It is NAIS to be a developer at NAV
- Your first application
  Set up your very first NAIS application with a simple nais.yaml file.
- Deploy in minutes
  Get your application up and running in minutes with GitHub Actions.
- Know what's going on
  Observe everything that happens in your application with Prometheus and Grafana.
- We got your back!
  We have assembled the best tips and tricks to help you succeed.
Why NAIS exists
When you have a large development organisation, providing the developers with turn-key solutions for their most common needs is a good investment.
"Swiss Army Knife"
At the core of NAIS lies Kubernetes, which can be described as a Swiss army knife of tools. Each of these tools comes with its own set of instructions and in sum this adds up and makes for a bit of a mess in terms of choices and considerations.
Our goal is to lift this burden from our developers, and in order to do so we've condensed the essential parts into a single configuration file that we use to generate all the underlying Kubernetes resources. In NAIS terms, this file is most commonly referred to as nais.yaml.
The services included are (but are not limited to) logging, metrics, alerts, deployment, operators and a runtime environment (across on-premises and Google Cloud Platform).
To make this all happen we leverage open source projects best suited to our needs and provide them with usable abstractions, sane defaults and the required security hardening.
Clusters
In ye olde days of yore, NAV's security model was based on network segmentation and zones. (And if we are being honest, this still holds true for parts of our operation.) Our goal (and strategy), however, is to move everything to "Public Cloud". So anything described as on-prem is scheduled to be taken out behind the barn at some point, and new apps, services or products are destined to exist in GCP (for now).
NAIS on-premises (FSS)
Many of our older systems, and systems with a high degree of sensitive content, were placed in a dedicated zone with very strict restrictions: Fagsystemsone (FSS). Connectivity to and from this zone is very limited - no connectivity to the internet, and inbound connections have to go through security gateways. However, connectivity inside this zone is not restricted in any way, shape or form. Everyone can connect with everyone else - like a true hippie community. (As many of these applications were written in the seventies, it sort of makes sense.)
We further divided our clusters into development and production clusters to maintain a healthy separation.
Thus the two clusters we've got on-premises are dev-fss and prod-fss (and a third called nais-ci, but that's just for us to test stuff).
NAIS in GCP
Luckily the world has moved on from zones and segmentation.
When we built NAIS in GCP we wanted the applications to be able to communicate without jumping over hurdles, and figured we'd adopt a zero-trust model, where applications specify in their application manifest with whom they want to communicate and who is allowed to communicate with them.
And so the two GCP clusters dev-gcp and prod-gcp were born.
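An added illustration of the manifest-declared policy described above, not taken from the original page: two nais.yaml documents using the `accessPolicy` block of the NAIS `Application` spec. The application, team, image and host names are constructed, and the field names are given as an assumption to check against the current NAIS reference.

```yaml
# Constructed example: two applications owned by the same (made-up) team.
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: orders-frontend            # hypothetical application name
  namespace: myteam                # hypothetical team namespace
  labels:
    team: myteam
spec:
  image: example.invalid/myteam/orders-frontend:1   # placeholder image
  accessPolicy:
    outbound:
      rules:
        - application: orders-api  # the only in-cluster app this one may call
      external:
        - host: api.example.com    # the only external host it may reach
---
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: orders-api                 # hypothetical application name
  namespace: myteam
  labels:
    team: myteam
spec:
  image: example.invalid/myteam/orders-api:1        # placeholder image
  accessPolicy:
    inbound:
      rules:
        - application: orders-frontend   # the only caller that is admitted
    # No outbound section: this app declares no outgoing traffic at all.
```

The connection is declared on both sides: the caller lists the callee under `outbound`, and the callee lists the caller under `inbound`, which makes each manifest a reviewable record of who talks to whom.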
For Application Teams
NAIS is for the application teams.
We believe that a team should be able to take full responsibility for what they build - in the entirety of its lifecycle. This creates better software and happier teams.
To achieve this, we ensure that each team has their own space where they can experiment, develop and host the stuff they build. Here they have the full set of permissions, and are only limited by their own imagination.
You can also learn about our user management and permissions.
Access Your Applications
In the extended NAIS universe we also have a component called [naisdevice](./device). This is a cross-platform mechanism that provides access to NAIS services. The product adheres to the Honest.security principles and takes aim at securing our operations without getting in your way.
Contact the NAIS team
The team can be found on Slack. Also, follow us on Twitter @nais_io!
Created: 2017-09-07