Architecture
Isolation

Environment Isolation

Uffizzi enforces isolation of ephemeral environments at three levels: network, namespace, and process. This ensures that each environment is isolated from other environments running on the same cluster. This is important for security and reliability, such as fair sharing of resources.

Network-level Isolation

Each environment created by Uffizzi enforces Kubernetes Network Policies (opens in a new tab) that restrict network traffic that disallows traffic between Uffizzi enviroments. This means that pods in one environment cannot communicate with, nor are discoverable by, pods in another environment.

Namespace-level Isolation

Each Uffizzi ephemeral environments exists in its own Namespace (opens in a new tab). This includes virtual clusters and dev clusters, which are full installations of the Kubernetes API inside a namespace.

When you delete an environment on Uffizzi, the entire namespaces gets deleted. The result is that everyting, including any persistent volumes, are deleted as well.

Process-level Isolation

Uffizzi Cloud customers also benefit from process-level isolation via gVisor (opens in a new tab). Originally developed by Google, gVisor is acts as a container runtime to provide a secure isolation boundary between the host operating system and the application running inside the container. This isolation boundary prevents the application from escaping the container and interfering with other applications running on the host.