UAA Scopes for Enterprise PKS Users

This topic describes User Account and Authentication (UAA) scopes that a UAA admin can assign to VMware Enterprise PKS users.

Overview

UAA is the identity management service for Enterprise PKS.

By assigning UAA scopes, you grant users the ability to create, manage, and audit Kubernetes clusters in Enterprise PKS.

A UAA admin user can assign the following UAA scopes to Enterprise PKS users:

  • pks.clusters.admin: Accounts with this scope can create and access all clusters, and manage compute profiles, network profiles, and quotas.
  • pks.clusters.manage: Accounts with this scope can create and access only the clusters they created themselves.
  • pks.clusters.admin.read: Accounts with this scope can read any information about all clusters except cluster credentials. This is a read-only, audit-style scope.

You can assign these scopes to individual users, to groups from an external identity provider, or to UAA clients for automation purposes. Scopes are additive: the permissions of a principal are the union of the permissions of every scope it holds.

UAA Scopes

Each UAA scope grants Enterprise PKS users a set of permissions for creating, managing, and auditing Enterprise PKS-provisioned Kubernetes clusters. For information about the permissions, see the table below.

Operation                                    | pks.clusters.admin                                     | pks.clusters.manage                                              | pks.clusters.admin.read
---------------------------------------------|--------------------------------------------------------|------------------------------------------------------------------|------------------------------------------------
Create, update, resize, and delete a cluster | Yes. Can create, modify, and delete all clusters.      | Yes. Can create, modify, and delete only their own clusters.     | No. Cannot create, modify, or delete clusters.
Get cluster credentials                      | Yes. Can retrieve cluster credentials for all clusters. | Yes. Can retrieve cluster credentials only for their own clusters. | No. Cannot retrieve cluster credentials.
Upgrade clusters                             | Yes. Can upgrade all clusters.                         | Yes. Can upgrade only their own clusters.                        | No. Cannot upgrade clusters.
List clusters                                | Yes. Can list all clusters.                            | Yes. Can list only their own clusters.                           | Yes. Can list all clusters.
View cluster details                         | Yes. Can view cluster details for all clusters.        | Yes. Can view cluster details only for their own clusters.       | Yes. Can view cluster details for all clusters.
Create and delete a compute profile          | Yes. Can create and delete compute profiles.           | No. Cannot create or delete compute profiles.                    | No. Cannot create or delete compute profiles.
Create and delete a network profile          | Yes. Can create and delete network profiles.           | No. Cannot create or delete network profiles.                    | No. Cannot create or delete network profiles.
Create and delete a Kubernetes profile       | Yes. Can create, modify, and delete all Kubernetes profiles. | Yes. Can create, modify, and delete only their own Kubernetes profiles. | No. Cannot create or delete Kubernetes profiles.
Create, update, and delete a quota           | Yes. Can create, update, and delete quotas.            | No. Cannot create, update, or delete quotas.                     | No. Cannot create, update, or delete quotas.
List Enterprise PKS plans                    | Yes. Can list all available plans.                     | Yes. Can list all available plans.                               | Yes. Can list all available plans.

Note that for pks.clusters.manage, most decisions depend on ownership: the same scope allows an operation on a cluster the principal created and denies it on a cluster created by someone else. That ownership check is made by the PKS API against its own records; it cannot be derived from the token alone.
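The following is an added example, not code from Enterprise PKS or UAA: it encodes the scope table above as a small policy so that an operator can answer "what can this token do?" for a given UAA access token. The PKS API performs these checks itself; this script only models them. The operation names, the helper functions, and the sample token (an unsigned look-alike of a UAA JWT, constructed inline) are all assumptions for illustration.

```python
"""Model of the Enterprise PKS UAA scope table (added example, not PKS code)."""
import base64
import json

ADMIN = "pks.clusters.admin"
MANAGE = "pks.clusters.manage"
ADMIN_READ = "pks.clusters.admin.read"

# One entry per row of the scope table. Operation names are assumed for this
# example. "all" = allowed on any resource, "own" = allowed only on resources
# the principal created, absent = denied.
PERMISSIONS = {
    "cluster.create":         {ADMIN: "all", MANAGE: "all"},
    "cluster.update":         {ADMIN: "all", MANAGE: "own"},   # update and resize
    "cluster.delete":         {ADMIN: "all", MANAGE: "own"},
    "cluster.credentials":    {ADMIN: "all", MANAGE: "own"},   # admin.read: never
    "cluster.upgrade":        {ADMIN: "all", MANAGE: "own"},
    # Listing is always permitted for MANAGE; the API filters to own clusters.
    "cluster.list":           {ADMIN: "all", MANAGE: "all", ADMIN_READ: "all"},
    "cluster.view":           {ADMIN: "all", MANAGE: "own", ADMIN_READ: "all"},
    "compute_profile.manage": {ADMIN: "all"},
    "network_profile.manage": {ADMIN: "all"},
    "k8s_profile.create":     {ADMIN: "all", MANAGE: "all"},
    "k8s_profile.modify":     {ADMIN: "all", MANAGE: "own"},   # modify or delete
    "quota.manage":           {ADMIN: "all"},
    "plan.list":              {ADMIN: "all", MANAGE: "all", ADMIN_READ: "all"},
}


def is_allowed(scopes, op, owns_resource=False):
    """Decide whether a principal holding `scopes` may perform `op`.

    `owns_resource` says whether the principal created the target cluster or
    profile; it only matters for pks.clusters.manage. Unknown operations and
    unknown scopes are denied (fail closed).
    """
    rule = PERMISSIONS.get(op)
    if rule is None:
        return False
    for scope in scopes:
        level = rule.get(scope)
        if level == "all" or (level == "own" and owns_resource):
            return True
    return False


def effective_permissions(scopes, owns_resource=False):
    """Every operation the scopes allow, in table order."""
    return [op for op in PERMISSIONS if is_allowed(scopes, op, owns_resource)]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def scopes_from_jwt(token):
    """Read the 'scope' claim out of a UAA access token (a JWT) for inspection.

    This does NOT verify the signature, so it only tells you what the token
    claims. An enforcement point must verify the signature against UAA's
    token signing key before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scope", []))


def make_sample_token(user_name, scopes):
    """Constructed, unsigned look-alike of a UAA JWT, for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"user_name": user_name, "scope": sorted(scopes), "client_id": "pks_cli"}
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    token = make_sample_token("auditor", {"openid", ADMIN_READ})
    scopes = scopes_from_jwt(token)
    print("auditor can:", effective_permissions(scopes))
    print("auditor can read credentials:", is_allowed(scopes, "cluster.credentials"))
    print("manage, someone else's cluster:", is_allowed({MANAGE}, "cluster.delete"))
    print("manage, own cluster:", is_allowed({MANAGE}, "cluster.delete", owns_resource=True))
```

Two points worth taking from the model: pks.clusters.admin.read never reaches `cluster.credentials`, whatever else the token carries short of the admin or manage scope, and every pks.clusters.manage decision on an existing cluster is undecidable without the ownership fact, which is why `is_allowed` defaults `owns_resource` to False and denies.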

To assign UAA scopes in Enterprise PKS, follow the instructions in Managing Enterprise PKS Users with UAA.


Please send any feedback you have to pks-feedback@pivotal.io.