PingOne Privilege

Configuring AWS Elastic Kubernetes Service (Amazon EKS) access

The specific steps to configure your Amazon EKS clusters to allow access management through the PingOne Privilege platform depend on the cluster’s authentication mode.

After an EKS cluster and its namespaces are created in AWS and the parent AWS account is onboarded to PingOne Privilege, you can manage access to Kubernetes objects at a granular level.

PingOne Privilege supports clusters that use the following EKS authentication modes:

  • EKS API

  • EKS API & aws-auth ConfigMap

  • aws-auth ConfigMap only

Configuring ConfigMap-only authentication

If your EKS cluster relies exclusively on the aws-auth ConfigMap for authentication, you must add the PingOne Privilege cross-account IAM role to this ConfigMap. By default, only the IAM principal that created the cluster has cluster access, so until other principals are mapped, that identity is the only one that can edit the ConfigMap.

  1. In the PingOne Privilege admin console, in the sidebar, go to Clouds.

  2. In the tile for the target AWS Account, click More Info.

  3. Copy the Assume Role ARN.

  4. From a terminal with kubectl access to your EKS cluster, open the aws-auth ConfigMap for editing:

    kubectl edit -n kube-system configmap/aws-auth
  5. In the editor, add the copied role ARN as a new entry in the mapRoles list and grant it the system:masters group. Keep the entries that are already there (EKS maps the node IAM role in this list; removing that entry stops nodes from authenticating). Note that system:masters is the built-in Kubernetes super-user group and bypasses RBAC entirely, so this entry gives the PingOne Privilege role full cluster-admin rights; per-user access is then scoped by PingOne Privilege rather than by Kubernetes RBAC.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: aws-auth
      namespace: kube-system
    data:
      mapRoles: |
        - rolearn: <YOUR_COPIED_ARN_HERE>
          username: procyon-admin:{{SessionName}}
          groups:
            - system:masters
      mapUsers: |
        - userarn: <...>
          username: <...>
  6. Save and close the file to apply the changes.

  7. In the PingOne Privilege admin console, on the AWS account's Resources tab, click Rescan.

  8. After the rescan completes, in the sidebar, go to Targets.

  9. Find the newly discovered cluster, click More Info and use the Manage toggle to onboard it. Learn more in Onboarding target resources.
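The hand edit in step 5 is easy to get wrong (a duplicated entry, a dropped node-role mapping, a pasted user ARN instead of a role ARN). The following script is an added example for the procedure above, not PingOne Privilege or AWS code: it parses the mapRoles block of aws-auth, appends the cross-account role once (a second run is a no-op), validates that the value is an IAM role ARN, and emits the JSON body for a kubectl merge patch so the change can be applied non-interactively. It assumes mapRoles entries use only the rolearn, username and groups keys, which is the shape EKS itself writes; the node-role sample and the placeholder ARN are constructed for illustration.

```python
"""Idempotently add a role mapping to the aws-auth ConfigMap's mapRoles block.

Added example for the ConfigMap-only procedure; not PingOne Privilege code.
Assumes mapRoles entries use only the rolearn, username and groups keys.
"""
import json
import re

# IAM role ARN shape: 12-digit account ID, role name may include a path and
# the characters + = , . @ _ -
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
ENTRY_KEYS = ("rolearn", "username", "groups")


def is_role_arn(value):
    return bool(ROLE_ARN_RE.match(value))


def parse_map_roles(text):
    """Parse the YAML list inside data.mapRoles into a list of dicts.

    Hand-rolled for the flat shape EKS uses, so no YAML library is needed.
    A line starting with '- <key>:' opens a new entry; any other '- x' line
    is a group name belonging to the current entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            line = line[2:].strip()
            if line.split(":", 1)[0] in ENTRY_KEYS:
                entries.append({"rolearn": "", "username": "", "groups": []})
            else:
                if not entries:
                    raise ValueError("group listed before any entry: " + raw)
                entries[-1]["groups"].append(line)
                continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key not in ENTRY_KEYS or not entries:
            raise ValueError("unexpected mapRoles line: " + raw)
        if key != "groups":  # group names follow on their own lines
            entries[-1][key] = value
    return entries


def dump_map_roles(entries):
    lines = []
    for e in entries:
        lines.append("- rolearn: " + e["rolearn"])
        lines.append("  username: " + e["username"])
        lines.append("  groups:")
        lines.extend("    - " + g for g in e["groups"])
    return "\n".join(lines) + "\n"


def add_role(map_roles, rolearn, username, groups):
    """Return (new_map_roles, changed).

    Existing entries, including the node-group role mapping EKS relies on,
    are kept; a role that is already mapped is left untouched, not duplicated.
    """
    if not is_role_arn(rolearn):
        raise ValueError("not an IAM role ARN: " + rolearn)
    entries = parse_map_roles(map_roles)
    if any(e["rolearn"] == rolearn for e in entries):
        return map_roles, False
    entries.append({"rolearn": rolearn, "username": username, "groups": list(groups)})
    return dump_map_roles(entries), True


def kubectl_merge_patch(map_roles):
    """JSON body for: kubectl patch configmap aws-auth -n kube-system --type merge -p <body>
    A merge patch only replaces data.mapRoles, so data.mapUsers survives untouched."""
    return json.dumps({"data": {"mapRoles": map_roles}})


# Constructed sample: the mapping EKS writes for a managed node group.
SAMPLE_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::111122223333:role/eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
"""
# Hypothetical placeholder for the Assume Role ARN copied from the console.
EXAMPLE_ARN = "arn:aws:iam::111122223333:role/example-privilege-cross-account-role"

if __name__ == "__main__":
    updated, changed = add_role(SAMPLE_MAP_ROLES, EXAMPLE_ARN,
                                "procyon-admin:{{SessionName}}", ["system:masters"])
    print(kubectl_merge_patch(updated))
```

To use it against a live cluster, fetch the current block with `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'`, pass it to add_role, and apply the printed body with `kubectl patch configmap aws-auth -n kube-system --type merge -p '<body>'`. The merge patch is deliberate: it touches only mapRoles, whereas `kubectl replace` would overwrite the whole ConfigMap, including mapUsers.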

Configuring EKS API-based authentication

If your EKS cluster uses the EKS API for authentication (either exclusively or together with the ConfigMap), no kubectl configuration is required: access for the cross-account role is handled through the EKS API rather than through an aws-auth ConfigMap entry.

  1. In the PingOne Privilege admin console, on the AWS account's Resources tab, click Rescan.

  2. After the rescan completes, go to Targets.

  3. Find the newly discovered cluster, click More Info and use the Manage toggle to onboard it. Learn more in Onboarding target resources.

Additional considerations

Private clusters

If your EKS cluster's API endpoint is private (the cluster sits in a VPC with no public endpoint and no inbound internet access), PingOne Privilege cannot reach it directly. Deploy a PingOne Privilege gateway or relay inside the same VPC so that the platform can connect to the cluster.

Learn more in Gateways and relays.
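Which of the two procedures applies, and whether a gateway or relay is needed, can both be read from `aws eks describe-cluster --name <cluster>` before anything is onboarded. The preflight below is an added example, not PingOne Privilege or AWS code: it takes that command's JSON output, reads cluster.accessConfig.authenticationMode (CONFIG_MAP, API or API_AND_CONFIG_MAP) and cluster.resourcesVpcConfig.endpointPublicAccess, and returns which steps apply. The three sample clusters are constructed; treating a missing accessConfig as CONFIG_MAP is an assumption about clusters that predate access entries.

```python
"""Preflight for onboarding an EKS cluster: decide from describe-cluster
output which procedure applies and whether a gateway or relay is required.

Added example, not PingOne Privilege code; the sample JSON is constructed.
"""
import json

# Values EKS returns in cluster.accessConfig.authenticationMode
CONFIG_MAP_ONLY = "CONFIG_MAP"
API_MODES = ("API", "API_AND_CONFIG_MAP")


def authentication_mode(cluster):
    """Return authenticationMode, treating a missing accessConfig as CONFIG_MAP.

    Assumption: clusters that predate access entries report no accessConfig
    and can only authenticate through the aws-auth ConfigMap.
    """
    mode = cluster.get("accessConfig", {}).get("authenticationMode", CONFIG_MAP_ONLY)
    if mode != CONFIG_MAP_ONLY and mode not in API_MODES:
        raise ValueError("unknown authenticationMode: " + str(mode))
    return mode


def endpoint_is_private(cluster):
    """True when the API server has no public endpoint, i.e. it is reachable
    only from inside the VPC and a gateway or relay is needed there."""
    vpc = cluster.get("resourcesVpcConfig", {})
    return not vpc.get("endpointPublicAccess", True)


def onboarding_plan(describe_output):
    """Map describe-cluster JSON (string or parsed dict) to the steps needed."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    cluster = data["cluster"]
    mode = authentication_mode(cluster)
    return {
        "name": cluster["name"],
        "mode": mode,
        "edit_aws_auth": mode == CONFIG_MAP_ONLY,      # ConfigMap-only procedure
        "gateway_or_relay": endpoint_is_private(cluster),
    }


# Constructed samples shaped like `aws eks describe-cluster` output.
SAMPLE_PRIVATE_CONFIGMAP = json.dumps({"cluster": {
    "name": "prod-private",
    "accessConfig": {"authenticationMode": "CONFIG_MAP"},
    "resourcesVpcConfig": {"endpointPublicAccess": False, "endpointPrivateAccess": True},
}})
SAMPLE_PUBLIC_API = json.dumps({"cluster": {
    "name": "dev-public",
    "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"},
    "resourcesVpcConfig": {"endpointPublicAccess": True, "endpointPrivateAccess": False},
}})
SAMPLE_LEGACY = json.dumps({"cluster": {
    "name": "legacy",
    "resourcesVpcConfig": {"endpointPublicAccess": True},
}})

if __name__ == "__main__":
    for sample in (SAMPLE_PRIVATE_CONFIGMAP, SAMPLE_PUBLIC_API, SAMPLE_LEGACY):
        print(onboarding_plan(sample))
```

A cluster that reports CONFIG_MAP with a private endpoint needs both the aws-auth edit and a gateway or relay; one that reports API or API_AND_CONFIG_MAP needs only the rescan, and a gateway or relay only if its endpoint is private.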

Default permissions

By default, an administrative user is granted the ProcyonKubeCtlView permission. After the user connects to the PingOne Privilege platform using the agent, the cluster's Kubernetes context appears in their local ~/.kube/config file, where they can view it.