PingOne Privilege

Configuring AWS Elastic Kubernetes Service (Amazon EKS) access

After you onboard an AWS account to PingOne Privilege, you can manage access to your EKS clusters and namespaces at a granular level.

If an EKS cluster is configured to use the EKS API for authentication in combination with the aws-auth ConfigMap, PingOne Privilege automatically falls back to using the EKS API.

Onboard the cluster in PingOne Privilege

  1. In the PingOne Privilege admin console, on your AWS account’s Resource tab, click Rescan.

  2. After the rescan completes, go to Targets.

  3. Find the newly discovered cluster, click More Info, and enable the Manage toggle to onboard it. For more details, see Onboarding target resources.

Additional considerations

Private clusters

If your EKS cluster is in a private VPC with no inbound internet access, you must deploy a PingOne Privilege gateway or relay within the same VPC. Learn more in Configure network infrastructure.
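A pre-onboarding check for the two conditions described above (authentication mode and private networking), added here as an example and not part of PingOne Privilege or its documentation. It reads the JSON printed by `aws eks describe-cluster`. The `preflight` helper, the sample cluster, and the rule that a private-only API endpoint means a gateway or relay is needed are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws eks describe-cluster --name <cluster>` output.
SAMPLE = """
{"cluster": {"name": "example-cluster",
  "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"},
  "resourcesVpcConfig": {"endpointPublicAccess": false,
                         "endpointPrivateAccess": true,
                         "publicAccessCidrs": []}}}
"""


def preflight(describe_cluster_json):
    """Summarize the two cluster settings this page depends on (hypothetical helper)."""
    cluster = json.loads(describe_cluster_json)["cluster"]
    mode = cluster.get("accessConfig", {}).get("authenticationMode", "UNKNOWN")
    vpc = cluster.get("resourcesVpcConfig", {})
    public = bool(vpc.get("endpointPublicAccess", True))
    cidrs = vpc.get("publicAccessCidrs") or []
    findings = []
    if mode == "API_AND_CONFIG_MAP":
        findings.append("auth: EKS API and aws-auth ConfigMap both enabled; "
                        "per this page the EKS API is used")
    else:
        findings.append(f"auth: authenticationMode is {mode}")
    # Assumption: a cluster whose API endpoint has public access disabled is the
    # "private cluster" case, so a gateway or relay in the same VPC is required.
    if not public:
        findings.append("network: API endpoint is private-only; plan a gateway "
                        "or relay in the cluster's VPC")
    elif "0.0.0.0/0" in cidrs:
        findings.append("network: public endpoint open to 0.0.0.0/0")
    else:
        findings.append(f"network: public endpoint limited to {cidrs}")
    return {"name": cluster.get("name"), "auth_mode": mode,
            "needs_gateway_or_relay": not public, "findings": findings}


if __name__ == "__main__":
    # Usage: aws eks describe-cluster --name <cluster> | python preflight.py
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = preflight(raw)
    print(report["name"])
    for line in report["findings"]:
        print(" -", line)
```

Run it against each cluster before clicking Rescan so you know in advance which clusters need a gateway or relay deployed first.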

Default permissions

By default, an administrative user is granted the ProcyonKubeCtlView permission. After connecting to PingOne Privilege using the agent, the user’s Kubernetes context will be automatically available in their local ~/.kube/config file.