terraform-aws-eks-blueprints

[FEATURE] What if one application team uses two namespaces?

Open Hokwang opened this issue 2 years ago • 2 comments

Please describe your question here

Hi,

I have a few questions.

Q1. In my case, there is one app dev team and one platform team. The app dev team uses two namespaces. How can I do this?

I think you need to add one more level of depth, like:

application_teams = {
  "team1" = {
    "namespace1" = {
      "label"
      "quota"
    }
    "namespace2" = {
      "label"
      "quota"
    }
  }
}

so that you can

  • create one cluster_role for team1
  • use team1 as the cluster_role_binding's Group name.
  • create one IRSA for the team
  • in this case, create only a cluster role, not a role, and create role bindings for each namespace.

Q2. When I want to add more rules to the role, for example, there's no "pods/log", so I want to add it. But right now, your aws-eks-teams module does not support this.

Q3. There's no managed_policy_arns in aws_iam_role.team_sa_irsa, so I can't attach a policy easily.

[Y] Yes, I have checked the repo for existing issues before raising this question

Hokwang, Jun 19 '22 14:06
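The layout proposed in Q1 (one cluster role per team, bound separately in each of the team's namespaces), sketched in Terraform with the hashicorp/kubernetes provider. This is an added example, not code from the issue or from the aws-eks-teams module; the variable shape, resource names and verb list are assumptions, and it assumes a configured provider and namespaces that already exist.

```hcl
# Added example. Variable shape and names are assumptions, not inputs of the
# aws-eks-teams module; the namespaces are assumed to exist already.
variable "application_teams" {
  type = map(object({ namespaces = set(string) }))
  default = {
    team1 = { namespaces = ["namespace1", "namespace2"] }
  }
}

locals {
  # Flatten team -> namespaces into one map keyed "team/namespace".
  team_namespaces = merge([
    for team, cfg in var.application_teams : {
      for ns in cfg.namespaces : "${team}/${ns}" => { team = team, namespace = ns }
    }
  ]...)
}

# One ClusterRole per team: a reusable rule set that grants nothing until bound.
resource "kubernetes_cluster_role" "team" {
  for_each = var.application_teams
  metadata { name = "${each.key}-role" }
  rule {
    api_groups = [""]
    resources  = ["pods", "pods/log"] # "pods/log" is the rule asked for in Q2
    verbs      = ["get", "list", "watch"]
  }
}

# A namespaced RoleBinding (not a ClusterRoleBinding) per namespace, so the
# team group gets the ClusterRole's rules only inside its own namespaces.
resource "kubernetes_role_binding" "team" {
  for_each = local.team_namespaces
  metadata {
    name      = "${each.value.team}-binding"
    namespace = each.value.namespace
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.team[each.value.team].metadata[0].name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = each.value.team
  }
}
```

Binding the ClusterRole through a RoleBinding keeps the grant scoped to the listed namespaces; a ClusterRoleBinding to the same group would extend it to every namespace in the cluster.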

@Zvikan Could you review this FR? How to update teams module?

Hokwang, Jun 22 '22 02:06

Thank you @Hokwang, I see 3 feature requests here in one issue. Ideally, I personally would prefer to have those as individual issues, but let's continue with this for now:

1 - Agree, the overall Teams module started as an easy out-of-the-box example to get started doing multi-tenancy, and we love to see that you and other customers like it and want more ways to customize it to your needs. The only callout I have here is to remember that we need to keep things customizable with great, high-standard defaults to still keep that easy "out-of-the-box" experience.

2 - Agree and same as above. Right now we've defined a very static k8s role for every team that we believe a team should have access to, but this will never be true for every customer, therefore we need to provide a good standard default with the ability to customize and change (add/remove/adjust).

3 - I see you already worked on https://github.com/aws-ia/terraform-aws-eks-blueprints/pull/691, we can continue the discussion there (Thank you again for creating the PR!!)

Zvikan, Jun 27 '22 15:06

this is referenced in the re-design issue #842 so closing out to clear things up

bryantbiggs, Jan 10 '23 14:01