Your company is developing applications that are deployed on Google Kubernetes Engine (GKE)
Each team manages a different application.
You need to create the development and production environments for each team, while minimizing costs.
Different teams should not be able to access other teams' environments.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/The correct answer is B. Create one GCP Project per team. In each project, create a cluster with a Kubernetes namespace for Development and one for Production. Grant the teams IAM access to their respective clusters.
Explanation:
Google Kubernetes Engine (GKE) is a managed Kubernetes service that allows you to deploy, manage, and scale containerized applications on Google Cloud Platform (GCP). GKE enables you to create isolated environments for different teams in your organization while minimizing costs.
Option A: Create one GCP Project per team. In each project, create a cluster for Development and one for Production. Grant the teams IAM access to their respective clusters. This option will result in high costs as each team will have its own cluster for development and production, and it will also be difficult to manage and monitor multiple clusters. Additionally, IAM access management can be complicated, and there may be a risk of cross-team access to other teams' clusters.
Option B: Create one GCP Project per team. In each project, create a cluster with a Kubernetes namespace for Development and one for Production. Grant the teams IAM access to their respective clusters. This option provides a more cost-effective and manageable solution. Each team will have its own project and its own Kubernetes namespace for development and production, which will enable the teams to isolate their workloads from each other. IAM access can be managed at the project level, making it easier to manage and monitor access.
Option C: Create a Development and a Production GKE cluster in separate projects. In each cluster, create a Kubernetes namespace per team, and then configure Identity Aware Proxy so that each team can only access its own namespace. This option is also a viable solution but may be more complex to manage than option B. Identity Aware Proxy (IAP) can be used to restrict access to specific namespaces, but this requires additional configuration and management overhead. Additionally, managing multiple projects and clusters can result in higher costs.
Option D: Create a Development and a Production GKE cluster in separate projects. In each cluster, create a Kubernetes namespace per team, and then configure Kubernetes Role-based access control (RBAC) so that each team can only access its own namespace. This option is similar to option C but uses Kubernetes Role-based access control (RBAC) instead of IAP for access control. While RBAC is a powerful access control mechanism, it can be complex to configure and manage. Additionally, managing multiple projects and clusters can result in higher costs.
In summary, option B provides the most cost-effective and manageable solution, with each team having its own project and Kubernetes namespace for development and production, and IAM access management can be managed at the project level.