This topic describes User Account and Authentication (UAA) scopes that a UAA admin can assign to VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) users.
UAA is the identity management service for Tanzu Kubernetes Grid Integrated Edition. By assigning UAA scopes, you grant users the ability to create, manage, and audit Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition.
A UAA admin user can assign the following UAA scopes to Tanzu Kubernetes Grid Integrated Edition users:
pks.clusters.admin
: Accounts with this scope can create and access all clusters.

pks.clusters.manage
: Accounts with this scope can create and access their own clusters.

pks.clusters.admin.read
: Accounts with this scope can access any information about all clusters except for cluster credentials.

You can assign these scopes to individual users, external identity provider groups, or clients for automation purposes.
Each UAA scope grants Tanzu Kubernetes Grid Integrated Edition users a set of permissions for creating, managing, and auditing Tanzu Kubernetes Grid Integrated Edition-provisioned Kubernetes clusters. For information about the permissions, see the table below.
Operation | pks.clusters.admin | pks.clusters.manage | pks.clusters.admin.read |
---|---|---|---|
Create, update, resize, and delete a cluster | Yes. Can create, modify, and delete all clusters. | Yes. Can create, modify, and delete only their own clusters. | No. Cannot create, modify, or delete clusters. |
Get cluster credentials | Yes. Can retrieve cluster credentials for all clusters. | Yes. Can retrieve cluster credentials only for their own clusters. | No. Cannot retrieve cluster credentials. |
Upgrade clusters | Yes. Can upgrade all clusters. | Yes. Can upgrade only their own clusters. | No. Cannot upgrade clusters. |
List clusters | Yes. Can list all clusters. | Yes. Can list only their own clusters. | Yes. Can list all clusters. |
View cluster details | Yes. Can view cluster details for all clusters. | Yes. Can view cluster details only for their own clusters. | Yes. Can view cluster details for all clusters. |
Create and delete a compute profile | Yes. Can create and delete compute profiles. | No. Cannot create or delete compute profiles. | No. Cannot create or delete compute profiles. |
Create and delete a network profile | Yes. Can create and delete network profiles. | No. Cannot create or delete network profiles. | No. Cannot create or delete network profiles. |
Create and delete a Kubernetes profile | Yes. Can create, modify, and delete all Kubernetes profiles. | Yes. Can create, modify, and delete only their own Kubernetes profiles. | No. Cannot create or delete Kubernetes profiles. |
Create, update, and delete a quota | Yes. Can create, update, and delete quotas. | No. Cannot create, update, or delete quotas. | No. Cannot create, update, or delete quotas. |
List Tanzu Kubernetes Grid Integrated Edition plans | Yes. Can list all available plans. | Yes. Can list all available plans. | Yes. Can list all available plans. |
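The permission matrix above, encoded as an authorization check so the effect of each scope (and of the owner-only rows) can be exercised against sample requests. This is an added illustration, not TKGI's or UAA's own code: the operation names, the `Reach` levels, and the assumption that a user holding several scopes gets the union of their permissions are mine.

```python
from enum import Enum

ADMIN, MANAGE, ADMIN_READ = "pks.clusters.admin", "pks.clusters.manage", "pks.clusters.admin.read"

class Reach(Enum):
    NONE = 0  # scope does not permit the operation at all
    OWN = 1   # permitted only on objects the caller owns
    ALL = 2   # permitted on every object

# Rows of the docs table; operation names are illustrative, not TKGI API names.
# Columns: (pks.clusters.admin, pks.clusters.manage, pks.clusters.admin.read)
MATRIX = {
    "cluster.write":            (Reach.ALL, Reach.OWN,  Reach.NONE),  # create/update/resize/delete
    "cluster.credentials":      (Reach.ALL, Reach.OWN,  Reach.NONE),
    "cluster.upgrade":          (Reach.ALL, Reach.OWN,  Reach.NONE),
    "cluster.list":             (Reach.ALL, Reach.OWN,  Reach.ALL),
    "cluster.details":          (Reach.ALL, Reach.OWN,  Reach.ALL),
    "compute_profile.write":    (Reach.ALL, Reach.NONE, Reach.NONE),
    "network_profile.write":    (Reach.ALL, Reach.NONE, Reach.NONE),
    "kubernetes_profile.write": (Reach.ALL, Reach.OWN,  Reach.NONE),
    "quota.write":              (Reach.ALL, Reach.NONE, Reach.NONE),
    "plan.list":                (Reach.ALL, Reach.ALL,  Reach.ALL),
}
COLUMN = {ADMIN: 0, MANAGE: 1, ADMIN_READ: 2}

def is_allowed(scopes, operation, caller, owner=None):
    """True if any scope the caller holds permits `operation`.

    `owner` is the owner of the target object; None means the object does
    not exist yet (a create) and will belong to the caller.
    Assumption not stated in the docs: several scopes grant the union of
    their permissions, so the first scope that permits the request wins.
    """
    if operation not in MATRIX:
        raise ValueError(f"unknown operation: {operation}")  # fail closed
    target_owner = caller if owner is None else owner
    for scope in scopes:
        col = COLUMN.get(scope)
        if col is None:
            continue  # e.g. "openid": unrelated to cluster permissions
        reach = MATRIX[operation][col]
        if reach is Reach.ALL or (reach is Reach.OWN and target_owner == caller):
            return True
    return False  # no scope, or no matching scope: deny

def visible_clusters(scopes, caller, clusters):
    """Filter cluster records (constructed dicts with 'name' and 'owner') to those the caller may list."""
    return [c["name"] for c in clusters if is_allowed(scopes, "cluster.list", caller, c["owner"])]
```

The read-only scope never reaches credentials even for the caller's own clusters, which is the property to verify after assigning pks.clusters.admin.read to an auditor account.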
To assign UAA scopes in Tanzu Kubernetes Grid Integrated Edition, follow the instructions in Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.