Add an EKS Cluster

This guide will show you how to manage access to an Amazon Elastic Kubernetes Service (EKS) cluster via the strongDM Admin UI. Adding an EKS cluster takes place in both the Admin UI and in the AWS Management Console.

Prerequisites

Before you begin, ensure that the EKS endpoint you are connecting is accessible from one of your strongDM Gateways or Relays. See our guide on Gateways for more information.

Steps

Get the AWS username and access credentials

  1. In the AWS Management Console, go to Identity and Access Management (IAM) > Users and create a new access key ID and secret access key for the IAM user who will be accessing the EKS cluster. It does not need any specific rights.
  2. While you're at it, copy the User Amazon Resource Name (ARN) because you will need it later.

Grant that user the ability to interact with your cluster

  1. While authenticated to the cluster using your existing connection method, run the following command to edit the aws-auth ConfigMap (YML file) within Kubernetes:
    $ kubectl edit -n kube-system configmap/aws-auth
  2. Copy the following snippet and paste it into the file under the data: heading:

    mapUsers: |
      - userarn: <USER_ARN>/<USERNAME>
        username: <USERNAME>
        groups:
          - <GROUP>
  3. In that snippet, do the following:

    1. Replace <USER_ARN>/<USERNAME> with the ARN of the IAM user you created, so that userarn holds the full user ARN (which already ends in the IAM username, as in the example below).
    2. Replace <USERNAME> with the IAM username.
    3. Under groups:, specify the appropriate group for the permissions level you want this strongDM connection to have (see Kubernetes Roles for more details).

    Example:

    mapUsers: |
      - userarn: arn:aws:iam::123456789012:user/aliceglick
        username: aliceglick
        groups:
          - system:masters

In the YML file, the indentation is critically important. If the indentation is wrong, the Edit command won't give you an error message, but the change will fail. Note that mapUsers should be at the same indent level as mapRoles in that file.

  4. Save the file and exit your text editor.
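Because a mis-indented aws-auth edit fails silently, it is worth checking the ConfigMap text before saving. The Python below is an added example, not part of the strongDM guide or any strongDM tooling: it confirms that mapUsers sits at the same indent level as mapRoles, that the block parses as a list of entries, that each username matches the user name in its ARN, and it flags system:masters so that the group choice is deliberate. The sample ConfigMap text, the flattened copy, and the IAM user ARN pattern are constructed for illustration; in practice you would feed it the output of kubectl get -n kube-system configmap/aws-auth -o yaml.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the original page): the data: section of
# aws-auth with the mapUsers block at the same indent level as mapRoles.
SAMPLE_AWS_AUTH = """\
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/aliceglick
      username: aliceglick
      groups:
        - system:masters
"""

# The same snippet pasted with no indentation: the guide notes that kubectl
# edit gives no error here, yet the change fails, because mapUsers is no
# longer a key under data:.
FLAT_AWS_AUTH = """\
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-node-role
mapUsers: |
- userarn: arn:aws:iam::123456789012:user/aliceglick
username: aliceglick
groups:
- system:masters
"""

# Assumed shape of an IAM user ARN (account id, then user/<name or path/name>).
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_block(text: str, key: str) -> Tuple[int, List[str]]:
    """Return (indent of `key: |`, its block-scalar lines dedented); -1 if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(f"{key}: |"):
            key_indent = _indent(line)
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and _indent(nxt) <= key_indent:
                    break          # back at the key's level: the block scalar ended
                if nxt.strip():
                    body.append(nxt)
            depth = min((_indent(l) for l in body), default=0)
            return key_indent, [l[depth:] for l in body]
    return -1, []


def parse_map_users(block: List[str]) -> List[dict]:
    """Parse '- key: value' items with a 'groups:' list; other shapes raise ValueError."""
    entries, current, entry_indent, in_groups = [], None, None, False
    for line in block:
        ind, s = _indent(line), line.strip()
        if s.startswith("- ") and (entry_indent is None or ind == entry_indent):
            entry_indent, current, in_groups = ind, {"groups": []}, False
            entries.append(current)
            s, ind = s[2:].strip(), ind + 2      # the first key sits after the dash
        elif current is None:
            raise ValueError(f"mapUsers must be a list, got {line!r}")
        elif s.startswith("- "):
            if not in_groups or ind < entry_indent + 2:
                raise ValueError(f"misplaced list item {line!r}")
            current["groups"].append(s[2:].strip())
            continue
        if ind != entry_indent + 2 or ":" not in s:
            raise ValueError(f"bad indentation or missing ':' in {line!r}")
        key, _, value = s.partition(":")
        key, value = key.strip(), value.strip()
        in_groups = key == "groups" and value == ""
        if not in_groups:
            current[key] = value
    return entries


def check_aws_auth(text: str) -> List[str]:
    """Findings about the mapUsers block; an empty list means it looks sound."""
    findings = []
    roles_indent, _ = extract_block(text, "mapRoles")
    users_indent, users_block = extract_block(text, "mapUsers")
    if users_indent < 0:
        return ["mapUsers block not found"]
    if roles_indent >= 0 and roles_indent != users_indent:
        findings.append("mapUsers is not at the same indent level as mapRoles")
    if not users_block:
        return findings + ["mapUsers block is empty: no lines are indented past the key"]
    try:
        entries = parse_map_users(users_block)
    except ValueError as exc:
        return findings + [f"mapUsers does not parse: {exc}"]
    for n, e in enumerate(entries, 1):
        arn, name, groups = e.get("userarn", ""), e.get("username", ""), e["groups"]
        if not USER_ARN_RE.match(arn):
            findings.append(f"entry {n}: userarn {arn!r} is not an IAM user ARN")
        elif name != arn.rsplit("/", 1)[-1]:
            findings.append(f"entry {n}: username {name!r} does not match the ARN's user name")
        if "system:masters" in groups:
            findings.append(f"entry {n}: grants system:masters (cluster-admin); prefer a narrower group")
    return findings
```

Running check_aws_auth over the indented sample yields only the system:masters note, while the flattened copy produces the indent mismatch and an empty block, which is exactly the silent failure the note above describes. The parser deliberately accepts only the shape aws-auth uses, so anything else is reported rather than guessed at.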

Add your EKS cluster in strongDM

  1. Log in to the Admin UI and select Clusters on the left-hand navigation.

  2. Click the add cluster button.

  3. Specify the cluster settings:

    (Image: EKS setup 1)

    • Display Name (Required): Enter a display name for this cluster (e.g., "eks-sandbox"). This name is how the cluster will be shown in the Admin UI.

      Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.

    • Cluster Type (Required): Select Elastic Kubernetes Service.

    • Endpoint (Required): Enter the API server endpoint of the EKS cluster in the format <id>.<region>.eks.amazonaws.com (e.g., A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com). It's imperative that this endpoint can be reached from the Gateway/Relay. To verify this, hop on the Gateway/Relay server, and from a command prompt, type: $ nc -z <YOUR_ENDPOINT> 443. If your Gateway or Relay can connect to this hostname, you will be able to proceed.

    • Secret Store: If a secret store integration is configured, select where the credentials for this cluster will be stored.

    • Access Key ID (Required): Enter the access key ID from the AWS key pair that you created in step 1 (e.g., AKIAIOSFODNN7EXAMPLE).

    • Secret Access Key (Required): Enter the secret access key from the AWS key pair that you created in Step 1 (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

      When your users connect to this cluster, they will have exactly the rights permitted by this AWS key pair. See AWS documentation for more information.

    • Server CA (Required): Paste the server certificate (plaintext or Base64-encoded), or import a PEM file.

    • Cluster Name (Required): Enter the name of the EKS cluster.

    • Region (Required): Enter the region of the EKS cluster (e.g., "us-west-1").

    • Healthcheck Namespace (Optional): If enabled for your organization, you can use this field to specify the namespace used for the resource healthcheck. If you do not specify a namespace, this field defaults to default.

    • Assume Role ARN (Optional): Provide the role ARN (e.g., arn:aws:iam::000000000000:role/RoleName) to allow users accessing this resource to assume a role using AWS AssumeRole functionality.

    • Assume Role External ID (Optional): Provide the external ID if one is required for users assuming a role in another account. This field is optional, but if used, it must be used together with Assume Role ARN. See the AWS documentation on using external IDs for more information.

    • Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format <KEY>=<VALUE> (e.g., region=us-west-1).

    You can find information about your cluster in the AWS Management Console on your EKS cluster’s General configuration page.

    (Image: Example EKS Cluster General Configuration in AWS)
  4. Click the create button.

The Admin UI will update and show your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the cluster to re-open the Connection Details screen, then click Diagnostics to determine where the connection is failing.
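A yellow state most often traces back to the Endpoint field, so the reachability check from the Endpoint step is worth scripting on the Gateway or Relay. The Python below is an added example, not part of the strongDM guide or any strongDM tooling: it reduces whatever was pasted from the console (the API server endpoint is typically shown there with an https:// prefix) to the bare hostname the field expects, checks that the hostname has the shape of the example endpoint on this page (the regex is an assumption drawn from that example, not an AWS-documented format), and, on request, opens a TCP connection to port 443 the way nc -z does.

```python
import re
import socket

# Hostname shape assumed from this page's example endpoint
# (<id>.<label>.<region>.eks.amazonaws.com, with the middle label optional).
# This is an assumption for illustration, not an AWS-documented format.
EKS_ENDPOINT_RE = re.compile(
    r"^[A-Fa-f0-9]{32}(\.[a-z0-9]+)?\.[a-z]{2}(-[a-z]+)+-\d+\.eks\.amazonaws\.com$"
)


def normalize_endpoint(value: str) -> str:
    """Reduce a pasted console value to the bare hostname the Endpoint field expects."""
    host = value.strip()
    if "://" in host:
        host = host.split("://", 1)[1]   # drop the https:// scheme
    host = host.split("/", 1)[0]         # drop any trailing path
    host = host.split(":", 1)[0]         # drop an explicit :443
    return host.rstrip(".")


def is_eks_hostname(host: str) -> bool:
    """True if the hostname matches the assumed EKS API endpoint shape."""
    return bool(EKS_ENDPOINT_RE.match(host))


def tcp_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """The same test as `nc -z <host> 443`: does a TCP handshake complete?
    Run it on the Gateway/Relay, since that is the host that must reach the API server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(value: str, connect: bool = False) -> dict:
    """Normalize the value, validate its shape and, if asked, test reachability on 443."""
    host = normalize_endpoint(value)
    result = {"host": host, "well_formed": is_eks_hostname(host), "reachable": None}
    if connect and result["well_formed"]:
        result["reachable"] = tcp_reachable(host)
    return result


if __name__ == "__main__":
    import sys
    # Usage on the Gateway/Relay: python3 check_endpoint.py <pasted endpoint>
    target = sys.argv[1] if len(sys.argv) > 1 else \
        "https://A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com/"
    print(check_endpoint(target, connect=True))
```

The connect test is opt-in so the shape check can run anywhere; only the reachability result depends on the network the script is run from, which is why it belongs on the Gateway or Relay rather than on your workstation.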

If any errors occur, please copy them into an email and send to support@strongdm.com.
