Network policy

Lace supports upstream Kubernetes NetworkPolicy. The Network primitives — isolation and routing topology — already cover a lot of use cases and should be preferred. NetworkPolicy may complement them for microsegmentation.

Lace implements the Kubernetes NetworkPolicy API as specified — ingress and egress rules, pod and namespace selectors, and port/protocol constraints all behave as upstream defines. There is no lace-specific policy API; you write ordinary NetworkPolicy objects. The upstream semantics therefore apply unchanged: a pod that no policy selects accepts all traffic, a pod becomes isolated in a direction only once some policy selecting it lists that direction in policyTypes, and rules from all policies selecting a pod are additive (an allow in any one of them is enough). The usual pattern is a namespace-wide default-deny policy with an empty podSelector, followed by narrow allow policies.

Each endpoint is assigned a segment id that captures which policy rules apply to it. The data plane resolves the source and destination of a flow to their segments and enforces the rules between them, rather than evaluating selectors per packet. How segments are derived is covered in How policy works.

The peer of a flow — the destination on egress, the source on ingress — is resolved to the endpoint it belongs to, and from there to that endpoint’s segment:

  • L3 — the endpoint is identified by its IP address.
  • L2 — the endpoint is identified by the MAC address the frame is associated with.
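The following is an added, illustrative model of the mechanism described above; it is not Lace's code, and the way it derives a segment id is an assumption made for illustration rather than the scheme documented in How policy works. It writes three ordinary NetworkPolicy specs (upstream field names, as Python dicts instead of YAML) for constructed sample endpoints, assigns each endpoint a segment from the policy facts that apply to it, precomputes the allowed ports between every pair of segments once, and then decides individual flows by resolving the peer by IP (L3) or MAC (L2) and looking up the segment pair, without touching a selector per packet. The endpoint names, addresses and namespace labels are all made up.

```python
"""Illustrative model of segment-based NetworkPolicy enforcement (added
example, not Lace's code). Policies use upstream NetworkPolicy field names;
the way a segment id is derived here is an assumption for illustration,
not the scheme described in "How policy works"."""

# Constructed sample data: three endpoints in two namespaces, with the IP and
# MAC that the data plane would use to resolve a peer at L3 and L2 respectively.
ENDPOINTS = {
    "api-0":     {"ns": "shop", "labels": {"app": "api"},     "ip": "10.0.1.10", "mac": "02:00:00:00:01:10"},
    "web-0":     {"ns": "shop", "labels": {"app": "web"},     "ip": "10.0.1.20", "mac": "02:00:00:00:01:20"},
    "scanner-0": {"ns": "ops",  "labels": {"app": "scanner"}, "ip": "10.0.2.30", "mac": "02:00:00:00:02:30"},
}
NAMESPACE_LABELS = {"shop": {"team": "shop"}, "ops": {"team": "ops"}}

# Ordinary NetworkPolicy specs: default-deny ingress in "shop", then two allows.
POLICIES = [
    {"namespace": "shop", "name": "default-deny-ingress",
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"namespace": "shop", "name": "web-to-api",
     "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    {"namespace": "shop", "name": "ops-to-api-metrics",
     "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "ops"}}}],
                           "ports": [{"protocol": "TCP", "port": 9090}]}]}},
]
ANY_PORT = ("*", "*")  # marker: a rule with no "ports" allows every port/protocol

def matches(selector, labels):
    """matchLabels semantics: every listed label must be present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, ep, policy_ns):
    """One entry of a 'from' list. A podSelector alone is scoped to the policy's own
    namespace; a namespaceSelector alone covers every pod in the matching namespaces."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are outside this model
    ns_ok = ep["ns"] == policy_ns if ns_sel is None else matches(ns_sel, NAMESPACE_LABELS[ep["ns"]])
    return ns_ok and (pod_sel is None or matches(pod_sel, ep["labels"]))

def segment_of(ep):
    """Segment id (assumed scheme): the set of policy facts relevant to this endpoint, i.e.
    which policies select it and which 'from' clauses it satisfies. Endpoints with identical
    facts share a segment, so the pairwise table stays small regardless of pod count."""
    facts = set()
    for pol in POLICIES:
        if ep["ns"] == pol["namespace"] and matches(pol["spec"]["podSelector"], ep["labels"]):
            facts.add(("selected", pol["name"]))
        for i, rule in enumerate(pol["spec"].get("ingress", [])):
            for j, peer in enumerate(rule.get("from", [])):
                if peer_matches(peer, ep, pol["namespace"]):
                    facts.add(("peer", pol["name"], i, j))
    return frozenset(facts)

def allowed_between(src_seg, dst_seg):
    """Ingress verdict for a segment pair: None if the destination is not isolated
    (no policy selects it for ingress), otherwise the set of allowed (protocol, port)."""
    isolating = [p for p in POLICIES if ("selected", p["name"]) in dst_seg
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not isolating:
        return None
    allowed = set()
    for pol in isolating:
        for i, rule in enumerate(pol["spec"].get("ingress", [])):
            froms = rule.get("from", [])
            if froms and not any(("peer", pol["name"], i, j) in src_seg for j in range(len(froms))):
                continue  # none of this rule's peers cover the source segment
            ports = rule.get("ports")
            allowed |= {(p.get("protocol", "TCP"), p["port"]) for p in ports} if ports else {ANY_PORT}
    return allowed

UNKNOWN = frozenset()  # a peer that is not a known endpoint satisfies no selector
SEGMENT = {name: segment_of(ep) for name, ep in ENDPOINTS.items()}
SEGMENTS = set(SEGMENT.values()) | {UNKNOWN}
TABLE = {(s, d): allowed_between(s, d) for s in SEGMENTS for d in SEGMENTS}  # computed once

def resolve_peer(addr, layer):
    """Map the peer address of a flow to an endpoint: by IP at L3, by MAC at L2."""
    field = {"l3": "ip", "l2": "mac"}[layer]
    return next((n for n, ep in ENDPOINTS.items() if ep[field].lower() == addr.lower()), None)

def ingress_allowed(dst_name, peer_addr, proto, port, layer="l3"):
    """Per-flow decision: resolve both ends to segments, then consult the table."""
    src = resolve_peer(peer_addr, layer)
    allowed = TABLE[(UNKNOWN if src is None else SEGMENT[src], SEGMENT[dst_name])]
    return allowed is None or ANY_PORT in allowed or (proto, port) in allowed

if __name__ == "__main__":
    for dst, peer, proto, port, layer in [
        ("api-0", "10.0.1.20", "TCP", 8080, "l3"),          # web -> api:8080, allowed
        ("api-0", "10.0.1.20", "TCP", 9090, "l3"),          # web -> api:9090, denied
        ("api-0", "10.0.2.30", "TCP", 9090, "l3"),          # ops namespace -> api:9090, allowed
        ("api-0", "02:00:00:00:01:20", "TCP", 8080, "l2"),  # same web pod, resolved by MAC
        ("api-0", "10.0.9.9", "TCP", 8080, "l3"),           # unknown peer, denied
        ("scanner-0", "10.0.1.10", "TCP", 22, "l3"),        # nothing selects scanner: allowed
    ]:
        verdict = "ALLOW" if ingress_allowed(dst, peer, proto, port, layer) else "DENY"
        print(f"{peer} -> {dst} {proto}/{port} ({layer}): {verdict}")
```

Two properties of the upstream model show up directly in the table: the scanner pod in the ops namespace, which no policy selects, accepts everything (its segment carries no "selected" fact), while a peer that resolves to no known endpoint lands in the empty segment and is denied by any isolated destination, because it can satisfy no pod or namespace selector. Swapping the L3 address for the L2 one changes only the resolution step; the segment pair, and therefore the verdict, is the same.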