Overlay-network configuration types shared across ZLayer crates.
OverlayMode is a per-service data-plane attachment knob. It bundles two
independent decisions — the container-attachment topology (per-service Linux
bridge vs. one shared node-wide bridge + userspace free-port L4 proxy) and
the WireGuard transport (the single cluster-wide interface vs. a per-service
interface with isolated crypto) — into a single setting.
Truth table:

| mode | shared node bridge + free-port proxy? | per-service WireGuard transport? | resulting behavior |
|---|---|---|---|
| Auto | no | no | today’s default: veth-per-container on a per-service Linux bridge, carried on the single cluster-wide WireGuard interface |
| Dedicated | no | yes | veth-per-container on a per-service bridge, with its OWN per-service WireGuard transport (isolated crypto) = max isolation |
| Shared | yes | no | NO per-service bridge / NO per-service WG: one shared node-wide bridge for all services + a userspace free-port L4 proxy (host:FREEPORT -> container_ip:port), carried on the cluster-wide WireGuard interface = max sharing |
| Isolated | no | no | per-service bridge on the cluster-wide WireGuard interface (Auto topology), but L3-fenced to its own isolation network (members reach only their own network + node IP + egress) |
The real decision surface is the three predicate methods
OverlayMode::uses_shared_bridge, OverlayMode::uses_per_service_wg,
and OverlayMode::uses_isolation_scope; consult those rather than matching
on variants ad hoc.
Structs

- NetworkIsolation - Resolved network-isolation policy for a workload, derived from its OverlayMode + NetworkMode + optional explicit isolation-network label. Each runtime translates this into its own enforcement (Seatbelt .sb ACL, Linux iptables ISO chain, HCN network, …).
- OverlayConfig - Per-service overlay configuration, populated from the service spec.

Enums

- EgressPolicy - Egress policy for a workload’s outbound connectivity.
- OverlayMode - Per-service overlay data-plane attachment knob.

Constants

- ISOLATION_NETWORK_LABEL - Reserved container label naming the isolation network a container must join. Read by every runtime’s overlay attach path (via crate::overlay::OverlayMode + the agent’s resolve_isolation_network) and by the Windows HCS create path. An explicit value always wins over mode-derived isolation scoping. Canonical definition; per-crate copies in the api/agent crates carry the same string.

Functions

- resolve_network_isolation - Resolve the effective NetworkIsolation for a workload.
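The following is an added example, not ZLayer’s own code: it models `OverlayMode` on the truth table above, encodes the three predicate methods the docs name as the real decision surface, and then derives the attachment topology, the WireGuard transport and the isolation scope from those predicates alone (never by matching on variants). It also applies the precedence rule stated for `ISOLATION_NETWORK_LABEL`, that an explicit label always wins over mode-derived scoping. The `Attachment`, `Transport` and `DataPlane` types, the `resolve_data_plane` function and the `iso-<service>` naming for a derived isolation network are assumptions made for the example; `NetworkMode` is left out because its variants are not described here.

```rust
// Added example (not ZLayer's own code): a minimal OverlayMode modelled on the
// truth table in this module's docs, with the three predicate methods the docs
// name as the real decision surface. Data-plane selection and isolation-scope
// resolution are then written against the predicates only. Every name below
// other than OverlayMode and its three predicates is an assumption.

/// Per-service overlay data-plane attachment knob (variants from the docs).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OverlayMode {
    Auto,
    Dedicated,
    Shared,
    Isolated,
}

impl OverlayMode {
    /// One shared node-wide bridge plus the userspace free-port L4 proxy,
    /// instead of a per-service Linux bridge. Only `Shared` opts in.
    pub fn uses_shared_bridge(self) -> bool {
        matches!(self, OverlayMode::Shared)
    }

    /// Per-service WireGuard interface with its own keys, instead of the
    /// single cluster-wide interface. Only `Dedicated` opts in.
    pub fn uses_per_service_wg(self) -> bool {
        matches!(self, OverlayMode::Dedicated)
    }

    /// L3 fencing to the service's own isolation network. Only `Isolated`
    /// opts in; its topology and transport are otherwise identical to `Auto`.
    pub fn uses_isolation_scope(self) -> bool {
        matches!(self, OverlayMode::Isolated)
    }
}

/// Container-attachment topology derived from the predicates (assumed type).
#[derive(Debug, PartialEq, Eq)]
pub enum Attachment {
    /// veth per container on a per-service Linux bridge.
    PerServiceBridge,
    /// Shared node-wide bridge; host:FREEPORT -> container_ip:port via proxy.
    SharedBridgeWithFreePortProxy,
}

/// WireGuard transport carrying the service's traffic (assumed type).
#[derive(Debug, PartialEq, Eq)]
pub enum Transport {
    ClusterWide,
    PerService,
}

/// Resolved data plane for one service (assumed type).
#[derive(Debug, PartialEq, Eq)]
pub struct DataPlane {
    pub attachment: Attachment,
    pub transport: Transport,
    /// `Some(network)` when the workload is fenced to an isolation network.
    pub isolation_network: Option<String>,
}

/// Select the data plane from the predicates rather than from the variants,
/// so a future variant that combines the decisions differently needs no
/// change here. `explicit_isolation_network` is the value of the reserved
/// label (ISOLATION_NETWORK_LABEL); per the docs it always wins over
/// mode-derived scoping. The `iso-<service>` naming is an assumed convention.
pub fn resolve_data_plane(
    service: &str,
    mode: OverlayMode,
    explicit_isolation_network: Option<&str>,
) -> DataPlane {
    let attachment = if mode.uses_shared_bridge() {
        Attachment::SharedBridgeWithFreePortProxy
    } else {
        Attachment::PerServiceBridge
    };
    let transport = if mode.uses_per_service_wg() {
        Transport::PerService
    } else {
        Transport::ClusterWide
    };
    let isolation_network = match explicit_isolation_network {
        Some(name) => Some(name.to_string()),
        None if mode.uses_isolation_scope() => Some(format!("iso-{}", service)),
        None => None,
    };
    DataPlane { attachment, transport, isolation_network }
}

fn main() {
    let modes = [OverlayMode::Auto, OverlayMode::Dedicated, OverlayMode::Shared, OverlayMode::Isolated];
    for mode in modes {
        println!("{:?}: {:?}", mode, resolve_data_plane("web", mode, None));
    }
}
```

Running the example prints one resolved data plane per mode for a constructed service named `web`; the point to notice is that `Isolated` yields the same attachment and transport as `Auto` and differs only in the isolation network, and that passing an explicit label overrides the mode-derived network regardless of mode.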