Kubernetes Nodes

Last modified on May 22, 2025

Overview

This guide describes how to create a node (gateway or relay) in your Kubernetes cluster. You can follow the manual approach or optionally use the Helm chart method to install your node. If you’re interested in using a proxy cluster rather than a gateway or relay, see the Proxy Clusters in Kubernetes guide.

Prerequisites

To be successful when using this guide, you must meet the following general requirements:

  • Ensure that you are an Administrator in StrongDM.
  • Be sure that your Kubernetes cluster(s) is at version 1.16 or later and has publicly accessible nodes and stable IPs.
  • Install the kubectl command-line tool locally to interact with your Kubernetes clusters.
  • If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.
  • If you are using Helm to manage your node, install Helm 3.0 or later locally.

Manage Kubernetes Nodes With Helm

StrongDM has a Helm chart that can be used to create a node within your cluster, register it with your StrongDM organization, and then register the cluster itself as a resource in your StrongDM organization as well. All you need to do this is to have an admin token that gives you permission to create nodes and cluster resources.

  1. Create a values.yaml file for use with the Helm chart. You can see a reference schema of the available options in the sdm-relay GitHub repository values.yaml file or on ArtifactHub for further customization. The minimum values that must be specified in order to create the node, register it with your organization, and register the cluster as a resource are shown in the following example.
strongdm:
  auth: # StrongDM authentication sources
    adminToken: "" # Specify an admin token to allow the chart to create and register your node
  autoCreateNode: # create/register the node in StrongDM, using the SDM_ADMIN_TOKEN
    enabled: true
  autoRegisterCluster: # register this cluster as a resource in StrongDM
    enabled: true
  1. Install the Helm chart. Replace <RELEASE_NAME> with a unique and meaningful name.

    helm repo add strongdm https://helm.strongdm.com/stable/
    helm install <RELEASE_NAME> strongdm/sdm-relay -f values.yaml
    helm status <RELEASE_NAME>
    
  2. If you wish, you can verify that the chart created the node, and that the node and resource were added to your StrongDM organization with the following methods:

    1. You can check that the node is running in your cluster with kubectl get services, which should output something similar to the following, with an sdm-relay-service running:
    NAME                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
    kubernetes          ClusterIP   10.96.0.1       <none>        443/TCP           21h
    sdm-relay-service   NodePort    10.104.132.14   <none>        30001:30001/TCP   21h
    
    1. You can check that the node is added to StrongDM by looking in the Admin UI under Networking > Gateways or Networking > Relays, or by using the CLI (sdm admin nodes list). If you did not specify any settings for your node, it will be named something random, but the IP will match your cluster.
    2. You can check that the cluster is added to StrongDM as a resource by looking in the Admin UI under Resources > Clusters, or by using the CLI (sdm admin clusters list). If you did not specify any settings for your cluster resource, it will be named something based on your chosen <RELEASE_NAME>.

Upgrade the sdm-relay Helm chart

To upgrade the sdm-relay Helm chart, run the following command. For more, see the helm upgrade command documentation.

helm upgrade <RELEASE_NAME> strongdm/sdm-relay

Uninstall the sdm-relay Helm chart

You can uninstall the sdm-relay Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.

helm uninstall <RELEASE_NAME>

Create a Node Manually

In some circumstances, you may wish to deploy a gateway or relay in a Kubernetes cluster without using Helm. You will need to create a gateway token or relay token in StrongDM, install your node and configure it in your cluster, and then verify that it is connected to StrongDM.

Create a token

To successfully set up your Kubernetes node, you must first create the gateway or relay in the Admin UI and generate a token for it.

Create a gateway token

To create a gateway token, follow these steps.

  1. Log in to the Admin UI.
  2. Go to Networking > Gateways.
  3. Click Add gateway.
  4. For Name, enter a name for the gateway.
  5. For Advertised Host, enter the IP address or host that the gateway listens on.
  6. For Advertised Port, set the port (default 5000) for the service to listen on.
  7. Click Create gateway and the gateway token appears in a modal.
  8. Copy the token and keep it in a secure place.

