Networking

How traffic enters and leaves Kestrel workloads, and what the default network posture allows.

Ingress on Kestrel Traefik as the ingress controller, allowed ingressClassName, hostname collision scope, wildcards, and TLS.

Why LoadBalancer and NodePort are blocked The Capsule policy, the rationale, and what to use instead when you think you need a non-Ingress service type.

NetworkPolicy in practice Default-deny posture, the allow rules tenants get for free, and how to add tenant-scoped allows safely.

TLS certificates How cert-manager issues certificates for tenant Ingresses and what tenants do and do not control.