Module overlay


Overlay-network configuration types shared across ZLayer crates.

OverlayMode is a per-service data-plane attachment knob. It bundles two independent decisions — the container-attachment topology (per-service Linux bridge vs. one shared node-wide bridge + userspace free-port L4 proxy) and the WireGuard transport (the single cluster-wide interface vs. a per-service interface with isolated crypto) — into a single setting.

Truth table:

| mode | shared node bridge + free-port proxy? | per-service WireGuard transport? | resulting behavior |
|---|---|---|---|
| Auto | no | no | today's default: veth-per-container on a per-service Linux bridge, carried on the single cluster-wide WireGuard interface |
| Dedicated | no | yes | veth-per-container on a per-service bridge, with its OWN per-service WireGuard transport (isolated crypto) = max isolation |
| Shared | yes | no | NO per-service bridge / NO per-service WG: one shared node-wide bridge for all services + a userspace free-port L4 proxy (host:FREEPORT -> container_ip:port), carried on the cluster-wide WireGuard interface = max sharing |
| Isolated | no | no | per-service bridge on the cluster-wide WireGuard interface (Auto topology), but L3-fenced to its own isolation network (members reach only their own network + node IP + egress) |

The real decision surface is the three predicate methods OverlayMode::uses_shared_bridge, OverlayMode::uses_per_service_wg, and OverlayMode::uses_isolation_scope; consult those rather than matching on variants ad hoc.
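The truth table and the predicate-first rule above, as an added illustration that is not ZLayer's own code: the enum and its three predicates encode the table, and a stand-in for the agent's `resolve_isolation_network` shows the "explicit label always wins" precedence from the `ISOLATION_NETWORK_LABEL` description. The `iso-<service>` naming scheme and the function signature are assumptions.

```rust
/// Illustrative re-creation of the OverlayMode knob (not ZLayer's code).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OverlayMode {
    Auto,
    Dedicated,
    Shared,
    Isolated,
}

impl OverlayMode {
    /// Column "shared node bridge + free-port proxy?": only `Shared` collapses
    /// every service onto one node-wide bridge fronted by the L4 proxy.
    pub fn uses_shared_bridge(self) -> bool {
        matches!(self, OverlayMode::Shared)
    }
    /// Column "per-service WireGuard transport?": only `Dedicated` gets its own
    /// WireGuard interface with isolated crypto.
    pub fn uses_per_service_wg(self) -> bool {
        matches!(self, OverlayMode::Dedicated)
    }
    /// Only `Isolated` is L3-fenced into a mode-derived isolation network.
    pub fn uses_isolation_scope(self) -> bool {
        matches!(self, OverlayMode::Isolated)
    }
}

/// Hypothetical stand-in for the agent's resolve_isolation_network: an explicit
/// ISOLATION_NETWORK_LABEL value always wins; otherwise only `Isolated` services
/// are fenced, into a per-service network. Any other mode gets no fence.
pub fn resolve_isolation_network(
    mode: OverlayMode,
    service: &str,
    explicit_label: Option<&str>,
) -> Option<String> {
    if let Some(label) = explicit_label {
        return Some(label.to_string());
    }
    if mode.uses_isolation_scope() {
        Some(format!("iso-{}", service)) // constructed naming scheme, not ZLayer's
    } else {
        None
    }
}

fn main() {
    for mode in [OverlayMode::Auto, OverlayMode::Dedicated, OverlayMode::Shared, OverlayMode::Isolated] {
        println!("{:?}: shared_bridge={} per_service_wg={} isolation_scope={} -> {:?}",
            mode, mode.uses_shared_bridge(), mode.uses_per_service_wg(),
            mode.uses_isolation_scope(), resolve_isolation_network(mode, "web", None));
    }
}
```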

Structs

NetworkIsolation
Resolved network-isolation policy for a workload, derived from its OverlayMode + NetworkMode + optional explicit isolation-network label. Each runtime translates this into its own enforcement (Seatbelt .sb ACL, Linux iptables ISO chain, HCN network, …).
OverlayConfig
Per-service overlay configuration, populated from the service spec.

Enums

EgressPolicy
Egress policy for a workload’s outbound connectivity.
OverlayMode
Per-service overlay data-plane attachment knob.

Constants

ISOLATION_NETWORK_LABEL
Reserved container label naming the isolation network a container must join. Read by every runtime’s overlay attach path (via crate::overlay::OverlayMode + the agent’s resolve_isolation_network) and by the Windows HCS create path. An explicit value always wins over mode-derived isolation scoping. Canonical definition; per-crate copies in the api/agent crates carry the same string.

Functions

resolve_network_isolation
Resolve the effective NetworkIsolation for a workload.