I have an EKS cluster with ASG. I want to restrict pods that are in the specific name space to connect to specific RDS services.
Is this available in AWS, is there any suggestions how to do so?
Looking for best practices that are already running in production.
I don’t believe there is a way to whitelist just a single namespace in order to access your RDS instance. This is mainly because clusters are shared and AWS services don’t really understand what kubernetes namespace is.
In order to achieve connectivity you can have a private vpc peering or a publicly available RDS on which you are going to whitelist elastic IP attached to VPC NAT gateway. I would strongly advise you use private vpc peering and then you at least know that connections are private.
Finally, RDS access is going to be allowed for entire cluster as you can’t really limit it to a single set of resources. However, because your RDS requires user credentials to access any data inside I don’t believe that it is such a big issue to have your cluster whitelisted against RDS.