docs(networking): add network architecture overview

[IvanHunters]

Summary

• Add comprehensive network architecture documentation to the Networking section
• Covers MetalLB (L2/BGP modes), Cilium eBPF (kube-proxy replacement), Kube-OVN (centralized IPAM), and tenant isolation with identity-based eBPF policies
• All diagrams use Mermaid

Test plan

• Verify page renders correctly on the Hugo site
• Verify all Mermaid diagrams render properly

Summary by CodeRabbit

• Documentation
  • Added comprehensive Network Architecture documentation providing detailed explanations of the networking stack including external load balancing, service connectivity, pod networking, network policies for tenant isolation, and observability capabilities. Documentation covers multiple deployment modes, kernel-level enforcement mechanisms, traffic flow patterns, and practical configuration examples.

[netlify]

✅ Deploy Preview for cozystack ready!

Name	Link
🔨 Latest commit	1377c9f
🔍 Latest deploy log	https://app.netlify.com/projects/cozystack/deploys/6992ca52727cb90008fa68f7
😎 Deploy Preview	https://deploy-preview-422--cozystack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[gemini-code-assist]

Summary of Changes

Hello @IvanHunters, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces new documentation that provides a detailed overview of the Cozystack cluster's network architecture. It clarifies how various components like MetalLB, Cilium eBPF, and Kube-OVN work together to manage external load balancing, internal pod networking, and robust tenant isolation. The document aims to enhance understanding of the system's networking capabilities and security enforcement mechanisms.

Highlights

• New Documentation: Added a comprehensive network architecture overview document to the Networking section.
• MetalLB Integration: Detailed the use of MetalLB for external load balancing, covering both Layer 2 (ARP) and BGP modes with illustrative diagrams.
• Cilium eBPF as kube-proxy Replacement: Explained how Cilium eBPF replaces kube-proxy for efficient service load balancing and network policies, including a comparison with traditional iptables.
• Kube-OVN for Pod Networking: Described Kube-OVN's role in centralized IPAM and overlay networking, highlighting its shared Pod CIDR model.
• Tenant Isolation: Outlined the tenant isolation strategy using Kube-OVN and Cilium's identity-based eBPF policies, demonstrating how cross-tenant traffic is denied in-kernel.
• Mermaid Diagrams: Incorporated numerous Mermaid diagrams throughout the document to visually represent network flows and architectural components.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• content/en/docs/v1/networking/architecture.md
  • Added new documentation file detailing the network architecture.

Activity

• The pull request was created by IvanHunters, introducing new documentation for the network architecture.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

📝 Walkthrough

Walkthrough

A new comprehensive documentation file is added describing Cozystack's network architecture, covering multi-layered networking with MetalLB for external load balancing, Cilium eBPF for service load balancing and network policy enforcement, Kube-OVN for pod networking, and Hubble for observability.

Changes

Cohort / File(s)	Summary
Network Architecture Documentation content/en/docs/v1/networking/architecture.md	Adds comprehensive documentation covering network architecture layers (MetalLB, Cilium, Kube-OVN, Hubble), cluster configuration, external traffic ingress modes, service load balancing, tenant isolation strategies, policy enforcement mechanisms in kernel space, and traffic flow diagrams.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Through tunnels of packets, a bunny takes flight,
MetalLB and Cilium keep networks tight,
Kube-OVN weaves paths with IPAM grace,
Hubble watches over this architectural space! 🌐

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs(networking): add network architecture overview' directly and clearly summarizes the main change: adding comprehensive network architecture documentation to the networking section.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/network-architecture

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds a comprehensive and well-structured documentation page for Cozystack's network architecture. The document is clear, detailed, and makes excellent use of Mermaid diagrams to explain complex concepts like MetalLB modes, Cilium's eBPF-based processing, and tenant isolation. The explanations are accurate and easy to follow. I have a couple of minor suggestions to improve the clarity of two diagrams, but overall this is a great addition to the documentation.

[gemini-code-assist]

In the "Tenant Isolation" summary diagram, the label ALLOW → Pod A' could be clearer. The A' notation is ambiguous and might be confused with a different state of Pod A. To improve clarity, consider changing it to explicitly state that traffic is allowed to another pod within the same tenant.

Suggested change

	flowchart LR
	A["Pod A"] --> CHECK{"eBPF<br/>Policy Check"}
	CHECK -->|"Cross-tenant"| DENY["DENY"]
	CHECK -->|"Same tenant"| ALLOW["ALLOW → Pod A'"]
	flowchart LR
	A["Pod A"] --> CHECK{"eBPF<br/>Policy Check"}
	CHECK -->|"Cross-tenant"| DENY["DENY"]
	CHECK -->|"Same tenant"| ALLOW["ALLOW → Pod in same tenant"]

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@content/en/docs/v1/networking/architecture.md`:
- Around line 277-292: The sentence "All of this happens in kernel space in
approximately 100 nanoseconds." is an unsupported precise latency claim; update
the text in the "Policy Enforcement in Kernel" section to either remove the
numeric value or qualify it and add a citation: e.g., replace with a softened
statement such as "All of this happens in kernel space and is typically
performed in sub-microsecond time on modern hardware" or "…in approximately 100
nanoseconds (hardware- and version-dependent; see [benchmark/source])" and
include a reference to the benchmark or paper if you keep the number; locate the
exact sentence in that section to edit.

🧹 Nitpick comments (1)

content/en/docs/v1/networking/architecture.md (1)

294-316: Avoid absolute security guarantees; qualify the statements.

Phrases like “No userspace bypass” / “no race conditions” / “cannot be bypassed” read as unconditional guarantees. Consider qualifying them (e.g., “by design” or “under correct configuration”) to avoid over-promising.

✏️ Suggested wording

-| **No userspace bypass** | All network traffic must pass through eBPF hooks |
-| **Atomic updates** | Policy changes are atomic — no race conditions |
+| **No userspace bypass (by design)** | All network traffic is expected to pass through eBPF hooks under correct configuration |
+| **Atomic updates** | Policy updates are applied atomically to reduce race windows |

-        EBPF["eBPF Programs<br/>• Attached to network interfaces<br/>• Run in privileged kernel context<br/>• Verified by kernel<br/>• Cannot be bypassed by userspace<br/>• Atomic policy updates"]
+        EBPF["eBPF Programs<br/>• Attached to network interfaces<br/>• Run in privileged kernel context<br/>• Verified by kernel<br/>• Not intended to be bypassed by userspace (with correct configuration)<br/>• Atomic policy updates"]

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Soften or source the “~100 nanoseconds” performance claim.

This is a very specific latency figure and is likely hardware/version dependent. Consider removing the number, qualifying it, or citing a benchmark if you have one.

✏️ Suggested wording

-All of this happens in kernel space in approximately 100 nanoseconds.
+All of this happens in kernel space with very low per-packet overhead (exact latency depends on hardware, kernel, and policy complexity).

🤖 Prompt for AI Agents

In `@content/en/docs/v1/networking/architecture.md` around lines 277 - 292, The
sentence "All of this happens in kernel space in approximately 100 nanoseconds."
is an unsupported precise latency claim; update the text in the "Policy
Enforcement in Kernel" section to either remove the numeric value or qualify it
and add a citation: e.g., replace with a softened statement such as "All of this
happens in kernel space and is typically performed in sub-microsecond time on
modern hardware" or "…in approximately 100 nanoseconds (hardware- and
version-dependent; see [benchmark/source])" and include a reference to the
benchmark or paper if you keep the number; locate the exact sentence in that
section to edit.