
Add a Kubernetes Cluster

This guide will show you how to manage access to a Kubernetes cluster via the strongDM Admin UI. This process involves creating and configuring a new Cluster in the Admin UI and checking the connection to your Kubernetes API server.

Before You Begin

Ensure that the Kubernetes API server that you will be adding to strongDM is accessible from your strongDM Gateways/Relays. See our guide on Gateways for more information.

Steps

  1. Log in to the Admin UI and select Clusters on the left-hand navigation.

  2. In the upper right-hand section of the screen, click the add cluster button.

  3. In the cluster settings, set:

    1. Display Name: Type in a name for the server (e.g., “k8s-sandbox”); this name will show up in the Admin UI.

      We recommend that you choose a name without spaces because some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces.

    2. Cluster Type: Select Kubernetes.

    3. Hostname: Enter the hostname or IP address of the Kubernetes API server (e.g., “api.kubernetes.example.com”).

      Your Gateways/Relays must be able to connect to the entry you choose for the Hostname. To verify the connection, open a command prompt on the Gateway/Relay server and run: $ nc -z <HOSTNAME> <PORT> (substituting the hostname and port you entered). If the command succeeds, the Gateway/Relay can reach the API server and you can proceed.

    4. Port: Enter the port (default: 443) to connect to the API server.

    5. Secret Store: Choose where the credentials for this cluster will be stored.

    6. Server CA: Paste the server certificate (plaintext or Base64-encoded), or import a PEM file. You can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (i.e., kubeconfig) file.

      To get the server CA from your kubeconfig file:

      1. Open the CLI and type cat ~/.kube/config to view the contents of the file.

      2. In the file, under - cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.

        - cluster:
            certificate-authority-data: ... SERVER CERT BASE64 ...
    7. Client Certificate: Paste the client certificate (plaintext or Base64-encoded), or import a PEM file. You can either generate the client certificate on the API server or get it in Base64 format from your kubeconfig file.

      To get the client certificate from your kubeconfig file:

      1. From the CLI, type cat ~/.kube/config to view the contents of the file.

      2. In the file, under - name, copy the client-certificate-data value. That is the client certificate in Base64 encoding.

        - name: clusterUser_StrongDM_example
          user:
            client-certificate-data: ... CLIENT CERT BASE64 ...
    8. Client Key: Paste the client private key (plaintext or Base64-encoded), or import a PEM file. You can either generate the client private key on the API server or get it in Base64 format from your kubeconfig file.

      To get the client private key from your kubeconfig file:

      1. Open the CLI and type cat ~/.kube/config to view the file.

      2. In the file, under - name, copy the client-key-data value. That is the client private key in Base64 encoding.

        - name: clusterUser_StrongDM_example
          user:
            client-key-data: ... CLIENT PRIVATE KEY BASE64 ...

        When your users connect to this cluster via strongDM, they will have exactly the same rights as the user associated with these keys.

    9. Healthcheck Namespace (Required): If enabled for your organization, this allows you to specify the namespace used for the resource healthcheck. If not specified, the namespace is set to "default." The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe.
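The three kubeconfig lookups in steps 6 to 8, plus the Hostname/Port split from step 3, as one added shell example (this is not strongDM's own tooling). It assumes a kubeconfig that carries the credential data inline (certificate-authority-data, client-certificate-data, client-key-data) rather than as file paths, and it builds a constructed sample kubeconfig with placeholder PEM blocks so it runs offline. Each field is Base64-decoded and checked for the expected PEM label before you paste it into the Admin UI, which catches the common mistake of copying the wrong line or a truncated value.

```shell
#!/bin/sh
# Added example, not strongDM's own code: pull the Hostname/Port and the three
# Base64 credential fields the Add Cluster form asks for out of a kubeconfig,
# and confirm each one decodes to a PEM block before it is pasted into the UI.
# Assumes the kubeconfig carries the data inline, not as file paths.

# kubeconfig_field FILE KEY: print the value of the first "KEY:" line in FILE
kubeconfig_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# server_host_port FILE: split the "server:" URL into "HOST PORT"
# (port defaults to 443 when the URL carries none, matching the form default)
server_host_port() {
  url=$(kubeconfig_field "$1" server)
  hostport=${url#*://}          # drop the scheme
  hostport=${hostport%%/*}      # drop any path
  host=${hostport%%:*}
  port=${hostport#*:}
  if [ "$port" = "$hostport" ]; then port=443; fi
  echo "$host $port"
}

# pem_label B64: decode B64 and print the label of its first PEM block, or nothing
pem_label() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# check_field FILE KEY PATTERN: succeed only if KEY is present and decodes to a
# PEM block whose label matches the shell pattern PATTERN
check_field() {
  value=$(kubeconfig_field "$1" "$2")
  if [ -z "$value" ]; then echo "$2: missing" >&2; return 1; fi
  label=$(pem_label "$value")
  case "$label" in
    $3) echo "$2: OK ($label)"; return 0 ;;
    *)  echo "$2: does not decode to a '$3' PEM block" >&2; return 1 ;;
  esac
}

# Constructed sample kubeconfig. The PEM bodies are placeholders, not real keys.
PLACEHOLDER_CERT='-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----'
PLACEHOLDER_KEY='-----BEGIN EC PRIVATE KEY-----
placeholder-not-a-real-key
-----END EC PRIVATE KEY-----'
CERT_B64=$(printf '%s\n' "$PLACEHOLDER_CERT" | base64 | tr -d '\n')
KEY_B64=$(printf '%s\n' "$PLACEHOLDER_KEY" | base64 | tr -d '\n')

SAMPLE_KUBECONFIG=$(mktemp)
cat > "$SAMPLE_KUBECONFIG" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $CERT_B64
    server: https://api.kubernetes.example.com:6443
  name: example
users:
- name: clusterUser_StrongDM_example
  user:
    client-certificate-data: $CERT_B64
    client-key-data: $KEY_B64
EOF

# Values to enter in the Add Cluster form, with a sanity check on each credential
echo "Hostname / Port: $(server_host_port "$SAMPLE_KUBECONFIG")"
check_field "$SAMPLE_KUBECONFIG" certificate-authority-data 'CERTIFICATE'
check_field "$SAMPLE_KUBECONFIG" client-certificate-data 'CERTIFICATE'
check_field "$SAMPLE_KUBECONFIG" client-key-data '*PRIVATE KEY'
```

To use it against a real file, point the functions at ~/.kube/config instead of the constructed sample; the client-key-data check accepts any PEM label ending in PRIVATE KEY because kubeconfig keys may be RSA, EC or PKCS#8. Remember that whoever holds these three values has exactly the rights of that Kubernetes user, so keep the decoded output off shared terminals and shell history.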

After you click the create button, the Admin UI will update and show your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to re-open the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

If any errors occur, please copy them into an email and send them to support@strongdm.com.
