Alauda Container Security

Architecture

TOC

System Architecture

Abstract

This document provides a concise overview of the Alauda Container Security architecture for Kubernetes environments.

Alauda Container Security adopts a distributed, container-based architecture for scalable, low-impact security on Alauda Container Platform or Kubernetes clusters.

Key Components

  • Central Services: Deployed on a single cluster, providing management, API, and UI (Alauda Container Security Portal). Includes Central, Central DB (PostgreSQL 13), and the Scanner V4 vulnerability scanner.
  • Secured Cluster Services: Deployed on each protected cluster. Includes Sensor (cluster monitoring and policy enforcement), Admission Controller (policy admission), Collector (runtime and network data collection), and optional scanner components.

Scanner Overview

  • Scanner V4: The default and only supported scanner since version 4.7. Supports language and OS-specific image scanning. Consists of Indexer, Matcher, and DB.

Vulnerability Sources

  • Scanner V4: Red Hat VEX, Red Hat CVE Map, OSV, NVD, and additional OS sources.

Deployment Notes

  • Operator installs a lightweight Scanner V4 on each cluster for integrated registry scanning.
  • Helm installs require scannerV4.disable=false to enable the lightweight Scanner V4.
  • If Central and secured cluster services share a namespace, only Central deploys Scanner V4 components.

External Integrations

  • Third-party systems (CI/CD, SIEM, logging, email)
  • roxctl CLI
  • Image registries (auto/manual integration)
  • definitions.stackrox.io (vulnerability feeds)
  • collector-modules.stackrox.io (kernel modules)

Component Interactions

Alauda Container Security with Scanner V4

ComponentDirectionComponentDescription
CentralScanner V4 IndexerImage indexing and report generation
CentralScanner V4 MatcherVulnerability matching and reporting
SensorScanner V4 IndexerDelegated image indexing
Scanner V4 IndexerImage RegistriesPulls image metadata and layers
Scanner V4 MatcherScanner V4 IndexerFetches index reports
Scanner V4 IndexerScanner V4 DBStores indexing results
Scanner V4 MatcherScanner V4 DBStores and updates vulnerability data
SensorCentralConfiguration and event sync
CollectorSensorSends runtime/network data
Admission controllerSensorPolicy enforcement and scan requests
Admission controllerCentralDirect communication if Sensor unavailable

Default Ports and Protocols

ConnectionTypePortNotes
Central ↔ Scanner V4 IndexergRPC8443
Central ↔ SensorTCP/gRPC443Bidirectional, Sensor initiates
Central ↔ CLIgRPC/HTTPS443See roxctl for options
Central ↔ Vulnerability feedsHTTPS443definitions.stackrox.io
Collector → SensorgRPC443
Collector (Compliance) → SensorgRPC8444If node scanning enabled
Scanner V4 Indexer → CentralHTTPS443
Scanner V4 Indexer/Matcher → DBTCP5432
Sensor ↔ Admission ControllergRPC443Bidirectional