Add a Kubernetes (Pod Identity) Cluster

Last modified on March 13, 2025

This guide describes how to manage access to a Kubernetes (Pod Identity) cluster via the StrongDM Admin UI. This process involves creating and configuring a new cluster in the Admin UI and checking the connection to your Kubernetes API server.

The Kubernetes (Pod Identity) resource type is a unique resource type that can be added to and accessed using StrongDM without exposing the underlying cluster’s private keys outside the cluster. This resource type is designed to work with clusters that already have a StrongDM relay running inside a pod on the cluster.

Resource Setup

The Kubernetes (Pod Identity) resource type requires some preliminary setup on the cluster. Pod Identity works by running a StrongDM relay in a pod within your cluster. When the relay is set up within your cluster using the StrongDM relay Helm chart, it registers itself with StrongDM as a relay. Once the relay is registered, it can access the hosting cluster directly.

Note that because the relay sits within the cluster, from any relay’s perspective, the address of any hosting cluster is always kubernetes.default.svc. In order for StrongDM to differentiate between different Pod Identity clusters, the CA certificate of the cluster is required.

To set up your cluster, follow these steps:

  1. Use the StrongDM relay Helm chart to install a relay in a pod within your cluster.
  2. Verify the relay’s registration with StrongDM using the Admin UI (Networking > Relays) or the CLI (sdm admin nodes list).
  3. Create a Pod Identity cluster resource using the Admin UI (Resources > Clusters) or the CLI (sdm admin cluster add k8spodidentity), making sure to provide the cluster’s CA certificate as an argument.
  4. Grant access to the new resource to your StrongDM account via a role or temporary access grant and test access. Doing so grants you the same level of Kubernetes access as the pod that the relay sits in.

Managing Your Kubernetes Cluster in the StrongDM Admin UI

You can manage your cluster in the Admin UI. Log in to the StrongDM Admin UI and go to Infrastructure > Clusters. Here you can see a list of all of your clusters.

The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If the state is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

You can select your Kubernetes (Pod Identity) cluster to edit its configuration.

Resource properties

Configuration properties are visible when you add a Cluster Type or when you click to view the cluster’s settings. The following table describes the settings available for your Kubernetes cluster.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Cluster TypeRequiredSelect Kubernetes
Port OverrideRead onlyAutomatically generated with a value between 1024 to 59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides; after specifying the port override number, you must also update the kubectl configuration, which you can learn more about in section Port Overrides
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see the Secret Store section
Server CARequiredPasted server certificate (plaintext or Base64-encoded), or imported PEM file; you can either generate the server certificate on the API server or get it in Base64 format from your existing Kubernetes configuration (kubeconfig) file
Healthcheck NamespaceOptionalIf enabled for your organization, the namespace used for the resource healthcheck; defaults to default if empty; supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe namespace
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Display name

Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a Display Name without spaces.

Client credentials

When your users connect to this cluster via StrongDM, they initially have exactly the same rights to the cluster as the pod that the relay sits in. Be sure to consider this prior to setup.

Server CA

How to get the Server CA from your kubeconfig file:

  1. Open the CLI and type cat ~/.kube/config to view the contents of the file.
  2. In the file, under - cluster, copy the certificate-authority-data value. That is the server certificate in Base64 encoding.
  - cluster:
  certificate-authority-data: ... SERVER CERT BASE64 ...

Secret Store

By default, server credentials are stored in StrongDM. Alternatively, save these credentials in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings Credential Management. When you select another Secret Store type, it displays its unique properties. For more details, see Configure Secret Store Integrations.

Top