What is ugallu?

Ugallu - apotropaic spirit at the gates of Mesopotamian temples. Watches, warns, and turns the bad guys back. Same job in your cluster.

ugallu is an open-source Kubernetes security platform that focuses on three things you actually need to ship:

  1. Detection - Sigma rules over the API-server audit log, DNS-anomaly detection as a CoreDNS plugin, multi-tenancy boundary breaches, decoy honeypots, webhook risk-scoring, and exec/process-tree observation via Tetragon.
  2. Forensics - a pod-freeze + ephemeral-container snapshot pipeline that streams the container filesystem to a WORM bucket, all driven by SecurityEvent CRs (IR-as-code).
  3. Attestation - every SecurityEvent the platform emits is wrapped in an in-toto attestation signed with cosign, with the signing identity issued by Fulcio and the signature recorded in the Rekor transparency log, then sealed in a WORM object so you can prove “what we saw, when we saw it, who saw it”.
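
The first pillar in working code, as an added example that is not ugallu's own detector or its Sigma backend: a Sigma-style evaluator with the condition fixed to "selection and not filter", run over a few constructed Kubernetes audit-log lines, emitting one SecurityEvent-shaped record per hit. The SecurityEvent fields, the rule titles and the sample log lines are assumptions made for this example; the page does not show the real CRD schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is a minimal Sigma-style rule with the condition fixed to "selection and not filter":
// every Selection key must match (any listed value), and a hit is dropped if every Filter key matches.
type Rule struct {
	Title     string
	Selection map[string][]string // key = "field.path" or "field.path|startswith"
	Filter    map[string][]string
}

// SecurityEvent fields are assumed for this example; ugallu's real CRD schema is not shown on the page.
type SecurityEvent struct {
	Rule      string
	Principal string
	Namespace string
	AuditID   string
}

// lookup walks a dotted path ("objectRef.subresource") through a decoded audit event.
// A missing field reads as ""; unlike real Sigma, a rule value of "" would therefore match it.
func lookup(ev map[string]any, path string) string {
	var cur any = ev
	for _, p := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return ""
		}
		cur = m[p]
	}
	s, _ := cur.(string)
	return s
}

// matchKey applies one "field[|modifier]" key: true if the field matches any listed value.
func matchKey(ev map[string]any, key string, values []string) bool {
	field, mod, _ := strings.Cut(key, "|")
	got := lookup(ev, field)
	for _, want := range values {
		if (mod == "startswith" && strings.HasPrefix(got, want)) || (mod == "" && got == want) {
			return true
		}
	}
	return false
}

// Matches implements "selection and not filter".
func (r Rule) Matches(ev map[string]any) bool {
	all := func(keys map[string][]string) bool {
		for k, v := range keys {
			if !matchKey(ev, k, v) {
				return false
			}
		}
		return true
	}
	return all(r.Selection) && (len(r.Filter) == 0 || !all(r.Filter))
}

// Evaluate returns one SecurityEvent per rule hit. Unparseable lines are skipped here;
// a real pipeline should count them, because a broken audit feed is itself a finding.
func Evaluate(rules []Rule, lines []string) []SecurityEvent {
	var out []SecurityEvent
	for _, line := range lines {
		var ev map[string]any
		if json.Unmarshal([]byte(line), &ev) != nil {
			continue
		}
		for _, r := range rules {
			if r.Matches(ev) {
				out = append(out, SecurityEvent{Rule: r.Title, Principal: lookup(ev, "user.username"),
					Namespace: lookup(ev, "objectRef.namespace"), AuditID: lookup(ev, "auditID")})
			}
		}
	}
	return out
}

// Rules are two detections written the way Sigma rules for the Kubernetes audit log read, minus the YAML.
var Rules = []Rule{
	{Title: "Exec/attach into pod by non-system principal",
		Selection: map[string][]string{"verb": {"create"}, "objectRef.resource": {"pods"}, "objectRef.subresource": {"exec", "attach"}},
		Filter:    map[string][]string{"user.username|startswith": {"system:"}}},
	{Title: "Secrets enumerated by non-system principal",
		Selection: map[string][]string{"verb": {"list", "watch"}, "objectRef.resource": {"secrets"}},
		Filter:    map[string][]string{"user.username|startswith": {"system:"}}},
}

// SampleAuditLines are constructed audit.k8s.io/v1 events for the example, not real logs.
var SampleAuditLines = []string{
	`{"auditID":"a1","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"api-0"},"responseStatus":{"code":101}}`,
	`{"auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:kube-system:debugger"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system"}}`,
	`{"auditID":"a3","verb":"list","user":{"username":"bob"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}`,
	`{not json`,
}

func RunSample() []SecurityEvent { return Evaluate(Rules, SampleAuditLines) }

func main() { fmt.Printf("%+v\n", RunSample()) }
```

Two of the four sample lines produce events: the exec by alice into prod and the cluster-wide secrets list by bob (no namespace in objectRef, so the record carries an empty one). The exec by the kube-system service account is suppressed by the filter, and the malformed line is skipped. A detector built this way would hand each record to the platform as a SecurityEvent CR and let the forensics and attestation operators react.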

Around the three pillars sit compliance (kube-bench / Falco / in-tree CEL checks), backup verification (Velero + etcd-snapshot checksum + sandbox-restore), seccomp profile training, and confidential-computing attestation (TPM / SEV-SNP / TDX) - each one a single-purpose operator on the same CRD surface.

Every operator emits and consumes Kubernetes Custom Resources. The benefits are concrete:

  • kubectl is the API. Access to ugallu objects is plain RBAC on the CRDs, and the API-server audit log already records every read and write of them: no second IAM, no separate audit log.
  • GitOps friendly. ArgoCD/Flux manage the runtime config like any other manifest.
  • Drift visible. kubectl get securityevents -A is the dashboard.
  • Pluggable. Build your own detector - emit a SecurityEvent and the rest of the platform (forensics trigger, attestation, WORM archiving) picks it up for free.

Requirements:

  • Kubernetes ≥ 1.30 for the ValidatingAdmissionPolicy CEL surface (GA in 1.30).
  • Linux node kernel ≥ 5.8 for the modern eBPF probes (Falco / Tetragon).
  • Cilium is the canonical CNI; Calico and other CNIs are supported via the generic NetworkPolicy fallback.

What ugallu is not:

  • Not a SIEM. ugallu emits events; ship them to your existing SIEM.
  • Not a CI/CD scanner. The compliance backend is runtime focused (CIS K8s + Falco rules + your CEL pack); image scanning is its own pipeline.
  • Not a replacement for Kyverno or OPA Gatekeeper. ugallu uses ValidatingAdmissionPolicies for guard-rails on its own CRD surface; cluster-wide policy lives in your existing tool of choice.
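
The attestation pillar, and the promise that a SecurityEvent emitted by any detector gets attested, as an added example that is not ugallu's code: an in-toto v1 Statement whose subject is the sha256 of the SecurityEvent bytes, carried in a DSSE envelope and signed over the DSSE pre-authentication encoding with ECDSA P-256, which is the envelope shape cosign attestations use. It signs with a locally generated key and does not talk to Fulcio or Rekor, so the certificate and transparency-log half of the real pipeline is out of scope here. The predicate type URI, the key ID and the event field names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// in-toto v1 Statement inside a DSSE envelope: the layout cosign attestations use.
type (
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Statement struct {
		Type          string         `json:"_type"`
		Subject       []Subject      `json:"subject"`
		PredicateType string         `json:"predicateType"`
		Predicate     map[string]any `json:"predicate"`
	}
	Envelope struct {
		PayloadType string              `json:"payloadType"`
		Payload     string              `json:"payload"`
		Signatures  []map[string]string `json:"signatures"` // each {"keyid": ..., "sig": ...}
	}
)

const payloadType = "application/vnd.in-toto+json"

// pae is DSSE pre-authentication encoding; signing it binds payloadType to the body.
func pae(t string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(body), body))
}

// Sign makes the SecurityEvent bytes the statement subject (by sha256), then signs
// the DSSE PAE with ECDSA P-256. The predicate type URI is assumed for this example.
func Sign(name string, event []byte, predicate map[string]any, key *ecdsa.PrivateKey, keyID string) (Envelope, error) {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(event))}}},
		PredicateType: "https://example.invalid/ugallu/securityevent-observation/v1",
		Predicate:     predicate,
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	d := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []map[string]string{{"keyid": keyID, "sig": base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify checks the signature, then that the subject digest matches the event bytes
// in hand: a good signature over a statement about other bytes proves nothing here.
func Verify(env Envelope, pub *ecdsa.PublicKey, event []byte) (Statement, error) {
	var st Statement
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return st, fmt.Errorf("malformed envelope")
	}
	d := sha256.Sum256(pae(env.PayloadType, payload))
	raw, err := base64.StdEncoding.DecodeString(env.Signatures[0]["sig"])
	if err != nil || !ecdsa.VerifyASN1(pub, d[:], raw) {
		return st, fmt.Errorf("signature verification failed")
	}
	want := fmt.Sprintf("%x", sha256.Sum256(event))
	if json.Unmarshal(payload, &st) != nil || len(st.Subject) == 0 || st.Subject[0].Digest["sha256"] != want {
		return st, fmt.Errorf("payload is not a statement about the supplied event bytes")
	}
	return st, nil
}

// Demo signs a constructed SecurityEvent (field names assumed, not the real CRD
// schema), verifies it, then verifies a tampered copy, which must be rejected.
func Demo() (verified, tamperRejected bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	event := []byte(`{"kind":"SecurityEvent","metadata":{"name":"exec-api-0","namespace":"prod"},"spec":{"principal":"alice"}}`)
	tampered := []byte(`{"kind":"SecurityEvent","metadata":{"name":"exec-api-0","namespace":"prod"},"spec":{"principal":"mallory"}}`)
	env, err := Sign("securityevent/prod/exec-api-0", event, map[string]any{"detector": "audit-sigma"}, key, "ugallu-attestor")
	if err != nil {
		return false, false, err
	}
	_, errOK := Verify(env, &key.PublicKey, event)
	_, errTamper := Verify(env, &key.PublicKey, tampered)
	return errOK == nil, errTamper != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Verify does two independent checks: the DSSE signature, and that the subject digest equals the bytes of the event the verifier actually holds. Skipping the second is the classic mistake, since a valid signature on a statement about some other event proves nothing about this one. In the keyless flow the page describes, a verifier additionally checks the Fulcio certificate's identity (issuer and subject) and the Rekor inclusion proof before trusting the signature at all.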