Under the hood
In this explanation, we will go through some of the underlying technologies we use to provide NAIS.
Environment

Runtime implementation
Each environment is its own Kubernetes cluster using Google Kubernetes Engine (GKE).
Inside each environment, every team has their own namespace.
A namespace can contain one or more workloads. Only members of the team have access to the namespace and its resources.
```mermaid
graph LR
  subgraph env-dev[dev environment]
    subgraph ns-dev[team namespace]
      app[App]
      job[Job]
    end
  end
```
In the example above, the team has an application and a job running in the dev environment.

Workload isolation
All workloads are deployed in a team namespace.
Every workload is isolated from all other workloads with Kubernetes network policies.
Access is denied by default, unless explicitly allowed.
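The following manifests are an added illustration of that deny-by-default model, not the policies NAIS itself generates: a policy that denies all ingress and egress for every pod in the team namespace, followed by the explicit allow rules needed for one workload to reach another. The namespace `team-a`, the labels `app: frontend` and `app: backend`, and port 8080 are assumptions.

```yaml
# Constructed example, not NAIS's own manifests. Namespace, labels and port are assumed.
# 1) Default deny: an empty podSelector matches every pod in the namespace,
#    and listing both policy types means no traffic in or out is permitted
#    until another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) Allow traffic into the backend, but only from pods labelled app=frontend
#    in the same namespace, and only on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# 3) Because egress is also denied by default, the frontend needs a matching
#    egress rule; policies are additive, so the union of allows is what applies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-egress-to-backend
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 8080
```

Two practical notes: network policies only take effect when the cluster's CNI enforces them, and a default-deny egress rule also blocks DNS lookups, so a real deployment additionally needs an egress rule towards the cluster DNS service. `kubectl get networkpolicy -n team-a` lists the policies currently in effect for a namespace, which is the first thing to check when a connection between two workloads is unexpectedly refused.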
Google Cloud Platform (GCP) resources
Each team has a dedicated GCP project for each environment.
When your workload requests a resource, e.g. a bucket, it is provisioned in the team's project for the matching environment.
```mermaid
graph LR
  subgraph env-dev["dev environment"]
    subgraph ns-dev[team namespace]
      app-dev[App]
    end
  end
  subgraph project-dev[team project dev]
    bucket-dev[Bucket]
  end
  subgraph env-prod["prod environment"]
    subgraph ns-prod[team namespace]
      app-prod[App]
    end
  end
  subgraph project-prod[team project prod]
    bucket-prod[Bucket]
  end
  app-dev --> bucket-dev
  app-prod --> bucket-prod
```
In the example above, the team has an application running in the dev environment.
When the application requests a bucket, it is provisioned in the team's dev project.
Equivalently for the prod environment, the bucket is provisioned in the team's prod project.