Concepts glossary
Short, linkable definitions of the platform-engineering terms used across this site. Every entry has its own anchor, so you can deep-link straight to a definition.
- #Azure CNI Overlay + Cilium
- The cluster networking and eBPF dataplane. Provides pod networking, network policy enforcement and observability for AKS.
- #Azure Landing Zone (ALZ)
- The enterprise foundation that owns the management-group hierarchy and tenant-wide policy. This platform onboards subscriptions beneath an existing ALZ.
- #Azure Service Operator (ASO)
- A Kubernetes operator that lets workload teams declare their Azure dependencies as Kubernetes resources, reconciled into real Azure resources.
- #Backstage
- An open developer portal. Here it provides the catalog, TechDocs and golden-path scaffolder. It initiates workflows but is never a source of truth.
- #Break-glass
- Tightly controlled, heavily audited emergency access used only when normal privileged-access paths are unavailable. Monitored and alerted on every use.
- #Cognitive load
- The total amount of mental effort a team must hold in their heads to do their work. Platform engineering deliberately reduces extraneous load by absorbing undifferentiated cloud toil.
- #cosign keyless signing
- Signs container images and Helm charts using short-lived certificates tied to an OIDC identity, with no long-lived signing key to manage or leak.
- #Default-deny egress
- Outbound traffic is blocked unless explicitly allowed through the hub firewall's FQDN allowlist. Additions go through a time-bound exception workflow.
- #Enabling team
- A Team Topologies concept: a team that helps others get better at something rather than doing it for them. The platform team runs the IDP as a product.
- #FinOps
- The practice of bringing financial accountability to variable cloud spend, making cost a shared, engineering-visible signal rather than an afterthought.
- #Flux
- A CNCF GitOps controller. Here it owns in-cluster Kubernetes state, reconciling the cluster from a separate cluster-state repository.
- #GitOps
- An operating model where desired system state lives in Git and a controller continuously reconciles the running system to match. Changes are reviewed pull requests.
- #Internal Developer Platform (IDP)
- A product, built by a platform team, that gives application teams a self-service, paved road to production. It abstracts the cloud's complexity behind golden paths.
- #Kyverno
- A Kubernetes-native policy engine. It is the single in-cluster admission and mutation engine here; the Azure Policy Gatekeeper add-on is intentionally not used.
- #OIDC federation
- Lets GitHub Actions authenticate to Azure using short-lived, workflow-scoped tokens instead of stored cloud secrets. Identity over secrets.
- #OPA / conftest
- Open Policy Agent and its testing tool conftest, used to validate Terraform plans against Rego policy before any infrastructure changes are applied.
- #Paved road / golden path
- The supported, well-lit default way to build and run a service. It packages the platform's hard decisions so teams don't reinvent CI, security or delivery.
- #PIM (Privileged Identity Management)
- Entra capability for just-in-time, time-bound, approved elevation to privileged roles, so standing administrative access stays close to zero.
- #Pod Security Admission (PSA)
- A built-in Kubernetes admission controller that enforces the Pod Security Standards, restricting what workloads are allowed to do at the pod level.
- #Policy as code
- Governance expressed as version-controlled, testable rules rather than wiki pages. Applied at the cloud control plane, at plan time, and at cluster admission.
- #Private Link
- Keeps traffic to Azure PaaS services (Key Vault, ACR, Postgres) on the private network via private endpoints, instead of traversing public endpoints.
- #SBOM
- A Software Bill of Materials: a machine-readable inventory of everything in an artifact. Generated for every build (SPDX and CycloneDX) to make dependencies auditable.
- #Showback
- Reporting each team's and product's cloud cost back to them for visibility, without necessarily charging it (chargeback). Driven by mandatory cost tags.
- #SLO
- A Service Level Objective: a target for a reliability signal (such as availability or latency) that a team commits to and measures against an error budget.
- #Vending
- Turning a reviewed, code-based request into provisioned tenancy: a subscription, team or namespace with identity, RBAC, quota and tags created automatically.
- #Workload Identity
- Lets a Kubernetes workload federate to an Entra identity and obtain Azure tokens without any stored secret, replacing long-lived credentials.