NyxNetworkPolicy is the namespace-scoped policy resource. It applies to pods in the namespace it’s created in, selected by a podSelector, and carries ingress and egress rules that are evaluated top-down, first match wins.
API version: nyx.tracenyx.io/v1alpha1
Kind: NyxNetworkPolicy
Scope: Namespaced
Short names: snnp, snnpolicy

Example

This policy allows the cloudmart-frontend namespace to reach the API on port 8080, and runs in audit mode so it logs without dropping:
apiVersion: nyx.tracenyx.io/v1alpha1
kind: NyxNetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: cloudmart-api
spec:
  podSelector:
    matchLabels:
      app: cloudmart-api
  priority: 100
  enforcement: audit
  policyTypes:
    - Ingress
  ingress:
    - decision: Allow
      fromNamespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: cloudmart-frontend
      ports:
        - protocol: TCP
          port: 8080

Spec

podSelector (object, required)
  Selects the pods in this namespace the policy applies to. Uses the label selector shape. An empty selector matches all pods in the namespace.
priority (integer, default: 100)
  Evaluation priority. Lower numbers are evaluated first and win: a priority 50 rule overrides a priority 100 rule. Must fall within a band the admission webhook permits; see Priority System. Defaults to 100, in the namespace band.
enforcement (string, default: enforce)
  Enforcement mode for this policy’s Deny rules: dry-run, audit, or enforce. See Enforcement Modes. Defaults to enforce.
policyTypes (array of string)
  Which directions this policy governs: Ingress, Egress, or both.
ingress (array)
  Ingress rules, evaluated top-down. The first matching rule decides the verdict.
egress (array)
  Egress rules, evaluated top-down. The first matching rule decides the verdict.

Label selectors

podSelector and every from*/to* selector use the same Kubernetes-style label selector shape:
matchLabels (map[string]string)
  A map of label key-value pairs. All listed labels must match.
matchExpressions (array)
  A list of selector requirements.

Ports

Port objects take a protocol (TCP, UDP, or SCTP, defaulting to TCP) and a port (1–65535). When a rule specifies ports, only traffic on those ports matches the rule; when ports is absent, all ports match. Rule-level ports — the ingress[].ports and egress[].ports fields — are enforced. Per-FQDN ports (toFqdn[].ports) are not; see FQDN egress.

FQDN egress

toFqdn matches egress traffic by domain name rather than by IP, in two forms:
  • matchName — an exact FQDN to allow or deny.
  • matchPattern — a wildcard, most commonly * for a catch-all deny.
FQDN allow matching applies to HTTPS traffic on port 443: Nyx reads the server name from the TLS handshake (SNI) and matches it against the policy. A matchName allow won’t match the same FQDN reached over a different port — govern non-443 destinations with rule-level ports and toIpBlock. The * catch-all deny is independent of port 443. toFqdn[].ports is accepted but not enforced; per-FQDN port restrictions are a future addition. To restrict ports, use the rule-level egress[].ports field.
Plain HTTP carries no SNI, so FQDN matching doesn’t apply to plaintext egress — govern it with port-level and IP-level rules. Blocking plaintext egress outright is the cleaner posture; see the Hardening guide. Encrypted ClientHello (ECH), which conceals the SNI, is still early in adoption and is tracked on the Nyx roadmap.
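The evaluation rules spelled out in Spec (priority order, enforcement mode), Ports (rule-level ports enforced) and FQDN egress (SNI-only matchName on 443, port-independent * deny, toFqdn[].ports ignored) can be put together in a small model. This is an added example, not Nyx's own code; every policy, flow, port and domain name in it is constructed, and it assumes a rule with ports but no to* selector matches any destination on those ports.

```python
# Added example, not Nyx's own code: a toy evaluator for NyxNetworkPolicy egress
# verdicts that models only what this reference states. All policy and flow
# values below are constructed for illustration.

def rule_matches(rule, flow):
    """True if an egress rule matches flow = {"port": int, "sni": str | None}."""
    ports = rule.get("ports")
    if ports and flow["port"] not in {p["port"] for p in ports}:
        return False                 # rule-level egress[].ports ARE enforced
    fqdns = rule.get("toFqdn")
    if not fqdns:
        return True                  # assumption: no to* selector, ports alone decide
    for f in fqdns:
        # f.get("ports") is deliberately ignored: toFqdn[].ports is not enforced
        if "matchName" in f:
            # matchName allows match only via the TLS SNI on port 443
            if flow["port"] == 443 and flow.get("sni") == f["matchName"]:
                return True
        elif f.get("matchPattern") == "*":
            return True              # catch-all deny, independent of port 443
        # other wildcard patterns are not modelled here
    return False

def evaluate(policies, flow):
    """Lower priority is evaluated first; within a policy, top-down, first match wins."""
    for pol in sorted(policies, key=lambda p: p["spec"].get("priority", 100)):
        spec = pol["spec"]
        for rule in spec.get("egress", []):
            if rule_matches(rule, flow):
                decision = rule["decision"]
                # audit/dry-run: a Deny is logged but the flow is not dropped
                if decision == "Deny" and spec.get("enforcement", "enforce") != "enforce":
                    return pol["name"], "Deny", "logged, not dropped"
                return pol["name"], decision, "dropped" if decision == "Deny" else "forwarded"
    return None, "NoMatch", "no rule matched"

# Constructed policies: an audit-mode SMTP deny (priority 50), an FQDN allow whose
# per-FQDN port 8443 is ignored (priority 100), and a catch-all FQDN deny (priority 200).
POLICIES = [
    {"name": "deny-smtp", "spec": {"priority": 50, "enforcement": "audit",
        "egress": [{"decision": "Deny", "ports": [{"port": 25}]}]}},
    {"name": "allow-api", "spec": {"priority": 100,
        "egress": [{"decision": "Allow", "toFqdn": [
            {"matchName": "api.example.com", "ports": [{"port": 8443}]}]}]}},
    {"name": "deny-all-fqdn", "spec": {"priority": 200,
        "egress": [{"decision": "Deny", "toFqdn": [{"matchPattern": "*"}]}]}},
]

if __name__ == "__main__":
    for flow in ({"port": 443, "sni": "api.example.com"}, {"port": 8443, "sni": "api.example.com"},
                 {"port": 80, "sni": None}, {"port": 25, "sni": None}):
        print(flow, "->", evaluate(POLICIES, flow))
```

Note that api.example.com over port 8443 falls through to the catch-all deny even though the allow rule lists port 8443 under toFqdn, which is exactly the unenforced per-FQDN port the page warns about.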

Status

Nyx populates status on each policy — it’s read-only. Fields include phase (Pending, Active, or Failed), appliedAt, affectedPods (name, namespace, nodeName, ip), nodesApplied, and a human-readable message.

Working with kubectl

Use the short names for quick access:
kubectl get snnp -n cloudmart-api
The list view shows the pod selector, priority, status phase, and age.