# External networks
An external network classifies underlay traffic — any host reachable on the underlay, including node-local addresses — into a network by its address. Once an address carries a network identity, the same topology rules apply to it as to a pod network: a peering decides what it may reach and what may reach it, in either direction.
## What it’s for

All north-south traffic — between the cluster and anything outside it — is modeled through external networks. Classifying an underlay address into a network lets you:
- allow pods to reach external endpoints (egress)
- allow external endpoints to reach pods (ingress)
- restrict which source networks may reach a NodePort or LoadBalancer service
Each is expressed with the ordinary NetworkRoutingPolicy between the external network and a pod network.
## Prefixes

An external network has no subnet and no IPAM of its own. It is defined purely by the prefixes it claims:

```yaml
apiVersion: lace-cni.io/v1alpha1
kind: Network
metadata:
  name: corp
spec:
  type: external
  externalPrefixes:
    - 192.0.2.0/24
```

Prefixes can describe private ranges — the node network and other local addresses — or public ranges. Anything not covered by an external network has no network identity and cannot be the source or destination of a peering.
## Longest-prefix matching

An underlay address resolves to a network by longest prefix match across the prefixes of all external networks. A more specific prefix always wins over a broader one, so the two can coexist as separate networks with independent policies:

```yaml
apiVersion: lace-cni.io/v1alpha1
kind: Network
metadata:
  name: internet
spec:
  type: external
  externalPrefixes:
    - 0.0.0.0/0
    - ::/0
```

With internet covering everything and corp (192.0.2.0/24) carved out of it, an address in the corporate range classifies as corp while everything else falls through to internet. A pod can then be peered to corp without being granted the whole internet.
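To check how a given underlay address would classify under a set of external networks, here is an added stand-alone model of the longest-prefix-match rule described above. It is example code written for this page, not part of lace-cni; the `EXTERNAL_NETWORKS` table and the sample addresses are constructed from the two manifests shown, and the tie-breaking behaviour for equally specific prefixes in different networks is an assumption of this model, not documented lace-cni behaviour.

```python
import ipaddress

# Constructed sample: the two external networks defined in the manifests above.
EXTERNAL_NETWORKS = {
    "corp": ["192.0.2.0/24"],
    "internet": ["0.0.0.0/0", "::/0"],
}


def classify(address, networks=EXTERNAL_NETWORKS):
    """Return the name of the external network whose most specific prefix
    covers `address`, or None when no external network claims it (an address
    with no network identity cannot take part in any peering)."""
    addr = ipaddress.ip_address(address)
    best_name, best_len = None, -1
    for name, prefixes in networks.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            # A v4 address never matches a v6 prefix and vice versa.
            if net.version != addr.version or addr not in net:
                continue
            if net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
            elif net.prefixlen == best_len and name != best_name:
                # Assumption of this model: two networks claiming equally
                # specific prefixes for one address is a misconfiguration.
                raise ValueError(f"{address} ambiguous: {best_name} vs {name}")
    return best_name


if __name__ == "__main__":
    for sample in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(f"{sample:>16} -> {classify(sample)}")
```

Removing the `internet` entry from the table shows the other half of the rule: an address outside 192.0.2.0/24 then classifies to nothing at all.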
## Routing

External destinations are not reached over the SRv6 overlay. The node resolves them with a FIB lookup — it consults the host routing table and forwards the packet the way the host itself would. Egress masquerade and egress gateways for traffic leaving the cluster are properties of the NetworkRoutingPolicy, not of the external network.