Kubernetes Topology Visualization
C4CI drills down into Azure Kubernetes Service (AKS) clusters to visualize namespaces, deployments, pods, services, and sidecar topology — directly from your Azure subscription. No agents to install, no Helm charts, no cluster access beyond the standard Reader role. Available on Pro, Enterprise, and PAYG tiers.
For teams running AKS, the K8s drill-down answers the question that kubectl get pods --all-namespaces cannot: what does my cluster actually look like as an architecture diagram, and where did it drift from the last approved state?
What C4CI visualizes in AKS
The K8s topology view is accessible from the L3 diagram on any project with an AKS cluster in scope. C4CI reads from the AKS API via Azure Resource Graph — the same Reader role used for all other scans.
| Resource | What C4CI shows | Tier |
|---|---|---|
| AKS Cluster | Cluster name, node pool count, Kubernetes version, region | Pro+ |
| Namespaces | All namespaces with pod count and resource quota status | Pro+ |
| Deployments | Name, replica count, image tag, restart policy | Pro+ |
| Pods | Name, status (Running/Pending/Failed), node assignment, container count | Pro+ |
| Services | ClusterIP, LoadBalancer, and NodePort — with port mappings and selectors | Pro+ |
| Sidecar containers | Injected sidecars (e.g. Istio ztunnel, OTEL collector) — toggle show/hide | Pro+ |
| Image tag drift | Containers running image tags not matching the approved baseline | Enterprise / PAYG |
| ConfigMaps and Secrets (names only) | Referenced ConfigMaps and Secrets per deployment — values never retrieved | Enterprise |
Sidecar filter toggle
Service meshes and observability stacks inject sidecar containers into every pod — Istio ztunnel, Linkerd proxy, OpenTelemetry collector, Datadog agent. These sidecars are real infrastructure, but they make topology diagrams hard to read when visible on every workload pod.
The K8s diagram view includes a sidecar toggle. When off, only application containers are shown. When on, all sidecars are rendered as separate nodes connected to their parent pod — useful for debugging mesh configuration or verifying that all pods have the expected observability sidecar injected.
Image tag drift detection
Image tag drift is detected when a container in your cluster is running an image version that was not present in the last approved architecture snapshot. This happens when a deployment is updated outside the normal IaC pipeline — a hotfix applied directly via kubectl set image, or a Helm release rolled back manually.
C4CI compares the running image tags across all AKS namespaces against the approved baseline and flags any mismatches as drift items in the K8s topology view. Image tag drift is severity-scored — a production workload running an image with a known CVE would be flagged as Critical.
This feature is directly relevant to NIS2 Article 21(2)(j) supply-chain security requirements. Container image provenance and version control are named technical controls under NIS2. Image tag drift detection provides an automated mechanism to enforce them without requiring manual audits.
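The comparison described above, as an added example that is not C4CI's own code: a baseline snapshot and a running-cluster state are constructed inline, every workload whose image reference differs from (or is absent from) the snapshot becomes a drift item, and the item is scored Critical only when it runs in a production namespace with an image on a constructed list of known-vulnerable tags (the registry, namespaces and tags are placeholders, not real values).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (namespace, deployment, container)

# Constructed approved baseline: image reference per container at the last snapshot.
APPROVED_BASELINE: Dict[Key, str] = {
    ("prod", "api", "api"): "registry.example.com/shop/api:1.4.2",
    ("prod", "worker", "worker"): "registry.example.com/shop/worker:2.0.0",
    ("staging", "api", "api"): "registry.example.com/shop/api:1.5.0-rc1",
}

# Constructed running state as a later scan would observe it.
RUNNING: Dict[Key, str] = {
    ("prod", "api", "api"): "registry.example.com/shop/api:1.4.3-hotfix",   # hotfix via kubectl set image
    ("prod", "worker", "worker"): "registry.example.com/shop/worker:2.0.0",  # unchanged
    ("staging", "api", "api"): "registry.example.com/shop/api:1.4.2",       # manual Helm rollback
    ("prod", "canary", "canary"): "registry.example.com/shop/api:1.6.0",    # deployment absent from snapshot
}

# Constructed advisory data: image references with a known CVE (hypothetical).
KNOWN_VULNERABLE: Set[str] = {"registry.example.com/shop/api:1.4.3-hotfix"}
PRODUCTION_NAMESPACES: Set[str] = {"prod"}


@dataclass(frozen=True)
class DriftItem:
    namespace: str
    deployment: str
    container: str
    approved: Optional[str]  # None when the workload was not in the snapshot at all
    running: str
    severity: str            # "Critical" or "Warning"


def detect_image_drift(baseline: Dict[Key, str], running: Dict[Key, str],
                       vulnerable: Set[str], prod_namespaces: Set[str]) -> List[DriftItem]:
    """Flag every running container whose image differs from the approved snapshot."""
    items: List[DriftItem] = []
    for key, image in sorted(running.items()):
        approved = baseline.get(key)
        if approved == image:
            continue  # matches the approved state: no drift
        namespace, deployment, container = key
        # Critical only for a production workload on an image with a known CVE.
        critical = namespace in prod_namespaces and image in vulnerable
        items.append(DriftItem(namespace, deployment, container, approved, image,
                               "Critical" if critical else "Warning"))
    return items
```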
How the drill-down works
Starting from the L2 or L3 diagram, click any AKS cluster node to enter the K8s drill-down view. The diagram redraws around the cluster, showing:
- Namespace lanes — each namespace is a swimlane containing its deployments, pods, and services
- Service connections — ClusterIP and LoadBalancer services are drawn as edges connecting pods to ingress or external consumers
- Drift annotations — pods with image tag drift are highlighted in the severity colour (Critical red, Warning amber) with a tooltip showing the running tag vs the approved tag
- Sidecar toggle — button in the diagram toolbar to show or hide injected sidecars
The diagram can be exported to PDF or PlantUML from the toolbar, like any other C4CI diagram level. PlantUML export is useful for committing a point-in-time topology snapshot to your architecture repository.
Frequently asked questions
Does C4CI read pod logs or exec into containers?
No. C4CI requires only the Reader role on your Azure subscription. It reads Kubernetes resource metadata via the AKS API — resource names, status, image tags, and relationships. It never reads pod logs, execs into containers, or accesses running workload data.
Which Kubernetes distributions does C4CI support?
C4CI currently supports Azure Kubernetes Service (AKS) on Azure. Multi-cloud Kubernetes support (EKS, GKE) is on the roadmap for post-Enterprise validation.
What is image tag drift and why does it matter for NIS2?
Image tag drift is when a container in your cluster is running an image version that was not in the last approved architecture snapshot — for example, because a deploy ran outside the normal IaC pipeline. NIS2 Article 21(2)(j) requires supply-chain security measures. Detecting unapproved image versions is a direct technical control for that requirement.
Can I filter out system namespaces from the diagram?
Yes. The K8s diagram view lets you filter namespaces. System namespaces (kube-system, kube-public, cert-manager, etc.) can be hidden to focus on application workloads.
Get started
K8s drill-down is available on Pro, Enterprise, and PAYG tiers. Image tag drift detection requires Enterprise or PAYG. Connect your first Azure subscription and run a scan — if your subscription includes AKS clusters, they appear in the L2 diagram automatically.
- Quickstart — connect your Azure subscription in under 10 minutes
- Drift detection — how the comparison engine works
- NIS2 / DORA compliance — supply-chain security requirements
- View pricing — Pro+ tier access
- Contact us — enterprise inquiries