
Forensics & storage CRDs

These three kinds wire together the lifecycle of an incident artifact: capture (ForensicsConfig), retention (TTLConfig), and the write-once backend (WORMConfig).

Kind             Scope       Cardinality              Owning operator
ForensicsConfig  Cluster     singleton                forensics
TTLConfig        Namespaced  singleton per namespace  ugallu-ttl
WORMConfig       Namespaced  singleton per namespace  ugallu-worm

ForensicsConfig

Singleton, cluster-scoped. Owned by the forensics operator. Gates which SecurityEvents trigger a capture, sizes the snapshot, and bounds concurrency.

Spec

  • trigger.classes[] (enum) - default [Detection, Anomaly]. Other values: PolicyViolation, Forensic, Compliance, Audit.
  • trigger.minSeverities[] (enum) - default [high, critical].
  • trigger.requireAttested (bool) - default true. Gates capture on AttestationBundle.phase=Sealed so that a forged SecurityEvent (SE) cannot drive a freeze.
  • trigger.namespaceAllowlist[] (string) - an empty list matches all namespaces.
  • whitelistedTypes[] (string) - explicit opt-in by SE type. Note the asymmetry with namespaceAllowlist: an empty list matches nothing, so you must list every type you want captured.
  • snapshot.filesystemSnapshot (bool) - default true.
  • snapshot.maxBytes (Quantity) - default 2Gi.
  • maxConcurrentIncidents (int) - default 5.

Status

  • freezeBackend - auto-detected NetworkPolicy backend (Cilium or CoreV1), refreshed every 10m.
  • lastConfigLoadAt.
  • inFlightIncidents - live concurrent-incident count.
  • conditions[].

Example

apiVersion: security.ugallu.io/v1alpha1
kind: ForensicsConfig
metadata: { name: default }
spec:
  trigger:
    classes: [Detection, Anomaly]
    minSeverities: [high, critical]
    requireAttested: true
    namespaceAllowlist: []          # empty = all namespaces
  whitelistedTypes:                 # empty = capture nothing
    - PrivilegedPodChange
    - HostPathMount
    - ExecIntoPod
    - HoneypotTriggered
    - CrossTenantSecretAccess
    - CrossTenantExec
  snapshot:
    filesystemSnapshot: true
    maxBytes: "2Gi"
  cleanup:
    autoUnfreezeAfter: 4h
  evidence:
    bucket: ugallu-forensics
    objectLock: COMPLIANCE
    retainDays: 365
  maxConcurrentIncidents: 5
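The trigger gating above is easy to get wrong because the two list fields have opposite empty-list semantics. The following is an added illustration of the documented rules, not the forensics operator's own code; field names follow the spec list, while the SecurityEvent shape and the sample spec are assumptions made for the example.

```python
# Added example (not the forensics operator's code): models the documented
# ForensicsConfig trigger gating. The SecurityEvent shape is an assumption.
from dataclasses import dataclass
from typing import Optional, Tuple

# Defaults as stated in the ForensicsConfig spec.
DEFAULT_TRIGGER = {
    "classes": ["Detection", "Anomaly"],
    "minSeverities": ["high", "critical"],
    "requireAttested": True,
    "namespaceAllowlist": [],          # empty list = match all namespaces
}

@dataclass
class SecurityEvent:
    se_type: str                       # SE type, e.g. ExecIntoPod
    se_class: str                      # SE class, e.g. Detection
    severity: str
    namespace: str
    bundle_phase: Optional[str] = None  # AttestationBundle.phase; None = no bundle

def should_capture(spec: dict, event: SecurityEvent) -> Tuple[bool, str]:
    """Decide whether an SE triggers a capture; returns (decision, reason)."""
    trigger = {**DEFAULT_TRIGGER, **spec.get("trigger", {})}
    # whitelistedTypes is an explicit opt-in: an empty list matches nothing.
    if event.se_type not in spec.get("whitelistedTypes", []):
        return False, "type not in whitelistedTypes"
    if event.se_class not in trigger["classes"]:
        return False, "class not in trigger.classes"
    if event.severity not in trigger["minSeverities"]:
        return False, "severity not in trigger.minSeverities"
    # namespaceAllowlist has the opposite semantics: an empty list matches all.
    allowlist = trigger["namespaceAllowlist"]
    if allowlist and event.namespace not in allowlist:
        return False, "namespace not in trigger.namespaceAllowlist"
    # requireAttested gates on a Sealed bundle so a forged SE cannot drive a freeze.
    if trigger["requireAttested"] and event.bundle_phase != "Sealed":
        return False, "requireAttested set but AttestationBundle.phase is not Sealed"
    return True, "capture"

# Constructed sample spec: relies on the defaults for classes/minSeverities.
SAMPLE_SPEC = {
    "trigger": {"requireAttested": True, "namespaceAllowlist": []},
    "whitelistedTypes": ["ExecIntoPod", "HostPathMount"],
}

if __name__ == "__main__":
    ev = SecurityEvent("ExecIntoPod", "Detection", "high", "prod", "Sealed")
    print(should_capture(SAMPLE_SPEC, ev))
```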

TTLConfig

Namespace-scoped singleton. Owned by the ugallu-ttl operator. Per-severity retention windows for SecurityEvent, plus the retention strategies for EventResponse and AttestationBundle.

Spec

  • defaults.securityEvent.{info,low,medium,high,critical} (Duration) - default windows 6h / 12h / 24h / 72h / 168h respectively.
  • defaults.eventResponse.strategy (enum) - matchParent (default) or constant.
  • defaults.attestationBundle.strategy (enum) - parentPlusGrace (default).
  • archiveSnapshotEnabled (bool) - default true. When true the TTL operator writes a per-severity archive snapshot to WORM before the in-cluster object is deleted.
  • worker.poolSize (int) - default 10.
  • worker.queueRateLimit (Quantity) - max events/sec processed.

Status - none. The operator rebuilds its in-memory schedule on spec change.

Example

apiVersion: security.ugallu.io/v1alpha1
kind: TTLConfig
metadata: { name: default, namespace: ugallu-system }
spec:
  defaults:
    securityEvent:
      info: 6h
      low: 12h
      medium: 24h
      high: 72h
      critical: 168h
    eventResponse:
      strategy: matchParent
    attestationBundle:
      strategy: parentPlusGrace
      grace: 24h
  archiveSnapshotEnabled: true
  worker:
    poolSize: 10
    queueRateLimit: "100/s"

WORMConfig

Namespace-scoped singleton. Owned by the ugallu-worm operator. Backend endpoint, encryption mode, and retention floors.

Spec

  • backend (enum) - seaweedfs (default) or s3.
  • endpoint (string) - WORM backend endpoint.
  • bucket (string).
  • encryption.mode (enum) - sse-kms (default) or none.
  • encryption.kmsKeyID (string).
  • retention.bundle (Duration) - minimum retention for attestation bundles.
  • retention.forensicsFs (Duration) - default 1y.
  • retention.forensicsMem (Duration) - default 1y.
  • quotas.softQuotaPercent (int) - default 80. The operator emits a WormQuotaWarning SE above this watermark.

Status - none. State lives on the bucket itself; the operator queries the backend on every reconcile rather than caching.

Example

apiVersion: security.ugallu.io/v1alpha1
kind: WORMConfig
metadata: { name: default, namespace: ugallu-system }
spec:
  backend: s3
  endpoint: https://worm.example.internal
  bucket: ugallu-worm-prod
  encryption:
    mode: sse-kms
    kmsKeyID: "arn:aws:kms:eu-west-1:111122223333:key/abcdef..."
  retention:
    bundle: 10y
    forensicsFs: 5y
    forensicsMem: 1y
  quotas:
    softQuotaPercent: 80