CKS Viewer, CKS Admin, and others) attached to their access policies. There is no per-cluster scoping in this model.
For per-cluster scoping, configure a cluster to use Unmanaged Authentication. Each cluster has its own auth endpoint that you connect to your own identity provider through OIDC, Kubernetes Service Account tokens, or a webhook, giving you control over which identities can authenticate to that specific cluster. Unmanaged auth can be enabled on existing clusters without recreating them. For setup, see Implement Unmanaged Authentication.
For stronger separation between groups of clusters, contact support about using multiple organizations.
Administrator Authentication & Access