Adding an EKS cluster will take place in both the Admin UI and in the AWS console for the cluster you’re adding to the strongDM network.
Before beginning, ensure that the EKS endpoint you’re connecting is accessible from one of your strongDM gateways or relays. For more information on setting up gateways, see this guide.
Generate an Access Key ID and Secret Access Key in AWS. It does not need any specific rights, but you will need the user ARN in Step 4.
While already authenticated to the cluster using your existing connection method, run:
$ kubectl edit -n kube-system configmap/aws-auth
This will bring up a text editor with a YAML file.
In that file, add the following under the data: heading. Please note: the indentation is CRITICALLY IMPORTANT. If the indentation is wrong, the edit command won’t give you an error message, but the change will fail. (mapUsers should be at the same indent level as mapRoles in that file.) Replace the userarn value with the ARN of the IAM user you created, and the username value with the username. Under groups, select the appropriate group for the permissions level you want this SDM connection to have (see here for more details).
mapUsers: |
  - userarn: arn:aws:iam::xxxxxxxxxx:user/usernamehere
    username: usernamehere
    groups:
      - system:masters
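A check to run after saving the edit, added here and not part of the strongDM walkthrough: it reads the aws-auth ConfigMap text as kubectl prints it, flags the two indentation mistakes described above (mapUsers not level with mapRoles, or the list not indented under the key) and shows which RBAC groups the strongDM IAM user was actually mapped to. It uses only the standard library; the sample ConfigMap, account ID, role name and user name are constructed.

```python
# Constructed excerpt of `kubectl get -n kube-system configmap/aws-auth -o yaml`; ids and names are made up.
SAMPLE_AWS_AUTH = """\
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eks-node-role
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/strongdm-eks
      username: strongdm-eks
      groups:
        - system:masters
"""

def _indent(line): return len(line) - len(line.lstrip(" "))
def _block_body(lines, key_idx):
    """Non-blank lines of a '|' block scalar: everything indented deeper than its key."""
    key_indent, body = _indent(lines[key_idx]), []
    for line in lines[key_idx + 1:]:
        if line.strip() and _indent(line) <= key_indent:
            break
        body.append(line)
    return [l for l in body if l.strip()]

def _parse_users(body):
    """Turn the mapUsers list into dicts; each '- userarn:' line opens a new entry."""
    entries, cur = [], None
    for text in (l.strip() for l in body):
        if text.startswith("- userarn:"):
            cur = {"userarn": text.split(":", 1)[1].strip(), "username": None, "groups": []}
            entries.append(cur)
        elif cur and text.startswith("username:"):
            cur["username"] = text.split(":", 1)[1].strip()
        elif cur and text.startswith("- "):
            cur["groups"].append(text[2:].strip())
    return entries

def check_aws_auth(configmap_yaml, strongdm_user_arn):
    """Flag the indentation mistakes the edit step warns about and show what RBAC the user gets."""
    lines = configmap_yaml.splitlines()
    keys = {l.strip().split(":")[0]: i for i, l in enumerate(lines)
            if l.strip().startswith(("mapRoles:", "mapUsers:"))}
    ri, ui, problems, warnings = keys.get("mapRoles"), keys.get("mapUsers"), [], []
    if ri is not None and ui is not None and _indent(lines[ri]) != _indent(lines[ui]):
        problems.append("mapUsers is not at the same indent level as mapRoles")
    body = _block_body(lines, ui) if ui is not None else []
    entry = next((e for e in _parse_users(body) if e["userarn"] == strongdm_user_arn), None)
    if entry is None or not entry["username"] or not entry["groups"]:
        problems.append(f"no complete mapUsers entry (userarn, username, groups) for {strongdm_user_arn}")
    elif "system:masters" in entry["groups"]:
        warnings.append("system:masters is cluster-admin; every strongDM user of this server inherits it")
    return {"ok": not problems, "problems": problems, "warnings": warnings, "entry": entry}
```

Feed it the output of `kubectl get -n kube-system configmap/aws-auth -o yaml` and the ARN from the access key you created; a non-empty problems list means the mapping will not take effect even though `kubectl edit` reported no error.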
Log in to the Admin UI at https://app.strongdm.com and choose Servers in the left-hand navigation.
In the upper right-hand section of the screen, click the ‘add server’ button. Under ‘Server Type’ select Amazon Elastic Kubernetes Service.
Type in a Display Name. This is how the server will show up in the Admin UI—in this case,
Note: Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.
Enter the endpoint of the EKS cluster. It’s imperative that this endpoint can be reached from the gateway/relay. To verify this, hop on the gateway/relay server, and from a command prompt, type:
$ nc -z <YOUR_ENDPOINT> 443
If your gateway or relay can connect to this hostname, you’ll be able to proceed—in this case,
Enter the Access Key ID and Secret Access Key from step 2 above.
NOTE: When your users connect to this cluster, they will have exactly the rights permitted by this AWS keypair. See this Amazon document for more information.
Enter the Server CA, Cluster Name, and Region of the EKS cluster in the remaining fields. All this information is available on the main cluster information page in the AWS console.
Click the ‘create’ button. Once this is done, the Admin UI will update and show your new server in a green or yellow state. If yellow, click the ‘pencil’ icon to the right of the server to re-open the ‘Connection Details’ screen, then click ‘Diagnostics’ to determine where the connection is failing.
If any errors occur, please copy them into an email and send to firstname.lastname@example.org.