Cloud Foundation Community
Maturity Model🗂 Tenant Management

Container Platform Landing Zone

⭐️⭐️☁️ PlatformA dedicated landing zone offering a developer-centric experience for building and running container-based applications on the cloud on top of a container platform.

🚧 This capability reference page is a draft.

If you want to be notified when the capability reference page is finished, click here.

  • Many organizations have in-house application development teams. Unless they established DevOps (proper) and have dedicated resources embedded within every application team, providing a central platform bundling infrastructure operations makes a lot of sense and can provide major productivity enhancements (internal developer platform)

  • Many application teams target containers and kubernetes specifically as an abstraction layer. Reduced vendor lock-in, reasonable abstraction over cloud infrastructure

  • Central platform teams can build multi-tenant k8s on top of managed cloud provider offerings (e.g. GKE, AKS etc.) more easily. Should look into this angle first before offering Kubernetes Cluster as a Service - it’s easier to operate fewer bigger clusters than many small cluster

  • Caveat: Kubernetes is not specifically designed for hosting multi-tenant workloads, albeit this is usually fine in an in-house platform context with semi-trusted workloads. Some kubernetes based platforms like OpenShift offer better implementations

  • Developer experience essentially “serverless”, i.e. no infrastructure responsibility.

  • Make sure to enable kubernetes audit logs and store persistently → Centralized audit logs. This is easy with managed services, e.g. https://cloud.google.com/kubernetes-engine/docs/how-to/audit-loggingopen in new window

  • Can “augment” these landing zones with cloud-native tenant access, e.g. for object storage, cloud-native DBs (Dynamo DB etc.) → very powerful

  • Alternative is a proprietary fully-managed serverless stack, e.g. AWS lambda, Azure Functions etc. Using containers is optional here, but has advanatages (see toolchain below)

  • Landing Zone can deliver integrated Managed DevOps Toolchain, Shared container registry, SDLC tooling etc.

  • Landing Zone should set IAM policies and resource Quotas

  • Should include Private Cloud pay-per-use chargeback

  • Consider implementing the Container Platform on top of a Cloud-native Landing Zone if you also have it - good litmus test if the cloud-native LZ is really ready to serve cloud-native workloads

  • meshStack

    meshStack has built-in support for building and operating OpenShift, AKS and other Kubernetes based Landing Zones including IAM, quota management and consumption metering.

    Learn More open in new window

Depends On

⭐️☁️ Platform

Private Cloud pay-per-use chargeback

Resource consumption on multi-tenant private cloud platforms such as OpenStack, Cloud Foundry or OpenShift is billed according to a pay-per-use pricing model.

⭐️☁️ Platform

Federated Identity and Authentication

Integration Cloud Platform IAM systems with Enterprise IAM landscape incl. federated authentication.

⭐️⭐️🛬 Landing Zone

Resource Authorization Management

Establish consistent guidelines and guardrails for managing authorization to cloud resources in Landing Zones. Authorization management should consider key principles like segregation of duties, need-to-know and separation of privileged and unprivile...

⭐️🏢 Core

Shared Responsibility Model Alignment

The cloud foundation team can make decisions about the shared responsibility model clarifying responsibilities between application teams, the cloud foundation and cloud providers. A process is in place to align decisions with relevant stakeholders in...

⭐️☁️ Platform

Centralized audit logs

Audit logs from all cloud tenants (API/resource access) are centrally collected and stored.

⭐️🛬 Landing Zone

Service and Location Restrictions

Basic policies on cloud resources restrict access to incompliant cloud services and cloud regions (geographic locations).

⭐️🛬 Landing Zone

Tenant Provisioning

On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure Subscriptions etc.).

Recommended

⭐️⭐️🏢 Core

Quota Management

Quotas are a simple mechanism for protecting cloud foundations and application teams against unforeseen spikes in usage/spend.

⭐️⭐️⭐️🏢 Core

Guided Cloud Onboarding

Application teams are guided through the organizational (e.g. budget) and regulatory (e.g. compliance) cloud onboarding duties.

⭐️⭐️☁️ Platform

Managed DNS Services

Application teams can manage DNS Zones and Records for their cloud workloads in self-service.

⭐️⭐️🛬 Landing Zone

Shared container registry

A central repository provides hardened container images.

⭐️⭐️⭐️☁️ Platform

Managed SSL Certificates

Application teams can request and renew SSL certificates for their cloud workloads in self-service.

⭐️⭐️⭐️🛬 Landing Zone

Managed DevOps Toolchain

Application teams can use DevOps tools that are integrated with the cloud tenants used by the team. Any required service account or automation user credentials are automatically maintained and rotated.

Built with ❤️ by  meshcloud·Imprint·Privacy Policy· Licensed under CC BY-SA 4.0