PKS API Authentication
Page last updated:
This topic describes how the VMware Enterprise PKS API works with User Account and Authentication (UAA) to manage authentication and authorization in your Enterprise PKS deployment.
You use the UAA Command Line Interface (UAAC) to target the UAA server and request an access token for the UAA admin user. If your request is successful, the UAA server returns the access token. The UAA admin access token authorizes you to make requests to the PKS API using the PKS CLI and grant cluster access to new or existing users.
When a user with cluster access logs in to the PKS CLI, the CLI requests an access token for the user from the UAA server.
If the request is successful, the UAA server returns an access token to the PKS CLI.
When the user runs PKS CLI commands, for example,
pks clusters, the CLI sends the request to the PKS API server and includes the user’s UAA token.
The PKS API sends a request to the UAA server to validate the user’s token.
If the UAA server confirms that the token is valid, the PKS API uses the cluster information from the PKS broker to respond to the request.
For example, if the user runs
pks clusters, the CLI returns a list of the clusters that the user is authorized to manage.
The PKS API server and the UAA server use different port numbers on the control plane VM.
For example, if your PKS API domain is
api.pks.example.com, you can reach your PKS API and UAA servers at the following URLs:
Refer to Ops Manager > Enterprise PKS tile > PKS API > API Hostname (FQDN) for your PKS API domain.
Load balancer implementations differ by deployment environment. For Enterprise PKS deployments on GCP, AWS, or vSphere without NSX-T, you configure a load balancer to access the PKS API when you install the Enterprise PKS tile. For example, see Configuring PKS API Load Balancer.
For overview information about load balancers in Enterprise PKS, see Load Balancers in Enterprise PKS Deployments without NSX-T.
Please send any feedback you have to firstname.lastname@example.org.