// Technology / Flowspecs

Describe the flow. Let the system realize it.

Flowspecs use Kubernetes service annotations to define which workloads can connect, what protocol is mediated, and which proxy features apply.

// Mechanism

Policy should not require hand-built sidecars.

Instead of manually wiring every proxy, operators annotate services. QHx Manager deploys and configures the client and server proxies needed to secure the path.

  • Protocol selection: Define HTTP or TCP flows and the ports they use.
  • Source selectors: Restrict clients by labels, service accounts, or SPIFFE ID patterns.
  • Local mediation: Client applications can call localhost while QHx Proxy secures the peer connection.
  • Extensions: Enable request notarization for flows that require signed evidence.

FLOW SPEC

http from app=client having serviceAccount == frontend-sa with restNotary(signRequest)
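
To make the source-selector semantics concrete, here is an added example (not QHx code) that parses a flowspec of exactly the shape shown above and decides whether a client workload matches it. The grammar is an assumption inferred from that single sample line, and `parse_flowspec` and `client_allowed` are hypothetical names.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed shape, inferred only from the one sample line on this page:
#   <protocol> from <label>=<value> having serviceAccount == <name> with <ext>(<arg>)
FLOWSPEC_RE = re.compile(
    r"^(?P<protocol>http|tcp)\s+from\s+(?P<key>[\w./-]+)=(?P<value>[\w.-]+)"
    r"(?:\s+having\s+serviceAccount\s*==\s*(?P<sa>[\w.-]+))?"
    r"(?:\s+with\s+(?P<ext>\w+)\((?P<arg>\w*)\))?$"
)

@dataclass(frozen=True)
class FlowSpec:
    protocol: str
    label: Tuple[str, str]
    service_account: Optional[str]
    extension: Optional[Tuple[str, str]]

def parse_flowspec(text: str) -> FlowSpec:
    """Parse one flowspec string; reject anything that is not fully understood."""
    m = FLOWSPEC_RE.match(text.strip())
    if m is None:
        # Fail closed: an unparseable policy must never degrade to allow-all.
        raise ValueError(f"unrecognized flowspec: {text!r}")
    ext = (m["ext"], m["arg"]) if m["ext"] else None
    return FlowSpec(m["protocol"], (m["key"], m["value"]), m["sa"], ext)

def client_allowed(spec: FlowSpec, labels: dict, service_account: str) -> bool:
    """Every selector in the spec must match; a missing label is a deny."""
    key, value = spec.label
    if labels.get(key) != value:
        return False
    if spec.service_account is not None and service_account != spec.service_account:
        return False
    return True

if __name__ == "__main__":
    spec = parse_flowspec(
        "http from app=client having serviceAccount == frontend-sa "
        "with restNotary(signRequest)"
    )
    # Constructed client identities, for illustration only.
    print(client_allowed(spec, {"app": "client"}, "frontend-sa"))  # matching client
    print(client_allowed(spec, {"app": "client"}, "default"))      # wrong service account
```
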