Kubernetes Management Beta
Last modified on December 6, 2024
This feature is currently in closed-access beta. Functionality and documentation may change. Contact StrongDM for more information.
When a Kubernetes cluster is added to StrongDM, the credentials used to add it dictate what users can access when they connect to the cluster through StrongDM. Clusters with complex sets of groups, roles, and levels of access can therefore require many StrongDM resources for the same cluster, each using different credentials to grant a different level of access.
These complications can be lessened by understanding the RBAC architecture of the cluster being added. Paired with Identity Aliases, that information lets the users of your cluster get the right amount of access at the right time.
Resource Discovery
If a Kubernetes resource is added to StrongDM and configured to enable Resource Discovery, StrongDM continuously discovers information about the groups and roles within that Kubernetes cluster. When a user visits the Discovery tab for that cluster in the Admin UI, the latest available information is displayed.
The following items are discovered within the cluster:
- Subjects (users, groups, and service accounts)
- RoleBindings and ClusterRoleBindings
- Namespaces
- Roles and ClusterRoles
- Rules (including labels and annotations)
This information is made available to admins in the Admin UI, by visiting Resources > Clusters and clicking the particular resource, then the Discovery tab. In the Discovery tab, admins are able to view a list of subjects that is searchable by name and kind. When a subject is selected, the panel to the right displays a list of Roles and ClusterRoles that are associated with the subject, and the details of each Role, including an option to view rules associated with that Role as well.
Discovery is quick, and changes made within the cluster usually appear within moments. If the connection to the cluster is lost due to networking issues, the previously discovered information is retained for a few hours and then discarded; it is reacquired when the cluster becomes reachable again.
Configure clusters to discover resources
When a Kubernetes cluster is added as a resource to your StrongDM organization, an option called Enable Resource Discovery can be enabled. Checking this box in the Admin UI is all that is required to begin automatic discovery within the cluster. If the cluster is configured in StrongDM to use Identity Sets, you also need to add a Discovery Username to the configuration settings; this is the Kubernetes user that discovery runs as. For clusters set up with leased credentials, the leased credentials are used.
Discovery also requires a ClusterRole, bound (with a ClusterRoleBinding) to the Kubernetes user that discovery runs as, with the following rules:
rules:
  - apiGroups: [""]
    resources: ["namespaces", "serviceaccounts"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["list", "get", "watch"]
These rules are the minimum needed for discovery across the whole cluster. The Kubernetes admin may adjust them, for example by adding permissions or narrowing the scope to particular namespaces. Note that namespaces, ClusterRoles, and ClusterRoleBindings are cluster-scoped objects: if the rules are granted only through a namespaced RoleBinding, those objects cannot be listed and discovery is limited to what is visible inside that namespace.
Kubernetes discovery information
In the Admin UI, under Resources > Clusters, the details view for the cluster you created has a Discovery tab. The information shown there is what could be discovered about the cluster given its connection settings and credentials, and the Discovery Username you provided. The left panel lists subjects (users, groups, and service accounts). If the list is long, it can be filtered by type or searched by substring of the subject name.
When you select a subject, the Kubernetes Roles associated with that subject are presented on the right. If the list of Roles associated with that subject is too long, it can also be searched or filtered by namespace. Each Role listed has a View Rules button, which will expand a table of information about Rules from the selected Role.
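The following script, added here as an illustration and not part of StrongDM's product or documentation, does offline what the Discovery tab and the ClusterRole requirement above describe: it resolves RoleBindings and ClusterRoleBindings into the roles and rules each subject holds, and it checks a discovery identity against the minimum permissions listed on this page. All roles, bindings, and names (including the user and ClusterRole name strongdm-discovery, the namespace payments, and the users and groups) are constructed sample data standing in for what `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` would return. Aggregated ClusterRoles, resourceNames, and nonResourceURLs are deliberately ignored to keep the resolver short.

```python
"""Resolve Kubernetes RBAC bindings per subject and check a discovery identity.

Constructed example: every role, binding, name and namespace below is sample
data, not output from a real cluster. The resolver ignores aggregated
ClusterRoles, resourceNames and nonResourceURLs."""
import json

READ_VERBS = ("list", "get", "watch")
# The page's minimum discovery permissions as (apiGroup, resource, verb) tuples (18 in total).
REQUIRED = [
    (group, resource, verb)
    for group, resources in (
        ("", ("namespaces", "serviceaccounts")),
        ("rbac.authorization.k8s.io", ("roles", "rolebindings", "clusterroles", "clusterrolebindings")),
    )
    for resource in resources
    for verb in READ_VERBS
]

# Roles keyed by (kind, namespace, name); ClusterRoles are cluster-scoped, so namespace is None.
ROLES = {
    ("ClusterRole", None, "strongdm-discovery"): [  # hypothetical discovery ClusterRole
        {"apiGroups": [""], "resources": ["namespaces", "serviceaccounts"], "verbs": list(READ_VERBS)},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles", "rolebindings", "clusterroles", "clusterrolebindings"],
         "verbs": list(READ_VERBS)},
    ],
    ("ClusterRole", None, "cluster-admin"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("Role", "payments", "deploy-editor"): [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "update", "patch"]},
    ],
}

BINDINGS = [  # constructed sample bindings
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "strongdm-discovery"},
     "subjects": [{"kind": "User", "name": "strongdm-discovery"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "deploy-editor"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "payments"}]},
    # A RoleBinding that references a ClusterRole grants it only inside its own namespace.
    {"kind": "RoleBinding", "metadata": {"namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "payments-oncall"}]},
]


def subject_key(subject):
    """Normalise a binding subject to (kind, name); service accounts carry their namespace."""
    if subject["kind"] == "ServiceAccount":
        return ("ServiceAccount", f"{subject['namespace']}:{subject['name']}")
    return (subject["kind"], subject["name"])


def subjects(bindings=BINDINGS):
    """Every subject named in any binding: the left-hand panel of the Discovery tab."""
    return sorted({subject_key(s) for b in bindings for s in b["subjects"]})


def roles_for(kind, name, bindings=BINDINGS):
    """(scope, roleRef kind, roleRef name) for each binding naming the subject.

    scope is None for a ClusterRoleBinding and the namespace for a RoleBinding."""
    out = []
    for b in bindings:
        if (kind, name) in [subject_key(s) for s in b["subjects"]]:
            scope = None if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
            out.append((scope, b["roleRef"]["kind"], b["roleRef"]["name"]))
    return out


def rule_allows(rule, group, resource, verb):
    """Match one PolicyRule; "*" in any field matches everything."""
    return all("*" in listed or wanted in listed for wanted, listed in
               ((group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"])))


def can(kind, name, verb, group, resource, namespace=None, bindings=BINDINGS, roles=ROLES):
    """True if some binding grants the subject verb on group/resource. namespace=None means cluster-wide."""
    for scope, role_kind, role_name in roles_for(kind, name, bindings):
        if scope is not None and scope != namespace:
            continue  # a namespaced grant never applies cluster-wide or in another namespace
        role_ns = None if role_kind == "ClusterRole" else scope
        if any(rule_allows(r, group, resource, verb) for r in roles.get((role_kind, role_ns, role_name), [])):
            return True
    return False


def missing_discovery_permissions(kind, name, bindings=BINDINGS, roles=ROLES):
    """REQUIRED tuples the identity cannot exercise cluster-wide; empty means discovery will work."""
    return [t for t in REQUIRED if not can(kind, name, t[2], t[0], t[1], None, bindings, roles)]


def discovery_manifests(user="strongdm-discovery"):
    """ClusterRole plus ClusterRoleBinding for the discovery user as JSON that `kubectl apply -f -` accepts."""
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": "strongdm-discovery"}, "rules": ROLES[("ClusterRole", None, "strongdm-discovery")]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
               "metadata": {"name": "strongdm-discovery"},
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "strongdm-discovery"},
               "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": user}]}
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2)


if __name__ == "__main__":
    for subj in subjects():
        print(subj, "->", roles_for(*subj))
    print("discovery user missing:", missing_discovery_permissions("User", "strongdm-discovery"))
    print("payments-oncall can list namespaces cluster-wide:", can("Group", "payments-oncall", "list", "", "namespaces"))
```

Two points the sample data is built to show. First, `payments-oncall` holds `cluster-admin` through a RoleBinding, so it is all-powerful inside `payments` but cannot list namespaces or ClusterRoleBindings cluster-wide; a discovery user bound the same way would fail the `missing_discovery_permissions` check, which is the namespace-narrowing caveat from the ClusterRole section. Second, `roles_for` and `subjects` are the same resolution the Discovery tab performs, so running them against real `kubectl` output is a quick way to confirm that what StrongDM shows for a subject matches the cluster's RBAC before you rely on it for Identity Aliases.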