Add an EKS Cluster
Adding an EKS cluster takes place in both the Admin UI and the AWS console for the cluster you're adding to the strongDM network.
Before beginning, ensure that the EKS endpoint you're connecting is accessible from one of your strongDM gateways or relays. See our guide on Gateways for more information.
Generate an Access Key ID and Secret Access Key for an IAM user in AWS. The user does not need any specific rights, but you will need its ARN in Step 4.
While already authenticated to the cluster using your existing connection method, run this:
$ kubectl edit -n kube-system configmap/aws-auth
This will bring up a text editor with a YAML file.
In that file, add the following under the data: heading. Please note: the indentation is CRITICALLY IMPORTANT. If the indentation is wrong the edit command won't give you an error message, but the change will fail. (mapUsers should be at the same indent level as mapRoles in that file.) Replace the userarn value with the ARN of the IAM user you created, and the username value with the username. Under groups, select the appropriate group for the permissions level you want this SDM connection to have (see Kubernetes Roles for more details).
  mapUsers: |
    - userarn: arn:aws:iam::xxxxxxxxxx:user/usernamehere
      username: usernamehere
      groups:
        - system:masters
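As an added check for the step above (example code, not strongDM's or AWS's own), the following Python script applies the same indentation rule YAML uses to an aws-auth ConfigMap and reports when a mis-indented mapUsers has been swallowed into the mapRoles block (the silent failure described above), when a user entry is missing userarn, username or groups, or when the account id in the ARN is still a placeholder. The ConfigMap text, the account id 123456789012 and the user name sdm-eks are constructed for the example.

```python
"""Sanity-check an edited aws-auth ConfigMap before saving it.
Added example for the configmap step above, not strongDM's or AWS's code. The
ConfigMap text is constructed: account id 123456789012 and user sdm-eks are
placeholders, not a real account."""
import re
from typing import Dict, List

# Constructed sample of what `kubectl edit -n kube-system configmap/aws-auth`
# shows after the mapUsers block from the step above has been added.
GOOD_AWS_AUTH = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/eks-node-group-role
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::123456789012:user/sdm-eks
      username: sdm-eks
      groups:
        - system:masters
"""
# The same edit pasted one level too deep: YAML then treats "mapUsers:" as text
# inside the mapRoles block scalar, the editor saves it without error, and the
# strongDM user mapping never takes effect.
BAD_INDENT_AWS_AUTH = GOOD_AWS_AUTH.replace("\n  mapUsers: |", "\n    mapUsers: |")
USER_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>[^:]*):user/.+$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _data_blocks(text: str) -> Dict[str, List[str]]:
    """Map each 'key: |' block directly under data: to its content lines, using
    YAML's rule that a block scalar owns every following deeper-indented line."""
    blocks: Dict[str, List[str]] = {}
    data_indent, current, current_indent = None, None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ind = _indent(line)
        if line.strip() == "data:":
            data_indent, current = ind, None
            continue
        if data_indent is None:
            continue
        if ind <= data_indent:                      # left the data: mapping
            data_indent, current = None, None
            continue
        if current is not None and ind > current_indent:
            blocks[current].append(line)            # content of the open block
            continue
        m = re.match(r"^(\w+):\s*\|-?$", line.strip())
        if m:                                       # a new sibling key under data:
            current, current_indent = m.group(1), ind
            blocks[current] = []
    return blocks


def _parse_entries(content: List[str]) -> List[Dict[str, object]]:
    """Parse the '- userarn: ...' list inside a block scalar (no PyYAML needed)."""
    entries: List[Dict[str, object]] = []
    if not content or not content[0].strip().startswith("- "):
        return entries
    base = _indent(content[0])
    for line in content:
        ind, s = _indent(line), line.strip()
        if ind == base and s.startswith("- "):
            entries.append({})                      # a new user entry
            s = s[2:]
        elif ind > base and s.startswith("- "):     # an item of the groups list
            entries[-1].setdefault("groups", []).append(s[2:].strip())
            continue
        key, _, value = (part.strip() for part in s.partition(":"))
        entries[-1][key] = [] if key == "groups" and not value else value
    return entries


def check_aws_auth(text: str) -> List[str]:
    """Return the problems found; an empty list means the edit looks right."""
    problems: List[str] = []
    blocks = _data_blocks(text)
    if "mapUsers" not in blocks:
        problems.append("mapUsers is not a key directly under data:")
        for key, content in blocks.items():
            if any(ln.strip().startswith("mapUsers:") for ln in content):
                problems.append(f"a 'mapUsers:' line is indented inside the {key} block and "
                                "will be ignored; align it with the other keys under data:")
        return problems
    entries = _parse_entries(blocks["mapUsers"])
    if not entries:
        problems.append("mapUsers block contains no '- userarn:' entries")
    for n, entry in enumerate(entries, 1):
        for field in ("userarn", "username", "groups"):
            if not entry.get(field):
                problems.append(f"mapUsers entry {n}: missing {field}")
        m = USER_ARN_RE.match(str(entry.get("userarn", "")))
        if not m or not re.fullmatch(r"\d{12}", m.group("account")):
            problems.append(f"mapUsers entry {n}: userarn is not an IAM user ARN with a "
                            "12-digit account id (placeholder left in?)")
    return problems
```

Paste the text you are about to save into a file and pass its contents to check_aws_auth; an empty result is what you want before you leave the editor. The checker deliberately avoids a YAML library so it can run on a bare gateway host, and it only understands the two block-scalar keys this ConfigMap actually uses.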
Log in to the Admin UI and select Clusters in the left-hand navigation.
In the upper right-hand section of the screen, click the 'add cluster' button. Under 'Cluster Type' select Amazon Elastic Kubernetes Service.
Type in a Display Name. This is how the cluster will show up in the Admin UI.
Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.
Enter the endpoint of the EKS cluster. It's imperative that this endpoint can be reached from the gateway/relay. To verify this, hop on the gateway/relay server, and from a command prompt, type:
$ nc -z <YOUR_ENDPOINT> 443
If your gateway or relay can connect to this hostname, you'll be able to proceed---in this case,
Enter the Access Key ID and Secret Access Key from step 2 above.
When your users connect to this cluster, they will have exactly the rights permitted by this AWS key pair. See this Amazon document for more information.
Enter the Server CA, Cluster Name, and Region of the EKS cluster in the remaining fields. All of this information is available on the main cluster information page in the AWS console.
Assume Role ARN (Optional). You may allow users accessing this resource to assume a role using the AWS AssumeRole functionality by providing the Role ARN in this field.
External ID (Optional). If leveraging an External ID for users assuming a role from another account, you may provide that in this field. Note that this is optional, but if used, it must be used in conjunction with Assume Role ARN. See the AWS Documentation on using External IDs for more information.
Healthcheck Namespace (Required): If enabled for your organization, this allows you to specify the namespace used for the resource healthcheck. If not specified, the namespace is set to "default." The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace:
get deployments, or
Click the create button. Once this is done, the Admin UI will update and show your new server in a green or yellow state. If yellow, click the pencil icon to the right of the server to re-open the Connection Details screen, then click Diagnostics to determine where the connection is failing.
If any errors occur, please copy them into an email and send to firstname.lastname@example.org.