Requesting access

Before you start

• You have a research role (faculty, postdoc, graduate student, staff, or external collaborator) under a PI at a CFI-eligible Canadian institution.
• You have read What is Kestrel? and confirmed Kestrel is the right fit for your workload.
• You do not need a UVic affiliation or a UVic institutional login — Kestrel is an Alliance service operated on Arbutus by UVic RCS; researchers across Canada access it through their Alliance CCDB accounts.

Who can get a tenant

Access on Kestrel is organized around Cloud RAPs — Alliance Resource Allocation Projects for cloud workloads on Arbutus. Each Cloud RAP maps to exactly one Capsule Tenant, 1:1, with the tenant name matching the RAP’s POSIX group name.

Every tenant is owned by the PI holding the Cloud RAP. The PI is any faculty member at a CFI-eligible Canadian institution — not a UVic-only restriction. If you are a graduate student, postdoc, research staff, or external collaborator, you get access to Kestrel by being sponsored onto your PI’s Cloud RAP, not by asking RCS directly.

There are three kinds of Cloud RAP a PI can hold:

• def-profname — the default Cloud RAP allocated via Alliance RAS (Rapid Access Service). Most PIs starting out on Kestrel have this.
• crg-profname-xx — a RAC Cloud RAP, allocated via the annual Alliance Resource Allocation Competition for larger allocations.
• cpp-profname-xx — a Cloud Persistent RAP, for long-running persistent cloud infrastructure.

HPC RAPs (rrg-*, rpp-*) are a different family — they back Alliance HPC scheduler submission on Cedar, Graham, Narval, etc., and do not back Kestrel tenants. If your PI only has an HPC RAP, they will need to apply for a Cloud RAP before you can use Kestrel.

The access flow

The end-to-end flow to get your kubectl working on Kestrel is five steps:

1. Register at ccdb.alliancecan.ca if you do not already have an Alliance CCDB account. Faculty at CFI-eligible Canadian institutions get auto-approved; graduate students, postdocs, staff, and external collaborators request a sponsored role under their PI and wait for the PI to confirm the sponsorship in CCDB.

2. Confirm your PI has a Cloud RAP on Arbutus. Ask them. If they don’t have one yet, they apply via the Alliance cloud project and RAS request form — either via RAS (default Cloud RAP) or by applying to RAC in the annual competition window. This step is on the PI, not on you; RCS cannot create a Cloud RAP for a PI who has not applied for one. Questions about the allocation form itself are an Alliance matter — contact Alliance cloud support at cloud@tech.alliancecan.ca, not UVic RCS (this is the Alliance allocation contact, separate from the Kestrel-access contact in Step 4).

3. Ask your PI to add you to the Cloud RAP in CCDB. This is a critical step. The PI logs into ccdb.alliancecan.ca, opens their Cloud RAP, and adds your CCRI to the RAP’s user list. Alliance LDAP propagates the change to Keycloak’s upstream directory.

4. Request Kestrel access from UVic RCS. Kestrel is currently in a limited rollout — having a Cloud RAP on Arbutus does not automatically grant Kestrel access. Once your PI has a Cloud RAP, contact UVic RCS (Jeff Albert, jralbert@uvic.ca; see Support) to request access to Kestrel. RCS will provision a tenant matching your Cloud RAP project name.

5. Run kubelogin once. With your tenant provisioned and LDAP membership propagated, your next OIDC login through Keycloak returns an id_token containing the Cloud RAP’s group name in the groups claim, the kube-apiserver recognizes you as a tenant owner, and kubectl get ns returns the namespaces under your tenant prefix. See Install kubelogin for the install matrix and first-login walkthrough.

Cloud RAPs do not auto-add sponsored users

This is the single most common “why can’t I access my tenant?” question on Kestrel. Alliance HPC RAPs (rrg-*, rpp-*) automatically include every sponsored user under the PI. Cloud RAPs do not. Your PI must explicitly add you to the Cloud RAP in CCDB before Kestrel will let you in — being in their CCDB roster is not enough. If you just finished kubelogin and kubectl get ns returns nothing from your tenant, the first thing to check is whether your PI has added you.

Where to ask for help

Route questions to whichever layer the question is about:

• CCDB account issues (role approval stuck, missing CCRI, RAP application questions, Alliance allocation competitions) — accounts@tech.alliancecan.ca. This is an Alliance service and RCS cannot resolve it for you.
• Kestrel-specific issues (tenant provisioning after your PI has a Cloud RAP, kubelogin broken against the Kestrel cluster, cluster-specific errors) — open a ticket with UVic Research Computing Services. The internal triage path is documented in Triage.

If you are not sure which layer a problem belongs to, start with the RCS ticket — they will redirect to Alliance if the issue is CCDB-level.

Expected timeline

• CCDB registration for a brand-new account: faculty auto-approval is immediate; sponsored role approval depends on how fast the sponsoring PI clicks the approval. Allow 1–2 business days if your PI is unavailable.
• Cloud RAP application via RAS: usually same day to next business day once the PI opens the request. RAC applications run on a yearly cycle — if your PI does not already have a Cloud RAP, expect weeks-to-months unless RAS suffices.
• PI adds you to the Cloud RAP: the CCDB operation itself is instant; Alliance LDAP propagation is usually immediate but can take a few minutes.
• First Kestrel kubelogin: immediate once LDAP has propagated.
• Tenant provisioning on the Kestrel side, if your PI’s Cloud RAP is new and has not yet been attached to a Capsule Tenant: RCS operator review, same day to next business day. Open a ticket with RCS if your PI has a Cloud RAP but you cannot see any namespaces after a successful kubelogin.

What to do after you have access

• Install kubelogin and complete your first OIDC login against Keycloak.
• Walk through Your first deployment end-to-end against your tenant. It takes under an hour and exercises every layer of the stack.
• If you get stuck, the Triage page has the first places to check. The deeper catalog lives under troubleshooting.

A self-serve provisioning portal is planned but not yet available — see Self-serve portal. Until it ships, the CCDB-based flow above is the only path.