This site will be decommissioned on December 31st 2024. After that date content will be available at techdocs.broadcom.com.

This topic describes User Account and Authentication (UAA) scopes that a UAA admin can assign to VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) users.

Overview

UAA is the identity management service for Tanzu Kubernetes Grid Integrated Edition. By assigning UAA scopes, you grant users the ability to create, manage, and audit Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition.

A UAA admin user can assign the following UAA scopes to Tanzu Kubernetes Grid Integrated Edition users:

  • pks.clusters.admin: Accounts with this scope can create and access all clusters.
  • pks.clusters.manage: Accounts with this scope can create and access their own clusters.
  • pks.clusters.admin.read: Accounts with this scope can access any information about all clusters except for cluster credentials.

You can assign these scopes to individual users, external identity provider groups, or clients for automation purposes.

UAA Scopes

Each UAA scope grants Tanzu Kubernetes Grid Integrated Edition users a set of permissions for creating, managing, and auditing Tanzu Kubernetes Grid Integrated Edition-provisioned Kubernetes clusters. For information about the permissions, see the table below.

Operation pks.clusters.
admin
pks.clusters.
manage
pks.clusters.
admin.read
Create, update, resize, and delete a cluster Yes. Can create, modify, and delete all clusters. Yes. Can create, modify, and delete only their own clusters. No. Cannot create, modify, and delete clusters.
Get cluster credentials Yes. Can retrieve cluster credentials for all clusters. Yes. Can retrieve cluster credentials only for their own clusters. No. Cannot retrieve cluster credentials.
Upgrade clusters Yes. Can upgrade all clusters. Yes. Can upgrade only their own clusters. No. Cannot upgrade clusters.
List clusters Yes. Can list all clusters. Yes. Can list only their own clusters. Yes. Can list all clusters.
View cluster details Yes. Can view cluster details for all clusters. Yes. Can view cluster details only for their own clusters. Yes. Can view cluster details for all clusters.
Create and delete a compute profile Yes. Can create and delete compute profiles. No. Cannot create and delete compute profiles. No. Cannot create and delete compute profiles.
Create and delete a network profile Yes. Can create and delete network profiles. No. Cannot create and delete network profiles. No. Cannot create and delete network profiles.
Create and delete a Kubernetes profile Yes. Can create, modify, and delete all Kubernetes profiles. Yes. Can create, modify, and delete only their own Kubernetes profiles. No. Cannot create and delete Kubernetes profiles.
Create, update, and delete a quota Yes. Can create, update, and delete quotas. No. Cannot create, update, and delete quotas. No. Cannot create, update, and delete quotas.
List Tanzu Kubernetes Grid Integrated Edition plans Yes. Can list all available plans. Yes. Can list all available plans. Yes. Can list all available plans.

To assign UAA scopes in Tanzu Kubernetes Grid Integrated Edition, follow the instructions in Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.

check-circle-line exclamation-circle-line close-line
Scroll to top icon