Skip to main content
Ankra controls access with roles that you assign at a scope. A role is a set of permissions; a scope decides where those permissions apply - the whole organisation, a single cluster, or a cluster group. A role can also bundle Kubernetes access that Ankra provisions on every cluster in scope, so platform permissions and kubectl access are granted together.
Roles and scoped assignments replace the earlier admin/member split. Existing members keep working: admin and member map onto the new model, and wider roles become available as you adopt them.

How access is decided

An assignment ties a member to a role at a scope. When the role includes Kubernetes access, Ankra reconciles the matching Cluster Access grants onto every cluster the scope resolves to, and keeps them in sync as group membership changes.

Built-in roles

RoleIntended for
ownerFull control of the organisation, including billing and ownership transfer
adminManage members, roles, clusters, and settings
operatorDay-to-day operations across clusters and stacks
memberUse the platform; create and manage resources
viewerRead-only access to organisation resources
read-onlyStrict read-only
You can also define custom roles that bundle a specific permission set and, optionally, a Kubernetes access level provisioned across the assignment’s scope.

Scopes

ScopeApplies to
OrganisationEvery cluster and resource in the organisation
ClusterA single named cluster
Cluster groupEvery cluster that a group resolves to
Assign the narrowest scope that fits. A support engineer who only triages one team’s clusters gets a viewer (or operator) role on that team’s cluster group, not the whole organisation.

Cluster groups

A cluster group is a named set of clusters used as an assignment scope. Groups can be:
  • Static - you pin specific clusters as members.
  • Dynamic - a label selector evaluated against cluster labels, so clusters join and leave the group automatically as their labels change.
Manage groups under Organisation → Settings → Cluster Groups. A preview shows exactly which clusters a group currently resolves to before you use it in an assignment.

Assigning a role

1

Open Roles & Access

Go to Organisation → Settings and open Roles (and Cluster Groups if you need a group scope).
2

Pick a member and role

Choose an organisation member, then a built-in or custom role.
3

Choose the scope

Assign at the organisation, a single cluster, or a cluster group.
4

Save

Ankra applies the assignment immediately. If the role bundles Kubernetes access, it reconciles the grants onto every cluster in scope.
From the CLI:
# List built-in and custom roles
ankra org roles

# Manage cluster groups
ankra org cluster-groups list
ankra org cluster-groups create --name prod --selector env=production
ankra org cluster-groups preview prod

# Assign, list, and revoke roles at a scope
ankra org assign [email protected] --role operator --cluster-group prod
ankra org assignments [email protected]
ankra org unassign <assignment-id>

Audit log

Every access change - invitations, role assignments, cluster-group edits, revocations - is recorded in the organisation Audit Log under Organisation → Settings → Audit Log, so you can see who changed what and when.

Cluster Access

Scoped, SSO-backed kubectl access.

Organisations

Invite and manage members.

Organisation Settings

Configure organisation-wide behaviour.

API Tokens

Scope tokens to a permission allowlist.