Create multiple namespaces within single ApplicationTeam

[delta549]

Describe the feature

I can't seem to find a graceful way to specify multiple namespace creations and attach this to a single team. This proposal suggests a change to the namespace TeamProps and underlying functionality to create a namespace based on a provided string[] of namespace names. These will be created following the usual process, but can be accessed by the overall team.

export class TeamAwesome extends ApplicationTeam {
    constructor(app: App) {
        super({
            name: "team-awesome",
            users: [
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user1`),  
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user2`)
            ],
            namespace: "my-namespace" // <--- Single namespace associated with team
        });
    }
}

Use Case

The impact:

This would be incredibly useful for larger organisations which may have teams that wish to use multiple namespaces associated to a single team. Even the ability to specify a dev namespace per team member for small testable depoyments.

The outcome:

The optional namespaces array (when added) will create an eks-blueprints compliant namespace for every array entry. These namespaces will be associated to the team and attach to all users.

Proposed Solution

Example new ApplicationTeam:

export class TeamAwesome extends ApplicationTeam {
    constructor(app: App) {
        super({
            name: "team-awesome",
            users: [
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user1`),  
                new ArnPrincipal(`arn:aws:iam::${YOUR_IAM_ACCOUNT}:user/user2`)
            ],
            namespaces: ["namespace-one", "namespace-two", "namespace-three"] // <--- Instead of specifying one namespace?
        });
    }
}

Other Information

No response

Acknowledgements

• [ ] I may be able to implement this feature request

CDK version used

2.174.0

EKS Blueprints Version

1.16.3

Node.js Version

20.16.0

Environment details (OS name and version, etc.)

Ubuntu 24.04.1

[shapirov103]

@delta549 thank you for your feedback. Let me share someinfo to make sure we consider all the implications. In addition to the cluster access, the namespace that we create for the team is used for 1/ service accounts to access external resources with the specified policies and 2/ secrets (e.g. with CSI secret store). These are namespace resources.

The question to answer here is whether we need to duplicate these resources across the namespaces as well. It is one option, however, I can see how these service accounts/policies and secrets can be different per namespace. If we go down that path we will have to allow passing those per namespace as well.

The team itself is a set of IAM users or a particular role userRoleArn that is shared by a set of users. In the current setup you can create a team of users as an array of users or define a userRole for each team and create multiple team objects with different namespaces passing the same set of principals to each but retaining a way to have different service accounts and secrets in each.

For a larger enterprise, it may be reasonable to create a subclass of a team, like DevTeam that captures access policies and guardrails and then instantiate it with some naming convention as many times as you need, e.g. "team-A-prod", "team-A-sandbox", "team-A-experiment1".

Another approach is to introduce a clear separation of concerns between team and its workloads. In this case, the team construct can have an array of workloads under it containing namespace, service account, secrets, etc. This becomes and new type of a team, as we will need to preserve compatibility.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 60 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[emre141]

Hi,

I have similar problem to define multiple namespace for each multiple team. For example I want to define team-a, team-b, team-c which has got its own namespace namespace-a, namespace-b, namespace-c so I could not define to use ApplicationTeam class default TeamProps because TeamProps has got namespace as string rather than as array. I just overcome the use case as below complex team definition that was duplicated the code block for each team

export class ApplicationTeamFactory {
    static createTeam(app: App, name: string, userRoleArn: string, namespace: string, serviceAccountName: string): ApplicationTeam {
        return new ApplicationTeam({
            name: name,
            userRoleArn: userRoleArn,
            namespace: namespace,
            serviceAccountName: serviceAccountName,
                    });
    }
}

const team-a = ApplicationTeamFactory.createTeam(app, "team-a", "arn:aws:iam::805085686841:role/team-a", "namespace-a", "serviceaccount-a");
const team-b = ApplicationTeamFactory.createTeam(app, "team-b", "arn:aws:iam::805085686841:role/team-b", "namespace-b", "serviceaccount-b");
const team-c = ApplicationTeamFactory.createTeam(app, "team-c", "arn:aws:iam::805085686841:role/team-c", "namespace-c", "serviceaccount-c");

So If I want to define 100+ team for large enterprise use case I need to duplicate the constant defintion of each team to achieve each team has its own namespace.

So I would like to use single rolearn for each team and for each namespace , serviceaccount rather than multiple role definition to assume by different team member to avoid duplication on the AWS IAM role definition because of the rolearn is required only user access rather than Kubernetes RBAC assignment.

Multiple RoleARN definition

arn:aws:iam::805085686841:role/team-a
arn:aws:iam::805085686841:role/team-b
arn:aws:iam::805085686841:role/team-b

Single RoleArn

arn:aws:iam::805085686841:role/developer

If I use single role for each team definition its not working as expected.

Second feature request the current application team RBAC mapping (role and rolebinding) has got only following permissions

URL: https://github.com/awslabs/cdk-eks-blueprints/blob/main/lib/teams/default-team-roles.ts

            {
                apiVersion: "rbac.authorization.k8s.io/v1",
                kind: "Role",
                metadata: {
                    namespace: namespace,
                    name: namespace-team-role
                },
                rules: [
                    {
                        apiGroups: [
                            ""
                        ],
                        resources: [
                            "pods"
                        ],
                        verbs: [
                            "get",
                            "list"
                        ]
                    },
                    {
                        apiGroups: [
                            "apps"
                        ],
                        resources: [
                            "deployments",
                            "daemonsets",
                            "statefulsets",
                            "replicasets"
                        ],
                        verbs: [
                            "get",
                            "list"
                        ]
                    },
                    {
                        apiGroups: [
                            "batch"
                        ],
                        resources: [
                            "jobs"
                        ],
                        verbs: [
                            "get",
                            "list"
                        ]
                    }
                ]
            }

But I want to override this default role as different verb, resources , apiGroups like namespace wide full permission, Is it possible to open new feature request for this changes ?