NyxClusterConfig is the cluster’s control object. It’s a singleton — one per cluster — and it sets the fallback verdict for unmatched traffic, the enforcement mode for Nyx’s system-generated policies, and the namespaces Nyx leaves alone.

| Property | Value |
| --- | --- |
| API version | nyx.tracenyx.io/v1alpha1 |
| Kind | NyxClusterConfig |
| Scope | Cluster |
| Short names | sncc |

Example
Spec
The fallback verdict when no policy rule matches a flow.
- allow: all unmatched traffic passes. The safe default for migrating an existing cluster onto Nyx.
- deny-cross-namespace: traffic within a namespace passes; cross-namespace traffic is denied.
- deny: all unmatched traffic is denied. Full zero-trust.

deny-cross-namespace generates baseline policies that implement it (visible in your policy list); deny applies as a cluster-wide default without adding policies. See Enforcement Modes for how to stage this safely.

The enforcement mode applied to the system-generated deny policies that defaultMode creates: dry-run, audit, or enforce. This sets the mode for those generated baselines only; it does not change the mode on your own policies, which each carry their own enforcement.

Namespaces that bypass all policy enforcement. The bypass is bidirectional: excluded namespaces are neither subject to policy nor counted as a policy source or destination. Observability hooks are still installed, so you keep visibility into excluded namespaces even though they aren’t enforced.
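
The fallback verdicts and the namespace bypass described above can be evaluated against observed unmatched flows before defaultMode is tightened. The following Python is an added example, not Nyx code: the function names, the flow tuples and the sample namespaces are constructed, and it assumes a flow with either endpoint in an excluded namespace is left unenforced.

```python
from collections import Counter

VERDICTS = ("allow", "deny-cross-namespace", "deny")

# Constructed sample: (source namespace, destination namespace) of flows
# that matched no policy rule. Not real telemetry.
SAMPLE_FLOWS = [
    ("shop", "shop"),
    ("shop", "payments"),
    ("shop", "payments"),
    ("payments", "ledger"),
    ("kube-system", "shop"),
    ("shop", "kube-system"),
]


def fallback_verdict(default_mode, src_ns, dst_ns, excluded=frozenset()):
    """Verdict for an unmatched flow under the given defaultMode value."""
    if default_mode not in VERDICTS:
        raise ValueError(f"unknown defaultMode: {default_mode!r}")
    # Assumption: the bypass is bidirectional, so an excluded namespace on
    # either end leaves the flow unenforced.
    if src_ns in excluded or dst_ns in excluded:
        return "bypass"
    if default_mode == "allow":
        return "allow"
    if default_mode == "deny":
        return "deny"
    # deny-cross-namespace: same-namespace traffic passes, the rest is denied.
    return "allow" if src_ns == dst_ns else "deny"


def denied_pairs(flows, candidate, excluded=frozenset()):
    """Count unmatched flows per namespace pair that `candidate` would deny."""
    denied = Counter()
    for src, dst in flows:
        if fallback_verdict(candidate, src, dst, excluded) == "deny":
            denied[(src, dst)] += 1
    return dict(denied)


if __name__ == "__main__":
    for mode in VERDICTS:
        print(mode, denied_pairs(SAMPLE_FLOWS, mode, excluded={"kube-system"}))
```

The namespace pairs reported for a candidate verdict are the flows to review before moving the cluster to it.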
Status
Nyx populates status; it’s read-only. Fields include observedMode (the mode currently in effect), systemPoliciesReady (whether the generated baseline policies are applied), and lastSyncTime.