nais blog

Project Structure on GCP

A short explanation of projects in NAV's GCP setup

Published by Gøran Berntsen

In terms of the GCP resource hierarchy, NAV is an Organization, each team is assigned two projects (one for dev and one for prod), and the teams can provision resources within these projects. In theory, these resources can be any of the services offered by Google Cloud Platform. In practice, some restrictions apply. More on this later.

The team projects are automatically set up when a team is added to teams.yaml (NAV private repository). These projects will be named {teamname}-dev and {teamname}-prod, and owner/administrator roles will be assigned based on the associated Azure AD group. In addition, the team is assigned its own namespace in the nais kubernetes clusters. The namespace is named the same as the team in teams.yaml.

There are three kubernetes clusters operated by nais on GCP:

cluster     project
prod-gcp    nais-prod
dev-gcp     nais-dev
labs-gcp    nais-labs

These clusters run in projects managed by the nais team. This means that team members of the product teams will not have privileges for the project the cluster runs in, nor the ability to manage the resources the cluster uses. However, the team is able to manage the kubernetes resources in the team's namespace.

Resources in the kubernetes clusters are provisioned through nais.yaml. In addition, bucket storage and postgres databases should also be provisioned through nais.yaml, but these resources will be added to the team's own project(s).

Figure: teams.yaml automatically provisions team projects and namespaces

(Note: the team can also provision Kafka topics through topic.yaml and Elasticsearch through an IaC repo. However, while these resources also reside on GCP, they are operated as SaaS solutions by the vendor Aiven and run in the Aiven organization. As such, they cannot be managed directly by either the product team or the nais team through the Cloud Console.)

The team can also set up other GCP services in their own project(s). It is important to note that teams are technically able to enable services that have not yet been pre-approved by the nais team; being able to enable a service does not mean it is approved for use. Before any new service can be used, the commercial and usage terms for that service must be evaluated and approved in cooperation with the Cloud Governance team, and a Risk Assessment must be conducted and accepted by the nais team. The currently approved services are those listed in the Platform Risk assessments.
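Because a team can enable a service before it has been approved, a simple control is to compare the services actually enabled in a team project against the approved list. The script below is an added example and is not part of the nais platform or this post; the approved list and the "enabled services" output are constructed placeholders, and in real use the enabled list would come from gcloud services list --enabled --project "${TEAM}-dev" --format='value(config.name)'.

```shell
#!/bin/sh
# Added example (not nais project code): audit the GCP services enabled in a
# team project against an approved list. Both lists below are constructed so
# the script runs offline; replace them with the real approved list from the
# Platform Risk assessments and the real `gcloud services list` output.

# Constructed placeholder for the approved services (assumption, not the real list).
APPROVED_SERVICES="compute.googleapis.com
storage.googleapis.com
sqladmin.googleapis.com
logging.googleapis.com"

# Constructed sample of what `gcloud services list --enabled` might report
# for a team project, including two services that are not on the approved list.
SAMPLE_ENABLED="compute.googleapis.com
storage.googleapis.com
sqladmin.googleapis.com
logging.googleapis.com
bigquery.googleapis.com
aiplatform.googleapis.com"

# Print every enabled service that is not on the approved list, one per line.
# Usage: unapproved_services "$enabled_list" "$approved_list"
unapproved_services() {
    enabled=$1
    approved=$2
    printf '%s\n' "$enabled" | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        # grep -x matches the whole line, so "storage" does not match "storage-api".
        if ! printf '%s\n' "$approved" | grep -qx -- "$svc"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Return 1 when any unapproved service is enabled, so the check can gate a CI job.
# Usage: audit_project "$enabled_list" "$approved_list"
audit_project() {
    found=$(unapproved_services "$1" "$2")
    if [ -n "$found" ]; then
        echo "Enabled services without approval:" >&2
        printf '  %s\n' $found >&2
        return 1
    fi
    echo "All enabled services are on the approved list"
    return 0
}

# Run against the constructed sample; the exit status is reported, not propagated,
# so the script can also be sourced for its functions.
audit_project "$SAMPLE_ENABLED" "$APPROVED_SERVICES"
echo "audit exit status: $?"
```

With the constructed sample the audit reports bigquery.googleapis.com and aiplatform.googleapis.com as enabled without approval and exits with status 1; run per team project (both -dev and -prod) from a scheduled job, it turns the approval requirement into something that is checked rather than assumed.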

On a final note, the team can access billing data for their GCP usage through the per-team GCP billing dashboard. In this dashboard, both resources billed through the team's projects and through the team's namespaces in kubernetes are shown.