Governance & Guardrails
In Development
This feature is currently in development. Governance models described here are subject to change.
Purpose: For platform engineers and security officers, describes how the portal enforces governance — preventing resource sprawl, controlling costs, and gating elevated access behind approvals.
Governance Layers
| Layer | Mechanism | Enforcement Point |
|---|---|---|
| Quotas | ResourceQuota per namespace | Kubernetes API server |
| Policies | Kyverno ClusterPolicies | Admission controller |
| Approval gates | Portal workflow engine | Pre-commit (before Git push) |
| Cost controls | Label-based cost attribution | Prometheus + reporting |
| Audit trail | Git history + portal event log | Post-hoc compliance |
Resource Quotas
Every team namespace has enforced quotas:
| Resource | Default (Standard tier) | Expandable via |
|---|---|---|
| CPU requests | 16 cores | Approval gate |
| Memory requests | 64 Gi | Approval gate |
| PVCs | 20 | Approval gate |
| LoadBalancer services | 2 | Platform team only |
| GPU requests | 0 | AI blueprint only |
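The Standard-tier defaults above map onto Kubernetes quota keys as follows. This manifest is an added illustration, not the portal's own template. The object name, the `checkout` namespace and the `nvidia.com/gpu` resource name are assumptions.

```yaml
# Added example: Standard-tier defaults from the table, written as a ResourceQuota.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: standard-tier            # hypothetical object name
  namespace: checkout            # hypothetical team namespace
spec:
  hard:
    requests.cpu: "16"           # CPU requests: 16 cores
    requests.memory: 64Gi        # Memory requests: 64 Gi
    persistentvolumeclaims: "20" # PVCs: 20
    services.loadbalancers: "2"  # LoadBalancer services: 2
    # GPU requests: 0. Assumes GPUs are exposed under the NVIDIA
    # device-plugin resource name; substitute the cluster's own.
    requests.nvidia.com/gpu: "0"
```

Once `requests.cpu` and `requests.memory` are under quota, the API server rejects pods in the namespace that omit those requests unless a LimitRange supplies defaults.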
Approval Gates
Actions that exceed standard boundaries require explicit approval:
| Trigger | Approver | SLA |
|---|---|---|
| Quota increase > 2× | Platform team lead | 4 hours |
| Premium service tier | Platform team | 24 hours |
| Cross-namespace NetworkPolicy exception | Security team | 24 hours |
| External ingress (public internet) | Security + platform | 48 hours |
Cost Attribution
All portal-provisioned resources are labeled with:
```yaml
labels:
  opencenter.cloud/team: "checkout"
  opencenter.cloud/cost-center: "engineering-retail"
  opencenter.cloud/environment: "production"
  opencenter.cloud/provisioned-by: "portal"
```
These labels feed into Prometheus-based cost reporting dashboards.
Audit & Compliance
Every portal action is:
- Recorded as a Git commit (who, what, when)
- Logged in the portal event stream (Loki-indexed)
- Attributable to a Keycloak identity
- Queryable for compliance evidence generation