StrongDM Client Containers in Kubernetes With Helm

Last modified on March 1, 2023

Overview

This guide provides instructions to add the StrongDM native client container to your Kubernetes cluster. We will focus on using Helm charts to accomplish this goal. For more, read about the benefits of using Helm.

Prerequisites

To successfully follow the steps in this guide, you must meet the following general requirements:

  • Ensure that you are an Administrator in StrongDM.
  • Have a running Kubernetes cluster with publicly accessible nodes and stable IPs.
  • Install the kubectl command-line tool to interact with your Kubernetes clusters.
  • Obtain a valid StrongDM service token.
  • Run a Kubernetes cluster v1.16+.
  • Install Helm 3.0+ and Git locally.
  • If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.

Create a Service Token

Use the steps below to create a service token in the Admin UI. Service tokens allow programmatic access to StrongDM resources. For more, see Service Accounts.

  1. Go to the Admin UI and select Users from the main navigation.
  2. Click Add Service.
  3. Enter a name for the service account. User information, such as name or email address, is not necessary since service accounts facilitate machine-to-machine communication.
  4. Click Create service account.
  5. A modal appears with the service token. Copy the token and set it aside, being careful to capture every character. You need it again in the next step.
  6. On macOS, encode the resulting token in base64 using echo -n [token-string] | base64. PowerShell and Windows commands may differ.

Install the sdm-client Helm Chart

To leverage the flexibility of Helm, we created charts to deploy your StrongDM client container across your Kubernetes clusters. For more, see our StrongDM charts repository. You can use the following steps to install the client container with Helm.

  1. Follow the steps to create a service token. You need this token in step 4.

  2. Add the StrongDM chart repository.

    helm repo add strongdm https://helm.strongdm.com/stable/
    

    The output confirms the chart was added:

    "strongdm" has been added to your repositories
    
  3. To obtain the chart deployment files, clone the StrongDM charts repository. You need to complete this for the next step.

  4. Go to the cloned local copy of the StrongDM charts repository created in the previous step. It contains a local copy of the sdm-client values.yaml file that can be used as a template.

  5. Open this local values.yaml file to view and configure chart parameters listed in the following table. Make sure to add the Base64-encoded value of the service token you generated.

    | Parameter | Required | Default | Description |
    |---|---|---|---|
    | .global.service.type | Optional | ClusterIP | Determines the kind of service to run, for example ClusterIP or LoadBalancer |
    | .global.secret.token | Required | None | Includes the Base64-encoded value of the service token generated in the Admin UI |
    | .global.deployment.replicas | Optional | 1 | Shows the number of container replicas to run for the deployment |
    | .global.deployment.repository | Required | quay.io/sdmrepo/client | Identifies the location to pull the image for the StrongDM client; this can be any repository or a local image (for example, sdm-custom-image:latest) |
    | .global.deployment.tag | Required | latest | Assigns tags for the image used for the StrongDM client |
    | .global.deployment.imagePullPolicy | Required | Always | Shows the policy for pulling a new image from the repo |
    | .global.deployment.ports | Optional | None | Indicates the port the service listens on; ports coincide with the port you expose from StrongDM |
    | .configmap.SDM_DOCKERIZED | Optional | true | Sends logs automatically to STDOUT when set to true, overriding settings in the Admin UI |

  6. Install the chart archive. Replace <RELEASE_NAME> with a unique and meaningful value to help track package deployments and releases. The value after the -f flag includes the path or URL to your YAML file. To learn more, see the helm install reference documentation.

    helm install <RELEASE_NAME> strongdm/sdm-client -f myvalues.yaml
    
    NAME: sdm-client-070722
    LAST DEPLOYED: Thu Jul  7 16:50:24 2022
    NAMESPACE: default
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    Thank you for installing sdm-client using helm. If you run into any errors please reach out to support@strongdm.com.
    
    Your release is named sdm-client-070722.
    
    To learn more about the release, try:
    
    helm status sdm-client-070722
    helm get all sdm-client-070722
    
  7. Confirm the StrongDM client is running in your cluster:

    kubectl get all
    
    NAME                                                      READY      STATUS          RESTARTS     AGE
    pod/sdm-client-070722-deployment-b954bdfb8-bjtzk          1/1        Running         0            4m42s
    pod/sdm-gateway-070722-deployment-847fcf75f9-c7854        1/1        Running         0            6h35m
    
    NAME                                                      TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)             AGE
    service/kubernetes                                        ClusterIP  10.100.0.1      <none>       443/TCP             45h
    service/sdm-client-070722-svc                             ClusterIP  10.100.241.189  <none>       15432/TCP,15433/TCP 4m42s
    service/sdm-gateway-070722-svc                            NodePort   10.100.24.181   <none>       30001:30001/TCP     6h35m
    
    NAME                                                      READY      UP-TO-DATE      AVAILABLE    AGE
    deployment.apps/sdm-client-070722-deployment              1/1        1               1            4m43s
    deployment.apps/sdm-gateway-070722-deployment             1/1        1               1            6h35m
    
    NAME                                                      DESIRED    CURRENT         READY        AGE
    replicaset.apps/sdm-client-070722-deployment-b954bdfb8    1          1               1            4m43s
    replicaset.apps/sdm-gateway-070722-deployment-847fcf75f9  1          1               1            6h35m
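
The token-encoding step and the .global.secret.token parameter above, as an added shell example that is not part of the StrongDM documentation: it encodes the token as a single Base64 line on both macOS and Linux, rejects a value that carries a stray newline or line wrap, and writes it to a values file only the owner can read. The function names, the token.txt input file, and the YAML nesting (inferred from the parameter path) are assumptions.

```shell
#!/bin/sh
# Added example: names and file layout are illustrative, not StrongDM's.

# Encode a token from stdin as ONE base64 line. GNU base64 wraps at 76
# columns (macOS does not); a wrapped value breaks the YAML scalar.
encode_token() {
    tr -d '\r\n' | base64 | tr -d '\n'
}

# Decode stdin; -d is GNU/newer macOS, -D is older macOS.
decode_token() {
    b64=$(cat)
    printf '%s' "$b64" | base64 -d 2>/dev/null ||
        printf '%s' "$b64" | base64 -D 2>/dev/null
}

# Return 0 only if $1 is single-line base64 whose decoded form is non-empty
# and has no whitespace (catches `echo` without -n and pasted line breaks).
check_token_value() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    # Append "x" so $(...) does not silently strip a trailing newline.
    raw=$(printf '%s' "$1" | decode_token && printf x) || return 1
    raw=${raw%x}
    case "$raw" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Write the encoded token ($1) to a values file ($2) readable only by the
# owner. Base64 is an encoding, not encryption, so treat the file as a secret.
# Assumption: YAML nesting mirrors the .global.secret.token parameter path.
write_values() {
    check_token_value "$1" || { echo "refusing: bad token value" >&2; return 1; }
    ( umask 077
      printf 'global:\n  secret:\n    token: "%s"\n' "$1" > "$2" &&
          chmod 600 "$2" )
}

# Usage (token read from a file or pasted on stdin, so it stays out of
# shell history):
#   write_values "$(encode_token < token.txt)" myvalues.yaml
```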
    

Upgrade the sdm-client Helm chart

To upgrade the sdm-client Helm chart, run the following command. For more, see the helm upgrade command documentation.

    helm upgrade <RELEASE_NAME> strongdm/sdm-client --install

Uninstall the sdm-client Helm chart

You can uninstall the Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.

    helm uninstall <RELEASE_NAME>

If any errors occur, please contact support@strongdm.com for help.
