Add an AKS Cluster
This guide describes how to manage access to an Azure Kubernetes Service (AKS) cluster via the strongDM Admin UI. This process involves creating and configuring a new cluster in the Admin UI and checking the connection to your Azure-managed API server.
Prerequisites
Ensure that the API server you intend to add to strongDM is accessible from your strongDM gateways or relays. See our guide on Gateways for more information.
Steps
Log in to the Admin UI and go to Infrastructure > Clusters.
Click the Add cluster button.
In the dialog that appears, set the following configuration properties:
Display Name (Required): Enter a meaningful name for this resource, such as aks-sandbox. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >). Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.
Cluster Type (Required): Select AKS.
Hostname (Required): Enter the hostname or IP address of the API server, such as api.aks.example.com. The relay server must be able to connect to the value you enter for Hostname. To verify the connection, log in to the relay server and run the following from a command prompt:
$ nc -z <HOSTNAME> <PORT>
If your relay can connect to this hostname, you can proceed.
Port (Required): Enter the port (default: 443) to connect to the API server.
Port Override: After a resource is created, the port override is automatically generated. A value between 1024-59999 is assigned as long as it is not used by another resource. You can optionally overwrite it with your own preferred port later in the Port Overrides settings. Note that after specifying the port override number, you must also update the kubectl configuration. See section Port Overrides for more information.
Secret Store: If a Secret Store integration is configured, select where the credentials for this cluster are stored.
Server CA (Required): Paste the server certificate (plaintext or Base64-encoded), or import a PEM file. You can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file.
To get the server CA from your kubeconfig file:
- Open the CLI and type cat ~/.kube/config to view the file.
- In the file, under cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.
Client Certificate (Required): Paste the client certificate (plaintext or Base64-encoded), or import a .PEM file. You can either generate the client certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file.
To get the client certificate from your kubeconfig file:
- From the CLI, type cat ~/.kube/config to view the file.
- In the file, under name, copy the client-certificate-data value. That is the client certificate in Base64 encoding.
Client Key (Required): Paste the client key (plaintext or Base64-encoded), or import a .PEM file. You can either generate the client key on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file.
To get the client key from your kubeconfig file:
- Open the CLI and type cat ~/.kube/config to view the file.
- In the file, under name, copy the client-key-data value. That is the private client key in Base64 encoding.
When your users connect to this cluster via strongDM, they have exactly the same rights as the user associated with these keys.
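As an added example (not strongDM's own code), the following POSIX shell script builds a constructed kubeconfig with placeholder PEM blocks, pulls out the certificate-authority-data, client-certificate-data and client-key-data fields that the three sections above ask for, and checks that each one decodes to PEM before you paste it into the form. It assumes GNU coreutils base64 and sed; the PEM bodies and the aks-sandbox names are placeholders.

```shell
#!/bin/sh
# Added example, not strongDM tooling: extract the Base64 fields the AKS form
# asks for from a kubeconfig and confirm each decodes to PEM before pasting.
set -eu

# Constructed placeholder PEM bodies (not real certificates or keys).
CA_PEM='-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CA
-----END CERTIFICATE-----'
CERT_PEM='-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----'
KEY_PEM='-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----'

# Base64-encode on a single line, the way kubeconfig stores *-data fields.
b64() { printf '%s\n' "$1" | base64 | tr -d '\n'; }

# Write a constructed kubeconfig in the layout the guide walks through.
make_sample_kubeconfig() {
  cat <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $(b64 "$CA_PEM")
    server: https://api.aks.example.com:443
  name: aks-sandbox
users:
- name: aks-sandbox-admin
  user:
    client-certificate-data: $(b64 "$CERT_PEM")
    client-key-data: $(b64 "$KEY_PEM")
EOF
}

# Print the value of field $2 from kubeconfig file $1 (first match only,
# since each *-data entry is a single "key: value" line).
kubeconfig_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Decode a Base64 field and print it only if the result is PEM; fail otherwise.
decode_pem() {
  pem=$(printf '%s' "$1" | base64 -d) || return 1
  case "$pem" in
    "-----BEGIN "*) printf '%s\n' "$pem" ;;
    *) echo "field does not decode to PEM" >&2; return 1 ;;
  esac
}
```

Because strongDM users inherit exactly the rights of this identity, it is worth confirming before pasting that the client certificate belongs to a narrowly scoped Kubernetes user rather than a cluster-admin; kubectl auth can-i get pods --namespace <NAMESPACE> run as that identity also confirms it holds one of the rights the Healthcheck Namespace field requires.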
Healthcheck Namespace (Optional): If enabled for your organization, you can use this field to specify the namespace used for the resource healthcheck. The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe namespace. If you do not specify a namespace, this field defaults to default.
Authentication (Required): Select either Leased Credential (the default model to access the cluster) or Remote Identities (to use the Remote Identities of strongDM users to access the cluster).
Healthcheck Username (Required): If Authentication is set to Remote Identities, enter the username that should be used to verify strongDM's connection to the cluster. Note that the username must already exist on the target cluster.
Resource Tags (Optional): Assign tags to the resource by entering key-value pairs in the format <KEY>=<VALUE>, such as env=dev.
Click the create button.
The Admin UI updates and shows your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
If any errors occur, please copy them into an email and send them to support@strongdm.com.