在 AWS 上有多个账户的 Kubernetes?
[英]Kubernetes on AWS with multiple accounts?
问题描述
I wonder if it is possible to run a single EKS cluster within one AWS account and give access to it (entire or specific namespaces) to another one?
我想知道是否可以在一个 AWS 账户中运行单个 EKS 集群并将对它(整个或特定命名空间)的访问权限授予另一个账户?
Here's a scenario: In my company we have multiple customers and host their systems within AWS.这是一个场景:在我的公司,我们有多个客户并在 AWS 中托管他们的系统。 We'd like to setup AWS Organization structure with subaccounts per customer (+ maybe separate account for prod and test).我们想为每个客户设置带有子账户的 AWS 组织结构(+ 可能是用于生产和测试的单独账户)。 Some of the customers are already being migrated to Kubernetes so we need EKS cluster.一些客户已经迁移到 Kubernetes,所以我们需要 EKS 集群。 Now, setting separate clusters for each customers would not be cost effective - partially because it would generate over 100USD for each control plane, partially because we would need to have separate node groups for each customer which would decrease benefits of scale.现在,为每个客户设置单独的集群并不划算——部分原因是它会为每个控制平面生成超过 100 美元,部分原因是我们需要为每个客户设置单独的节点组,这会降低规模效益。 For this reason I thought of setting a single EKS cluster and give access to it to subaccounts created for customers.出于这个原因,我想设置一个单独的 EKS 集群并将其访问权限授予为客户创建的子账户。 Can I achieve this?我能做到这一点吗? And how to do it relatively simple?以及怎么做比较简单?
1 个解决方案
解决方案1
1 已采纳 2019-11-01 07:16:18
Follow these steps按着这些次序
- You can create separate namespace for each customer rather creating a separate cluster.您可以为每个客户创建单独的命名空间,而不是创建单独的集群。
- Define resource quota at namespace level and manage the resources.在命名空间级别定义资源配额并管理资源。
- Create RBAC roles and rolebindings to control access at namespace level for each customer.创建 RBAC 角色和角色绑定以控制每个客户在命名空间级别的访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.