Container Platform Landing Zone
🚧 This capability reference page is a draft.
Many organizations have in-house application development teams. Unless they have established DevOps properly, with dedicated infrastructure resources embedded in every application team, a central platform that bundles infrastructure operations makes a lot of sense and can deliver major productivity gains (an internal developer platform).
Many application teams target containers, and Kubernetes specifically, as their abstraction layer: it reduces vendor lock-in and provides a reasonable abstraction over cloud infrastructure.
Central platform teams can build multi-tenant Kubernetes on top of managed cloud provider offerings (e.g. GKE, AKS) comparatively easily. Look into this angle before offering Kubernetes Cluster as a Service: it is easier to operate a few large clusters than many small ones.
Caveat: Kubernetes was not designed for hard multi-tenancy. A namespace is a logical boundary, not a security boundary, so tenant separation relies on RBAC, resource quotas, network policies and pod security controls layered on top. This is usually acceptable in an in-house platform context with semi-trusted workloads. Some Kubernetes-based platforms, such as OpenShift, ship stronger multi-tenancy implementations out of the box.
The developer experience is essentially "serverless", i.e. application teams carry no infrastructure responsibility.
Make sure to enable Kubernetes audit logs and store them persistently outside the cluster, where a tenant (or an attacker who has compromised one) cannot alter them → Centralized audit logs. This is easy with managed services, e.g. https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
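On managed offerings such as GKE the provider controls the audit policy and the log sink, so the setting is little more than a switch. On a self-managed cluster the platform team has to decide what the API server records. The following audit policy is an added example, not taken from the page or from any product it mentions; it assumes the file is passed to kube-apiserver with `--audit-policy-file` and that persistence is handled either by `--audit-log-path` (with `--audit-log-maxage`, `--audit-log-maxbackup` and `--audit-log-maxsize`) or, preferably for centralization, by `--audit-webhook-config-file` pointing at a log collector outside the cluster. Rules are evaluated top to bottom and the first match wins.

```yaml
# Added example audit policy for a self-managed, multi-tenant cluster.
# Not from the original page; flag names in the lead-in are the real
# kube-apiserver flags, the rule set itself is this example's choice.
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request passes through RequestReceived and then ResponseComplete (or
# Panic); logging only the latter avoids two entries per request.
omitStages:
  - "RequestReceived"
rules:
  # Read traffic from control-plane components is high volume, low value.
  - level: None
    users:
      - system:kube-proxy
      - system:kube-scheduler
      - system:kube-controller-manager
    verbs: ["get", "list", "watch"]
  # Kubelets polling their own pods, nodes and endpoints. Secrets are
  # deliberately not listed here, so a node reading a secret is still
  # recorded by the Metadata rule further down.
  - level: None
    userGroups: ["system:nodes"]
    verbs: ["get", "list", "watch"]
    resources:
      - group: ""
        resources: ["nodes", "nodes/status", "pods", "pods/status", "endpoints", "services"]
  # Health, readiness and discovery endpoints carry no audit value.
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version", "/openapi*"]
  # Secrets and tokens: record who touched which object (Metadata), never
  # the body, or the audit log becomes a second copy of every secret.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Authorization and tenant-boundary objects are what an investigator needs
  # in full: keep request and response bodies for writes.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
      - group: ""
        resources: ["namespaces", "resourcequotas", "serviceaccounts"]
      - group: "networking.k8s.io"
        resources: ["networkpolicies"]
  # exec/attach/port-forward are interactive access to a running workload;
  # the request body names the container and the command.
  - level: Request
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Everything else: user, verb, object and response code, without bodies.
  - level: Metadata
```

The policy only decides what is written; it does nothing for persistence. If the log stays on the control-plane node's disk under `--audit-log-path`, it is lost with the node and readable by anyone who can reach the filesystem, which is why the webhook route into a central, append-only store is the one to aim for.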
These landing zones can be "augmented" with cloud-native tenant access, e.g. to object storage or cloud-native databases (DynamoDB etc.) → very powerful.
The alternative is a proprietary, fully managed serverless stack, e.g. AWS Lambda, Azure Functions etc. Using containers is optional there, but has advantages (see toolchain below).
The Landing Zone can deliver an integrated managed DevOps toolchain, a shared container registry, SDLC tooling etc.
The Landing Zone should set IAM policies and resource quotas per tenant, so that access and consumption are bounded at the namespace level rather than left to each team.
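What "IAM policies and resource quotas" amount to in a shared cluster, and how the multi-tenancy caveat above is mitigated in practice, is the set of objects the platform stamps out for every tenant namespace. The manifest below is an added example and is not the page's or meshStack's own tenant template; the namespace `team-payments`, the identity-provider group `payments-developers` and the quota figures are hypothetical.

```yaml
# Added example: per-tenant objects for a "namespace as tenant" platform.
# Not from the original page. Names and numbers are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-payments
  labels:
    tenant: payments
    # Pod Security admission: "restricted" rejects privileged containers,
    # hostPath, host networking etc., which "baseline" would still allow.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# IAM: tenant members get the built-in "edit" ClusterRole, bound with a
# RoleBinding so it only applies inside this namespace. The group name is
# whatever the identity provider puts into the token.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers-edit
  namespace: team-payments
subjects:
  - kind: Group
    name: payments-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Quota: an upper bound on what the tenant can consume in total, so one team
# cannot starve the others. "edit" can read but not change this object.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: team-payments
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
    services.loadbalancers: "2"
    persistentvolumeclaims: "10"
---
# LimitRange: once a quota covers requests and limits, pods that declare
# none are rejected, so supply per-container defaults.
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-defaults
  namespace: team-payments
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 128Mi
---
# Network isolation: namespaces do not separate traffic on their own.
# Default-deny both directions, then allow intra-namespace traffic and DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-default-deny
  namespace: team-payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats a platform team should know about this shape. The built-in `edit` ClusterRole includes write access to NetworkPolicy objects, so tenants can delete the default-deny policy unless it is either enforced by an admission policy or the binding uses a narrower custom Role. And the egress rule as written blocks everything outside the namespace except DNS, which is the safe starting point but has to be widened deliberately for ingress controllers, shared services and the cloud-native tenant access (object storage, managed databases) mentioned above.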
It should include Private Cloud pay-per-use chargeback.
Consider implementing the Container Platform on top of a Cloud-native Landing Zone if you also have one; it is a good litmus test of whether the cloud-native LZ is really ready to serve cloud-native workloads.
Related Tools
- meshStack
meshStack has built-in support for building and operating OpenShift, AKS and other Kubernetes-based Landing Zones, including IAM, quota management and consumption metering.
Learn More