Commit 7611a706, authored by Phillip Wells

Merge branch 'docs/k8s-proxy-scope' into 'master'

Document `k8s_proxy` scope for PATs, PrATs and GATs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131774



Merged-by: Phillip Wells <pwells@gitlab.com>
Approved-by: Hunter Stewart <hustewart@gitlab.com>
Reviewed-by: Phillip Wells <pwells@gitlab.com>
Co-authored-by: Timo Furrer <tfurrer@gitlab.com>
...@@ -85,6 +85,8 @@ The user authorization step is automatically skipped for this application. ...@@ -85,6 +85,8 @@ The user authorization step is automatically skipped for this application.
## View all authorized applications ## View all authorized applications
> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
To see all the application you've authorized with your GitLab credentials: To see all the application you've authorized with your GitLab credentials:
1. On the left sidebar, select your avatar. 1. On the left sidebar, select your avatar.
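Review bot: The history note added under `## View all authorized applications` puts the `k8s_proxy` scope on the OAuth applications page, but the commit title only names PATs, PrATs and GATs and the flag is called `k8s_proxy_pat`. Confirm that OAuth application tokens carrying this scope are accepted for Kubernetes API calls through the agent. If they are, mention OAuth applications in the merge request title; if they are not, drop the note and the table row from this file.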
...@@ -95,7 +97,7 @@ The GitLab OAuth 2 applications support scopes, which allow application to perfo ...@@ -95,7 +97,7 @@ The GitLab OAuth 2 applications support scopes, which allow application to perfo
different actions. See the following table for all available scopes. different actions. See the following table for all available scopes.
| Scope | Description | | Scope | Description |
| ------------------ | ----------- | |--------------------| ----------- |
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. | | `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_user` | Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users. | | `read_user` | Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users. |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. | | `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
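Review bot: The separator row is the only change in this hunk, and it leaves the two columns styled differently: `|--------------------| ----------- |` has no padding in the first cell and padding in the second. Either keep the original padded form and widen it to fit `k8s_proxy`, or strip the padding from both cells so the row is consistent.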
...@@ -108,6 +110,7 @@ different actions. See the following table for all available scopes. ...@@ -108,6 +110,7 @@ different actions. See the following table for all available scopes.
| `profile` | Grants read-only access to the user's profile data using [OpenID Connect](openid_connect_provider.md). | | `profile` | Grants read-only access to the user's profile data using [OpenID Connect](openid_connect_provider.md). |
| `email` | Grants read-only access to the user's primary email address using [OpenID Connect](openid_connect_provider.md). | | `email` | Grants read-only access to the user's primary email address using [OpenID Connect](openid_connect_provider.md). |
| `create_runner` | Grants permission to create runners. | | `create_runner` | Grants permission to create runners. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
At any time you can revoke any access by selecting **Revoke**. At any time you can revoke any access by selecting **Revoke**.
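Review bot: The new `k8s_proxy` row does not say how it relates to the `api` row at the top of the same table, which is described as complete read/write access to the API. State whether a token needs `k8s_proxy` in addition to `api` to make Kubernetes API calls through the agent or whether `api` already covers them, so that readers choosing a least-privilege scope know which one to request.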
......
...@@ -138,6 +138,8 @@ token.revoke! ...@@ -138,6 +138,8 @@ token.revoke!
## Scopes for a group access token ## Scopes for a group access token
> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
The scope determines the actions you can perform when you authenticate with a group access token. The scope determines the actions you can perform when you authenticate with a group access token.
| Scope | Description | | Scope | Description |
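Review bot: The history line under `## Scopes for a group access token` says the scope is behind the `k8s_proxy_pat` flag and enabled by default, but the section does not say what a reader should expect when the flag is turned off. Add a sentence after the note describing how the scope behaves on an instance where an administrator has disabled the flag, since the scope is listed in the table unconditionally.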
...@@ -150,6 +152,7 @@ The scope determines the actions you can perform when you authenticate with a gr ...@@ -150,6 +152,7 @@ The scope determines the actions you can perform when you authenticate with a gr
| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. | | `write_repository` | Grants read and write access (pull and push) to all repositories within a group. |
| `create_runner` | Grants permission to create runners in a group. | | `create_runner` | Grants permission to create runners in a group. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. |
## Enable or disable group access token creation ## Enable or disable group access token creation
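Review bot: The `k8s_proxy` row says "in a group" while the `write_repository` row above it says "all repositories within a group", so it is unclear whether the scope reaches agents registered in every project and subgroup of the group. Spell out the boundary in the same way, naming which agents a group access token with this scope can reach.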
......
...@@ -104,7 +104,8 @@ To view the last time a token was used: ...@@ -104,7 +104,8 @@ To view the last time a token was used:
## Personal access token scopes ## Personal access token scopes
> Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0. > - Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
A personal access token can perform actions based on the assigned scopes. A personal access token can perform actions based on the assigned scopes.
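Review bot: Converting the history note to a list keeps the first bullet's wording, "Personal access tokens no longer being able to access container or package registries [introduced]", which does not read as a sentence. Since the line is already being touched, reword it so the behaviour change is stated plainly and the link text reads as "Introduced in GitLab 16.0".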
...@@ -121,6 +122,7 @@ A personal access token can perform actions based on the assigned scopes. ...@@ -121,6 +122,7 @@ A personal access token can perform actions based on the assigned scopes.
| `admin_mode` | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) | | `admin_mode` | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) |
| `create_runner` | Grants permission to create runners. | | `create_runner` | Grants permission to create runners. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
WARNING: WARNING:
If you enabled [external authorization](../admin_area/settings/external_authorization.md), personal access tokens cannot access container or package registries. If you use personal access tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use personal access tokens with container or package registries. If you enabled [external authorization](../admin_area/settings/external_authorization.md), personal access tokens cannot access container or package registries. If you use personal access tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use personal access tokens with container or package registries.
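Review bot: The personal access token row for `k8s_proxy` carries no qualifier, whereas the group and project rows in this commit end with "in a group" and "in the project". Say explicitly which agents a personal access token with this scope can reach, so the difference in reach between the three token types is visible from the tables.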
......
...@@ -79,6 +79,8 @@ To revoke a project access token: ...@@ -79,6 +79,8 @@ To revoke a project access token:
## Scopes for a project access token ## Scopes for a project access token
> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
The scope determines the actions you can perform when you authenticate with a project access token. The scope determines the actions you can perform when you authenticate with a project access token.
NOTE: NOTE:
...@@ -94,6 +96,7 @@ See the warning in [create a project access token](#create-a-project-access-toke ...@@ -94,6 +96,7 @@ See the warning in [create a project access token](#create-a-project-access-toke
| `write_repository` | Grants read and write access (pull and push) to the repository. | | `write_repository` | Grants read and write access (pull and push) to the repository. |
| `create_runner` | Grants permission to create runners in the project. | | `create_runner` | Grants permission to create runners in the project. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. |
## Enable or disable project access token creation ## Enable or disable project access token creation
......