Skip to content

Platform Architecture

Architecture

This document describes the architecture of the Contain Platform using the principles of the C4 model. The C4 model helps communicate software architecture at different levels of abstraction, making it understandable for various audiences.

We use the formal C4 levels to "zoom in" on the platform's architecture:

  • Level 1: System Context: Shows how the platform fits into a typical organization, its users, and its high-level system interactions.
  • Level 2: Architectural Views: Decomposes the platform into its largest parts from different perspectives.
  • Level 3: Components: Zooms into individual sub-systems to show their key components.

Level 1: System Context

Overview

The System Context Overview diagram provides a simplified, high-level view of how the Contain Platform fits into a typical customer's environment. It shows the key players and systems involved, treating the platform as a single "black box" to clarify its main purpose and interactions.

Application Observability Service

Application Observability is an add-on service. While we utilize an observability system for managing and monitoring the platform itself, we also provide a fully managed observability service for customer applications.

Diagram Explanation
  • Developer: Builds and operates the customer's business applications and uses the Application Observability Service to improve application performance and stability.
  • Customer: Owns and operates business applications and can use the application observability service to monitor them
  • Customer Applications: The new, value-creating applications and services that run on the platform.
  • Contain Platform: The platform is shown as a set of high-level systems:
  • Contain Base: A managed environment for running containerized applications.
  • Application Observability: Provides insights into the health and performance of applications.
  • Managed Services: Offers a range of services to support applications.
  • Contain Operations: Manages, monitors, and maintains the platform.
  • Contain Platform Engineers: Develops and extends the platform.
High-Level System Context for the Contain PlatformHigh-Level System Context for the Contain PlatformContain[enterprise]Contain Base A managed environment forrunning containerizedapplications.ApplicationObservability Provides insights into thehealth and performance ofapplications.Managed Services Offers a range of services tosupport the platform.Contain Operations Manages, monitors, andmaintains the platformContain PlatformEngineers Develops and extends theplatformDeveloper Builds and operatesbusiness applicationsCustomer Owns and operatesbusiness applicationsCustomerApplications Value-creating applicationsand servicesBuilds and operatesRuns onUsesSends observabilitydata toViews dashboards,metrics, logsManages andmaintainsDevelops and extendsLegend  person  system  enterprise boundary  platform 
High-Level System Context for the Contain PlatformHigh-Level System Context for the Contain PlatformContain[enterprise]Contain Base A managed environment forrunning containerizedapplications.ApplicationObservability Provides insights into thehealth and performance ofapplications.Managed Services Offers a range of services tosupport the platform.Contain Operations Manages, monitors, andmaintains the platformContain PlatformEngineers Develops and extends theplatformDeveloper Builds and operatesbusiness applicationsCustomer Owns and operatesbusiness applicationsCustomerApplications Value-creating applicationsand servicesBuilds and operatesRuns onUsesSends observabilitydata toViews dashboards,metrics, logsManages andmaintainsDevelops and extendsLegend  person  system  enterprise boundary  platform 

Detail - Customer Engagement

This diagram focuses on how a customer's development team interacts with the Contain Platform and their own systems. It shows the key relationships between developers, the applications they build, and the platform services they consume.

