
What sets Nyx apart
Kernel-native, no sidecars. Nyx runs as just two components: the nyx-agent DaemonSet and the nyx-gatekeeper admission webhook. Enforcement happens in the kernel, so there’s no per-pod proxy, no injected containers, and no data-path latency tax.
Observe before you enforce. Every policy runs in one of three modes — dry-run, audit, or enforce — so you can validate a rule against live traffic before it ever blocks a packet. Nyx shows you exactly what would happen before it happens.
Cross-platform by design. The same policy model and the same enforcement semantics apply whether a workload runs on a Linux or a Windows node.
Ask your network questions. Nyx’s AI assistant lets you query your traffic in plain language — “which pods tried to reach the internet in the last hour?” — and turn the answers into dashboards and alerts.
Get started
New to Nyx? The fastest path is the Quickstart: it gets Nyx installed and observing your cluster in about ten minutes. From there, the tutorial walks through writing real policies hands-on.
Quickstart
Install Nyx and see live cluster traffic in about ten minutes.
Core Concepts
Tiers, priority bands, and enforcement modes — the model behind every policy.
CRD Reference
The full schema for NyxNetworkPolicy and NyxClusterNetworkPolicy.
Hardening Guide
Workload identity and intra-namespace deny for production clusters.