
Networks

A Network groups endpoints into an isolated network. Endpoints are usually pods but may also be hosts outside the cluster. Networks are isolated by default: an endpoint reaches only its own network unless a routing policy opens a path. See Topology for how networks are connected.

spec.type selects one of three kinds:

  • l3 — typical CNI single-pod network.
  • l2 — suitable for KubeVirt VM workloads.
  • external — external underlay addresses.

Every pod in an L2 or L3 network has an associated NetworkEndpoint recording its address and location.

An l3 network is a routed network with an IPv4 and/or IPv6 subnet.

apiVersion: lace-cni.io/v1alpha1
kind: Network
metadata:
  name: backend
spec:
  type: l3
  ipv4Subnet:
    prefix: 10.40.0.0/16
    hostLocalPrefixLength: 24

IPAM is host-local:

  • The subnet’s prefix is cut into blocks sized by hostLocalPrefixLength.
  • The controller allocates a block to each node.
  • Each node allocates pod addresses from its own block.
  • A node’s block is recorded in its Allocation, a node-scoped resource holding the prefix(es) given to that node for the network.

Forwarding is routed between the nodes’ blocks:

  • A destination address resolves to the node that owns the covering block.
  • Same-node traffic is delivered over L2.
  • Cross-node traffic is the IP packet encapsulated in SRv6 to the destination node.
  • The gateway is the first address in the node’s block.
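The host-local IPAM and the routed forwarding above, worked through in Go as an added example (this is not lace-cni's own code). It carves the subnet into blocks of hostLocalPrefixLength bits, hands one block per node to a stand-in Allocation record, takes the gateway as the first address of the node's block, and resolves a destination to the node owning the covering block, delivering locally on the same node and otherwise naming the SRv6 destination node. The type and function names, the one-block-per-node assumption and the node names are constructed for the example; the prefix and block size are the ones from the manifest above.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Allocation stands in for the node-scoped Allocation resource: the block a
// node holds for one network. One block per node is assumed here.
type Allocation struct {
	Node  string
	Block netip.Prefix
}

// lastAddr returns the highest address covered by p (all host bits set).
func lastAddr(p netip.Prefix) netip.Addr {
	b := p.Masked().Addr().AsSlice()
	for i := p.Bits(); i < len(b)*8; i++ {
		b[i/8] |= 1 << (7 - uint(i%8))
	}
	a, _ := netip.AddrFromSlice(b)
	return a
}

// carveBlocks cuts the subnet prefix into consecutive blocks of
// hostLocalPrefixLength bits, in address order (IPv4 or IPv6).
func carveBlocks(subnet netip.Prefix, hostLocalPrefixLength int) ([]netip.Prefix, error) {
	subnet = subnet.Masked()
	if hostLocalPrefixLength < subnet.Bits() || hostLocalPrefixLength > subnet.Addr().BitLen() {
		return nil, fmt.Errorf("hostLocalPrefixLength /%d is not inside %s", hostLocalPrefixLength, subnet)
	}
	var blocks []netip.Prefix
	for addr := subnet.Addr(); addr.IsValid() && subnet.Contains(addr); {
		block := netip.PrefixFrom(addr, hostLocalPrefixLength)
		blocks = append(blocks, block)
		addr = lastAddr(block).Next() // zero (invalid) Addr once the address space wraps
	}
	return blocks, nil
}

// allocate is the controller's step: each node receives the next free block.
func allocate(blocks []netip.Prefix, nodes []string) ([]Allocation, error) {
	if len(nodes) > len(blocks) {
		return nil, errors.New("more nodes than host-local blocks")
	}
	allocs := make([]Allocation, len(nodes))
	for i, n := range nodes {
		allocs[i] = Allocation{Node: n, Block: blocks[i]}
	}
	return allocs, nil
}

// gateway is the first address in the node's block, as the page states.
func gateway(block netip.Prefix) netip.Addr { return block.Masked().Addr() }

// ownerOf resolves a destination to the node whose block covers it.
func ownerOf(allocs []Allocation, dst netip.Addr) (string, bool) {
	for _, a := range allocs {
		if a.Block.Contains(dst) {
			return a.Node, true
		}
	}
	return "", false
}

// nextHop decides how srcNode forwards to dst: delivered over L2 when the
// covering block is its own, otherwise the IP packet is carried in SRv6 to
// the owning node. An address outside every allocated block is an error.
func nextHop(allocs []Allocation, srcNode string, dst netip.Addr) (string, error) {
	owner, ok := ownerOf(allocs, dst)
	if !ok {
		return "", fmt.Errorf("%s is not covered by any node's block", dst)
	}
	if owner == srcNode {
		return "l2:local", nil
	}
	return "srv6:" + owner, nil
}

func main() {
	blocks, err := carveBlocks(netip.MustParsePrefix("10.40.0.0/16"), 24)
	if err != nil {
		panic(err)
	}
	// node names are constructed sample data
	allocs, err := allocate(blocks, []string{"node-a", "node-b", "node-c"})
	if err != nil {
		panic(err)
	}
	for _, a := range allocs {
		fmt.Printf("%s: block %s gateway %s\n", a.Node, a.Block, gateway(a.Block))
	}
	hop, _ := nextHop(allocs, "node-a", netip.MustParseAddr("10.40.2.5"))
	fmt.Println("node-a -> 10.40.2.5 via", hop)
}
```

Two behaviours worth noticing when reading the output: a destination inside the subnet but outside every allocated block is rejected rather than routed anywhere, and an invalid hostLocalPrefixLength (shorter than the subnet or longer than the address family allows) is refused at carve time rather than producing zero or overlapping blocks.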

An l2 network is a flat network with a subnet whose endpoints share a single L2 domain.

apiVersion: lace-cni.io/v1alpha1
kind: Network
metadata:
  name: storage
spec:
  type: l2
  ipv4Subnet:
    prefix: 10.50.0.0/24

IPAM is global:

  • There are no per-node blocks.
  • The controller allocates each pod address directly from the subnet.

Forwarding is by MAC:

  • An address is resolved to a MAC (Neighbor), then forwarded to the MAC’s location (FDBEntry).
  • Cross-node traffic is the Ethernet frame encapsulated in SRv6.
  • Addresses on the same subnet and their MACs may also be learned; learned entries are tracked through the same Neighbor and FDBEntry resources and may be mobile, moving between locations.
  • The gateway is the first address in the network’s prefix(es).

An external network is defined by prefixes, with no subnet and no IPAM of its own. It represents addresses outside the cluster.

apiVersion: lace-cni.io/v1alpha1
kind: Network
metadata:
  name: corp
spec:
  type: external
  externalPrefixes:
    - 192.0.2.0/24

An underlay address is matched to a network by longest prefix match across all external networks’ prefixes. See External networks.
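The longest-prefix match across all external networks, as an added example in Go (not lace-cni's own code). A stand-in ExternalNetwork type carries a network's name and its externalPrefixes; matchExternal returns the network whose covering prefix is longest, and duplicatePrefixes flags the same prefix declared by two networks, where the match would otherwise be ambiguous. The network names other than corp, the partner and IPv6 prefixes, and the first-listed-wins tie rule are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ExternalNetwork stands in for a Network of type external: its name and
// the prefixes listed under externalPrefixes.
type ExternalNetwork struct {
	Name     string
	Prefixes []netip.Prefix
}

// matchExternal resolves an underlay address to the external network whose
// prefix covers it with the longest length across all external networks.
// ok is false when no prefix covers addr. Among equal-length covering
// prefixes the network listed first wins (an assumption; duplicatePrefixes
// exists to catch that configuration before it matters).
func matchExternal(nets []ExternalNetwork, addr netip.Addr) (name string, matched netip.Prefix, ok bool) {
	bestBits := -1
	for _, n := range nets {
		for _, p := range n.Prefixes {
			// Contains is address-family aware: an IPv6 prefix never covers an IPv4 address.
			if p.Contains(addr) && p.Bits() > bestBits {
				name, matched, bestBits, ok = n.Name, p, p.Bits(), true
			}
		}
	}
	return
}

// duplicatePrefixes lists prefixes declared by more than one external
// network; addresses under them would match ambiguously.
func duplicatePrefixes(nets []ExternalNetwork) []netip.Prefix {
	seen := map[netip.Prefix]string{}
	var dups []netip.Prefix
	for _, n := range nets {
		for _, p := range n.Prefixes {
			p = p.Masked()
			if owner, found := seen[p]; found && owner != n.Name {
				dups = append(dups, p)
				continue
			}
			seen[p] = n.Name
		}
	}
	return dups
}

// sampleExternalNetworks is constructed sample data: corp is the network
// from the manifest above, the others are made up for the example.
func sampleExternalNetworks() []ExternalNetwork {
	return []ExternalNetwork{
		{Name: "corp", Prefixes: []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}},
		{Name: "partner", Prefixes: []netip.Prefix{
			netip.MustParsePrefix("192.0.2.128/25"), // more specific than corp's /24
			netip.MustParsePrefix("198.51.100.0/24"),
		}},
		{Name: "corp-v6", Prefixes: []netip.Prefix{netip.MustParsePrefix("2001:db8::/32")}},
	}
}

func main() {
	nets := sampleExternalNetworks()
	for _, s := range []string{"192.0.2.10", "192.0.2.200", "203.0.113.1", "2001:db8::1"} {
		name, p, ok := matchExternal(nets, netip.MustParseAddr(s))
		if !ok {
			fmt.Printf("%s: no external network\n", s)
			continue
		}
		fmt.Printf("%s: %s via %s\n", s, name, p)
	}
	fmt.Println("duplicate prefixes:", duplicatePrefixes(nets))
}
```

The second half of the 192.0.2.0/24 range resolves to partner rather than corp because its /25 is the longer match; an address covered by no declared prefix resolves to no external network at all rather than to some default.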

See Data plane for encapsulation.

spec.anonymous suppresses the implicit route that lets endpoints reach their own network. When set, reaching the network (even from its own endpoints) requires an explicit NetworkRoutingPolicy, so the node cannot be used as a transit next hop.

A NetworkBindingPolicy decides which network a resource binds to.

  • A resource binds to the network of the matching policy.
  • priority orders policies: the lowest value takes precedence, ties broken lexicographically by name.
  • matchKind scopes a policy to pods or services.

Pods and services are matched differently:

  • Pods are matched once, when they are created.
  • Services are matched continuously. A service’s network is the context for routing to its endpoints, so it should match the pods it targets.
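Policy selection as described in this section, as an added example in Go (not lace-cni's own code): among the policies whose matchKind and selector match a resource, the lowest priority value wins and ties fall to the lexicographically smallest name. serviceMismatch applies the caveat above, reporting pods that would bind to a different network than the service targeting them. The label-selector shape (every listed label must match), the policy names, labels and network names are constructed for the example; the page does not give the selector syntax.

```go
package main

import (
	"fmt"
	"sort"
)

// Kind is the value of matchKind: a policy applies to pods or to services.
type Kind string

const (
	KindPod     Kind = "pod"
	KindService Kind = "service"
)

// NetworkBindingPolicy stands in for the resource: the fields the page names
// (priority, matchKind, the bound network) plus a label selector whose shape
// is an assumption of this example.
type NetworkBindingPolicy struct {
	Name        string
	Priority    int
	MatchKind   Kind
	MatchLabels map[string]string
	Network     string
}

// matches reports whether the policy applies to a resource of this kind and labels.
func (p NetworkBindingPolicy) matches(kind Kind, labels map[string]string) bool {
	if p.MatchKind != kind {
		return false
	}
	for k, v := range p.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// bind selects the network for a resource: among the matching policies the
// lowest priority value takes precedence, ties broken lexicographically by name.
func bind(policies []NetworkBindingPolicy, kind Kind, labels map[string]string) (network, policy string, ok bool) {
	ordered := append([]NetworkBindingPolicy(nil), policies...)
	sort.SliceStable(ordered, func(i, j int) bool {
		if ordered[i].Priority != ordered[j].Priority {
			return ordered[i].Priority < ordered[j].Priority
		}
		return ordered[i].Name < ordered[j].Name
	})
	for _, p := range ordered {
		if p.matches(kind, labels) {
			return p.Network, p.Name, true
		}
	}
	return "", "", false
}

// serviceMismatch returns the networks of the given pods that differ from the
// network the service binds to; a non-empty result is the mismatch the page
// warns against. "(unbound)" marks a pod no policy matches (a label of this example).
func serviceMismatch(policies []NetworkBindingPolicy, svcLabels map[string]string, pods []map[string]string) []string {
	svcNet, _, _ := bind(policies, KindService, svcLabels)
	var bad []string
	for _, podLabels := range pods {
		podNet, _, ok := bind(policies, KindPod, podLabels)
		if !ok {
			podNet = "(unbound)"
		}
		if podNet != svcNet {
			bad = append(bad, podNet)
		}
	}
	return bad
}

// samplePolicies is constructed sample data; names, labels and networks are made up.
func samplePolicies() []NetworkBindingPolicy {
	return []NetworkBindingPolicy{
		{Name: "zz-default-pod", Priority: 100, MatchKind: KindPod, Network: "default"},
		{Name: "zz-default-svc", Priority: 100, MatchKind: KindService, Network: "default"},
		{Name: "ab-backend-special", Priority: 10, MatchKind: KindPod,
			MatchLabels: map[string]string{"tier": "backend", "app": "ledger"}, Network: "special"},
		{Name: "aa-backend", Priority: 10, MatchKind: KindPod,
			MatchLabels: map[string]string{"tier": "backend"}, Network: "backend"},
		{Name: "bb-backend-svc", Priority: 10, MatchKind: KindService,
			MatchLabels: map[string]string{"tier": "backend"}, Network: "backend"},
	}
}

func main() {
	nw, pol, _ := bind(samplePolicies(), KindPod, map[string]string{"tier": "backend", "app": "ledger"})
	fmt.Printf("pod binds to %s via %s\n", nw, pol)
	fmt.Println("pod networks differing from the service's:", serviceMismatch(samplePolicies(),
		map[string]string{"tier": "backend"},
		[]map[string]string{{"tier": "backend"}, {"tier": "frontend"}}))
}
```

The pod labelled tier=backend, app=ledger binds to backend through aa-backend even though ab-backend-special matches it more specifically: both carry priority 10, so the name decides. A more specific policy only wins when it is given a lower priority value; selector specificity plays no part in the ordering the page describes.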