Diagram Explanation
  • Developer: Builds and operates business applications on the Contain Platform.
  • Customer Applications: New, value-creating applications and services built by the customer.
  • Customer Systems: Existing customer systems that the platform integrates with, such as SIEM, monitoring tools, and other applications.
  • Customer IdP: The customer's Identity Provider (e.g., Entra ID, Keycloak) for user authentication.
  • Contain Platform: The system itself, composed of:
  • Contain Base: Provides a secure, managed environment for running applications.
  • Application Observability: Provides insights into the health and performance of customer applications.
System Context - Customer EngagementSystem Context - Customer EngagementCustomer's Organization[enterprise]Contain Platform[system]Developer Builds and operatesbusiness applicationsCustomerApplications Value-creating applicationsand servicesCustomer Systems e.g. SIEM, monitoring, otherappsCustomer IdP e.g. Entra ID, KeycloakContain Base Provides a managedenvironment for runningapplications.ApplicationObservability Provides insights into thehealth and performance ofapplications.BuildsDeploys and managesapplications viaGitOps & APIsRuns onIntegrates withAuthenticates usersMetrics, logs, tracesViews dashboards,metrics, logsLegend  person  system  external system  enterprise boundary  system boundary  platform 
System Context - Customer EngagementSystem Context - Customer EngagementCustomer's Organization[enterprise]Contain Platform[system]Developer Builds and operatesbusiness applicationsCustomerApplications Value-creating applicationsand servicesCustomer Systems e.g. SIEM, monitoring, otherappsCustomer IdP e.g. Entra ID, KeycloakContain Base Provides a managedenvironment for runningapplications.ApplicationObservability Provides insights into thehealth and performance ofapplications.BuildsDeploys and managesapplications viaGitOps & APIsRuns onIntegrates withAuthenticates usersMetrics, logs, tracesViews dashboards,metrics, logsLegend  person  system  external system  enterprise boundary  system boundary  platform 

Detail - Our Engagement

This diagram shows the system context from our perspective, illustrating how our internal teams manage and develop the platform. It highlights the separation between our operational responsibilities and the customer's environment.

Diagram Explanation
  • Contain Operations: The team responsible for the 24/7 monitoring, management, and maintenance of the platform's health and security.
  • Contain Platform Engineer: The team responsible for developing new features and extending the capabilities of the platform.
  • Customer Applications: The applications and services built by the customer, which run on the platform.
  • Contain Platform: The system itself, composed of:
  • Contain Base: The managed environment where customer applications run.
  • Platform Observability: Our internal system for monitoring the health of the core platform components.
  • Application Observability: The service that provides observability for customer applications.
  • Infrastructure: The underlying cloud or on-premise resources (e.g., servers, networking) where the platform is deployed.
System Context - Our EngagementSystem Context - Our EngagementCustomer's Organization[enterprise]Contain[enterprise]Contain Platform[system]Infrastructure Provider[enterprise]CustomerApplications Value-creating applicationsand servicesContain Operations Manages, monitors, andmaintains the ContainPlatformPlatform Engineer Develops and extends theContain PlatformContain Base Provides a managedenvironment for runningapplications.PlatformObservability Provides insights into thehealth and performance ofthe platform.ApplicationObservability Provides insights into thehealth and performance ofapplications.Infrastructure Underlying cloud oron-premise resources(compute, storage, etc.)Runs onManages andmaintainsDevelops and extendsRuns onMetrics, Logs, TracesMetrics, Logs, TracesViews Dashboards,Metrics, LogsSends alertsLegend  person  system  external system  enterprise boundary  system boundary  platform 
System Context - Our EngagementSystem Context - Our EngagementCustomer's Organization[enterprise]Contain[enterprise]Contain Platform[system]Infrastructure Provider[enterprise]CustomerApplications Value-creating applicationsand servicesContain Operations Manages, monitors, andmaintains the ContainPlatformPlatform Engineer Develops and extends theContain PlatformContain Base Provides a managedenvironment for runningapplications.PlatformObservability Provides insights into thehealth and performance ofthe platform.ApplicationObservability Provides insights into thehealth and performance ofapplications.Infrastructure Underlying cloud oron-premise resources(compute, storage, etc.)Runs onManages andmaintainsDevelops and extendsRuns onMetrics, Logs, TracesMetrics, Logs, TracesViews Dashboards,Metrics, LogsSends alertsLegend  person  system  external system  enterprise boundary  system boundary  platform 

Level 2: Architectural Views

Level 2 diagrams "zoom in" on the Contain Platform to show its high-level structure. We can view the platform's architecture from different perspectives.

Logical Sub-Systems View

This first view decomposes the platform into its major logical sub-systems, showing how they work together to provide the platform's capabilities.

