CoreWeave organizations and users map directly to CKS through IAM roles and Kubernetes RBAC. This page summarizes how platform-level identity concepts apply within CKS.

CKS users

CKS designates two IAM roles that correspond to the platform user types. The following sections describe each role.

CKS administrators

CKS administrators have the CKS Admin IAM role. This role grants broad access to cluster management, including creating clusters, managing API Access Tokens, configuring SAML SSO, and viewing metrics and logs.

CKS viewers

CKS viewers have the CKS Viewer IAM role. This role grants limited permissions, which administrators must allocate.

CKS user permissions

In addition to the preceding IAM roles, CKS uses Kubernetes RBAC to scope what users can do inside a cluster. Within a CKS cluster, CKS defines user permissions as follows:
  • Read permissions let the user use all watch, get, and list verbs on cluster resources within their cluster.
  • Write permissions let the user create and patch cluster resources within their cluster.
For the full permissions model, see IAM Access Policies and Legacy User Permissions.
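
The following added example (not CoreWeave code) audits a Kubernetes Role or ClusterRole against the read and write verb sets listed above, flagging any rule that grants more, including the `*` wildcard. The sample role and its name are constructed. The example assumes that in-cluster permissions appear as standard RBAC rules and that a user may hold both levels.

```python
import json

# Verb sets as the page defines them for CKS read and write permissions.
PAGE_VERBS = {
    "read": {"get", "list", "watch"},
    "write": {"create", "patch"},
}

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json` output.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-team-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}
  ]
}
""")


def excess_verbs(role, granted_levels):
    """Return (rule_index, resources, verbs) for each rule exceeding the granted levels."""
    allowed = set()
    for level in granted_levels:
        allowed |= PAGE_VERBS[level]
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        # "*" grants every verb, including delete and deletecollection.
        extra = {"*"} if "*" in verbs else verbs - allowed
        if extra:
            findings.append((index, rule.get("resources", []), sorted(extra)))
    return findings


if __name__ == "__main__":
    # Audit the sample as a read-only grant, then as read plus write.
    for levels in (["read"], ["read", "write"]):
        print(levels, excess_verbs(SAMPLE_ROLE, levels))
```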

Organization IDs in CKS

CKS uses Organization IDs to enforce tenant isolation. All interactions with CKS filter users using their Org ID, and CKS scopes all cluster requests to Org IDs.
Last modified on June 10, 2026