GCP Infrastructure Overview

The platform is organized into four project layers — bootstrap, organization, platform, and tenant — with a single shared GKE cluster per environment and namespace-based isolation between applications.

Project layers

Bootstrap — u2i-bootstrap (us-central1)

Terraform state, Cloud Deploy pipelines, GitHub connections, and the shared Artifact Registry live here. Region chosen for cost, not data residency.

Organization — u2i-organization, u2i-dns, u2i-security

Org-wide policies, DNS zones, and centralized audit logging (7-year retention).

Platform — u2i-platform-nonprod / u2i-platform-prod (europe-west1)

Owns the GKE Fleet, Config Sync, and Binary Authorization for the region.

Tenant — c-u2i-nonprod / c-u2i-prod (europe-west1)

The shared tenant project that hosts every application's namespace, images, and Cloud Build/Deploy resources. europe-west1 is used here for GDPR/EU data residency.

GKE clusters

Shared Autopilot clusters

One cluster per environment (u2i-nonprod, u2i-prod) in europe-west1. Every app is a namespace on the shared cluster rather than getting its own cluster.

Namespace isolation

Namespaces follow {app}-dev, {app}-qa, {app}-prod, and {app}-pr-{N} for pull-request previews.

Networking

Private nodes behind Cloud NAT; dual-stack IPv4/IPv6 in nonprod, IPv4 only in prod. Pod/service CIDRs are allocated centrally so they stay globally unique across clusters.

IAM & service accounts

Zero standing privilege

Terraform service accounts are read-only by default. Write access is granted only through PAM: 30-minute windows for CI/CD, 2-hour windows for break-glass access.

Per-app service accounts

Each app gets a {app}-ci account (builds images, creates Cloud Deploy releases) and a {app}-cloud-deploy account (executes kubectl apply against the clusters).

No standing keys

Everything authenticates via Application Default Credentials locally or Workload Identity Federation in CI — no long-lived service account keys.

Compliance & security

terraform-google-compliance-modules

Reusable modules aligned with ISO 27001 and SOC 2 Type II. Google-managed encryption is accepted for GKE/Compute; CMEK is still required for databases, BigQuery, and Secret Manager.

Centralized logging

All audit logs flow into the u2i-security project with a 7-year retention policy.

Privileged Access Manager (PAM)

Time-bound elevation with an audit trail written to BigQuery and a Slack notification on every grant.

Storage: GCS via GCSFuse CSI

Native CSI driver, no sidecars

Apps that need bucket-backed storage (e.g. RetroTool's board backgrounds) mount GCS through GKE's gcsfuse.csi.storage.gke.io driver directly on the pod — not a sidecar container.

Tunable per environment

Cache sizes (fileCacheCapacity, ephemeral storage requests/limits) are set per environment in Helm values — smaller in preview to fit spot instances.

Bucket provisioning

Buckets are provisioned declaratively via Config Connector through the gke-tenant-storage chart; the app's GKE service account gets roles/storage.objectUser via Workload Identity.
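The three pieces above (bucket, bucket-scoped IAM grant, pod mount) as one worked set of manifests. This is an added example, not the output of the gke-tenant-storage chart; it assumes a namespace retrotool-dev, a Kubernetes service account named retrotool, a bucket name retrotool-dev-backgrounds, and PROJECT_ID / PROJECT_NUMBER placeholders.

```yaml
# Bucket declared through Config Connector. Assumed names: namespace retrotool-dev,
# KSA "retrotool", bucket "retrotool-dev-backgrounds"; PROJECT_* are placeholders.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: retrotool-dev-backgrounds
  namespace: retrotool-dev
spec:
  location: europe-west1           # same region as the cluster, keeps data in the EU
  uniformBucketLevelAccess: true   # IAM only, no per-object ACLs to audit
---
# Grant scoped to this one bucket, to the Kubernetes SA via Workload Identity
# (direct principal binding, no intermediate Google service account or key).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: retrotool-dev-backgrounds-objectuser
  namespace: retrotool-dev
spec:
  member: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/retrotool-dev/sa/retrotool
  role: roles/storage.objectUser   # read/write objects; cannot change bucket IAM
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: retrotool-dev-backgrounds
---
# Pod mounting the bucket through the GKE gcsfuse CSI driver.
apiVersion: v1
kind: Pod
metadata:
  name: retrotool
  namespace: retrotool-dev
  annotations:
    gke-gcsfuse/volumes: "true"                   # enables the CSI driver for this pod
    gke-gcsfuse/ephemeral-storage-request: "1Gi"  # sized per environment in Helm values
    gke-gcsfuse/ephemeral-storage-limit: "2Gi"
spec:
  serviceAccountName: retrotool   # must match the subject in the IAM binding above
  containers:
  - name: app
    image: europe-west1-docker.pkg.dev/PROJECT_ID/REPO/retrotool:TAG
    volumeMounts:
    - name: backgrounds
      mountPath: /data/backgrounds
  volumes:
  - name: backgrounds
    csi:
      driver: gcsfuse.csi.storage.gke.io
      volumeAttributes:
        bucketName: retrotool-dev-backgrounds
        fileCacheCapacity: "1Gi"   # smaller in pr-{N} previews to fit spot nodes
```

Because the grant is attached to the StorageBucket resource rather than the project, a compromised preview namespace can reach only its own bucket; check with `gcloud storage buckets get-iam-policy gs://retrotool-dev-backgrounds` that no project-level objectUser binding widens it.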