aws-ia/terraform-aws-eks-blueprints-teams

Team Management to support different personas and features

Closed this issue · 13 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

The current team management module does not provide flexibility for the team to provide customized features to create different RBAC roles/IAM roles for different personas, and it is not very easy to use.

We would like to provide flexibility for the team management to provide additional IAM Roles/RBAC roles, cross-account assume roles, network policies bootstrapped for each namespace.

Describe the solution you would like

We would like the solution to cater for users inputting parameters to enable additional personas and features mentioned above

Describe alternatives you have considered

N/A

Additional context

are you referring to gaps in the current implementation at https://github.com/aws-ia/terraform-aws-eks-blueprints-teams?

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

are you referring to gaps in the current implementation at https://github.com/aws-ia/terraform-aws-eks-blueprints-teams?

@bryantbiggs yes it is.

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@bryantbiggs do you have any updates on this?

@bryantbiggs @askulkarni2 fyi... Please let us know whether you need any other info.

hey @haofeif - do you have more info on patterns or configurations that the module currently doesn't support? Perhaps if we can see some examples of what's trying to be created, we can work backwards to figure out what can or cannot be supported, or perhaps there are alternate routes to reach those outcomes.

Yes @bryantbiggs. For instance, in the current team management repo, if users would like to add customization (i.e. providing flexibility to provide additional personas for IAM Roles/RBAC roles other than just the read-only and namespace admin roles), it is not supported.

Other features that are currently not supported include customization like cross-account assume roles (as usually the multi-tenancy cluster is hosted in a central AWS account, while tenants are accessing via their own accounts where they host their own RDS, S3 and other AWS resources) and network policies bootstrapped for each namespace. It is not possible in the current module as they are all hard coded.

For instance, below is the tenant/team definition

{
  "tenant1": {
    "aws_account_ids": [
      "509164722760"
    ],
    "compute_quota": {
      "requests.cpu": "1000m",
      "requests.memory": "12Gi",
      "limits.cpu": "2000m",
      "limits.memory": "12Gi"
    },
    "labels": {
      "bsbcc": "example",
      "appname": "example",
      "testingNewLabel": "blah"
    },
    "object_quota": {
      "pods": "10",
      "secrets": "10",
      "services": "10"
    }
  },
  "tenant2": {
    "aws_account_ids": [
      "509164722760"
    ],
    "compute_quota": {
      "requests.cpu": "1000m",
      "requests.memory": "12Gi",
      "limits.cpu": "2000m",
      "limits.memory": "12Gi"
    },
    "labels": {
      "bsbcc": "example",
      "appname": "example",
      "testingNewLabel": "blah2"
    },
    "object_quota": {
      "pods": "10",
      "secrets": "10",
      "services": "10"
    }
  }
}

It has the account info added in for the cross-account access.

Our team has developed our code which we are happy to contribute as a PR (we showed it to @askulkarni2 a couple months ago hence creating this issue post our conversations)
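As an added illustration of what the tenant definition above would have to drive (not code from the module or from the commenter's PR), the script below reads a constructed tenant map in the same shape and generates, per tenant, the namespace ResourceQuota, a default-deny NetworkPolicy and a cross-account assume-role trust policy. The account ID is a placeholder, and the validation of `aws_account_ids` is an assumption about what a safe generator should do, not something the thread specifies.

```python
import json

# Constructed tenant definition in the shape posted in the issue; the account
# ID is a placeholder, not the value from the thread.
TENANTS_JSON = """{
  "tenant1": {
    "aws_account_ids": ["111111111111"],
    "compute_quota": {"requests.cpu": "1000m", "limits.memory": "12Gi"},
    "labels": {"appname": "example"},
    "object_quota": {"pods": "10", "secrets": "10"}
  }
}"""

def resource_quota(name, tenant):
    """ResourceQuota for the tenant namespace: compute and object quotas merged."""
    hard = {**tenant.get("compute_quota", {}), **tenant.get("object_quota", {})}
    return {"apiVersion": "v1", "kind": "ResourceQuota",
            "metadata": {"name": f"{name}-quota", "namespace": name,
                         "labels": dict(tenant.get("labels", {}))},
            "spec": {"hard": hard}}

def default_deny_policy(name):
    """Default-deny NetworkPolicy: empty podSelector matches every pod, and with
    no ingress/egress rules listed, both directions are denied."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny", "namespace": name},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

def trust_policy(tenant):
    """Assume-role trust limited to the tenant's own accounts; malformed or
    missing account IDs fail loudly rather than silently widening the trust."""
    accounts = tenant.get("aws_account_ids", [])
    if not accounts:
        raise ValueError("tenant has no aws_account_ids; refusing to build trust")
    for acct in accounts:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"invalid AWS account id: {acct!r}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in accounts]}}]}

def render(tenants_json=TENANTS_JSON):
    """Per-tenant bundle of the three objects above, keyed by tenant name."""
    return {name: {"quota": resource_quota(name, t),
                   "network_policy": default_deny_policy(name),
                   "trust": trust_policy(t)}
            for name, t in json.loads(tenants_json).items()}
```

Running `json.dumps(render(), indent=2)` prints the three manifests for each tenant; feeding the real tenant map from the issue through the same function would produce one set per tenant with that map's account IDs as the only trusted principals.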

if you have any code that is publicly available, we'd be happy to take a look to better understand the ask

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

Issue closed due to inactivity.
