Lattice Documentation
Secure service graph and AI workload platform. Bilateral service agreements, compile-time policy enforcement, and defense-in-depth security from network to kernel.
Getting Started
Infrastructure
CloudProvider
Cloud credentials and provider configuration. AWS, Proxmox, OpenStack, Docker.
LatticeCluster
Infrastructure, node pools, and the pivot. Multi-provider cluster lifecycle.
SecretProvider
External Secrets Operator (ESO) ClusterSecretStore configuration. Vault, AWS Secrets Manager, webhook, and more.
BackupStore
Backup storage configuration. S3, GCS, Azure, and S3-compatible providers.
LatticeClusterBackup
Cluster-wide backup schedules and scope using Velero. Control plane and workload backups.
LatticeRestore
Restore from Velero backups. Tracks restore progress and completion.
Workloads
LatticeService
Workload definition with containers, resources, bilateral agreements, autoscaling, and deploy strategies.
LatticeJob
Batch workloads with gang scheduling via Volcano. Master/worker topologies, GPU allocation, and retry policies.
LatticeModel
Model serving with disaggregated inference. Separate entry and worker roles, GPU sharing, and model-aware scheduling.
LatticeExternalService
External service endpoints outside the cluster mesh. Creates Istio ServiceEntry and Cilium egress policies.
LatticeServicePolicy
Organization-wide policies applied to LatticeServices via label selectors. Backup, compliance, and standards.
LatticeMeshMember
Enroll namespaces into the Istio ambient mesh with Cilium integration. Manages waypoint proxies and mesh labels.
Security
CedarPolicy
Authorization rules using the Cedar policy language. Control user and group access to clusters.
Cedar Authorization
How Cedar policies are evaluated at compile time. Security overrides, workload authorization, and default-deny semantics.
OIDCProvider
OIDC identity provider for the auth proxy. JWT token validation, JWKS discovery, and claim mapping.
Runtime Enforcement
Tetragon eBPF kernel-level enforcement. Binary allowlists, rootfs write protection, and capability restrictions.