Skip to content

Under the hood

In this explanation, we will go through some of the underlying technologies we use to provide NAIS.

Environment

Runtime implementation

Each environment is its own Kubernetes cluster using Google Kubernetes Engine (GKE) .

Inside each environment, every team has their own namespace .

A namespace can contain one or more workloads. Only members of the team have access to the namespace and its resources.

graph LR
    subgraph env-dev[dev environment]
        subgraph ns-dev[team namespace]
          app[App]
          job[Job]
        end
    end

In the example above, the team has an application and a job running in the dev environment.

Workload isolation

All workloads are deployed in a team namespace.

Every workload is isolated from all other workloads with Kubernetes network policies .

Access is denied by default, unless explicitly allowed.

Google Cloud Platform (GCP) resources

Each team has a dedicated GCP project for each environment.

When your workload requests resources e.g. a bucket, it will be provisioned in the team's project for the matching environment.

graph LR
    subgraph env-dev["dev environment"]
        subgraph ns-dev[team namespace]
          app-dev[App]
        end
    end

    subgraph project-dev[team project dev]
        bucket-dev[Bucket]
    end

    subgraph env-prod["prod environment"]
        subgraph ns-prod[team namespace]
            app-prod[App]
        end
    end

    subgraph project-prod[team project prod]
        bucket-prod[Bucket]
    end

app-dev--> bucket-dev
app-prod--> bucket-prod

In the example above, the team has an application running in the dev environment. When the application requests a bucket, it is provisioned in the team's dev project.

Equivalently for the prod environment, the bucket is provisioned in the team's prod project.