Overview
This example uses AWS Control Tower for a multi-account setup. Each environment is contained in its own AWS account, but all accounts share the same IAM setup. The accounts are connected through a transit gateway that is controlled from a separate network account and acts as the single point of contact to the on-premises network; note that the structure of your network can have a significant impact on pricing. The connection to the on-site network is provided through a dedicated line, with a VPN as fallback.
This is a minimal setup for a hybrid approach.
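As an added illustration (not part of the original page and not AWS SDK code), a small Python model of the hub-and-spoke design above: one transit gateway in the network account, one route table per environment account so spokes stay isolated from each other, and on-premises prefixes reachable over the dedicated line with the VPN as fallback. The route-preference order, table names and all CIDRs are assumptions chosen for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed model, not AWS SDK code. Route selection mirrors transit gateway
# behaviour as an assumption: longest prefix first, then this source preference.
SOURCE_PREF = {"static": 0, "vpc": 1, "direct_connect": 2, "vpn": 3}


@dataclass
class Route:
    prefix: str
    attachment: str   # e.g. "dev-vpc", "dx-gw", "vpn-tunnel"
    source: str       # key into SOURCE_PREF
    up: bool = True   # attachment health (dedicated line / tunnel state)


@dataclass
class TransitGateway:
    tables: dict = field(default_factory=dict)  # route table name -> [Route]

    def add(self, table, route):
        self.tables.setdefault(table, []).append(route)

    def set_health(self, attachment, up):
        """Mark every route via `attachment` usable or not (e.g. dedicated line down)."""
        for routes in self.tables.values():
            for r in routes:
                if r.attachment == attachment:
                    r.up = up

    def lookup(self, table, dest):
        """Attachment a packet arriving in `table` is forwarded to, or None (dropped)."""
        addr = ip_network(dest)
        usable = [r for r in self.tables.get(table, [])
                  if r.up and addr.subnet_of(ip_network(r.prefix))]
        if not usable:
            return None
        best = max(usable, key=lambda r: (ip_network(r.prefix).prefixlen,
                                          -SOURCE_PREF[r.source]))
        return best.attachment


def build_example():
    """Hub-and-spoke: one table per environment account, one shared on-prem table."""
    tgw = TransitGateway()
    spokes = {"dev": "10.10.0.0/16", "test": "10.20.0.0/16", "prod": "10.30.0.0/16"}
    for env in spokes:  # spoke tables learn only on-prem routes, never a sibling's CIDR
        tgw.add(env, Route("192.168.0.0/16", "dx-gw", "direct_connect"))
        tgw.add(env, Route("192.168.0.0/16", "vpn-tunnel", "vpn"))
    for env, cidr in spokes.items():  # the on-prem table learns every spoke VPC
        tgw.add("onprem", Route(cidr, f"{env}-vpc", "vpc"))
    return tgw
```

A lookup from a spoke table for another environment's CIDR returns None, which is the isolation property to verify when reviewing the real route tables.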
Readiness
Workload-wise, this approach can be shifted 1:1 to the cloud if you deploy on an on-premises OpenShift. In general, you should strive for a Kubernetes-version-agnostic setup.