Architecture

System Architecture

Abstract

This document provides a concise overview of the Alauda Security Service architecture for Kubernetes environments.


Alauda Security Service adopts a distributed, container-based architecture for scalable, low-impact security on Kubernetes clusters.

Key Components

  • Central Services: Deployed on a single cluster, providing management, API, and UI (Alauda Security Service Portal). Includes Central, Central DB (PostgreSQL 13), and the Scanner V4 vulnerability scanner.
  • Secured Cluster Services: Deployed on each protected cluster. Includes Sensor (cluster monitoring and policy enforcement), Admission Controller (admission-time policy enforcement), Collector (runtime process and network data collection), and optional Scanner V4 components for local scanning.

Scanner Overview

  • Scanner V4: The default and only supported scanner since version 4.7. Supports language and OS-specific image scanning. Consists of Indexer, Matcher, and DB.

Vulnerability Sources

  • Scanner V4 consumes vulnerability intelligence from multiple sources, including vendor data, OSV, NVD, and operating-system-specific feeds.

Deployment Notes

  • Operator-based installs deploy a lightweight Scanner V4 on each secured cluster so that images from integrated registries can be scanned locally.
  • Helm installs must set the value scannerV4.disable=false to enable the lightweight Scanner V4; it is not deployed otherwise.
  • If Central and secured cluster services share a namespace, only Central deploys Scanner V4 components.

External Integrations

  • Third-party systems (CI/CD, SIEM, logging, email)
  • roxctl CLI
  • Image registries (auto/manual integration)
  • definitions.stackrox.io (vulnerability feeds)
  • collector-modules.stackrox.io (kernel modules)

The exact integration set depends on your deployment model and the integrations configured in the platform.

Component Interactions

Alauda Security Service with Scanner V4

Component            | Direction | Component            | Description
Central              | →         | Scanner V4 Indexer   | Image indexing and index report generation
Central              | →         | Scanner V4 Matcher   | Vulnerability matching and reporting
Sensor               | →         | Scanner V4 Indexer   | Delegated image indexing
Scanner V4 Indexer   | →         | Image registries     | Pulls image metadata and layers
Scanner V4 Matcher   | →         | Scanner V4 Indexer   | Fetches index reports
Scanner V4 Indexer   | →         | Scanner V4 DB        | Stores indexing results
Scanner V4 Matcher   | →         | Scanner V4 DB        | Stores and updates vulnerability data
Sensor               | ↔         | Central              | Configuration and event sync
Collector            | →         | Sensor               | Sends runtime and network data
Admission controller | →         | Sensor               | Policy enforcement and scan requests
Admission controller | →         | Central              | Direct communication if Sensor is unavailable

The arrow shows which component initiates the interaction.

These interactions are conceptual. The exact runtime topology can vary depending on whether scanning is local, delegated, or shared with Central.

Default Ports and Protocols

Connection                       | Type       | Port | Notes
Central ↔ Scanner V4 Indexer     | gRPC       | 8443 |
Central ↔ Sensor                 | TCP/gRPC   | 443  | Bidirectional; Sensor initiates the connection, so secured clusters need no inbound exposure to Central
Central ↔ CLI                    | gRPC/HTTPS | 443  | See roxctl for options
Central ↔ Vulnerability feeds    | HTTPS      | 443  | definitions.stackrox.io
Collector → Sensor               | gRPC       | 443  |
Scanner V4 Indexer → Central     | HTTPS      | 443  |
Scanner V4 Indexer/Matcher → DB  | TCP        | 5432 | PostgreSQL
Sensor ↔ Admission Controller    | gRPC       | 443  | Bidirectional
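A practical use of the port table is to turn it into least-privilege network policies, so that, for example, the Scanner V4 DB accepts TCP/5432 only from the Indexer and Matcher and nothing else. The script below is an added example written for this page; it is not code from Alauda or StackRox. It assumes that the components carry app=<component> pod labels, that they run in a namespace called stackrox, and it keeps only the pod-to-pod connections from the table that stay inside one cluster: the Sensor ↔ Central link crosses clusters and cannot be expressed with a podSelector, so it is left out, as is external access to Central from roxctl or the Portal, which needs an extra rule before the generated Central policy is applied.

```python
"""Derive least-privilege Kubernetes NetworkPolicy manifests from the
default port table on this page.

Added example for the page; not code from Alauda or StackRox. The
namespace, the app=<component> pod labels and the connection list are
assumptions constructed from the table above.
"""
import json

NAMESPACE = "stackrox"  # assumption: all components share this namespace

# (client, server, TCP port), constructed from the Default Ports table.
# Only same-cluster, pod-to-pod connections are kept; Sensor -> Central is
# cross-cluster and external CLI/UI access is not a pod selector case.
DEFAULT_CONNECTIONS = [
    ("central", "scanner-v4-indexer", 8443),        # Central <-> Indexer, gRPC
    ("scanner-v4-indexer", "central", 443),         # Indexer -> Central, HTTPS
    ("scanner-v4-indexer", "scanner-v4-db", 5432),  # Indexer -> DB
    ("scanner-v4-matcher", "scanner-v4-db", 5432),  # Matcher -> DB
    ("collector", "sensor", 443),                   # Collector -> Sensor, gRPC
    ("admission-control", "sensor", 443),           # Admission Controller -> Sensor
]


def ingress_policy(server, connections=DEFAULT_CONNECTIONS, namespace=NAMESPACE):
    """Allow ingress to `server` only from the listed clients on the listed
    ports. Because the policy selects the server pods and lists Ingress in
    policyTypes, every inbound connection not matched by a rule is denied."""
    clients_by_port = {}
    for client, srv, port in connections:
        if srv == server:
            clients_by_port.setdefault(port, set()).add(client)
    # A component that only initiates connections (Collector here) gets an
    # empty ingress list, which Kubernetes treats as default-deny ingress.
    ingress = [
        {
            "from": [{"podSelector": {"matchLabels": {"app": c}}}
                     for c in sorted(clients)],
            "ports": [{"protocol": "TCP", "port": port}],
        }
        for port, clients in sorted(clients_by_port.items())
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{server}-ingress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": server}},
            "policyTypes": ["Ingress"],
            "ingress": ingress,
        },
    }


def allowed_clients(policy, port):
    """Return the app labels a generated policy admits on `port` (review aid)."""
    allowed = set()
    for rule in policy["spec"]["ingress"]:
        if any(p["port"] == port for p in rule["ports"]):
            allowed.update(peer["podSelector"]["matchLabels"]["app"]
                           for peer in rule["from"])
    return allowed


def all_policies(connections=DEFAULT_CONNECTIONS):
    """One ingress policy per component that appears as client or server."""
    components = {c for c, _, _ in connections} | {s for _, s, _ in connections}
    return {c: ingress_policy(c, connections) for c in sorted(components)}


if __name__ == "__main__":
    for name, policy in all_policies().items():
        print(f"--- {name}")
        print(json.dumps(policy, indent=2))
```

Run it and pipe each manifest through kubectl apply only after adding the rules the table does not cover: an ingress rule on Central for Sensor traffic from other clusters (ipBlock or an ingress controller) and for roxctl and Portal users. Components that run in the host network namespace are not matched by podSelector either, so verify the effect in a non-production cluster first.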