
Set by: Platform
Specifies the target service namespace if the service is in a different namespace.
sleepmode.loft.sh/target-service-port
Type: Annotation
Example: sleepmode.loft.sh/target-service-port: "8080"
Used on: Service
Set by: Platform
Specifies the target service port. Can be a port name or port number.
sleepmode.loft.sh/istio-virtual-service-http-routes
Type: Annotation
Example: sleepmode.loft.sh/istio-virtual-service-http-routes: '[{"route":[{"destination":{"host":"my-service"}}]}]'
Used on: VirtualService (Istio)
Set by: Platform
Stores the original Istio VirtualService HTTP routes to be restored when waking up.
sleepmode.loft.sh/istio-virtual-service-sleeping
Type: Annotation
Example: sleepmode.loft.sh/istio-virtual-service-sleeping: "true"
Used on: VirtualService (Istio)
Set by: Platform
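Indicates that the Istio VirtualService is in sleep mode. While the annotation is present, the platform keeps reconciling the VirtualService to its sleep mode configuration; when the annotation is removed, the VirtualService is restored.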
User and team management
These labels and annotations are used on user and team resources.
loft.sh/user
Type: Label
Example: loft.sh/user: "john-doe"
Used on: Namespace, VirtualClusterInstance, SpaceInstance, AccessKey
Set by: Platform
Identifies the user that owns this resource.
loft.sh/team
Type: Label
Example: loft.sh/team: "platform-team"
Used on: Namespace, VirtualClusterInstance, SpaceInstance, AccessKey
Set by: Platform
Identifies the team that owns this resource.
loft.sh/last-activity
Type: Annotation
Example: loft.sh/last-activity: "1706745600"
Used on: User
Set by: Platform
Unix timestamp of the user's last activity in the platform.
loft.sh/custom-data
Type: Annotation
Example: loft.sh/custom-data: '{"department":"engineering"}'
Used on: User
Set by: User-configurable
Custom JSON data attached to a user. Can be used for external integrations.
loft.sh/create-account
Type: Annotation
Example: loft.sh/create-account: "true"
Used on: User
Set by: User-configurable
When true, automatically creates an account for this user.
loft.sh/previous-email
Type: Annotation
Example: loft.sh/previous-email: "old@example.com"
Used on: User
Set by: Platform
Stores the user's previous email address after an email change.
loft.sh/notification-email
Type: Annotation
Example: loft.sh/notification-email: "alerts@example.com"
Used on: User
Set by: User-configurable
Alternate email address for platform notifications.
loft.sh/notification-email-change-time
Type: Annotation
Example: loft.sh/notification-email-change-time: "1706745600"
Used on: User
Set by: Platform
Unix timestamp when the notification email was last changed.
SSO and authentication
These annotations relate to single sign-on and authentication.
loft.sh/single-sign-on
Type: Annotation
Example: loft.sh/single-sign-on: "true"
Used on: User, Team
Set by: Platform
Indicates that this user or team was created through SSO.
loft.sh/sso-provider
Type: Annotation
Example: loft.sh/sso-provider: "github"
Used on: User, Team
Set by: Platform
Identifies the SSO provider that created this user or team.
RBAC and access control
These labels and annotations control role-based access.
loft.sh/admin
Type: Label
Example: loft.sh/admin: "true"
Used on: ClusterRoleBinding
Set by: Platform
Marks a ClusterRoleBinding as granting admin privileges.
loft.sh/aggregate-to-admin
Type: Label
Example: loft.sh/aggregate-to-admin: "true"
Used on: ClusterRole
Set by: User-configurable
Aggregates this ClusterRole's permissions into the admin role.
loft.sh/aggregate-to-view
Type: Label
Example: loft.sh/aggregate-to-view: "true"
Used on: ClusterRole
Set by: User-configurable
Aggregates this ClusterRole's permissions into the view role.
loft.sh/default-template
Type: Label
Example: loft.sh/default-template: "true"
Used on: VirtualClusterTemplate, SpaceTemplate, ClusterAccountTemplate
Set by: User-configurable
Marks this template as the default when no template is specified.
loft.sh/default-role
Type: Label
Example: loft.sh/default-role: "true"
Used on: ClusterRole
Set by: User-configurable
Marks this ClusterRole as the default role assigned to new users.
loft.sh/management-default-role
Type: Label
Example: loft.sh/management-default-role: "true"
Used on: ClusterRole
Set by: User-configurable
Marks this ClusterRole as the default management role.
loft.sh/management-namespace
Type: Label
Example: loft.sh/management-namespace: "loft"
Used on: Namespace
Set by: Platform
Identifies the namespace containing platform management resources.
rbac.loft.sh/auto-update
Type: Annotation
Example: rbac.loft.sh/auto-update: "true"
Used on: ClusterRole, ClusterRoleBinding
Set by: Platform
When true, allows the platform to automatically update this RBAC resource.
rbac.loft.sh/generation
Type: Annotation
Example: rbac.loft.sh/generation: "5"
Used on: ClusterRole, ClusterRoleBinding
Set by: Platform
Tracks the generation number for RBAC reconciliation.
Access keys
These labels identify access key purposes and associations.
loft.sh/cluster
Type: Label
Example: loft.sh/cluster: "production"
Used on: AccessKey
Set by: Platform
Associates this access key with a specific cluster agent.
loft.sh/vcluster
Type: Label
Example: loft.sh/vcluster: "my-vcluster"
Used on: AccessKey
Set by: Platform
Associates this access key with a specific vCluster.
loft.sh/runner
Type: Label
Example: loft.sh/runner: "ci-runner"
Used on: AccessKey
Set by: Platform
Associates this access key with a specific runner.
loft.sh/control-plane-access-key
Type: Label
Example: loft.sh/control-plane-access-key: "true"
Used on: AccessKey
Set by: Platform
Identifies this access key as used for control plane communication.
loft.sh/vcluster-node
Type: Label
Example: loft.sh/vcluster-node: "true"
Used on: AccessKey
Set by: Platform
Identifies this access key as used for vCluster node registration.
Integrations
These annotations and labels configure external integrations.
loft.sh/import-argocd
Type: Label
Example: loft.sh/import-argocd: "true"
Used on: VirtualClusterInstance, Cluster
Set by: User-configurable
Enables ArgoCD integration for this vCluster or cluster. When set, the platform automatically registers this cluster/vCluster with ArgoCD.
loft.sh/connector-type
Type: Label
Example: loft.sh/connector-type: "rancher"
Used on: Connector
Set by: Platform
Identifies the type of external connector (rancher, etc.).
loft.sh/made-by-connector
Type: Annotation
Example: loft.sh/made-by-connector: "rancher-connector"
Used on: Cluster
Set by: Platform
Indicates this cluster was imported by an external connector.
loft.sh/is-imported
Type: Annotation
Example: loft.sh/is-imported: "true"
Used on: Cluster, VirtualClusterInstance
Set by: Platform
Indicates this resource was imported into the platform rather than created by it.
Networking
These annotations configure network-related features.
loft.sh/network-peer-type
Type: Annotation
Example: loft.sh/network-peer-type: "tailscale"
Used on: NetworkPeer
Set by: Platform
Identifies the type of network peer connection.
loft.sh/network-peer-tags
Type: Annotation
Example: loft.sh/network-peer-tags: "tag:production,tag:us-east"
Used on: NetworkPeer
Set by: User-configurable
Tailscale tags for this network peer.
loft.sh/network-peer-routes
Type: Annotation
Example: loft.sh/network-peer-routes: "10.0.0.0/8,172.16.0.0/12"
Used on: NetworkPeer
Set by: User-configurable
Routes to advertise for this network peer.
loft.sh/allowed-hostname
Type: Annotation
Example: loft.sh/allowed-hostname: "cluster.internal"
Used on: AccessKey
Set by: User-configurable
Restricts this access key to connections from specific hostnames.
loft.sh/allowed-peers
Type: Annotation
Example: loft.sh/allowed-peers: "peer1,peer2"
Used on: AccessKey
Set by: User-configurable
Restricts this access key to connections from specific network peers.
loft.sh/coordinator-instance-id
Type: Annotation
Example: loft.sh/coordinator-instance-id: "coord-123"
Used on: NetworkPeer
Set by: Platform
Identifies the coordination instance for distributed networking.
loft.sh/ingress-mirror
Type: Annotation
Example: loft.sh/ingress-mirror: "true"
Used on: Ingress
Set by: Platform
Marks this ingress as a mirror of another ingress resource managed by the platform.
Shared and project secrets
These annotations and labels are used for secret management.
loft.sh/sharedsecret-name
Type: Label
Example: loft.sh/sharedsecret-name: "database-creds"
Used on: Secret
Set by: Platform
The name of the shared secret this secret was created from.
loft.sh/sharedsecret-namespace
Type: Label
Example: loft.sh/sharedsecret-namespace: "loft-default-p-default-s-default"
Used on: Secret
Set by: Platform
The namespace where the source shared secret is stored.
loft.sh/disable-sync
Type: Annotation
Example: loft.sh/disable-sync: "true"
Used on: Secret
Set by: User-configurable
When set, prevents the platform from syncing this secret from a shared secret.
loft.sh/project-secret
Type: Label
Example: loft.sh/project-secret: "true"
Used on: Secret
Set by: Platform
Marks this secret as a synced instance of a project secret.
loft.sh/project-secret-name
Type: Annotation
Example: loft.sh/project-secret-name: "api-keys"
Used on: Secret
Set by: Platform
The name of the project secret this secret was created from.
loft.sh/project-secret-description
Type: Annotation
Example: loft.sh/project-secret-description: "API keys for external services"
Used on: ProjectSecret
Set by: User-configurable
Human-readable description of the project secret.
loft.sh/project-secret-displayname
Type: Annotation
Example: loft.sh/project-secret-displayname: "External API Keys"
Used on: ProjectSecret
Set by: User-configurable
Display name for the project secret shown in the UI.
loft.sh/project-secret-owner
Type: Annotation
Example: loft.sh/project-secret-owner: "user:john-doe"
Used on: ProjectSecret
Set by: Platform
Identifies the owner of this project secret.
loft.sh/project-secret-access
Type: Annotation
Example: loft.sh/project-secret-access: "project"
Used on: ProjectSecret
Set by: User-configurable
Access scope for the project secret.
Applications
These labels are used for application management.
loft.sh/app
Type: Label
Example: loft.sh/app: "nginx"
Used on: Helm release resources
Set by: Platform
Identifies resources belonging to a platform-managed application.
loft.sh/system-app
Type: Label
Example: loft.sh/system-app: "true"
Used on: Application resources
Set by: Platform
Marks this application as a system application managed by the platform.
loft.sh/extra-recommended-apps
Type: Annotation
Example: loft.sh/extra-recommended-apps: "prometheus,grafana"
Used on: Cluster
Set by: User-configurable
Comma-separated list of additional recommended applications for this cluster.
loft.sh/app-name
Type: Annotation
Example: loft.sh/app-name: "nginx-ingress"
Used on: HelmRelease
Set by: Platform
Indicates that this Helm release was deployed via the platform app store.
loft.sh/app-version
Type: Annotation
Example: loft.sh/app-version: "1.2.3"
Used on: HelmRelease
Set by: Platform
Specifies the version of the platform app that was deployed.
loft.sh/url
Type: Annotation
Example: loft.sh/url: "https://charts.example.com/stable"
Used on: HelmRelease
Set by: Platform
Specifies the Helm repository URL from which the release was deployed.
loft.sh/insecure-skip-tls
Type: Annotation
Example: loft.sh/insecure-skip-tls: "true"
Used on: HelmRelease
Set by: User-configurable
When true, skips TLS certificate verification during Helm operations.
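A review check for the release annotations above, added here as an example and not taken from the vCluster Platform documentation or code: it flags objects where `loft.sh/insecure-skip-tls` is enabled or `loft.sh/url` points at a plaintext HTTP repository. The object shape (standard Kubernetes `metadata.name` and `metadata.annotations`), the case-insensitive reading of "true", and the sample objects are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SKIP_TLS = "loft.sh/insecure-skip-tls"
REPO_URL = "loft.sh/url"
APP_NAME = "loft.sh/app-name"

def audit_release(obj):
    """Return (severity, message) findings for one manifest-like dict."""
    meta = obj.get("metadata") or {}
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    app = ann.get(APP_NAME, "<no app-name>")
    findings = []

    raw = ann.get(SKIP_TLS)
    # Annotation values must be strings; an unquoted YAML true parses as a bool.
    if raw is not None and not isinstance(raw, str):
        findings.append(("warn", f"{name}: {SKIP_TLS} must be a quoted string, got {raw!r}"))
    # Assumption: any casing of "true" is treated as enabled for review purposes.
    skip = raw is not None and str(raw).strip().lower() == "true"

    url = ann.get(REPO_URL, "")
    scheme = urlsplit(url).scheme.lower() if isinstance(url, str) else ""
    if skip:
        target = url or "unknown repository"
        findings.append(("high", f"{name} ({app}): certificate verification disabled for {target}"))
    if scheme == "http":
        findings.append(("medium", f"{name} ({app}): repository URL is plaintext HTTP: {url}"))
    return findings

def audit(objects):
    return [f for o in objects for f in audit_release(o)]

# Constructed sample objects (not real platform output).
SAMPLE = [
    {"metadata": {"name": "nginx-ingress", "annotations": {
        APP_NAME: "nginx-ingress", REPO_URL: "https://charts.example.com/stable",
        SKIP_TLS: "true"}}},
    {"metadata": {"name": "grafana", "annotations": {
        APP_NAME: "grafana", REPO_URL: "https://charts.example.com/stable"}}},
    {"metadata": {"name": "legacy", "annotations": {
        REPO_URL: "http://charts.example.com/stable"}}},
    {"metadata": {"name": "unquoted", "annotations": {SKIP_TLS: True}}},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```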
Cleanup and finalizers
These finalizers and labels control resource cleanup behavior.
loft.sh/cleanup
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup"]
Used on: Various resources
Set by: Platform
General cleanup finalizer ensuring proper resource deletion.
loft.sh/cleanup-management
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-management"]
Used on: Cluster, Project
Set by: Platform
Ensures management resources are cleaned up when the parent resource is deleted.
loft.sh/cleanup-workload
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-workload"]
Used on: VirtualClusterInstance, SpaceInstance
Set by: Platform
Ensures workload resources are cleaned up when deleted.
loft.sh/cleanup-rancher
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-rancher"]
Used on: Cluster
Set by: Platform
Ensures Rancher integration resources are cleaned up.
loft.sh/cleanup-connectors
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-connectors"]
Used on: Cluster
Set by: Platform
Ensures connector resources are cleaned up.
loft.sh/cleanup-nodes
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-nodes"]
Used on: Cluster
Set by: Platform
Ensures dynamically provisioned nodes are cleaned up.
loft.sh/cleanup-cloud-resources
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-cloud-resources"]
Used on: Cluster
Set by: Platform
Ensures cloud provider resources are cleaned up.
loft.sh/cleanup-identity-provider
Type: Finalizer
Example: finalizers: ["loft.sh/cleanup-identity-provider"]
Used on: SSO configuration
Set by: Platform
Ensures identity provider resources are cleaned up.
DevPod workspaces
These annotations and labels are used on DevPod workspace resources.
loft.sh/workspace-id
Type: Label
Example: loft.sh/workspace-id: "workspace-abc123"
Used on: DevPodWorkspaceInstance resources
Set by: Platform
Identifies the workspace ID for a DevPod workspace.
loft.sh/workspace-uid
Type: Label
Example: loft.sh/workspace-uid: "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
Used on: DevPodWorkspaceInstance resources
Set by: Platform
Identifies the unique workspace UID for a DevPod workspace.
loft.sh/workspace-picture
Type: Annotation
Example: loft.sh/workspace-picture: "https://example.com/avatar.png"
Used on: DevPodWorkspaceInstance
Set by: User-configurable
Specifies the picture URL displayed for the DevPod workspace in the UI.
loft.sh/workspace-source
Type: Annotation
Example: loft.sh/workspace-source: "https://github.com/user/repo"
Used on: DevPodWorkspaceInstance
Set by: Platform
Specifies the source repository or location for the DevPod workspace.
loft.sh/devpod-clients
Type: Annotation
Example: loft.sh/devpod-clients: '["client-1","client-2"]'
Used on: NetworkPeer
Set by: Platform
Lists the active DevPod clients connected to a workspace network peer.
loft.sh/migrated
Type: Annotation
Example: loft.sh/migrated: "true"
Used on: DevPodWorkspaceInstance
Set by: Platform
Indicates that the workspace requires migration, which involves recreating the workspace and updating the provider.
loft.sh/node-claim
Type: Annotation
Example: loft.sh/node-claim: "node-claim-xyz"
Used on: NodeEnvironment
Set by: Platform
Associates this node environment with a specific node claim.
Drift detection
These annotations control drift detection behavior.
drift.loft.sh/force-check
Type: Annotation
Example: drift.loft.sh/force-check: "true"
Used on: VirtualClusterInstance, SpaceInstance
Set by: User-configurable
Forces an immediate drift check on this resource.
Miscellaneous
These annotations are used for various platform features.
loft.sh/version
Type: Annotation
Example: loft.sh/version: "4.0.0"
Used on: Platform configuration
Set by: Platform
The platform version that last modified this resource.
loft.sh/warn-deletion
Type: Annotation
Example: loft.sh/warn-deletion: "true"
Used on: Cluster, Project, VirtualClusterInstance
Set by: User-configurable
Enables a deletion warning in the UI for this resource.
loft.sh/non-deletable
Type: Annotation
Example: loft.sh/non-deletable: "true"
Used on: Various resources
Set by: User-configurable
Prevents deletion of this resource through the platform API and UI.
loft.sh/platform-db-applied-time
Type: Annotation
Example: loft.sh/platform-db-applied-time: "1706745600"
Used on: Platform database resources
Set by: Platform
Timestamp of when database migrations were last applied.