☁️

master.dev

THE CLOUD FORGE · AKS DEV SYSTEM · SILO 4 OF 7
canadacentral · aks-eose-aaas-dev · K8s 1.33.7 · FLEET CLOUD TIER


☁️ MENENDO
⚙️ yUNI
⚖️ yLAW

MENENDO — CLOUD SOVEREIGNTY DOCTRINE the cluster IS the machine

// menendo: cloud as sovereign ground
doctrine cloud-sovereignty {
  axiom: "AKS nodes are bare metal — just rented"
  axiom: "The cluster IS the machine"
  region: canadacentral
  sovereign-tier: CLOUD // highest abstraction, full control
  sub: 427873ee
  tenant: e37b389d
  rg-compute: rg-eose-aks-dev
  rg-dns: rg-eose-dns-dev // 34 DNS zones
}
node-class D2s_v5 {
  count: 2
  sovereign-compute: true // rented but owned in law
  cluster: aks-eose-aaas-dev
}
node-class B4ms {
  cluster: aks-kantai-eose-dev
  role: kantai-chat-sovereignty
}
v1 ✓ GROUND v2 ✓ DOCTRINE v3 ✓ AZURE-LAW v4 ✓ FLEET-SYNC v5 ◉ NOW

CLOUD SOVEREIGNTY PILLARS

REGION
canadacentral
Azure sovereign zone
COMPUTE
D2s_v5
2× system nodes
GPU POOL
T4/H100
hvcp-system tier
CLUSTER
2 AKS
aaas-dev + kantai
SUBSCRIPTION
427873ee
Azure sub ID
TENANT
e37b389d
AAD tenant
MASTER URL
master.dev
master.dev.eose.ca
KANTAI
kantai.dev
kantai.dev.eose.ca

CLUSTER VISUALIZATION

☁️
aks-eose-aaas-dev
⚙️
K8s 1.33.7
🔄
Flux CD
🔥
GPU T4/H100

yUNI — KUBERNETES UNIVERSE 383 pods · 83 namespaces · 2 clusters

TOTAL PODS
383
across both clusters
NAMESPACES
83
logical isolation
CLUSTERS
2
aaas-dev + kantai
K8s VERSION
1.33.7
latest stable
ISTIO
ASM
20.116.164.26
KANTAI LB
nginx
20.200.111.70
FLUX
CD
bug-sync branch
GATEKEEPER
OPA
policy engine
v1 ✓ CLUSTER v2 ✓ MESH v3 ✓ FLUX v4 ✓ GATE v5 ◉ NOW

KEY NAMESPACES

dev-system
core
hvcp-system
GPU
kantai-chat
chat
pemos-system
portal
tenant-pemos-pro
tenant
eose-entry
ingress
flux-system
GitOps
cert-manager
TLS
istio-system
mesh
kube-system
infra
gatekeeper-system
OPA
monitoring
obs

FLUX WORKLOADS — bug-sync BRANCH

# Flux kustomizations managed on bug-sync
kustomization/platform-platform:
  source: bug-sync # THE LAW BRANCH
  manages: platform-gateway
  health: True
kustomization/pemos-portal:
  namespace: pemos-system
  image: eosefleetacrdev.azurecr.io/pemos-portal
kustomization/bob-portal:
  namespace: pemos-system # mirrors pemos-portal
helmrelease/kantai:
  namespace: kantai-chat
  ingress: 20.200.111.70

ISTIO ASM MESH

Istio Ingress GW
20.116.164.26
external LB · ASM
Kantai nginx LB
20.200.111.70
kantai-chat ns
AKS CNI Overlay
10.x.x.x/16
pod CIDR
Azure VNet
rg-eose-aks-dev
canadacentral
master.dev URL
master.dev.eose.ca
200 OK
kantai.dev URL
kantai.dev.eose.ca
Gangway portal

yLAW — FLUX GOVERNANCE bug-sync branch IS the law

// yLAW: Flux governance law for master.dev
law flux-branch-law {
  branch: bug-sync // ALL changes MUST go here
  main-branch: FORBIDDEN // direct push = policy violation
  enforcement: Flux reconciliation
  source-of-truth: git
}
law rbac-law {
  azure-rbac: enabled
  workload-identity: enabled
  service-principals: managed
  k8s-rbac: ClusterRoleBinding + RoleBinding
}
law tls-law {
  provider: cert-manager ACME
  issuer: letsencrypt-prod
  exception: onba-ca-tls // stuck — manual action needed
}
v1 ✓ RBAC v2 ✓ FLUX-LAW v3 ✓ OPA v4 ✓ ACME v5 ◉ NOW

GATEKEEPER — OPA POLICY ENGINE

ENGINE
OPA
Gatekeeper
NAMESPACE
gatekeeper-system
dedicated
CONSTRAINTS
active
fleet policies
AUDIT
enabled
continuous

CERT-MANAGER — TLS LAW

letsencrypt-prod
ACME
*.eose.ca
34 zones
*.pemos.ca
active
*.deseof.ca
active
*.deseof.com
active
onba-ca-tls
⚠️ stuck

AZURE RBAC — IAM LAW

azure-sub: 427873ee
tenant: e37b389d
workload-identity: enabled # pods get Azure creds
service-principals: managed # ACR pull, DNS, KV
acr: eosefleetacrdev.azurecr.io
dns-zones: 34 # rg-eose-dns-dev
managed-identity: per-workload

WORKSPACE · MDSMS · CLOUD SERVICES

MDSMS — MESSAGE DATA SERVICE

MDSMS API
http://172.24.50.255:9349
message ingest
MDSMS Store
http://172.24.50.255:9348
storage backend
Gateway
ws://172.24.50.255:18830
openclaw ws
Portal
:8080 → :3000
pemos-portal
ACR
eosefleetacrdev.azurecr.io
container registry

V5 PEEK — ALL DATA ONE VIEW

383
PODS
2 AKS clusters
83
NAMESPACES
logical isolation
2
AKS CLUSTERS
aaas-dev + kantai
1.33
K8s
version .7
☁️
CLOUD TIER
canadacentral
34
DNS ZONES
rg-eose-dns-dev
3
LANGUAGES
menendo·yUNI·yLAW
Flux
GITOPS
bug-sync branch
ASM
ISTIO
20.116.164.26
T4/H100
GPU
hvcp-system
v5
EDITION
PEEK MODE ◉
4/7
SILOTON
cloud forge