LatticeServicePolicy

Applies organization-wide policies to LatticeServices via label selectors. Use policies to enforce backup configuration, compliance requirements, and operational standards across services.

group: lattice.dev
version: v1alpha1
scope: namespaced

Examples

pci-backup-policy.yaml
apiVersion: lattice.dev/v1alpha1
kind: LatticeServicePolicy
metadata:
  name: pci-backup-requirements
  namespace: platform
spec:
  selector:
    matchLabels:
      compliance: pci
    namespaceSelector:
      matchLabels:
        compliance: pci
  description: Enforce backup hooks for PCI-compliant services
  priority: 100
  backup:
    hooks:
      pre:
        - name: freeze-writes
          container: main
          command: ["/bin/sh", "-c", "pg_dump ..."]
          timeout: "600s"
          onError: Fail
    volumes:
      defaultPolicy: opt-in
      include: [data]

all-services-backup.yaml
apiVersion: lattice.dev/v1alpha1
kind: LatticeServicePolicy
metadata:
  name: default-backup
  namespace: platform
spec:
  selector: {}
  description: Default backup policy for all services
  backup:
    volumes:
      defaultPolicy: opt-out

Spec

LatticeServicePolicy spec fields
| Field | Type | Description |
|---|---|---|
| selector | ServiceSelector | Selector for matching LatticeServices. An empty selector matches all services within namespace constraints. |
| description | string? | Human-readable description. |
| priority | i32 | Evaluation order (higher = evaluated first). Default: 0. Policies with equal priority are ordered alphabetically by name. |
| backup | ServiceBackupSpec? | Backup configuration to apply to matched services. See ServiceBackupSpec. |
| ingress | IngressPolicySpec? | Default ingress configuration for matched services. |

IngressPolicySpec

IngressPolicySpec fields
| Field | Type | Description |
|---|---|---|
| tls | IngressTls? | Default TLS configuration for routes without explicit TLS. |
| gatewayClass | string? | Default gateway class. |

ServiceSelector

ServiceSelector fields
| Field | Type | Description |
|---|---|---|
| matchLabels | map<string, string>? | Labels that must all match. |
| matchExpressions | []LabelSelectorRequirement | Complex label queries. |
| namespaceSelector | NamespaceSelector? | Target specific namespaces. Without this, the policy applies only to services in its own namespace. |

LabelSelectorRequirement

LabelSelectorRequirement fields
| Field | Type | Description |
|---|---|---|
| key | string | Label key. |
| operator | LabelSelectorOperator | Operator for matching: In, NotIn, Exists, DoesNotExist. |
| values | []string | Values for In/NotIn operators (empty for Exists/DoesNotExist). |

LabelSelectorOperator

In: Value must be in specified set.
NotIn: Value must not be in specified set.
Exists: Label must exist.
DoesNotExist: Label must not exist.
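
The selector and priority rules in the tables above decide which policies reach a given service, so it is worth checking coverage before relying on a policy for compliance. The following is an added example, not code from the Lattice project: a small model of those rules run against the two example policies from this page. The service and namespace data are constructed, and the combination rules noted in the comments are assumptions.

```python
# Added example, not project code: models the selector and priority rules documented here.
# Assumed: matchLabels AND matchExpressions; NotIn matches an absent label (Kubernetes
# convention); namespaceSelector supports matchLabels, as in pci-backup-policy.yaml.
def labels_match(selector, labels):
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for req in selector.get("matchExpressions") or []:
        key, values = req["key"], req.get("values") or []
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}[req["operator"]]
        if not ok:
            return False
    return True

def policy_applies(policy, svc, ns_labels):
    sel = policy["spec"].get("selector") or {}
    ns_sel = sel.get("namespaceSelector")
    if ns_sel is None:  # documented default: same namespace only
        if svc["namespace"] != policy["metadata"]["namespace"]:
            return False
    elif not labels_match(ns_sel, ns_labels.get(svc["namespace"], {})):
        return False
    return labels_match(sel, svc["labels"])

def evaluation_order(policies, svc, ns_labels):
    hits = [p for p in policies if policy_applies(p, svc, ns_labels)]
    # Higher priority first (default 0); ties broken alphabetically by name.
    hits.sort(key=lambda p: (-p["spec"].get("priority", 0), p["metadata"]["name"]))
    return [p["metadata"]["name"] for p in hits]

def make_policy(name, selector, priority=0, namespace="platform"):
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"selector": selector, "priority": priority}}

# The two policies from this page, reduced to the fields that affect matching.
POLICIES = [
    make_policy("default-backup", {}),
    make_policy("pci-backup-requirements", {"matchLabels": {"compliance": "pci"},
                "namespaceSelector": {"matchLabels": {"compliance": "pci"}}}, priority=100),
]
# Constructed sample namespaces and services (not from the page).
NS_LABELS = {"platform": {"compliance": "pci"}, "payments": {"compliance": "pci"}}
VAULT = {"namespace": "platform", "labels": {"compliance": "pci"}}
LEDGER = {"namespace": "payments", "labels": {"compliance": "pci"}}
NOTIFIER = {"namespace": "payments", "labels": {}}
for svc in (VAULT, LEDGER, NOTIFIER):
    print(svc, "->", evaluation_order(POLICIES, svc, NS_LABELS))
```

On this sample data the unlabelled service in payments matches neither policy: default-backup has an empty selector but no namespaceSelector, so under the documented rule it reaches only services in the platform namespace.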

Status

LatticeServicePolicy status fields
| Field | Type | Description |
|---|---|---|
| phase | ServicePolicyPhase | Current phase: Pending, Compiling, Active, or Failed. |
| matchedServices | u32 | Count of matched services. |
| matchedServiceRefs | []string | Matched service refs (namespace/name). |
| conditions | []Condition | Standard Kubernetes conditions. |
| message | string? | Human-readable status message. |
| observedGeneration | i64? | Last observed metadata.generation. |