Diagram Explanation
  • Management Plane: The central control point that manages the lifecycle of and offers services to the clusters.
  • Workload Plane: One or more Kubernetes clusters where customer applications are deployed and run.
  • Observability Plane: Systems that collect and analyze telemetry (metrics, logs, traces). This includes both our own internal observability systems and the Application Observability add-on service.
  • Managed Services: A suite of managed services like databases and object storage.
Major Sub-Systems within the Contain PlatformMajor Sub-Systems within the Contain PlatformContain PlatformManagement Plane[Manages clusters and platformservices]Workload Plane[Runs customer applications]Observability Plane[Collects and analyzes alltelemetry]Managed Services[Databases, Object Storage,etc.]DeveloperOperations Manages and maintains theContain PlatformPlatform Engineer Develops and extends theContain Platformobservability_plane_planeDeploys applicationstoViews dashboardsand logs fromUsesSends telemetry toSends telemetry toProvisions andconfiguresUses services fromLegend  person  boundary  platform 
Major Sub-Systems within the Contain PlatformMajor Sub-Systems within the Contain PlatformContain PlatformManagement Plane[Manages clusters and platformservices]Workload Plane[Runs customer applications]Observability Plane[Collects and analyzes alltelemetry]Managed Services[Databases, Object Storage,etc.]DeveloperOperations Manages and maintains theContain PlatformPlatform Engineer Develops and extends theContain Platformobservability_plane_planeDeploys applicationstoViews dashboardsand logs fromUsesSends telemetry toSends telemetry toProvisions andconfiguresUses services fromLegend  person  boundary  platform 

Cluster View

This second view shows the platform's architecture from the perspective of its physical cluster topology. The platform is composed of several specialized Kubernetes clusters that work together.

Diagram Explanation
  • Workload Cluster(s): The clusters where applications run. This runs the Contain Base service and other managed services.
  • Application Observability (if enabled): Service that provides a monitoring stack for your applications.
  • Management Services: Various services used by the clusters (image registry, IdP, etc.)
  • Managed Services: A suite of managed services like databases and object storage.
Clusters and ServicesClusters and ServicesContain PlatformManagement Services[Service] Shared services (registry,IdP, etc)ApplicationObservability[Service] Centralized monitoring,logging, and tracing stack.Workload Cluster(s)[Kubernetes Cluster] Runs customer applicationsand services.Managed Services[Service] Managed services (db,queue, etc)Provisions andManages LifecycleUsesSends telemetry toSends telemetry toUsesLegend  boundary  cluster  service 
Clusters and ServicesClusters and ServicesContain PlatformManagement Services[Service] Shared services (registry,IdP, etc)ApplicationObservability[Service] Centralized monitoring,logging, and tracing stack.Workload Cluster(s)[Kubernetes Cluster] Runs customer applicationsand services.Managed Services[Service] Managed services (db,queue, etc)Provisions andManages LifecycleUsesSends telemetry toSends telemetry toUsesLegend  boundary  cluster  service 

Infrastructure View

This third view shows the platform's architecture from the perspective of its physical infrastructure in a single datacenter. It illustrates how a workload cluster is deployed within an isolated network environment on the underlying servers or virtual machines.

In reality the cluster will span multiple datacenters, Availability Zones or Availability Cells. For the sake of simplicity, we will focus on a single datacenter in this view.

