Architecture overview
Lace is split into a cluster-wide control plane and a per-node data plane. The two never talk to each other directly: the controller compiles user-facing resources into internal resources in the Kubernetes API, and each node acts on the ones meant for it.
Controller plugin
Section titled “Controller plugin”Deployed once in the cluster. It runs the central controllers that turn the user-facing API into something nodes can apply:
- allocates everything that must be unique cluster-wide — network IDs, pod addresses (IPAM), underlay locator prefixes, LoadBalancer VIPs,
- compiles the whole policy set into Segments and coordinates their rollout across nodes.
Node plugin
Section titled “Node plugin”Runs on every node as a DaemonSet. It owns that node’s data plane, acting only on already-resolved internal resources:
- builds the node’s interfaces,
- programs the eBPF maps from the resolved state,
- garbage-collects connection tracking,
- exposes the data plane’s metrics and flow traces.
CNI plugin
Section titled “CNI plugin”A thin binary the container runtime invokes when a pod is created or destroyed. It does no wiring itself; it proxies the CNI call over a local socket to the node plugin, which attaches the pod to its network and programs the data plane for it. The binary and its CNI config are placed on the node by the node plugin’s init container.