Under the hood
In this explanation, we will go through some of the underlying technologies we use to provide NAIS.
Environment
Runtime implementation
Each environment is its own Kubernetes cluster using GKE. Inside each environment, every team has their own namespace, which is only accessible by the members of the team.
Workload isolation
All workloads are deployed in a team namespace and every workload is isolated from all other workloads by utilizing Kubernetes network policies unless explicitly allowed.
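The two isolation layers described above (a namespace that only the team's members can access, and network policies that deny traffic between workloads unless it is explicitly allowed) map onto plain Kubernetes objects. The manifests below are an added illustration written for this page, not NAIS's own manifests or the objects NAIS generates; they assume a team "team-a" with a namespace of the same name, an identity-provider group "team-a@example.invalid" (placeholder) as the team's members, and two workloads labelled app=app-a and app=app-b where app-b is the only client that should reach app-a on TCP port 8080.

```yaml
# Added example (not NAIS's own manifests): namespace-scoped access plus
# default-deny networking with one explicit allow.
# Assumptions (placeholders): namespace "team-a", group "team-a@example.invalid",
# workloads labelled app=app-a and app=app-b.
---
# 1) Namespace access: members of team A get edit rights in their namespace
#    only. A RoleBinding is namespaced; binding the same ClusterRole with a
#    ClusterRoleBinding would instead grant access to every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-edit
  namespace: team-a
subjects:
  - kind: Group
    name: team-a@example.invalid   # placeholder group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                       # built-in Kubernetes ClusterRole
  apiGroup: rbac.authorization.k8s.io
---
# 2) Default deny: an empty podSelector matches every pod in the namespace,
#    and with no ingress/egress rules listed all traffic in both directions
#    is dropped until another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 3) Explicit allow: app-b may reach app-a on TCP/8080. Network policies are
#    additive, so this opens exactly that path and nothing else. A pod in
#    another namespace would not match this podSelector, so it stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-b-to-app-a
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: app-a
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: app-b
      ports:
        - protocol: TCP
          port: 8080
```

Because the default-deny policy also covers egress, the sending side needs a matching egress rule (and typically an egress rule to the cluster DNS service), otherwise app-b's connection is dropped before it ever reaches app-a. Checking a policy set from both directions is the most common step people skip when debugging "explicitly allowed" traffic that still fails.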
GCP resources (CloudSQL, Cloud Storage, BigQuery, etc.)
When resources, such as a database, are requested, they are provisioned in a separate GCP project that is dedicated to this team for this environment. As with the team's namespace, the team's project is only accessible by the members of the team.
Example NAIS environment:
```mermaid
graph LR
  subgraph GCP
    subgraph NAIS-dev cluster
      subgraph team-a-ns[Team A namespace]
        team-a-app[App A]
      end
      subgraph team-b-ns[Team B namespace]
        team-b-app[App B]
      end
      subgraph team-c-ns[Team C namespace]
        team-c-app[App C]
      end
    end
    subgraph team-a-project[A-dev project]
      team-a-db[Database A]
    end
    subgraph team-b-project[B-dev project]
      team-b-db[Database B]
    end
    subgraph team-c-project[C-dev project]
      team-c-db[Database C]
    end
  end
  team-a-app --> team-a-db
  team-b-app --> team-b-db
  team-c-app --> team-c-db
```
In the example above, we have three teams, A, B and C. Each team has their own namespace in the dev cluster, and when they request a database, it is provisioned in their own team-dev project.