Google Cloud Platform

cluster

environment

comment

dev-gcp

development

prod-gcp

production

publicly accessible

labs-gcp

development

publicly accessible

In GCP, we do not operate with a zone model like with the on-premise clusters. Instead, we rely on a zero trust model with a service mesh. The only thing we differentiate on a cluster level is development and production.

The applications running in GCP need access policy rules defined for every other service they receive requests from or sends requests to.

To access the GCP clusters, see Access.

Accessing the application

Access is controlled in part by ingresses, which define where your application will be exposed as a HTTP endpoint. You can control where your application is reachable from by selecting the appropriate ingress domain.

Make sure you understand where you expose your application, taking into account the state of your application, what kind of data it exposes and how it is secured. If in doubt, ask in #nais or someone on the NAIS team.

You can control from where you application is reachable by selecting the appropriate ingress domain. If no ingress is selected, the application will not be reachable from outside the cluster.

dev-gcp ingresses

domain

accessible from

description

dev.nav.no

naisdevice

development ingress for nav.no applications

dev.adeo.no

naisdevice

development ingress for adeo.no applications

dev-nav.no

navtunnel

deprecated, replaced by dev.nav.no

dev-adeo.no

navtunnel

deprecated, replaced by dev.adeo.no

dev-gcp.nais.io

naisdevice

nais cluster services only, applications should use dev.{nav,adeo}.no

prod-gcp ingresses

domain

accessible from

description

nav.no

internet

manually configured, contact at #tech-sikkerhet

adeo.no

case workers, naisdevice

automatically configured (wildcard DNS)

prod-gcp.nais.io

naisdevice

nais cluster services only, applications should use .{nav,adeo}.no

ROS and PVK

When establishing an application on GCP, it is a great time to update its Risikovurdering (ROS) analysis. It is required to update the application's entry in the Behandlingsoversikt when changing platforms. If both of these words are unfamiliar to your team, it's time to sit down and take a look at both of them.

Every application needs to have a ROS analysis, and applications handling personal information needs a Personvernkonsekvens (PVK) analysis, and furthermore an entry in the Behandlingsoversikt. More information about ROS, PVK, and Behandlingsoversikt can be found on our intranet. Questions about ROS can be directed to Leif Tore Løvmo, while Line Langlo Spongsveen can answer questions about the other two.