Add a Kubernetes Cluster

Last modified on October 4, 2023

This guide describes how to manage access to a Kubernetes cluster via the StrongDM Admin UI. This process involves creating and configuring a new cluster in the Admin UI and checking the connection to your Kubernetes API server.

Prerequisites

Ensure that the Kubernetes API server that you are adding to StrongDM is accessible from your StrongDM gateways or relays. See our guide on nodes for more information.

Add Your Kubernetes Cluster in StrongDM

  1. Log in to the Admin UI and go to Infrastructure > Clusters.

  2. Click the Add cluster button.

  3. Select Kubernetes as the Server Type and set other resource properties to configure how the StrongDM relay connects.

    Google Kubernetes Engine Cluster Setup in Admin UI
    Google Kubernetes Engine Cluster Setup in Admin UI
  4. Click Create to save the resource.

The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

Resource properties

Configuration properties are visible when you add a Cluster Type or when you click to view the cluster’s settings. The following table describes the settings available for your Kubernetes cluster.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSelect Kubernetes
HostnameRequiredHostname or IP address of the Kubernetes API server, such as api.kubernetes.example.com; relay server should be able to connect to your Kubernetes API server
PortRequiredPort to connect to the API server; default port value 443
Bind InterfaceRead onlyAutomatically generated IP address value in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1; preferred bind interface value can be modified later under Settings > Port Overrides
Port OverrideRead onlyAutomatically generated with a value between 1024 to 59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides; after specifying the port override number, you must also update the kubectl configuration, which you can learn more about in section Port Overrides
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
Server CARequiredPasted server certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Client CertificateRequiredPasted client certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the client certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Client KeyRequiredPasted client key (plaintext or Base64-encoded) or imported PEM file; you can either generate the client key on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Healthcheck NamespaceOptionalIf enabled for your organization, the namespace used for the resource healthcheck; defaults to default if empty; supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe namespace
AuthenticationRequiredAuthentication method to access the cluster; select either Leased Credential (default) or Remote Identities (to use the Remote Identities of StrongDM users to access the cluster)
Healthcheck UsernameRequiredIf Authentication is set to Remote Identities, the username that should be used to verify StrongDM’s connection to it; username must already exist on the target cluster
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

How to get the server CA from your kubeconfig file

  1. Open the CLI and type cat ~/.kube/config to view the contents of the file.
  2. In the file, under - cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.
  - cluster:
  certificate-authority-data: ... SERVER CERT BASE64 ...

How to get the client certificate from your kubeconfig file

  1. From the CLI, type cat ~/.kube/config to view the contents of the file.
  2. In the file, under - name, copy the client-certificate-data value. That is the client certificate in Base64 encoding.
  - name: clusterUser_StrongDM_example
  user:
  client-certificate-data: ... CLIENT CERT BASE64...

How to get the client key from your kubeconfig file

  1. Open the CLI and type cat ~/.kube/config to view the file.
  2. In the file, under - name, copy the client-key-data value. That is the client private key in Base64 encoding.
  - name: clusterUser_StrongDM_example
  user:
  client-key-data: ... CLIENT PRIVATE KEY BASE64...

Secret Store options

By default, server credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown menu if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.