Deploy Kubernetes Proxy Cluster
Last modified on June 9, 2025
Overview
This guide describes how to deploy a proxy cluster in your Kubernetes cluster. If you are trying to install a gateway or relay and not a proxy cluster, see the Nodes in Kubernetes guide.
Prerequisites
To be successful when using this guide, you must meet the following general requirements:
- Ensure that you are an Administrator in StrongDM.
- Be sure that your Kubernetes cluster(s) is at v1.16 or later and has publicly accessible nodes and stable IPs.
- Install the kubectl command-line tool locally to interact with your Kubernetes clusters.
- Install Helm 3.0 or later locally.
- If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.
Register the Proxy Cluster
You must first register the proxy cluster with StrongDM via the Admin UI and generate an authentication key for it. You will need to give the cluster a name and address.
Unfortunately it is not usually possible to know which external address the cluster will receive from Kubernetes before you deploy it. You should choose one of the following methods to handle the unknown address:
- Use a placeholder address for the cluster. After deploying the cluster, determine the address of the load balancer using kubectl get svc and update the cluster configuration in StrongDM to match.
- Choose a domain name ahead of time for the cluster address. After deploying the cluster, determine the address of the load balancer using kubectl get svc and manually update your domain records to point to it.
- Choose a domain name ahead of time for the cluster address. Use a DNS controller to make Kubernetes automatically point the domain to your proxy cluster.
After choosing a strategy to configure the proxy cluster and update its address, follow these steps to register the cluster.
- Log in to the StrongDM Admin UI.
- Go to Networking > Proxy Clusters.
- Click Add proxy cluster.
- For Name, enter a name for the cluster.
- For Advertised Address, enter your chosen address and port for the cluster (we recommend port 443; for example, 172.16.50.2:443).
- Click Create proxy cluster.
- Click Add authentication key. The key appears in a modal. Copy the key and keep it in a secure place.
To generate a key via the CLI, use the sdm admin nodes create-proxy-cluster command.
Manage Kubernetes Proxy Clusters With Helm
To manage deployments of proxy clusters across your Kubernetes cluster, we recommend that you use our Helm charts and leverage the flexibility of Helm.
Install the sdm-proxy Helm chart
You can use the following steps to install proxies with Helm. Note that this example creates a single proxy worker. If you intend to have a proxy cluster with multiple workers, they will need to be behind a load balancer, as described in the Proxy Clusters section.
- Create a values.yaml file for use with the Helm chart. You can see a reference schema of the available options in the sdm-proxy GitHub repository values.yaml file or on ArtifactHub for further customization. The minimum values that must be specified in order to create the proxy cluster worker, register it with your organization, and register the cluster as a resource are shown in the following example.
strongdm:
  auth: # StrongDM authentication sources
    clusterKey: "" # SDM_PROXY_CLUSTER_ACCESS_KEY with which this proxy should authenticate itself
    clusterSecret: "" # SDM_PROXY_CLUSTER_SECRET_KEY with which this proxy should authenticate itself
    adminToken: "" # SDM_ADMIN_TOKEN with which to create StrongDM resources
  autoRegisterCluster: # Register this cluster as a resource in StrongDM
    enabled: true
- Install the Helm chart. Replace <RELEASE_NAME> with a unique and meaningful name.
helm repo add strongdm https://helm.strongdm.com/stable/
helm install <RELEASE_NAME> strongdm/sdm-proxy -f values.yaml
helm status <RELEASE_NAME>
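The values.yaml file holds the cluster key, cluster secret and admin token in plaintext, so it is worth checking before the helm install step above. The following preflight is an added example, not part of the StrongDM chart or documentation; the function names yaml_value and preflight_values are hypothetical and the sample credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight for the values.yaml above. Function names are
# hypothetical; this is not StrongDM or Helm tooling.

# Print the scalar on the first "<key>:" line, without comment or quotes.
yaml_value() {  # $1 = key name, $2 = file
  awk -v k="$1:" '
    $1 == k {
      sub(/^[^:]*:[ \t]*/, "")       # drop "key:"
      sub(/^#.*$/, "")               # value is only a comment
      sub(/[ \t]+#.*$/, "")          # drop trailing "# comment"
      sub(/[ \t]+$/, "")             # drop trailing whitespace
      sub(/^"/, ""); sub(/"$/, "")   # drop surrounding double quotes
      print; exit
    }' "$2"
}

# Return 0 only if the file is private to its owner and every credential is set.
preflight_values() {  # $1 = path to values.yaml
  f=$1; rc=0
  [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "$f is accessible to group/other; run: chmod 600 $f" >&2; rc=1
  fi
  for key in clusterKey clusterSecret adminToken; do
    if [ -z "$(yaml_value "$key" "$f")" ]; then
      echo "strongdm.auth.$key is empty in $f" >&2; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample with placeholder credentials (not real keys).
demo=$(mktemp)   # mktemp creates the file with owner-only permissions
cat > "$demo" <<'EOF'
strongdm:
  auth:
    clusterKey: "EXAMPLE_ACCESS_KEY"
    clusterSecret: "" # left empty on purpose
    adminToken: "EXAMPLE_ADMIN_TOKEN"
  autoRegisterCluster:
    enabled: true
EOF
preflight_values "$demo" || echo "preflight failed: fix values.yaml before helm install"
rm -f "$demo"
```

Keep the populated values.yaml out of version control as well, since it carries the same credentials the Admin UI told you to store in a secure place.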
If you wish, you can verify that the chart created the proxy cluster worker, and that the resource was added to your StrongDM organization with the following methods:
- You can check that the proxy cluster worker is running in your cluster with kubectl get services.
- You can check that the cluster is added to StrongDM as a resource by looking in the Admin UI under Resources > Clusters, or by using the CLI (sdm admin clusters list). If you did not specify any settings for your cluster resource, it will be named something based on your chosen <RELEASE_NAME>.
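For the placeholder-address method described under Register the Proxy Cluster, the check below reads the kubectl get svc table and compares the load balancer's external address with the Advertised Address registered in StrongDM. It is an added example, not StrongDM tooling; the function names are hypothetical, and the service name and addresses in the sample table are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of kubectl or sdm.

# Read the `kubectl get svc` table on stdin and print the EXTERNAL-IP of the
# first LoadBalancer service. Exit 2 if it is still <pending>, 3 if none exists.
lb_external_address() {
  awk '
    NR == 1 {                      # locate columns by header name
      for (i = 1; i <= NF; i++) {
        if ($i == "TYPE") t = i
        if ($i == "EXTERNAL-IP") e = i
      }
      next
    }
    t && e && $t == "LoadBalancer" {
      found = 1
      if ($e == "<pending>" || $e == "<none>") rc = 2
      else { print $e; rc = 0 }
      exit
    }
    END { if (!found) exit 3; exit rc }
  '
}

# Compare against the Advertised Address (host:port) registered in StrongDM.
# Returns 0 on match, 1 on mismatch, 2 while pending, 3 if no LoadBalancer.
check_advertised() {  # $1 = advertised address; kubectl table on stdin
  lb_addr=$(lb_external_address) || return $?
  if [ "${1%:*}" = "$lb_addr" ]; then
    echo "match: $1"
  else
    echo "update Advertised Address to $lb_addr:${1##*:}"
    return 1
  fi
}

# Constructed sample of `kubectl get svc` output (names and addresses made up).
sample='NAME                TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)         AGE
kubernetes          ClusterIP      10.96.0.1     <none>         443/TCP         9d
my-proxy-sdm-proxy  LoadBalancer   10.96.44.10   203.0.113.20   443:31443/TCP   2m'
printf '%s\n' "$sample" | check_advertised 172.16.50.2:443 || true
```

Against a live cluster, pipe kubectl get svc into check_advertised with the address you entered in the Admin UI; IPv6 literals are not handled by the host:port split.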
Upgrade the sdm-proxy Helm chart
To upgrade the sdm-proxy Helm chart, run the following command. For more, see the helm upgrade command documentation.
helm upgrade <RELEASE_NAME> strongdm/sdm-proxy --install
Uninstall the sdm-proxy Helm chart
You can uninstall the sdm-proxy Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.
helm uninstall <RELEASE_NAME>