To generate a gateway token via the CLI instead, see sdm admin relay create-gateway.

On macOS, there is an additional step: encode the resulting token in Base64 using echo -n [token-string] | base64. PowerShell and Windows commands may differ. If you generated the token from the CLI, it may contain a trailing \n character, which you have to remove before passing it through base64.

Create a relay token

To register the node and create a relay token, follow these steps.

  1. Log in to the Admin UI.
  2. Go to Networking > Relays.
  3. Click Add relay.
  4. For Name, enter a name for the relay.
  5. Click Create relay.
  6. Copy the token and keep it in a secure place.

To generate a relay token via the CLI instead, see sdm admin relay create.

On macOS, there is an additional step: encode the resulting token in Base64 using echo -n [token-string] | base64. PowerShell and Windows commands may differ. If you generated the token from the CLI, it may contain a trailing \n character, which you have to remove before passing it through base64.

Create your node

Once you have a valid token, you can continue with the steps in this section to manually create your Kubernetes gateway or relay.

  1. Follow the steps to create a token.

  2. Create the YAML manifest for your Kubernetes node. Use the following content, replacing [token-in-base64] with your Base64-encoded token.

    kind: Secret
    apiVersion: v1
    metadata:
      name: sdm-relay-secret
    type: Opaque
    data:
      token: [token-in-base64]
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: sdm-relay-deployment
      labels:
        app: sdm-relay
    spec:
      replicas: 1 # must always be 1.
      selector:
        matchLabels:
          app: sdm-relay
      template:
        metadata:
          labels:
            app: sdm-relay
        spec:
        # You may use node affinity to ensure that these containers are only
        # deployed to publicly visible nodes.
        # This doesn't work with fargate profiles
        #      affinity:
        #        nodeAffinity:
        #          requiredDuringSchedulingIgnoredDuringExecution:
        #            nodeSelectorTerms:
        #            - matchExpressions:
        #              - key: alpha.eksctl.io/nodegroup-name
        #                operator: In
        #                values:
        #                - ng-1
          containers:
          - name: sdm-relay
            image: public.ecr.aws/strongdm/relay:latest
            imagePullPolicy: Always
            env:
            - name: SDM_ORCHESTRATOR_PROBES
              value: ":9090"
            - name: SDM_RELAY_TOKEN
              valueFrom:
                secretKeyRef:
                  name: sdm-relay-secret
                  key: token
            livenessProbe:
              httpGet:
                path: /liveness
                port: 9090
              initialDelaySeconds: 25
              timeoutSeconds: 10
              periodSeconds: 15
              failureThreshold: 5
    ---
    

    If you are setting up a relay, that is the end of the config file. If you are setting up a gateway, you also need the next snippet added to your YAML manifest.

    kind: Service
    apiVersion: v1
    metadata:
      name: sdm-relay-service
      labels:
        app: sdm-relay
    spec:
      type: "NodePort"
      selector:
        app: sdm-relay
      ports:
        - name: gateway
          # or relay
          port: 30001
          targetPort: 5000
          nodePort: 30001
          # You may use externalIPs as a way to get a stable IP configuration.
          # then map 80.11.12.10 to sdmrelay.mycompany.com
      externalIPs:
        - 34.220.97.45
    
  3. Create the deployment and activate your gateway. You may have to specify a directory for the YAML file.

    kubectl create -f name-of-gateway-file.yml
    
  4. Verify the node is running. Your node appears in the list of running services.

    kubectl get services
    
    NAME                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
    kubernetes          ClusterIP   10.96.0.1       <none>        443/TCP           21h
    sdm-relay-service   NodePort    10.104.132.14   <none>        30001:30001/TCP   21h
    
  5. Log in to the Admin UI. Go to Networking > Gateways (or Networking > Relays). The node you created appears online with a heartbeat. Click Details to view additional information.

    Gateway List in Admin UI
    Gateway List in Admin UI