Diagram Explanation
  • Infrastructure Layer: The physical or virtual servers that host the platform.
  • Network Segment / Security Group: An isolated network environment for each cluster, providing security and separation.
  • Workload Cluster: Decomposed into its control plane and worker nodes.
  • Control Plane: A set of three nodes for high availability.
  • Worker Nodes: A minimum of three nodes (usually 6 or more for production environments) that run the customer applications.
Infrastructure ViewInfrastructure ViewInfrastructure Layer[Cloud, On-Premise, or Air-gapped]Network Segment / Security Group[Isolated Network Environment]Workload Cluster[system]Control PlaneWorker NodesNode 1[Server/VM]Node 2[Server/VM]Node 3[Server/VM]Node 1[Server/VM]Node 2[Server/VM]Node 3[Server/VM]...[Server/VM]Legend  system boundary  boundary  server/vm 
Infrastructure ViewInfrastructure ViewInfrastructure Layer[Cloud, On-Premise, or Air-gapped]Network Segment / Security Group[Isolated Network Environment]Workload Cluster[system]Control PlaneWorker NodesNode 1[Server/VM]Node 2[Server/VM]Node 3[Server/VM]Node 1[Server/VM]Node 2[Server/VM]Node 3[Server/VM]...[Server/VM]Legend  system boundary  boundary  server/vm 

Level 3: Components

Level 3 diagrams zoom into a specific sub-system to show its internal components. These are useful for understanding the details of a particular capability.

Workload Plane

This diagram details the major logical systems inside a single Workload Plane, which is one or more Kubernetes clusters. It shows the Kubernetes Control Plane, the GitOps controller that manages the cluster state, and where customer applications run.

Workload Plane ComponentsWorkload Plane ComponentsWorkload PlaneControl PlaneWorker NodesContain Baseetcd[Cluster State Store]Scheduler[Assigns pods to nodes]Controller Manager[Maintains desired state]Kubernetes API[Primary entry point for allcluster interactions]CustomerApplications[Containerized Workloads]Managed Services[Databases, Queues, etc.]GitOps Controller[FluxCD] Synchronizes cluster statefrom GitCore Services[Services] DNS, Secrets, Certificates,etc.Applies manifests toReads/Writes statefrom/toWatches forunscheduled pods viaWatches for statechanges viaLegend  container  boundary 
Workload Plane ComponentsWorkload Plane ComponentsWorkload PlaneControl PlaneWorker NodesContain Baseetcd[Cluster State Store]Scheduler[Assigns pods to nodes]Controller Manager[Maintains desired state]Kubernetes API[Primary entry point for allcluster interactions]CustomerApplications[Containerized Workloads]Managed Services[Databases, Queues, etc.]GitOps Controller[FluxCD] Synchronizes cluster statefrom GitCore Services[Services] DNS, Secrets, Certificates,etc.Applies manifests toReads/Writes statefrom/toWatches forunscheduled pods viaWatches for statechanges viaLegend  container  boundary 

Contain Base

Contain Base is our fully managed and production-ready Kubernetes service that serves as the central orchestration engine for containerized applications. It's a curated, "batteries-included" distribution that extends upstream Kubernetes with a set of best-in-class, open-source components, pre-integrated and hardened by our team.

This diagram shows the key components that are included in every cluster as part of the Contain Base service.

