The first and most obvious challenge of BYOC is supporting every cloud platform you want to deploy to. Leveraging our runner architecture, Nuon provides first-class support for the major cloud platforms while keeping the day-2 operations experience consistent across all of them.
Stacks
To install the Nuon runner into your customer's cloud account, Nuon generates a Stack template in both Terraform and the platform's native IaC language. Every version of the Stack creates the same resources, so you can pick whichever suits you and your customers best. The Stack is meant to be provisioned by your customer, in their own cloud account; once provisioned, it phones home to the Nuon control plane. No cross-account access is needed to provision it, so your customer stays in full control of the runner identity and of the resources it manages. Nuon generates links and CLI commands you can share with your customer to install the Stack, and you can also download the template so your customer can inspect it, including the identity and permissions it creates, before installing. Where the platform offers a simple one-click installation method, such as AWS CloudFormation quick-create links, Nuon supports that as well.
Google Cloud's IaC solution, Infrastructure Manager, uses Terraform natively, so no separate native template is generated for Google installs.
| | AWS | Azure | Google Cloud |
|---|---|---|---|
| Terraform | Yes | Yes | Yes |
| Native IaC | CloudFormation | Bicep | N/A (Infrastructure Manager uses Terraform) |
| GUI Installation | Yes | | |
| CLI Installation | Yes | Yes | Yes |
| Download Template | Yes | Yes | Yes |
Access Control
Each cloud platform has its own conventions, best practices, and tools for managing access control. At the same time, BYOC requires an approach that can be applied consistently across all of them. How does Nuon balance these competing concerns?
Nuon Runner Identity-Based Authentication
The Nuon runner is designed to be platform-independent and stateless. When deployed, the Stack gives it an identity, and that identity is granted limited access to the cloud environment based on your application config. The runner stores no platform credentials: for every job it runs, it authenticates afresh using whatever identity has been assigned to it. Because your customer installs the Stack, they have full control over that identity and can revoke its access at any time using their cloud's native access control. Once they do, the runner loses access to the cloud environment. Since the runner authenticates per job, the revocation holds from the next job onward; a job already in flight keeps access only until the platform's access-control change propagates and any short-lived credential the job already holds expires.
Platform-Native Permissions
The access the runner identity has is controlled by each platform's native access control features. See the page for each platform for implementation and configuration details.
| | AWS | Azure | Google Cloud |
|---|---|---|---|
| Custom Roles and Permissions | Yes | Yes | Yes |
| Kyverno Policies on Runner Jobs | | | |
| Kyverno Policies in Kubernetes Cluster | | | |
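The following Terraform fragment is an added illustration of how the three pieces above fit together on AWS: a customer-owned identity for the runner (no stored credentials, revocable through native IAM), a narrowly scoped permission set in place of "access based on your application config", and a Kyverno policy on runner job pods. It is not Nuon's generated Stack or a Nuon-published policy. It assumes the runner runs as Kubernetes pods in a namespace named runner under a service account named runner on an EKS cluster, and authenticates with IAM Roles for Service Accounts (IRSA); the variable names, the role and policy names, the bucket, the nuon-app tag key and the Terraform kubernetes provider setup are all assumptions.

```hcl
# Illustrative Terraform, not Nuon's generated Stack. Assumptions: the runner
# runs as Kubernetes pods in namespace "runner" under service account "runner"
# on an EKS cluster and authenticates to AWS via IRSA. The OIDC provider,
# bucket and tag value below are placeholders the customer would supply.

variable "oidc_provider_arn" { type = string } # arn:aws:iam::<acct>:oidc-provider/<host>
variable "oidc_provider_url" { type = string } # the <host>/id/<id> part, no "https://"
variable "runner_bucket"     { type = string } # bucket holding runner job inputs/outputs
variable "app_tag"           { type = string } # tag value marking resources the runner may manage

# 1. Identity. The runner receives a role, never long-lived keys. Only pods
#    running as runner:runner can assume it, and sessions are capped at one
#    hour, which bounds how long an in-flight job outlives a revocation.
resource "aws_iam_role" "runner" {
  name                 = "nuon-runner-example"
  max_session_duration = 3600
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = var.oidc_provider_arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${var.oidc_provider_url}:aud" = "sts.amazonaws.com"
          "${var.oidc_provider_url}:sub" = "system:serviceaccount:runner:runner"
        }
      }
    }]
  })
}

# 2. Permissions. A narrow inline policy stands in for the per-application
#    access the Stack would grant: the runner's own bucket, read-only
#    discovery, and mutating actions only on instances tagged for this app.
#    (Describe* calls do not support resource tags, hence the separate statement.)
resource "aws_iam_role_policy" "runner" {
  name = "nuon-runner-example"
  role = aws_iam_role.runner.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "RunnerBucket"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = ["arn:aws:s3:::${var.runner_bucket}", "arn:aws:s3:::${var.runner_bucket}/*"]
      },
      {
        Sid      = "ReadOnlyDiscovery"
        Effect   = "Allow"
        Action   = ["ec2:DescribeInstances"]
        Resource = "*"
      },
      {
        Sid       = "ManageTaggedAppInstances"
        Effect    = "Allow"
        Action    = ["ec2:StartInstances", "ec2:StopInstances"]
        Resource  = "arn:aws:ec2:*:*:instance/*"
        Condition = { StringEquals = { "aws:ResourceTag/nuon-app" = var.app_tag } }
      }
    ]
  })
}

# 3. Kyverno policy on runner job pods (assumes Kyverno is installed and the
#    Terraform "kubernetes" provider points at the cluster). Pods in the runner
#    namespace must run under the runner service account and must not reach
#    the node, so the role above stays the only identity a job can use.
resource "kubernetes_manifest" "restrict_runner_jobs" {
  manifest = {
    apiVersion = "kyverno.io/v1"
    kind       = "ClusterPolicy"
    metadata   = { name = "restrict-runner-jobs" }
    spec = {
      validationFailureAction = "Enforce"
      background              = true
      rules = [{
        name  = "runner-pods-use-runner-identity"
        match = { any = [{ resources = { kinds = ["Pod"], namespaces = ["runner"] } }] }
        validate = {
          message = "Runner job pods must use the runner service account and may not use host namespaces, hostPath volumes or privileged containers."
          pattern = {
            spec = {
              serviceAccountName = "runner"
              "=(hostNetwork)"   = false   # if set, must be false
              "=(hostPID)"       = false
              "=(volumes)"       = [{ "X(hostPath)" = "null" }]  # hostPath must be absent
              containers = [{
                securityContext = {
                  allowPrivilegeEscalation = false
                  "=(privileged)"          = false
                }
              }]
            }
          }
        }
      }]
    }
  }
}
```

Because the customer applies this template in their own account, revocation is entirely on their side: removing the Federated principal from the trust policy, or detaching the role policy, with their usual IAM tooling stops the next job from authenticating. A job that already holds a session keeps it until expiry, which is why the example caps max_session_duration; the same holds for Azure managed identities and Google service accounts, whose token lifetimes bound the window in the same way.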