Add an EKS Cluster

Last modified on September 7, 2022

This guide describes how to manage access to an Amazon Elastic Kubernetes Service (EKS) cluster via the strongDM Admin UI. Adding an EKS cluster takes place in both the Admin UI and in the AWS Management Console.

Prerequisites

Before you begin, ensure that the EKS API endpoint you are connecting to is reachable from at least one of your strongDM gateways or relays. See our guide on Gateways for more information.

Steps

Get the AWS username and access credentials

  1. In the AWS Management Console, go to Identity and Access Management (IAM) > Users and create an access key ID and secret access key for the IAM user that strongDM will use to reach the EKS cluster. The user does not need any IAM permissions: its access to the cluster is granted through the aws-auth ConfigMap in the next section, so it is best to dedicate a user to this purpose with no IAM policies attached.
  2. Copy the user's Amazon Resource Name (ARN) as well; you need it in the next section.

Grant that user the ability to interact with your cluster

  1. While authenticated to the cluster using your existing connection method, run the following command to open the aws-auth ConfigMap (YAML) in your editor:
    $ kubectl edit -n kube-system configmap/aws-auth

  2. Copy the following snippet and paste it into the file under the data: heading:

        mapUsers: |
          - userarn: <USER_ARN>
            username: <USERNAME>
            groups:
              - <GROUP>
    
  3. In that snippet, do the following:

    1. Replace <USER_ARN> with the full ARN of the IAM user you created, in the form arn:aws:iam::<ACCOUNT_ID>:user/<USERNAME>. The ARN already ends in the username; do not append the username to it again.
    2. Replace <USERNAME> with the IAM username.
    3. Under groups:, specify the Kubernetes group whose RBAC bindings give the permissions level you want this strongDM connection to have (see Kubernetes Roles for more details). The group system:masters used in the example below is unrestricted cluster-admin; outside a sandbox, map the user to a group bound to a narrower ClusterRole or Role instead.

    Example:

      mapUsers: |
        - userarn: arn:aws:iam::123456789012:user/aliceglick
          username: aliceglick
          groups:
            - system:masters
    
  4. Save the file and exit your text editor.
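The procedure above is easy to get wrong in two ways: pasting the username onto the end of an ARN that already contains it, and defaulting to system:masters. The script below is an added example, not strongDM's or AWS's own tooling. It validates an IAM user ARN and prints the mapUsers entry to paste under data:, and prints a ClusterRoleBinding that ties a group to the built-in view ClusterRole so the connection can be mapped to that group instead of system:masters. The group name sdm-readonly, the function names and the sample ARN are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not strongDM's or AWS's own tooling. Builds the mapUsers
# entry for the aws-auth ConfigMap from an IAM user ARN, and a
# ClusterRoleBinding that gives the chosen group read-only access instead
# of system:masters. The group name "sdm-readonly" and the use of the
# built-in "view" ClusterRole are assumptions made for this example.

# Validate that $1 is an IAM *user* ARN of the form
#   arn:aws:iam::<12-digit account>:user/<name>
# and print the user name (a path prefix such as user/eng/alice is
# dropped). Returns 1 otherwise; a role ARN belongs under mapRoles,
# not mapUsers.
iam_user_name() {
  arn=$1
  case $arn in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:user/?*) ;;
    *) echo "not an IAM user ARN: $arn" >&2; return 1 ;;
  esac
  printf '%s\n' "${arn##*/}"
}

# Print the mapUsers block to paste under data: in the aws-auth ConfigMap.
# userarn is the full ARN exactly as copied from IAM; the user name is not
# appended to it a second time.
aws_auth_map_user() {
  arn=$1
  group=$2
  name=$(iam_user_name "$arn") || return 1
  cat <<EOF
mapUsers: |
  - userarn: $arn
    username: $name
    groups:
      - $group
EOF
}

# Print a ClusterRoleBinding that maps a Kubernetes group to the built-in
# "view" ClusterRole (read-only access to most namespaced objects), so the
# strongDM connection can be mapped to that group rather than to
# system:masters, which is unrestricted cluster-admin.
readonly_binding() {
  group=$1
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${group}-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: $group
EOF
}

# Demo with a constructed ARN of the same shape as the page's example.
aws_auth_map_user "arn:aws:iam::123456789012:user/aliceglick" sdm-readonly
echo ---
readonly_binding sdm-readonly
```

Paste the first block into kubectl edit as described above, and apply the second with readonly_binding sdm-readonly | kubectl apply -f -. Swap view for a Role or ClusterRole of your own when the connection needs more than read access.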

Add your EKS cluster in strongDM

  1. Log in to the Admin UI and go to Infrastructure > Clusters.

  2. Click the Add cluster button.

  3. Specify the cluster settings:

    1. Display Name (Required): Enter a meaningful name for this resource, such as eks-sandbox. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).

    2. Cluster Type (Required): Select Elastic Kubernetes Service.

    3. Endpoint (Required): Enter the API server endpoint of the EKS cluster without the https:// scheme, in the format <ID>.<SUFFIX>.<REGION>.eks.amazonaws.com, such as A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com. The endpoint must be reachable from the gateway or relay. To verify this, log in to the gateway or relay server and, from a command prompt, run $ nc -z <YOUR_ENDPOINT> 443. If the connection succeeds, you can proceed. If the cluster has only a private API endpoint, its hostname resolves and is reachable only from inside the cluster's VPC or a network peered with it, so the gateway or relay must be placed there.

    4. Port Override: After a resource is created, the port override is automatically generated. A value between 1024 and 59999 is assigned, as long as it is not used by another resource. You can optionally overwrite it with your own preferred port later in the Port Overrides settings. Note that after changing the port override number, you must also update the kubectl configuration. See section Port Overrides for more information.

    5. Secret Store: If a Secret Store integration is configured, select where the credentials for this cluster are stored.

    6. Access Key ID (Required): Enter the access key ID, such as AKIAIOSFODNN7EXAMPLE, from the AWS key pair you created in Get the AWS username and access credentials.

    7. Secret Access Key (Required): Enter the secret access key, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, from the same AWS key pair.

    8. Server CA (Required): Paste the cluster's certificate authority (PEM plaintext or Base64-encoded), or import a .PEM file. The Base64 form is what the AWS console shows as the cluster's Certificate authority and what aws eks describe-cluster --name <CLUSTER_NAME> --query cluster.certificateAuthority.data --output text returns.

    9. Cluster Name (Required): Enter the name of the EKS cluster as it appears in AWS.

    10. Region (Required): Enter the region of the EKS cluster, such as us-west-2. It must be the region the endpoint belongs to.

    11. Authentication (Required): Select either Leased Credential (the default model to access the cluster) or Remote Identities (to use the Remote Identities of strongDM users to access the cluster).

    12. Healthcheck Username (Required): If Authentication is set to Remote Identities, enter the username strongDM should use to verify its connection to the cluster. The username must already exist on the target cluster.

    13. Healthcheck Namespace (Optional): If enabled for your organization, this field allows you to specify the namespace used for the resource healthcheck. The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe. If not specified, the namespace is set to default.

    14. Assume Role ARN (Optional): Provide the role ARN, such as arn:aws:iam::000000000000:role/RoleName, to have users accessing this resource assume that role using AWS AssumeRole.

    15. Assume Role External ID (Optional): Provide the external ID if the role's trust policy requires one for principals assuming the role from another account. This is optional, but if used, it must be set together with Assume Role ARN. See the AWS documentation on using external IDs for more information.

    16. Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format <KEY>=<VALUE>, such as region=us-west-1.

You can find information about your cluster in the AWS Management Console on your EKS cluster’s General configuration page.
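Several of the fields above can be checked before you click create: the endpoint has a fixed shape and embeds the region, the Region field must agree with it, the endpoint must be reachable from the gateway or relay, and the Server CA you paste should be the one the endpoint actually presents. The script below is an added example, not strongDM's tooling, meant to be run on the gateway or relay. The field names come from the page; the function names, the assumed endpoint shape <ID>.<SUFFIX>.<REGION>.eks.amazonaws.com and the sample endpoint in the demo are assumptions made for this example, and the two network-dependent checks need the AWS CLI, openssl and nc on the host.

```shell
#!/bin/sh
# Added example, not strongDM's tooling: pre-flight checks for the values
# entered in the Add cluster form, meant to be run on the gateway or relay.
# Field names come from the page; the function names, the assumed endpoint
# shape <ID>.<SUFFIX>.<REGION>.eks.amazonaws.com and the constructed sample
# endpoint below are assumptions made for this example.

# Strip an optional https:// scheme and any path from an endpoint value.
eks_host() {
  h=${1#https://}
  printf '%s\n' "${h%%/*}"
}

# Print the region embedded in an EKS API endpoint; return 1 if the host is
# not of the expected shape.
eks_endpoint_region() {
  host=$(eks_host "$1")
  case $host in
    *.eks.amazonaws.com) ;;
    *) echo "not an EKS endpoint: $host" >&2; return 1 ;;
  esac
  rest=${host%.eks.amazonaws.com}   # <ID>.<SUFFIX>.<REGION>
  region=${rest##*.}
  case $region in
    [a-z][a-z]-[a-z]*-[0-9]) printf '%s\n' "$region" ;;
    *) echo "no region in endpoint: $host" >&2; return 1 ;;
  esac
}

# The Region field must name the region the endpoint belongs to.
region_matches() {
  ep_region=$(eks_endpoint_region "$1") || return 1
  [ "$ep_region" = "$2" ]
}

# The page's reachability check, with a 5 s timeout so a private endpoint
# that does not resolve or route from this host fails fast. Not run below.
endpoint_reachable() {
  nc -z -w 5 "$(eks_host "$1")" 443
}

# Pull the cluster CA in the Base64 form the console shows, then check that
# the certificate the endpoint actually presents verifies against it.
# Requires the AWS CLI and openssl; not run below.
ca_matches_endpoint() {
  cluster=$1; region=$2; host=$(eks_host "$3")
  ca=$(mktemp) || return 1
  aws eks describe-cluster --name "$cluster" --region "$region" \
      --query cluster.certificateAuthority.data --output text \
    | base64 -d >"$ca" || { rm -f "$ca"; return 1; }
  [ -s "$ca" ] || { rm -f "$ca"; return 1; }
  # Non-zero exit if the presented chain does not verify against that CA.
  openssl s_client -connect "$host:443" -servername "$host" \
      -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
  rc=$?
  rm -f "$ca"
  return $rc
}

# Demo with the page's sample endpoint: the region it embeds is us-west-2,
# so typing us-west-1 into the Region field would be a mismatch.
ep=A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.eks.amazonaws.com
echo "endpoint region: $(eks_endpoint_region "$ep")"
for r in us-west-2 us-west-1; do
  if region_matches "$ep" "$r"; then echo "$r: ok"; else echo "$r: mismatch"; fi
done
```

On the gateway, follow the demo with endpoint_reachable "$ep" and ca_matches_endpoint <CLUSTER_NAME> us-west-2 "$ep"; a failing CA check usually means the pasted Server CA belongs to a different cluster, and a failing reachability check on a private endpoint means the gateway is outside the cluster's VPC.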

Example EKS Cluster General Configuration in AWS
  4. Click the create button.

The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the cluster to reopen the Connection Details screen, then click Diagnostics to determine where the connection is failing.

If any errors occur, please copy them into an email and send them to support@strongdm.com.
