# Network Flow Discovery Flow
The Network Flow Discovery controller builds a service-to-service dependency graph by reading Kubernetes NetworkPolicies and GKE FQDNNetworkPolicies.
## Overview

```mermaid
flowchart TD
NFD["NetworkFlowDiscovery CR"] --> Chain["NFD Controller\n(Chain of Responsibility)"]
Chain -->|local| NP["List NetworkPolicies\n+ FQDNNetworkPolicies"]
Chain -->|remote| Remote["Fetch from remote portal\nvia Connect gRPC"]
NP --> Graph["Build graph\n(nodes + edges)"]
Remote --> Graph
Graph --> CRs["FlowNodeSet CR\nFlowEdgeSet CR"]
Graph --> Store["FlowGraphStore\n(in-memory ReadStore)"]
Store --> API["Connect gRPC API / MCP"]
API --> UI["Web UI\n(Network Flows page)"]
```
## Trigger

Watch-based: triggers on create/update/delete of NetworkFlowDiscovery CRs. Requeues every 1 minute for periodic refresh.
## Chain of Responsibility

```mermaid
flowchart TD
Start([Reconcile]) --> H1
H1["① FetchRemoteGraph\n(no-op if local)\nFetch nodes+edges from remote portal"] --> H2
H2["② BuildGraph\n(no-op if remote)\nParse NetworkPolicies\nBuild nodes + edges"] --> H3
H3["③ UpdateStatus\nCreate/Update FlowNodeSet + FlowEdgeSet CRs\nUpdate NFD status (nodeCount, edgeCount)\nProject to FlowGraphWriter"] --> Done([Done])
```
### Step 1 — FetchRemoteGraph (remote only)

For NFDs with `spec.isRemote: true`:

- Look up the Portal CR to get the remote URL and TLS config
- Use a cached TLS client to call the remote portal's Connect API
- Populate `ChainData.Nodes` and `ChainData.Edges` from the remote response
### Step 2 — BuildGraph (local only)

For local NFDs:

- List NetworkPolicies in the configured namespaces (or all namespaces if `spec.namespaces` is empty)
- List FQDNNetworkPolicies (GKE-specific CRD, silently skipped if not available)
- Parse policies and extract:
  - App names from policy naming conventions (strips suffixes like `-ingress-policy`, `-egress-policy`, `-fqdn-network-policy`)
  - Nodes classified by type:
| Node Type | Source |
|---|---|
| service | Apps referenced in ingress from selectors |
| cron | Apps with cron-related naming patterns |
| database | FQDN targets matching database patterns |
| messaging | FQDN targets matching messaging patterns |
| external | Other FQDN egress targets |
- Build edges between nodes:

| Edge Type | Description |
|---|---|
| internal | Same namespace communication |
| cross-ns | Cross-namespace communication |
| cron | CronJob to service communication |
| database | Service to database |
| messaging | Service to message broker |
| external | Service to external FQDN |

- Deduplicate edges and sort nodes (by group, then label) and edges (by from, then to)
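As an added example (not the controller's own code), the suffix stripping, internal/cross-ns edge labelling, deduplication and from-then-to sorting that Step 2 describes, in Go. The `IngressRule` shape, the `namespace/app` node key and the sample rules in the usage are constructed assumptions; the cron, database, messaging and external classifications are left out.

```go
package main

import (
	"sort"
	"strings"
)

// Suffixes the page says are stripped from a policy name to recover the app name.
var policySuffixes = []string{"-ingress-policy", "-egress-policy", "-fqdn-network-policy"}

// AppName strips the first matching policy suffix; unknown names pass through.
func AppName(policyName string) string {
	for _, s := range policySuffixes {
		if strings.HasSuffix(policyName, s) {
			return strings.TrimSuffix(policyName, s)
		}
	}
	return policyName
}

// Edge is a directed flow between two "namespace/app" nodes. IngressRule is a
// constructed, simplified view of one ingress rule: the policy that owns it and
// the namespace/app selected as the allowed source (an assumption, not the CRD).
type Edge struct{ From, To, Type string }
type IngressRule struct{ PolicyNamespace, PolicyName, FromNamespace, FromApp string }

// BuildEdges labels edges internal or cross-ns, deduplicates, sorts by from then to.
func BuildEdges(rules []IngressRule) []Edge {
	seen := map[Edge]bool{}
	var edges []Edge
	for _, r := range rules {
		e := Edge{From: r.FromNamespace + "/" + r.FromApp, Type: "internal",
			To: r.PolicyNamespace + "/" + AppName(r.PolicyName)}
		if r.FromNamespace != r.PolicyNamespace {
			e.Type = "cross-ns"
		}
		if !seen[e] { // identical rules in several policies collapse into one edge
			seen[e] = true
			edges = append(edges, e)
		}
	}
	sort.Slice(edges, func(i, j int) bool {
		return edges[i].From < edges[j].From || (edges[i].From == edges[j].From && edges[i].To < edges[j].To)
	})
	return edges
}
```

Calling `BuildEdges` with two `shop/web -> api-ingress-policy` rules and one `billing/worker` rule yields exactly two edges, the cross-ns one first because `billing/worker` sorts before `shop/web`.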
### Step 3 — UpdateStatus

- Create/Update FlowNodeSet CR (name: `{nfdName}-nodes`, owner: NFD)
- Create/Update FlowEdgeSet CR (name: `{nfdName}-edges`, owner: NFD)
- Update NFD status: nodeCount, edgeCount, lastReconcileTime, Ready condition
- Project to ReadStore: write nodes and edges to FlowGraphWriter (keyed by NFD name + portal ref)
## Child CR Lifecycle

Both FlowNodeSet and FlowEdgeSet CRs have owner references to the parent NetworkFlowDiscovery. Deleting the NFD automatically cleans up the node and edge sets.
## MCP Tools

| Tool | Description |
|---|---|
| `list_network_flows` | List nodes and edges with optional portal/namespace/search filters (1-hop expansion) |
| `get_service_flows` | Get all incoming and outgoing flows for a specific service |