ARCHITECTURE
A unified security control plane for Kubernetes.
A unified control plane, lightweight agents in every cluster, and native integrations with your existing stack: this is what sits behind the architecture diagram.
Centralized Control Plane
Manage policies, compliance and clusters from a single pane of glass. JWT/OIDC-secured REST API, Vue 3 frontend, PostgreSQL 16 store, NATS event bus.
- Live dashboards (clusters, violations, compliance score)
- Policy Center: assignment, audit/enforce, TTL exceptions
- Audit Engine: immutable trail, JSON/syslog exports
- Reporting: Cosign-signed PDF, SHA-256 hash
Cluster Agents
Kubernetes-native agents deployed in each customer cluster. Air-gap mode supported. Outbound HTTPS only (mTLS).
- Heartbeat: 30s
- Kyverno: local policy enforcement
- Runtime Collector (coming): eBPF, Falco/Tetragon
- Footprint: < 50 Mi (mebibytes) of RAM per agent
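As an added illustration of the audit/enforce modes and TTL exceptions mentioned in the Policy Center and agent sections (these manifests are not Aegis Vetis's own configuration; Kyverno 1.11 or later with its cleanup controller is assumed, and the policy, namespace and exception names are made up):

```yaml
# Illustrative Kyverno manifests, not product code. validationFailureAction decides
# whether a violation is only recorded (Audit) or blocks admission (Enforce).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Audit   # start in Audit; flip to Enforce once reports are clean
  background: true                 # also scan existing Pods and write PolicyReports
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Scoped, time-boxed exception: only Pods in the "legacy" namespace are exempt from
# that single rule. The cleanup.kyverno.io/ttl label asks Kyverno's cleanup controller
# (assumed enabled) to delete the exception after 72h, so it expires instead of
# silently becoming permanent.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-privileged-exception
  namespace: legacy
  labels:
    cleanup.kyverno.io/ttl: 72h
spec:
  exceptions:
    - policyName: disallow-privileged-containers
      ruleNames:
        - privileged-containers
  match:
    any:
      - resources:
          kinds:
            - Pod
          namespaces:
            - legacy
```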
Native Integrations
Aegis Vetis does not reinvent the wheel. We stand on the CNCF ecosystem and plug into your operations stack.
- Kyverno (policies)
- Kubescape, Trivy (posture / vulnerabilities)
- Prometheus / Grafana (observability)
- Argo CD, Falco/Tetragon (coming)
- SIEM Graylog/Splunk/Sentinel (coming)
Data Layer
PostgreSQL 16 encrypted at rest, schema versioned with golang-migrate. Artefacts (PDF reports, raw scans) are stored on a persistent volume or in sovereign object storage.
- PostgreSQL 16 (optional HA via Patroni)
- Idempotent migrations
- pgBackRest backups
- No customer data ever leaves your infrastructure
Platform Security
Aegis Vetis applies to itself what it expects from others: hardening, Cosign signatures, distroless, mTLS by default, strict RBAC.
- Distroless images, keyless-signed with Cosign
- mTLS Control Plane ↔ agents (cert-manager + internal CA)
- Least-privilege Kubernetes RBAC
- Yearly pen-test, documented threat model
- Responsible disclosure: 90-day window