
I have a Kubernetes cluster where projects from many customers are running. Each customer has its own namespace. Projects are managed. This means customers have no access to the cluster.

Each project is implemented on a PHP + MySQL stack.

I'm using Calico as networking provider for the cluster.

I want to provide some customers with an external VPS with SSH access (a pure VPS, not a part of the Kubernetes cluster). This VPS should be allowed to connect with the services (MySQL) on the customer namespace (onl.

Is it possible to achieve something like this by using Calico or by any other means?

  • You want this VPS to be a part of the cluster or you just want users on that VPS to be able to see some data or consume it somehow? – aurelius Jan 08 '19 at 16:01
  • It's all about security. I want the VPS to be "isolated" from other customers' resources. The customer should be able to log in with SSH and have network connectivity to some resources (preferably the ones on a defined namespace), like a MySQL service. Whether the VPS is part of the cluster or not is not relevant to me. The main idea is that that machine should be the only access point for the customer to some resources in the cluster. I was thinking about some low-level networking solution with Calico, but at the moment I don't have the required knowledge for that. – Manel R. Doménech Jan 09 '19 at 13:17
  • My idea would be to create a service account that has access only to that particular namespace. Using RBAC you will have to install kubectl on that VPS and the users on that server will only have access to that particular namespace. If this does seem like a solution to you I can try to test it in lab. – aurelius Jan 16 '19 at 15:16

0 Answers
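The namespace-scoped service account suggested in the last comment, written out as an added example that is not part of the original thread. The names `customer-a`, `vps-access` and `mysql-port-forward` are assumptions; the Role grants only what `kubectl port-forward` needs to reach a MySQL Service in that one namespace.

```yaml
# Constructed example: namespace and object names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vps-access
  namespace: customer-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role            # namespaced: grants nothing outside customer-a
metadata:
  name: mysql-port-forward
  namespace: customer-a
rules:
  # Read-only lookup so kubectl can resolve the Service to a backing pod.
  - apiGroups: [""]
    resources: ["services", "pods"]
    verbs: ["get", "list"]
  # Permission to open the tunnel itself. No exec, no secrets, no writes.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vps-access-mysql-port-forward
  namespace: customer-a
subjects:
  - kind: ServiceAccount
    name: vps-access
    namespace: customer-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mysql-port-forward
```

With a kubeconfig for this service account on the VPS, `kubectl -n customer-a port-forward svc/mysql 3306:3306` tunnels to MySQL through the API server (the Service name `mysql` is assumed). `kubectl auth can-i --list -n customer-a --as=system:serviceaccount:customer-a:vps-access` shows the effective permissions, and the same check against another customer's namespace should list none of these rules.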