Deploy Kubernetes Proxy Cluster

Last modified on June 9, 2025

Overview

This guide describes how to deploy a proxy cluster in your Kubernetes cluster. If you are trying to install a gateway or relay and not a proxy cluster, see the Nodes in Kubernetes guide.

Prerequisites

To be successful when using this guide, you must meet the following general requirements:

Ensure that you are an Administrator in StrongDM.
Be sure that your Kubernetes cluster(s) is at v1.16 or later and has publicly accessible nodes and stable IPs.
Install the kubectl command-line tool locally to interact with your Kubernetes clusters.
Install Helm 3.0 or later locally.
If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.

Register the Proxy Cluster

You must first register the proxy cluster with StrongDM via the Admin UI and generate an authentication key for it. You will need to give the cluster a name and address.

Unfortunately it is not usually possible to know which external address the cluster will receive from Kubernetes before you deploy it. You should choose one of the following methods to handle the unknown address:

Use a placeholder address for the cluster. After deploying the cluster, determine the address of the load balancer using kubectl get svc and update the cluster configuration in StrongDM to match.
Choose a domain name ahead of time for the cluster address. After deploying the cluster, determine the address of the load balancer using kubectl get svc and manually update your domain records to point to it.
Choose a domain name ahead of time for the cluster address. Use a DNS controller to make Kubernetes automatically point the domain to your proxy cluster.

After choosing a strategy to configure the proxy cluster and update its address, follow these steps to register the cluster.

Log in to the StrongDM Admin UI.
Go to Networking > Proxy Clusters.
Click Add proxy cluster.
For Name, enter a name for the cluster.
For Advertised Address, enter your chosen address and port for the cluster (we recommend port 443; for example, 172.16.50.2:443).
Click Create proxy cluster.
Click Add authentication key. The key appears in a modal. Copy the key and keep it in a secure place.

To generate a key via the CLI, use the sdm admin nodes create-proxy-cluster command.

Manage Kubernetes Proxy Clusters With Helm

To manage deployments of proxy clusters across your Kubernetes cluster, we recommend that you use our Helm charts and leverage the flexibility of Helm.

Install the sdm-proxy Helm chart

You can use the following steps to install proxies with Helm. Note that this example creates a single proxy worker. If you intend to have a proxy cluster with multiple workers, they will need to be behind a load balancer, as described in the Proxy Clusters section.

Create a values.yaml file for use with the Helm chart. You can see a reference schema of the available options in the sdm-proxy GitHub repository values.yaml file or on ArtifactHub for further customization. The minimum values that must be specified in order to create the proxy cluster worker, register it with your organization, and register the cluster as a resource are shown in the following example.

strongdm:
  auth: # StrongDM authentication sources
      clusterKey: "" # SDM_PROXY_CLUSTER_ACCESS_KEY with which this proxy should authenticate itself
      clusterSecret: "" # SDM_PROXY_CLUSTER_SECRET_KEY with which this proxy should authenticate itself
      adminToken: "" # SDM_ADMIN_TOKEN with which to create StrongDM resources
  autoRegisterCluster: # Register this cluster as a resource in StrongDM
    enabled: true

Install the Helm chart. Replace <RELEASE_NAME> with a unique and meaningful name.

helm repo add strongdm https://helm.strongdm.com/stable/
helm install <RELEASE_NAME> strongdm/sdm-proxy -f values.yaml
helm status <RELEASE_NAME>

If you wish, you can verify that the chart created the proxy cluster worker, and that the resource was added to your StrongDM organization with the following methods:
1. You can check that the proxy cluster worker is running in your cluster with kubectl get services.
2. You can check that the cluster is added to StrongDM as a resource by looking in the Admin UI under Resources > Clusters, or by using the CLI (sdm admin clusters list). If you did not specify any settings for your cluster resource, it will be named something based on your chosen <RELEASE_NAME>.

Upgrade the sdm-proxy Helm chart

To upgrade the sdm-proxy Helm chart, run the following command. For more, see the helm upgrade command documentation.

helm upgrade <RELEASE_NAME> strongdm/sdm-proxy --install

The proxies will automatically keep themselves up to date without you needing to upgrade the Helm chart. You only need to upgrade if you want a feature that is only available in a newer version of the sdm-proxy Helm chart.

Uninstall the sdm-proxy Helm chart

You can uninstall the sdm-proxy Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.

helm uninstall <RELEASE_NAME>

Deploy Kubernetes Proxy Cluster

Overview #

Prerequisites #

Register the Proxy Cluster #

Manage Kubernetes Proxy Clusters With Helm #

Install the sdm-proxy Helm chart #

Upgrade the sdm-proxy Helm chart #

Uninstall the sdm-proxy Helm chart #