Logical Architecture

Data Flow — End-to-End Signal Paths

Three primary pipelines — Metrics, Logs, and Security Events — traverse 9 Kubernetes nodes across 2 Cilium ClusterMesh-linked clusters. Every signal originates at a workload, is collected by DaemonSet agents, normalised, stored, and terminates in an actionable alert or automated AWX response.

Critical Paths

Primary Signal Pipelines

METRICS     Pod / Node → Node Exporter :9100 / kube-state-metrics :8080 → Prometheus scrape → Alertmanager → Grafana + Discord / AWX
LOGS        containerd stdout/stderr → Fluent Bit DaemonSet → Loki (MinIO backend) + Splunk HEC :8088 → Grafana LogQL
SECURITY    Suricata / Wazuh / Tetragon → OTel Collector :4317 → Wazuh Indexer + TheHive case → Cortex analyze → OpenCTI enrich
CTI ENRICH  AlienVault / CVE / Shodan → OpenCTI connectors → STIX2 graph → MISP IoC → TheHive case enrich

Zone Diagram

Logical Zones — Signal Ingress to Response

External

  EDGE      Cloudflare          DDoS · WAF · DNS · Zero Trust Tunnel              dash.cloudflare.com
              → HTTPS/TLS 1.3
  VPS       WireGuard VPS       154.26.x.x · Tunnel endpoint
              → WG tunnel
  ON-PREM   OPNsense HAProxy    L7 LB · SSL · Reverse proxy
              → VLAN route
  SOC VIP   MetalLB             172.16.x.x · ingress-nginx

CLUSTER INGRESS · mTLS · OIDC

SOC Cluster

  SOC            Cilium 1.19.2        eBPF CNI · L3–L7 · Hubble flows · mTLS             hub.onelabs.work
                   (ClusterMesh)
  SEC            Cilium (SEC)         3-node cluster · Shared service mesh
  DaemonSet ×6   Tetragon eBPF        Kernel syscall trace · Process audit · LSM
  DaemonSet ×6   Wazuh Agent          FIM · auditd · MITRE tagging                       wazu.onelabs.work
  DaemonSet ×6   OTel Collector       :4317 gRPC · Traces · Metrics · Logs
  SOC            Prometheus           kube-prometheus-stack · ServiceMonitors · Rules    prom.onelabs.work
  SOC            Alertmanager         Route · Dedup · Discord + AWX trigger              alert.onelabs.work
  SOC            Grafana              Dashboards · LogQL · OIDC SSO · SOC views          graf.onelabs.work
  SOC            Fluent Bit           ×6 DaemonSet · K8s metadata inject
  SOC            Loki                 3-write + 3-backend · MinIO S3 · 30d retain        loki.onelabs.work
                   +
  VM             Splunk HEC           :8088 Fluent Bit out · SIEM long-term
  SOC            Argo CD v3.3.6       GitOps sync · App of Apps · 2 repo-servers HA      argo.onelabs.work
                   (pull)
  VM             GitLab CE 18.x       Source · CI/CD · Pipeline → Registry               gitlab.onelabs.work
                   → push image
  VM             Container Registry   Trivy CVE scan · CA                                regis.onelabs.work
  VM             AWX                  149 Playbooks · Event-driven · RBAC                awx.onelabs.work

CILIUM CLUSTERMESH · cross-cluster DNS · shared svc

SEC Cluster

  SEC   OpenCTI          CTI graph · STIX2 · 5 workers · ATT&CK    cti.onelabs.work
          (sync)
  VM    MISP             IoC · STIX/TAXII · Community feeds        misp.onelabs.work
  SEC   CTI Connectors   AlienVault · Shodan · CVE · URLHaus · VT
  SEC   Elasticsearch    OpenCTI backend · 30 GiB PVC
          +
  SEC   RabbitMQ         Worker queue · 5 consumers
          +
  SEC   MinIO (SEC)      OpenCTI S3 files · 20 GiB PVC

ALERT ESCALATION · HTTPS · Internal CA

SOC Response

  VM   TheHive         Case management · IR · Alert triage · Timeline   hive.onelabs.work
         → analyzer
  VM   Cortex          100+ analyzers · Responders · Auto-block         cort.onelabs.work
         → block / enrich
  VM   Authentik SSO   OIDC · LDAP · MFA · All services unified         auth.onelabs.work
         (red-team)
  VM   Caldera C2      Adversary emulation · k8s-sandcat agent          c2c.onelabs.work
         → remediate
  VM   AWX Response    Auto-remediate PBs · Block IP · Pod quarantine   awx.onelabs.work

IDENTITY & PKI · All Services · Vault-signed Certs

Identity / Storage

  VM    AD CA (Root)      saza-AD-CA · Root of trust                          adone.onelabs.work
          → signs
  VM    Vault HA Raft     Intermediate CA · Secrets · *.onelabs.work certs    vault.onelabs.work
          → issues
  SOC   cert-manager      TLS automation · Vault issuer · ACME
  SOC   Longhorn 1.11.1   295 GiB · 3-replica · 10 PVCs bound                 stog.onelabs.work
  SOC   MinIO             S3 backend · 100 GiB · Loki chunks · Object Lock    minio.onelabs.work

Legend: SOC = SOC cluster workload · SEC = SEC cluster workload · VM = VM-hosted service (off-cluster) · External / edge · → unidirectional flow · ↔ bidirectional sync

Cluster Detail

Live State — Audit 2026-05-03

SOC Cluster · soc1–soc6

  Property          Value
  Nodes             6 (3 ctrl + 3 worker)
  Total pods        130
  Running           129 / 130
  VIP (ingress)     172.16.x.x
  ClusterMesh VIP   172.16.x.x
  Storage (PVCs)    10 bound · 295 GiB
  Wazuh agents      6/6 ✔
  Tetragon          6/6 ✔
  Fluent Bit        6/6 ✔
  OTel Collector    6/6 ✔

  Namespaces (pod count): kube-system 37 · monitoring 28 · longhorn-system 27 · argocd 15 · wazuh 6 · otel 6 · metallb-system 6 · cert-manager 3 · minio 1 · ingress-nginx 1

SEC Cluster · sec1–sec3

  Property          Value
  Nodes             3 (ctrl-plane only)
  Total pods        92
  Running           90 / 92
  Pending           1 (clustermesh certs job)
  VIP (ingress)     172.16.x.x
  ClusterMesh VIP   172.16.x.x
  Storage (PVCs)    4 bound · 60 GiB
  Wazuh agents      3/3 ✔
  Tetragon          3/3 ✔
  Fluent Bit        3/3 ✔
  OTel Collector    3/3 ✔

  Namespaces (pod count): longhorn-system 27 · kube-system 25 · opencti 16 · monitoring 8 · metallb-system 4 · wazuh 3 · otel 3 · cert-manager 3 · ingress-nginx 2 · default 1