PingOne Privilege

Configuring Azure AKS access

This topic describes the required configurations within the Azure portal to allow PingOne Privilege to discover and manage your Azure Kubernetes Service (AKS) clusters. The process involves configuring the cluster’s authentication method and assigning the necessary roles to the PingOne Privilege connector application.

Step 1: Configure authentication on the AKS Cluster

First, configure your AKS cluster to use Microsoft Entra ID for authentication while still allowing local accounts.

  1. In the Azure portal, navigate to your Kubernetes services.

  2. Select your target AKS cluster to open its management blade.

  3. In the sidebar under Settings, select Security configuration.

  4. In Authentication and authorization, select Microsoft Entra ID authentication with Azure RBAC.

  5. Ensure the Kubernetes local accounts checkbox is also enabled.

    Keeping local accounts enabled allows PingOne Privilege to manage access to the cluster.

  6. Click Apply to save the changes.

Step 2: Assign IAM roles to the connector app

Next, grant the PingOne Privilege connector application the required permissions to manage the cluster.

These steps might not be necessary if the connector app already inherits the required roles from its subscription-level permissions.

  1. From the AKS cluster’s management blade, go to Access control (IAM).

  2. Click Add > Add role assignment.

  3. On the Role tab, search for and select one of the two roles listed in step 6.

  4. On the Members tab, click Select members, search for your PingOne Privilege Connector App, and select it.

  5. Click Review + assign to complete the assignment.

  6. Repeat this process to assign the following two roles:

    • Azure Kubernetes Service Cluster Admin Role

    • Azure Kubernetes Service RBAC Cluster Admin
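The following script is an added example and is not part of the PingOne Privilege documentation or the product itself. It performs Steps 1 and 2 with the Azure CLI instead of the portal, scoping the two role assignments to the cluster resource rather than the subscription, and includes two checks that run on captured `az` output so the resulting configuration can be verified (offline, against the constructed samples embedded below, or live). The resource group, cluster name and connector app display name are placeholders; the `check_*` functions and the sample JSON are assumptions of this example, not something the documentation describes.

```shell
#!/bin/sh
# Added example, not part of the PingOne Privilege documentation: Azure CLI
# equivalents of Steps 1 and 2, plus offline checks of what they should produce.
# RG, CLUSTER and CONNECTOR_APP are placeholder values; set them for your tenant.
set -eu

RG="${RG:-example-rg}"                   # placeholder resource group
CLUSTER="${CLUSTER:-example-aks}"        # placeholder AKS cluster name
CONNECTOR_APP="${CONNECTOR_APP:-PingOne Privilege Connector App}"  # placeholder display name

# Step 1: Microsoft Entra ID authentication with Azure RBAC, keeping
# Kubernetes local accounts enabled.
configure_aks_auth() {
  az aks update --resource-group "$RG" --name "$CLUSTER" \
    --enable-aad --enable-azure-rbac --enable-local-accounts
}

# Step 2: assign both roles to the connector app's service principal,
# scoped to the cluster resource only (not the whole subscription).
assign_connector_roles() {
  cluster_id=$(az aks show --resource-group "$RG" --name "$CLUSTER" --query id -o tsv)
  sp_id=$(az ad sp list --display-name "$CONNECTOR_APP" --query '[0].id' -o tsv)
  for role in "Azure Kubernetes Service Cluster Admin Role" \
              "Azure Kubernetes Service RBAC Cluster Admin"; do
    az role assignment create \
      --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
      --role "$role" --scope "$cluster_id"
  done
}

# Checks below run on captured JSON/text, so they also work offline.

# $1: JSON from `az aks show ... -o json`. Returns 0 only when managed
# Entra ID auth, Azure RBAC and Kubernetes local accounts are all on.
check_aks_auth_json() {
  json="$1"; rc=0
  printf '%s' "$json" | grep -Eq '"managed"[[:space:]]*:[[:space:]]*true' \
    || { echo "FAIL: Microsoft Entra ID authentication not enabled"; rc=1; }
  printf '%s' "$json" | grep -Eq '"enableAzureRbac"[[:space:]]*:[[:space:]]*true' \
    || { echo "FAIL: Azure RBAC not enabled"; rc=1; }
  printf '%s' "$json" | grep -Eq '"disableLocalAccounts"[[:space:]]*:[[:space:]]*false' \
    || { echo "FAIL: Kubernetes local accounts are disabled"; rc=1; }
  return $rc
}

# $1: role names, one per line, as printed by
#   az role assignment list --assignee "$sp_id" --scope "$cluster_id" \
#     --query '[].roleDefinitionName' -o tsv
check_connector_roles() {
  roles="$1"; rc=0
  for want in "Azure Kubernetes Service Cluster Admin Role" \
              "Azure Kubernetes Service RBAC Cluster Admin"; do
    printf '%s\n' "$roles" | grep -Fxq "$want" \
      || { echo "FAIL: missing role assignment: $want"; rc=1; }
  done
  return $rc
}

# Constructed sample output (trimmed) used to exercise the checks offline.
SAMPLE_AKS_OK='{
  "aadProfile": { "managed": true, "enableAzureRbac": true },
  "disableLocalAccounts": false
}'
SAMPLE_AKS_BAD='{
  "aadProfile": { "managed": true, "enableAzureRbac": false },
  "disableLocalAccounts": true
}'
SAMPLE_ROLES_OK='Azure Kubernetes Service Cluster Admin Role
Azure Kubernetes Service RBAC Cluster Admin'

# With "apply", run the real commands against Azure; otherwise only the checks.
if [ "${1:-}" = "apply" ]; then
  configure_aks_auth
  assign_connector_roles
  check_aks_auth_json "$(az aks show --resource-group "$RG" --name "$CLUSTER" -o json)"
else
  check_aks_auth_json "$SAMPLE_AKS_OK" && echo "sample cluster config OK"
  check_connector_roles "$SAMPLE_ROLES_OK" && echo "sample role assignments OK"
fi
```

Run it without arguments to see the checks pass on the constructed samples; run it with `apply` after signing in with `az login` to perform the changes and then validate the live cluster. Because the role assignments are created at the cluster's resource ID, they do not grant the connector app anything beyond that cluster, which is why Step 2 may be redundant when the app already holds the roles at subscription scope.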

Step 3: Onboard the cluster in PingOne Privilege

After completing the configuration in the Azure portal, rescan your Azure account in PingOne Privilege to discover the cluster.

  1. In the PingOne Privilege admin console, go to Cloud > Clouds.

  2. Find your Azure account and click More Info.

  3. Go to the Resources tab and click Rescan.

Validation

After the rescan is complete, the AKS cluster will be available to manage.

  1. In the PingOne Privilege admin console, go to Access Management > Targets.

  2. Find the newly discovered cluster, click More Info, and enable the Manage toggle to onboard it.

The AKS cluster is now managed by PingOne Privilege.