NyxClusterNetworkPolicy

NyxClusterNetworkPolicy is the cluster-scoped policy resource. Unlike NyxNetworkPolicy, it isn’t bound to a single namespace — it selects namespaces with a namespaceSelector and applies across the cluster. It’s the resource platform teams use for cluster-wide overrides and baselines.


API version	`nyx.tracenyx.io/v1alpha1`
Kind	`NyxClusterNetworkPolicy`
Scope	Cluster
Short names	`scnp`

Example

A platform-override that denies all public-internet egress from production namespaces. The low priority (50) puts it in the platform-override band, so it wins over any namespace or workload policy:

apiVersion: nyx.tracenyx.io/v1alpha1
kind: NyxClusterNetworkPolicy
metadata:
  name: deny-public-internet
spec:
  tier: platform
  priority: 50
  enforcement: enforce
  namespaceSelector:
    matchLabels:
      environment: production
  policyTypes:
    - Egress
  egress:
    - decision: Deny
      toIpBlock:
        cidr: 0.0.0.0/0

Spec

tier

string

required

Must be platform. Marks the policy as platform-managed.

priority

integer

default:"100"

Evaluation priority, 0–99,999. Lower numbers are evaluated first and win. Must fall within a band the admission webhook permits; see Priority System. Defaults to 100.

enforcement

string

default:"enforce"

Enforcement mode for this policy’s Deny rules: dry-run, audit, or enforce. See Enforcement Modes. Defaults to enforce.

namespaceSelector

object

Selects the namespaces this policy applies to, using the label selector shape. Omit it (or leave it empty) to apply to all namespaces.

podSelector

object

Narrows the policy to specific pods within the matched namespaces, using the label selector shape. Omit it to apply to all pods.

policyTypes

array of string

Which directions this policy governs: Ingress, Egress, or both.

ingress

array

Ingress rules, evaluated top-down. The first matching rule decides the verdict.

Show rule fields

decision

string

required

Allow or Deny.

fromNamespaceSelector

object

Selects source namespaces, using the label selector shape.

fromPodSelector

object

Selects source pods, using the label selector shape.

ports

array

Restricts the rule to specific ports. See Ports.

egress

array

Egress rules, evaluated top-down. The first matching rule decides the verdict.

Show rule fields

decision

string

required

Allow or Deny.

toNamespaceSelector

object

Selects destination namespaces, using the label selector shape.

toPodSelector

object

Selects destination pods, using the label selector shape.

toFqdn

array

Matches egress by fully-qualified domain name — matchName (exact), matchPattern (a wildcard such as * for a catch-all deny), and an optional ports field. FQDN matching applies to HTTPS (port 443) traffic, and toFqdn[].ports is accepted but not enforced. See FQDN egress.

toIpBlock

object

Matches egress to an IP range via a required cidr field, e.g. 0.0.0.0/0.

ports

array

Port restriction for non-FQDN destinations. See Ports.

The label selector and port structures are identical to NyxNetworkPolicy.

Status

Nyx populates status on each policy — it’s read-only. Fields include phase (Pending, Active, or Failed), appliedAt, affectedPods (name, namespace, nodeName, ip), nodesApplied, and a human-readable message.

Working with kubectl

kubectl get scnp

The list view shows the tier, priority, enforcement mode, status phase, and age.

​Example

​Spec

​Status

​Working with kubectl

Example

Spec

Status

Working with kubectl