PingOne Privilege

Configuring GCP GKE access

This topic describes the required configurations within your Google Cloud Platform (GCP) project to allow PingOne Privilege to discover and manage your Google Kubernetes Engine (GKE) clusters.

The process involves verifying service account permissions, configuring role-based access control (RBAC) on the GKE cluster, and then rescanning your GCP account in PingOne Privilege.

Verifying identity and access management (IAM) permissions

First, ensure the service account used to onboard your GCP project to PingOne Privilege has the necessary permissions.

  1. In the Google Cloud Console, go to IAM & Admin > IAM.

  2. Find the service account associated with your PingOne Privilege integration.

  3. Verify that the service account has the Kubernetes Engine Admin role. If it doesn’t, edit the principal’s permissions and add this role.

Configuring GKE security for RBAC

Next, configure the GKE cluster’s security settings to use Google Groups for RBAC. This allows PingOne Privilege to manage access.

  1. In the Google Cloud Console, go to Kubernetes Engine > Clusters.

  2. Select the desired GKE cluster in the list.

  3. Click the Security tab for the cluster.

  4. In the Google Groups for RBAC section, click Edit.

  5. Add the following Google Group email address: group@pgcp.cloud.

  6. Save the changes.
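The two GCP-side steps above (the IAM role check and the Google Groups for RBAC setting) can also be verified and applied with the gcloud CLI instead of the console. The script below is an added example, not part of this page or of the PingOne Privilege product; it assumes the Kubernetes Engine Admin role's identifier `roles/container.admin`, a constructed sample IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, and placeholder project, service account and cluster names.

```shell
#!/bin/sh
# Added example (not from the page): check that the onboarding service account
# holds roles/container.admin, and build the gcloud command that enables
# Google Groups for RBAC on a GKE cluster.

# Constructed sample IAM policy, in the shape of
#   gcloud projects get-iam-policy PROJECT --format=json
# The project and service-account names are placeholders.
sample_policy() {
  cat <<'EOF'
{
  "bindings": [
    {
      "members": [
        "serviceAccount:pingone-privilege@example-project.iam.gserviceaccount.com"
      ],
      "role": "roles/container.admin"
    },
    {
      "members": [
        "serviceAccount:other-sa@example-project.iam.gserviceaccount.com",
        "user:admin@example.com"
      ],
      "role": "roles/viewer"
    }
  ],
  "etag": "BwXyZ",
  "version": 1
}
EOF
}

# policy_has_binding ROLE MEMBER
# Reads an IAM policy (JSON) on stdin and returns 0 when MEMBER appears in a
# binding for ROLE. Each binding object is isolated by splitting on '}', so the
# check works whichever order "members" and "role" appear in. Conditional
# bindings are counted as present; inspect them manually if your policy uses
# IAM conditions.
policy_has_binding() {
  role="$1"
  member="$2"
  tr -d '\n\t ' \
    | tr '}' '\n' \
    | grep -F -- "\"$member\"" \
    | grep -Fq -- "\"role\":\"$role\""
}

# verify_project_sa PROJECT SERVICE_ACCOUNT_EMAIL
# Live version of the check; requires gcloud and permission to read the policy.
verify_project_sa() {
  gcloud projects get-iam-policy "$1" --format=json \
    | policy_has_binding roles/container.admin "serviceAccount:$2"
}

# grant_role_cmd PROJECT SERVICE_ACCOUNT_EMAIL
# Prints the gcloud command that grants Kubernetes Engine Admin if it is missing.
grant_role_cmd() {
  printf '%s\n' "gcloud projects add-iam-policy-binding $1 --member=serviceAccount:$2 --role=roles/container.admin"
}

# groups_rbac_update_cmd CLUSTER LOCATION
# Prints the gcloud equivalent of the console's Google Groups for RBAC setting,
# using the group address given on this page.
groups_rbac_update_cmd() {
  printf '%s\n' "gcloud container clusters update $1 --location $2 --security-group=group@pgcp.cloud"
}

# Stand-alone run against the constructed policy.
SA="pingone-privilege@example-project.iam.gserviceaccount.com"
if sample_policy | policy_has_binding roles/container.admin "serviceAccount:$SA"; then
  echo "OK: $SA has roles/container.admin"
else
  echo "MISSING: run ->"; grant_role_cmd example-project "$SA"
fi
echo "Next: $(groups_rbac_update_cmd my-cluster us-central1)"
```

Pipe real output into `policy_has_binding`, or call `verify_project_sa`, to check a live project; the printed commands are meant to be reviewed before running them, since both change project or cluster configuration.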

Onboarding the cluster in PingOne Privilege

After completing the configuration in the GCP console, rescan your account in PingOne Privilege to discover the cluster.

  1. In the PingOne Privilege admin console, go to Clouds.

  2. Click the Google GCP icon, find your cloud account, and click More Info.

  3. Go to the Resources tab and click Rescan.

After the rescan is complete, the GKE cluster will be available to manage under the Targets menu.