// Technology / Network Isolation

Isolation follows the label.

QHx Manager can generate Kubernetes NetworkPolicies from MLS labels so workloads with different classification, compartment, or releasability are isolated by default.

MLS policy Use case →

// Mechanism

Different MLS identities become different network neighborhoods.

The controller groups resources by their MLS identity and creates NetworkPolicies that allow traffic within the same MLS node while denying traffic across different nodes unless policy permits an exception.

Automatic policy generationNetworkPolicy objects are reconciled as resources appear and change.
Default isolationWorkloads with different MLS label combinations are isolated by default.
Selector bindingPolicies bind to labels, not static pod IPs.
Controlled exceptionsExternal and cross-node flows can be opened through explicit policy where needed.

Two workloads on the same node, on different sides of the boundary, can't see each other.