kubectl access are granted together.
Roles and scoped assignments replace the earlier admin/member split. Existing members keep working:
admin and member map onto the new model, and wider roles become available as you adopt them.How access is decided
An assignment ties a member to a role at a scope. When the role includes Kubernetes access, Ankra reconciles the matching Cluster Access grants onto every cluster the scope resolves to, and keeps them in sync as group membership changes.Built-in roles
| Role | Intended for |
|---|---|
owner | Full control of the organisation, including billing and ownership transfer |
admin | Manage members, roles, clusters, and settings |
operator | Day-to-day operations across clusters and stacks |
member | Use the platform; create and manage resources |
viewer | Read-only access to organisation resources |
read-only | Strict read-only |
Scopes
| Scope | Applies to |
|---|---|
| Organisation | Every cluster and resource in the organisation |
| Cluster | A single named cluster |
| Cluster group | Every cluster that a group resolves to |
Cluster groups
A cluster group is a named set of clusters used as an assignment scope. Groups can be:- Static - you pin specific clusters as members.
- Dynamic - a label selector evaluated against cluster labels, so clusters join and leave the group automatically as their labels change.
Assigning a role
Open Roles & Access
Go to Organisation → Settings and open Roles (and Cluster Groups if you need a group scope).
Audit log
Every access change - invitations, role assignments, cluster-group edits, revocations - is recorded in the organisation Audit Log under Organisation → Settings → Audit Log, so you can see who changed what and when.Related
Cluster Access
Scoped, SSO-backed kubectl access.
Organisations
Invite and manage members.
Organisation Settings
Configure organisation-wide behaviour.
API Tokens
Scope tokens to a permission allowlist.