Deploy Kubernetes Proxy Cluster
Last modified on March 25, 2025
Overview
This guide describes how to deploy a proxy cluster in your Kubernetes cluster.
Prerequisites
To be successful when using this guide, you must meet the following general requirements:
- Ensure that you are an Administrator in StrongDM.
- Be sure that your Kubernetes cluster(s) is at v1.16 or later and has publicly accessible nodes and stable IPs.
- Install the kubectl command-line tool locally to interact with your Kubernetes clusters.
- Install Helm 3.0 or later locally.
- If you are using Nginx Ingress Controller, manually patch your services to allow TCP and UDP traffic.
Register the Proxy Cluster
You must first register the proxy cluster with StrongDM via the Admin UI and generate an authentication key for it. You will need to give the cluster a name and address. Unfortunately it is not usually possible to know which external address the cluster will receive from Kubernetes before you deploy it. You should choose one of the following methods to handle the unknown address:
- Use a placeholder address for the cluster. After deploying the cluster, determine the address of the load balancer using kubectl get svc and update the cluster configuration in StrongDM to match.
- Choose a domain name ahead of time for the cluster address. After deploying the cluster, determine the address of the load balancer using kubectl get svc and manually update your domain records to point to it.
- Choose a domain name ahead of time for the cluster address. Use a DNS controller to make Kubernetes automatically point the domain to your proxy cluster.
After choosing a strategy to configure the proxy cluster and update its address, follow these steps to register the cluster.
- Log in to the StrongDM Admin UI.
- Go to Networking > Proxy Clusters.
- Click Add proxy cluster.
- For Name, enter a name for the cluster.
- For Advertised Address, enter your chosen address and port for the cluster (we recommend port 443; for example, 172.16.50.2:443).
- Click Create proxy cluster.
- Click Add authentication key. The key appears in a modal. Copy the key and keep it in a secure place.
To generate a key via the CLI, use the sdm admin nodes create-proxy-cluster command.
Manage Kubernetes Proxy Clusters With Helm
To manage deployments of proxy clusters across your Kubernetes cluster, we recommend that you use our Helm charts. To leverage the flexibility of Helm, we created charts to deploy your StrongDM proxies across your Kubernetes clusters.
Install the sdm-proxy Helm chart
You can use the following steps to install proxies with Helm.
- Create a secret in your Kubernetes cluster containing the access key and secret key you created while registering the proxy cluster:
kubectl create secret generic proxy-cluster-key --from-literal=SDM_PROXY_CLUSTER_ACCESS_KEY=$accessKey --from-literal=SDM_PROXY_CLUSTER_SECRET_KEY=$secretKey
- Optionally download values.yaml and customize it for your needs.
- Install the Helm chart. Replace <RELEASE_NAME> with a unique and meaningful name.
helm repo add strongdm https://helm.strongdm.com/stable/
helm install <RELEASE_NAME> strongdm/sdm-proxy # optional: -f values.yaml
helm status <RELEASE_NAME>
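Once the chart is installed, the placeholder and manual-DNS methods from the registration section depend on the address Kubernetes actually assigned. The following is an added example, not part of the original guide or of StrongDM's tooling: it parses kubectl get svc table output and compares it with the Advertised Address. The service name my-proxy-sdm-proxy and the sample table are constructed assumptions.

```shell
#!/bin/sh
# Added example (not StrongDM code). The service name and SAMPLE table are
# constructed; substitute the service your release actually creates.

# svc_endpoint SERVICE: read `kubectl get svc` table output on stdin and print
# "EXTERNAL-IP PORT(S)". Exit 1 = service not listed, 2 = no address assigned.
svc_endpoint() {
    awk -v svc="$1" '
        BEGIN { rc = 1 }
        $1 == svc {
            rc = ($4 == "<pending>" || $4 == "<none>") ? 2 : 0
            if (rc == 0) print $4, $5
            exit
        }
        END { exit rc }'
}

# check_advertised HOST:PORT SERVICE: compare the Advertised Address registered
# in StrongDM with the service row read from stdin. Returns 0 only on a match.
check_advertised() {
    host=${1%:*}; port=${1##*:}
    endpoint=$(svc_endpoint "$2") || {
        echo "PENDING: $2 is not listed or has no external address yet; re-run later"
        return 2
    }
    ext=${endpoint%% *}; ports=${endpoint#* }
    case ",$ports" in
        *",$port:"*|*",$port/"*) ;;   # advertised port is exposed by the service
        *) echo "MISMATCH: $2 exposes $ports, not port $port"; return 1 ;;
    esac
    if [ "$host" = "$ext" ]; then
        echo "OK: $1 matches the load balancer"
    else
        echo "UPDATE: load balancer is at $ext; change the Advertised Address or point $host at it"
        return 1
    fi
}

# Constructed `kubectl get svc` output for a release named "my-proxy".
SAMPLE='NAME                 TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)         AGE
my-proxy-sdm-proxy   LoadBalancer   10.0.171.20   203.0.113.10   443:31443/TCP   5m'

# Placeholder address from registration vs. the address Kubernetes assigned.
printf '%s\n' "$SAMPLE" | check_advertised 172.16.50.2:443 my-proxy-sdm-proxy || true
# Live use: kubectl get svc | check_advertised <address:port> <service-name>
```

A PENDING result means the load balancer has not been provisioned yet, so the placeholder in StrongDM should stay in place until the check reports an address.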
Upgrade the sdm-proxy Helm chart
To upgrade the sdm-proxy Helm chart, run the following command. For more, see the helm upgrade command documentation.
helm upgrade <RELEASE_NAME> strongdm/sdm-proxy --install
Uninstall the sdm-proxy Helm chart
You can uninstall the sdm-proxy Helm chart by running the following command. This command removes all Kubernetes components associated with the release and deletes the release. For more, see the helm uninstall reference documentation.
helm uninstall <RELEASE_NAME>