Networking Layer
Scope
The networking layer documents pod networking, ingress, service exposure, edge tunneling, DNS paths, and access-control boundaries.
Components that belong here
- calico for cluster networking and network policy
- metallb for service load-balancer address allocation
- traefik for ingress and HTTP or TCP routing
- cloudflared for tunnel-based external exposure
- authelia and crowdsec-lapi when they act as edge protection or access-control dependencies
Mandatory topics
- Ingress topology and north-south traffic path
- East-west networking assumptions and network-policy enforcement
- External exposure model for LAN, VPN, and internet-facing services
- TLS termination point and certificate ownership
- Load-balancer IP pools, advertised ranges, and failure domains
- Authentication or edge filtering dependencies for protected apps
Required artifacts
- Edge request flow diagram from client to pod
- Service exposure matrix with internal and external URLs
- TLS and certificate ownership notes
- Network-policy ownership guidance
- Troubleshooting entry points for DNS, ingress, or tunnel failures
Operator outcomes
An operator reading this layer page should be able to answer:
- Why a service is reachable or not reachable from a given network path
- Which component owns routing, authentication, and TLS for that path
- Which runbooks to open during a traffic outage or authentication failure