Access Policies
Define least-privilege network access with identity-aware policies.
Policy model
Policies define who can reach which resources, based on user identity, group membership, device trust, and destination tags. Typical policies:
- Allow engineers to reach production Kubernetes nodes
- Deny contractors access to private database subnets
- Require MFA-verified sessions for admin endpoints
Example policy
policy:
  name: platform-team-prod-access
  sources:
    groups: [platform-team]
  destinations:
    tags: [production, kubernetes]
  action: allow
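The following evaluator is an added example, not the product's own policy engine, showing how the model above (source groups, destination tags, an allow or deny action) can be evaluated with default-deny and deny-overrides semantics. The policy schema follows the example policy on this page; the `require_mfa` and `device_trust` source conditions, the sample policies, and the matching rule that a destination must carry every tag the policy lists are assumptions made for the example and are not documented fields or behaviour.

```python
"""Minimal evaluator for identity-aware access policies.

Added example, not the product's own engine. Policies use the page's schema
(name, sources.groups, destinations.tags, action). The `require_mfa` and
`device_trust` source conditions are assumed extensions for illustration.
"""
from dataclasses import dataclass

# Constructed sample policies (not from the page), mirroring the three
# bullet points: allow engineers to prod Kubernetes, deny contractors from
# private database subnets, require MFA (and a managed device) for admin.
POLICIES = [
    {
        "name": "platform-team-prod-access",
        "sources": {"groups": ["platform-team"]},
        "destinations": {"tags": ["production", "kubernetes"]},
        "action": "allow",
    },
    {
        "name": "deny-contractors-private-db",
        "sources": {"groups": ["contractors"]},
        "destinations": {"tags": ["private", "database"]},
        "action": "deny",
    },
    {
        "name": "admin-endpoints-mfa",
        # require_mfa / device_trust are assumed fields, not documented ones.
        "sources": {"groups": ["platform-team"], "require_mfa": True, "device_trust": "managed"},
        "destinations": {"tags": ["admin"]},
        "action": "allow",
    },
]


@dataclass
class Request:
    """One connection attempt as seen by the policy engine."""
    user: str
    groups: set            # group memberships resolved from the identity provider
    mfa_verified: bool     # whether the current session completed MFA
    device_trust: str      # e.g. "managed" or "unmanaged" (assumed values)
    destination_tags: set  # tags attached to the target resource


def policy_matches(policy, req):
    """Return True if the policy's source and destination conditions all hold."""
    src = policy["sources"]
    dst = policy["destinations"]
    # Source: the user must be in at least one of the listed groups.
    if not (set(src.get("groups", [])) & req.groups):
        return False
    # Destination: assumed all-of matching, every listed tag must be present.
    if not set(dst.get("tags", [])) <= req.destination_tags:
        return False
    # Assumed session/device conditions.
    if src.get("require_mfa") and not req.mfa_verified:
        return False
    if src.get("device_trust") and req.device_trust != src["device_trust"]:
        return False
    return True


def evaluate(policies, req):
    """Default-deny, deny-overrides. Returns (decision, name_of_deciding_policy).

    A request with no matching policy is denied with policy name None; any
    matching deny policy wins over every matching allow policy.
    """
    allowed_by = None
    for p in policies:
        if not policy_matches(p, req):
            continue
        if p["action"] == "deny":
            return ("deny", p["name"])  # explicit deny always wins
        if allowed_by is None:
            allowed_by = p["name"]
    return ("allow", allowed_by) if allowed_by else ("deny", None)


if __name__ == "__main__":
    engineer = Request("alice", {"platform-team"}, False, "managed",
                       {"production", "kubernetes", "node"})
    contractor = Request("bob", {"contractors"}, True, "managed",
                         {"private", "database"})
    print(evaluate(POLICIES, engineer))    # allow via platform-team-prod-access
    print(evaluate(POLICIES, contractor))  # deny via deny-contractors-private-db
```

The two properties worth checking in any engine of this kind are visible in `evaluate`: a request that matches nothing is denied rather than falling through, and a user who sits in both an allowed and a denied group still gets the deny. Confirm the real product's tag-matching rule (all-of versus any-of) before relying on a deny policy written with several tags, since any-of matching makes the deny broader and all-of makes it narrower.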