Open ID Connect (OIDC) supports authentication for Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) clusters. You can configure PingOne as an identity provider (IdP) to provide strong user authentication to your EKS clusters.
Integrating OpenID Connect (OIDC) within AWS EKS involves creating a PingOne OIDC application and configuring the kubectl CLI for OIDC.
You can use the PingOne IdP as an alternative, or in addition, to AWS Identity and Access Management (IAM). With this feature, you can manage user access to your cluster by leveraging an existing identity management life cycle through your OIDC identity provider.
The features and benefits of this configuration are:
- Centralized Authentication Policy
- User authentication to the EKS can leverage the centralized PingOne Identity Provider policy.
- Extended Multi-Factor Authentication
- By using PingOne, strong multi-factor authentication can be extended to your EKS user authentication.
- Strengthened security using PingOne Protect
- By analyzing multiple risk signals, PingOne Protect can identify anomalous activity to block attacks or require strong authentication methods, providing a greater level of assurance of your users’ identities.
Components
- PingOne for Enterprise
- AWS EKS cluster 1.6+
- Kubelogin plugin for kubectl (https://github.com/int128/kubelogin)
Before you begin
Make sure you have the following:
- A basic understanding of OIDC and OAuth 2.0 protocols
- An understanding of JSON Web Tokens
- A local installation of AWD CLI for configuring the OIDC integration within Amazon EKS
- AWS CLI installed and configured to the existing AWS EKS Cluster
- A PingOne for Enterprise account (https://www.pingidentity.com/en/trials/p14e-trial.html)
For more information, see Integrate an OIDC application.