Add an EKS Cluster
This guide will show you how to manage access to an Amazon Elastic Kubernetes Service (EKS) cluster via the strongDM Admin UI. Adding an EKS cluster takes place in both the Admin UI and in the AWS Management Console.
Prerequisites
Before you begin, ensure that the EKS endpoint you are connecting is accessible from one of your strongDM Gateways or Relays. See our guide on Gateways for more information.
Steps
Get the AWS username and access credentials
- In the AWS Management Console, go to Identity and Access Management (IAM) > Users and create a new access key ID and secret access key for the IAM user who will be accessing the EKS cluster. It does not need any specific rights.
- While you're at it, copy the User Amazon Resource Name (ARN) because you will need it later.
Grant that user the ability to interact with your cluster
- While authenticated to the cluster using your existing connection method, run the following command to edit the aws-auth ConfigMap (YML file) within Kubernetes:

    $ kubectl edit -n kube-system configmap/aws-auth
- Copy the following snippet and paste it into the file under the data: heading:

    mapUsers: |-
      - userarn: <USER_ARN>/<USERNAME>
        username: <USERNAME>
        groups:
          - <GROUP>
In that snippet, do the following:
- Replace <USER_ARN> with the ARN of the IAM user you created.
- Replace <USERNAME> with the IAM username.
- Under groups:, specify the appropriate group for the permissions level you want this strongDM connection to have (see Kubernetes Roles for more details).
Example:

    mapUsers: |-
      - userarn: arn:aws:iam::123456789012:user/aliceglick
        username: aliceglick
        groups:
          - system:masters
In the YML file, the indentation is critically important. If the indentation is wrong, the Edit command won't give you an error message, but the change will fail. Note that mapUsers should be at the same indent level as mapRoles in that file.
- Save the file and exit your text editor.
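The indentation caveat above is the kind of mistake that only shows up later as a failed connection, so here is an added example (not strongDM's tooling) of a few POSIX sh helpers for the aws-auth edit: render_map_users prints a mapUsers entry with the indentation already correct, check_aws_auth verifies that mapUsers and mapRoles start in the same column of a saved ConfigMap, and list_cluster_admins reports which mapped users receive system:masters so you can confirm the permissions level you chose. The function names and the sample ConfigMap are constructed for this example; the only assumption about the file is the standard layout in which the data keys sit two spaces under data: and each value is a block scalar.

```shell
#!/bin/sh
# Added example; not strongDM tooling. Helpers for the aws-auth edit described
# in the guide. Assumes the usual layout: data keys two spaces under "data:",
# each value a YAML block scalar holding a list of mappings.

# Print a mapUsers block for one IAM user, ready to paste under data:.
# $1 = IAM user ARN, $2 = Kubernetes username, $3 = Kubernetes group
render_map_users() {
  printf '  mapUsers: |-\n'
  printf '    - userarn: %s\n' "$1"
  printf '      username: %s\n' "$2"
  printf '      groups:\n'
  printf '        - %s\n' "$3"
}

# Print "ok" when mapRoles: and mapUsers: start in the same column of the
# saved ConfigMap ($1), otherwise "indent-mismatch". kubectl edit accepts a
# mis-indented mapUsers silently; this catches it before you save.
check_aws_auth() {
  awk '
    /^ *mapRoles:/ { r = match($0, /[^ ]/) }
    /^ *mapUsers:/ { u = match($0, /[^ ]/) }
    END { if (r && u && r == u) print "ok"; else print "indent-mismatch" }
  ' "$1"
}

# Print every username in mapUsers whose groups include system:masters,
# i.e. the IAM users this ConfigMap makes cluster administrators.
list_cluster_admins() {
  awk '
    /^ *mapUsers:/ { in_users = 1; next }
    /^ *map[A-Za-z]*:/ { in_users = 0 }
    in_users && /^ *-? *userarn:/ { user = "" }
    in_users && /^ *username:/ { user = $2 }
    in_users && /^ *- *system:masters$/ { print user }
  ' "$1"
}

# Write a constructed aws-auth ConfigMap (sample data, not taken from a real
# cluster) to $1 so the checks above can be exercised offline.
write_sample_aws_auth() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |-
    - userarn: arn:aws:iam::123456789012:user/aliceglick
      username: aliceglick
      groups:
        - system:masters
EOF
}

# Typical use on a workstation that already has cluster access (not run here):
#   kubectl get -n kube-system configmap/aws-auth -o yaml > aws-auth.yaml
#   check_aws_auth aws-auth.yaml && list_cluster_admins aws-auth.yaml
```

Run check_aws_auth against a copy of the ConfigMap before you paste it into kubectl edit; if it reports indent-mismatch, the mapUsers key has landed inside the mapRoles value, which is exactly the case the guide says fails without an error message.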
Add your EKS cluster in strongDM
Log in to the Admin UI and select Clusters on the left-hand navigation.
Click the add cluster button.
Specify the cluster settings:
- Display Name (Required): Enter a display name for this cluster (e.g., "eks-sandbox"). This name is how the cluster will be shown in the Admin UI.
  Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.
- Cluster Type (Required): Select Elastic Kubernetes Service.
- Endpoint (Required): Enter the API server endpoint of the EKS cluster in the format <id>.<region>.eks.amazonaws.com (e.g., A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com). It is imperative that this endpoint can be reached from the Gateway/Relay. To verify this, log on to the Gateway/Relay server and, from a command prompt, run:

    $ nc -z <YOUR_ENDPOINT> 443

  If your Gateway or Relay can connect to this hostname, you will be able to proceed.
- Secret Store: If a secret store integration is configured, select where the credentials for this cluster will be stored.
- Access Key ID (Required): Enter the access key ID from the AWS key pair that you created in step 1 (e.g., AKIAIOSFODNN7EXAMPLE).
- Secret Access Key (Required): Enter the secret access key from the AWS key pair that you created in step 1 (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). When your users connect to this cluster, they will have exactly the rights permitted by this AWS key pair. See AWS documentation for more information.
- Server CA (Required): Paste the server certificate (plaintext or Base64-encoded), or import a PEM file.
- Cluster Name (Required): Enter the name of the EKS cluster.
- Region (Required): Enter the region of the EKS cluster (e.g., "us-west-1").
- Healthcheck Namespace (Optional): If enabled for your organization, you can use this field to specify the namespace used for the resource healthcheck. If you do not specify a namespace, this field defaults to default.
- Assume Role ARN (Optional): Provide the role ARN (e.g., arn:aws:iam::000000000000:role/RoleName) to allow users accessing this resource to assume a role using AWS AssumeRole functionality.
- Assume Role External ID (Optional): Provide the external ID if you are using an external ID for users assuming a role from another account. This is optional, but if used, it must be used in conjunction with Assume Role ARN. See the AWS documentation on using external IDs for more information.
- Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format <KEY>=<VALUE> (e.g., region=us-west-1).
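Several of the fields above have a shape you can check before clicking create, and a region that disagrees with the endpoint or an endpoint pasted with its https:// prefix is a common reason the cluster comes up yellow. The following is an added example (not strongDM's tooling) of a small POSIX sh pre-flight script that validates the endpoint format, confirms the Region field matches the region embedded in the endpoint, checks the access key ID shape, confirms the Server CA file contains a PEM certificate block, and runs the same nc -z reachability test the guide describes. Assumptions: the endpoint is <id>.<segment>.<region>.eks.amazonaws.com without a scheme, AWS region names look like us-west-2, and access key IDs are 20 characters beginning AKIA (long-term) or ASIA (temporary); the function names and the PREFLIGHT_OFFLINE switch are constructed for this example.

```shell
#!/bin/sh
# Added example; not strongDM tooling. Sanity-check the values for the
# cluster form before clicking create. Run it on the Gateway/Relay host so the
# reachability test reflects the path strongDM will actually use.

# Print the region segment of an EKS endpoint (third dot-separated label).
endpoint_region() {
  printf '%s\n' "$1" | awk -F. '{ print $3 }'
}

# 0 when the endpoint looks like <id>.<segment>.<region>.eks.amazonaws.com.
# A leading https:// or a trailing path fails here on purpose.
eks_endpoint_ok() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9]+\.[a-z0-9]+\.[a-z]{2}-[a-z]+-[0-9]+\.eks\.amazonaws\.com$'
}

# 0 when the access key ID has the long-term (AKIA) or temporary (ASIA) shape
# (assumed 20 characters). Catches pasting the secret into the ID field.
access_key_id_ok() {
  printf '%s\n' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$'
}

# 0 when the file holds at least one PEM certificate block.
server_ca_ok() {
  grep -q 'BEGIN CERTIFICATE-----' "$1" && grep -q 'END CERTIFICATE-----' "$1"
}

# Same TCP check the guide describes, with a 5-second timeout.
# Skipped when PREFLIGHT_OFFLINE=1 so the format checks can run without network.
endpoint_reachable() {
  [ "${PREFLIGHT_OFFLINE:-0}" = 1 ] && return 0
  nc -z -w 5 "$1" 443
}

# preflight ENDPOINT REGION ACCESS_KEY_ID CA_FILE
# Prints one line per problem and returns the number of problems found,
# so a zero exit status means every check passed.
preflight() {
  problems=0
  if ! eks_endpoint_ok "$1"; then
    echo "endpoint: expected <id>.<region>.eks.amazonaws.com without https://"
    problems=$((problems + 1))
  elif [ "$(endpoint_region "$1")" != "$2" ]; then
    echo "region: form says $2 but the endpoint is in $(endpoint_region "$1")"
    problems=$((problems + 1))
  fi
  access_key_id_ok "$3" || { echo "access key id: unexpected format"; problems=$((problems + 1)); }
  server_ca_ok "$4" || { echo "server ca: no PEM certificate block in $4"; problems=$((problems + 1)); }
  endpoint_reachable "$1" || { echo "endpoint: port 443 not reachable from this host"; problems=$((problems + 1)); }
  return "$problems"
}

# Example invocation with the guide's sample values (not run here):
#   preflight A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com \
#     us-west-2 AKIAIOSFODNN7EXAMPLE ./server-ca.pem
```

The secret access key is deliberately not passed to the script, so nothing sensitive lands in shell history or logs; the access key ID check exists mainly to catch the two fields being swapped.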
Click the create button.
The Admin UI will update and show your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the cluster to re-open the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
If any errors occur, please copy them into an email and send to support@strongdm.com.