Skip to content
ugallu

Architecture

ugallu is a monorepo of independently-deployable operators that share one versioned API surface (security.ugallu.io/v1alpha1) and one supply-chain pipeline (cosign-keyless via GitHub OIDC).

Operators

Section titled “Operators”
OperatorClassWhat it does
audit-detectionDetectionApiserver audit log → Sigma rule engine → SecurityEvent.
dns-detectDetectionCoreDNS plugin gRPC stream → 5 detectors (exfil, tunneling, blocklist, young-domain, anomalous-port).
tenant-escapeDetectionCross-tenant Secret/HostPath/NetworkPolicy/Exec via audit-bus + Tetragon.
honeypotDetectionDecoy CRs (Secret/SA) + tripwire SE on read.
webhook-auditorDetectionRisk-scores admission webhooks; flags fail-open + missing CA bundles.
forensicsForensicSE-triggered IR pipeline: pod freeze → snapshot → WORM → unfreeze.
seccomp-genPolicyViolationCaptures runtime syscalls via tetragon-bridge → renders OCI seccomp.json.
backup-verifyComplianceVelero / etcd-snapshot integrity verification + sandbox restore + diff.
compliance-scanCompliancekube-bench (CIS) + Falco runtime + in-tree CEL custom checks.
confidential-attestationComplianceTPM 2.0 / SEV-SNP / TDX node attestation.
gitops-responderForensicEventResponse → ArgoCD Application kick.

Plus the SDK runtime singletons:

ComponentRole
resolverSubject hydration: cgroup/PID/IP/SA → Pod tier-1 snapshot.
attestorSigns SE → DSSE bundle → cosign keyless → Rekor → WORM.
ttlTime-based GC of SE / Result CRs.
backpressureCluster-wide rate limiter for emitter SDK.
tetragon-bridgeTyped gRPC fan-out from Tetragon FineGuidance.

CRD surface (security.ugallu.io/v1alpha1)

Section titled “CRD surface (security.ugallu.io/v1alpha1)”
SecurityEvent              - the headline event type
EventResponse              - typed action taken in response (PodFreeze, ...)
AttestationBundle          - cosign-signed in-toto envelope of an SE
SigmaRule                  - per-rule detection definition for audit-detection
AuditDetectionConfig       - audit-detection runtime config (singleton)
DNSDetectConfig            - dns-detect runtime config (singleton)
HoneypotConfig             - honeypot decoys + allowlisted actors
WebhookAuditorConfig       - webhook risk thresholds + caBundle allowlist
ForensicsConfig            - capture trigger predicate + concurrency cap
TenantBoundary             - multi-tenancy boundary (per-tenant)
WORMConfig                 - evidence bucket endpoint, encryption, retention
AttestorConfig             - signing mode (fulcio / openbao / dual) + Rekor URL
TTLConfig                  - per-severity retention windows
GitopsResponderConfig      - git provider routing + bot identity
SeccompTrainingRun         -> SeccompTrainingProfile
BackupVerifyRun            -> BackupVerifyResult
ComplianceScanRun          -> ComplianceScanResult
ConfidentialAttestationRun -> ConfidentialAttestationResult

16 ValidatingAdmissionPolicies guard the CRD surface; 5 of them enforce admission-time structural invariants (subject discriminator, type catalog parity, ack allowlist), the rest are per-CRD spec validators.

Supply chain

Section titled “Supply chain”
   commit → CI build → multi-arch image (amd64+arm64)
                          
                          
                    cosign sign (Fulcio + Rekor + GitHub OIDC)
                          
                          
                    SBOM attestation (spdxjson via cosign attest)
                          
                          
                    GHCR image + .sig + .att tags

The same pipeline applies at SE level: every SecurityEvent the platform emits goes through DSSE encoding → cosign signing → Rekor inclusion → WORM archive.