Dataiku Setup with multi-tenant Amazon EKS cluster
Background: I am trying to create an infra setup where Dataiku runs on a multi-tenant EKS cluster (for cost tracking).
Most of the setup is clear, but I want to know how the configuration should be mapped.
Use case: let's say we have 40 users, of which there are 4 groups with 10 users mapped to each group. Now how does multi-tenancy come into the picture?
Can we have a namespace for each user? If yes, then what is the exact configuration we have to do (both from the Dataiku and EKS side), and how is the IAM role mapped to the user?
Can we have a namespace for each group? If yes, then what is the exact configuration we have to do (both from the Dataiku and EKS side), and how is the IAM role mapped to the group?
Also, if I have multiple EKS clusters, how is isolation done, i.e. would all EKS clusters be visible to everyone? Do we have an option to list only those clusters they have access to? How is access managed?
Answers
Alexandru Dataiker, Dataiku DSS Core Designer, Dataiku DSS ML Practitioner, Dataiku DSS Adv Designer, Registered Posts: 1,226 Dataiker
Hi @Bharat,
1) You can have a namespace for each group or even user. Variable expansion is supported.
Use patterns like ns-${dssUserLogin}; you can also auto-create the namespace if it doesn't exist.
So no configuration would be required on the DSS. If you want to track cost per namespace, then follow the steps here: https://aws.amazon.com/blogs/containers/how-to-track-costs-in-multi-tenant-amazon-eks-clusters-using-kubecost/
2) You have multiple configurations restricted per group, pointing to different kubectl contexts (if multiple clusters are needed) - https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
Only users from a specific group under "usable by" would be able to use the configuration. Only Admins can create configurations, so regular users wouldn't be able to use the EKS cluster beyond the configurations they have access to.
Each Managed EKS cluster added in DSS would have an IAM Role. There is no mapping done between the user's groups and EKS clusters, if that's what you are asking; you would have to create your own mapping between DSS groups and Clusters and Containerized execution configs.
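A planning check for the group-to-cluster mapping described in the answer above, added here as an example and not part of the original answer or of DSS: it expands the `ns-${dssUserLogin}` pattern per user and flags logins that would end up sharing a namespace. The group, login, config and context names are hypothetical, and the name normalisation is this sketch's own assumption, not DSS's documented behaviour.

```python
import re

# Constructed sample data: group names, logins, config names and kubectl
# context names are hypothetical, not taken from DSS or the original post.
GROUPS = {
    "finance": ["alice", "Bob.Smith", "bob_smith"],
    "research": ["carol"],
}
# One containerized execution config per group: its "usable by" group, the
# kubectl context (cluster) it points to, and the namespace pattern.
CONFIGS = [
    {"name": "eks-a-finance", "usable_by": "finance",
     "context": "eks-cluster-a", "namespace": "ns-${dssUserLogin}"},
    {"name": "eks-b-research", "usable_by": "research",
     "context": "eks-cluster-b", "namespace": "ns-${dssUserLogin}"},
]
# Kubernetes namespace names must be RFC 1123 labels (max 63 characters).
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")

def expand_namespace(pattern, login):
    """Expand ${dssUserLogin} and normalise to a Kubernetes namespace name.

    Assumption: lowercasing and replacing invalid characters with '-' is this
    sketch's own normalisation; verify what your DSS version really produces.
    """
    raw = pattern.replace("${dssUserLogin}", login).lower()
    name = re.sub(r"[^a-z0-9-]", "-", raw).strip("-")
    if not DNS_LABEL.match(name):
        raise ValueError(f"{raw!r} cannot become a valid namespace name")
    return name

def plan(groups, configs):
    """Return ({login: [(context, namespace)]}, [collision descriptions])."""
    access, owners, collisions = {}, {}, []
    for cfg in configs:
        for login in groups.get(cfg["usable_by"], []):
            ns = expand_namespace(cfg["namespace"], login)
            access.setdefault(login, []).append((cfg["context"], ns))
            key = (cfg["context"], ns)
            # Two different logins mapping to one namespace breaks isolation
            # and merges their per-namespace cost figures.
            if key in owners and owners[key] != login:
                collisions.append(f"{owners[key]} and {login} share {key}")
            owners.setdefault(key, login)
    return access, collisions

if __name__ == "__main__":
    access, collisions = plan(GROUPS, CONFIGS)
    print(access, collisions, sep="\n")
```
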