Diagram Explanation
  • Automation & Delivery: Using GitOps to manage the cluster state.
  • Security & Governance: Enforcing policies and managing secrets and certificates.
  • Networking: Controlling ingress traffic and managing DNS.
  • Operations & Resilience: Providing backup/restore capabilities and resource metrics.
  • CSI, CNI, CPI: Providing storage, networking, and cloud provider integration.
Contain Base ComponentsContain Base ComponentsContain Base (in Workload Cluster)[system]Automation & DeliverySecurity & GovernanceNetworkingOperations & ResilienceStorageCloudKubernetes API[API Server] Central control planeendpointCustomerApplications[Workloads] Applications deployed byusers.Flux (GitOps Toolkit)[Controller] Reconciles cluster statefrom Git.Namespace Operator[Controller] Automates namespaceprovisioning with defaults.Gatekeeper[Admission Controller] Enforces policies onresource creation.cert-manager[Controller] Automates TLS certificatemanagement.External Secrets[Controller] Syncs secrets from externalstores.Contour[Ingress Controller] Manages external access toservices.ExternalDNS[Controller] Automates creation of DNSrecords.CNI[Interface] Manages networkconnectivity.Velero[Backup Tool] Provides disaster recoveryfor cluster resources.metrics-server[Monitoring] Provides basic resourcemetrics for HPA.CSI[Interface] Manages storageCPI[Interface] Manages cloud providerresourcesGit Repositories Sources of truth for clusterstateExternal Secret Store e.g., Vault, OpenBao, AzureKey VaultCloud DNS Provider e.g., AWS Route53, GoogleCloud DNSBackup ObjectStorage S3-compatible storage forbackupsExternal CertificateAuthority e.g., Let's EncryptProvides declarativestate to[Git]Manages resourcesviaDeploys & ConfiguresProvides secrets toSyncs secrets intoRoutes externaltraffic toSignals required DNSrecords toCreates/Updates DNSrecords inValidates/Mutatesresources viaAdmission WebhooksManages Certificate& Secret resources inRequests certificatesfromStores backups inBacks up resourcesfromProvides metrics toSchedules & RunsLegend  component  external system  system boundary  boundary  k8s-api  security  automation  networking  operations  external  cloud  storage 
Contain Base ComponentsContain Base ComponentsContain Base (in Workload Cluster)[system]Automation & DeliverySecurity & GovernanceNetworkingOperations & ResilienceStorageCloudKubernetes API[API Server] Central control planeendpointCustomerApplications[Workloads] Applications deployed byusers.Flux (GitOps Toolkit)[Controller] Reconciles cluster statefrom Git.Namespace Operator[Controller] Automates namespaceprovisioning with defaults.Gatekeeper[Admission Controller] Enforces policies onresource creation.cert-manager[Controller] Automates TLS certificatemanagement.External Secrets[Controller] Syncs secrets from externalstores.Contour[Ingress Controller] Manages external access toservices.ExternalDNS[Controller] Automates creation of DNSrecords.CNI[Interface] Manages networkconnectivity.Velero[Backup Tool] Provides disaster recoveryfor cluster resources.metrics-server[Monitoring] Provides basic resourcemetrics for HPA.CSI[Interface] Manages storageCPI[Interface] Manages cloud providerresourcesGit Repositories Sources of truth for clusterstateExternal Secret Store e.g., Vault, OpenBao, AzureKey VaultCloud DNS Provider e.g., AWS Route53, GoogleCloud DNSBackup ObjectStorage S3-compatible storage forbackupsExternal CertificateAuthority e.g., Let's EncryptProvides declarativestate to[Git]Manages resourcesviaDeploys & ConfiguresProvides secrets toSyncs secrets intoRoutes externaltraffic toSignals required DNSrecords toCreates/Updates DNSrecords inValidates/Mutatesresources viaAdmission WebhooksManages Certificate& Secret resources inRequests certificatesfromStores backups inBacks up resourcesfromProvides metrics toSchedules & RunsLegend  component  external system  system boundary  boundary  k8s-api  security  automation  networking  operations  external  cloud  storage 

Management Plane

The Management Plane provides a set of centralized, shared services that are used by the workload clusters and the operations team. These services are essential for the security, automation, and management of the entire platform.

This diagram shows the key services that make up the Management Plane.

Diagram Explanation
  • Identity Provider (IdP): A centralized service for managing user and service authentication.
  • Container Registry: A private registry for storing and distributing container images, with integrated vulnerability scanning.
  • Git Server: The source of truth for the GitOps-driven cluster and application configuration.
  • DNS Provider: Manages the DNS records for services running in the workload clusters.
  • Secret Store: A secure, centralized location for managing secrets and other sensitive data.
  • PKI Service: Manages the Public Key Infrastructure, including issuing and renewing certificates.
  • Image Scanner: Scans container images for known vulnerabilities.
Management Plane ComponentsManagement Plane ComponentsManagement Services[system]Identity Provider(IdP)[e.g., Keycloak, Entra ID] Provides centralizedauthentication for users andservices.Container Registry[e.g., Harbor, GHCR] Stores, secures, anddistributes containerimages.Git Server[e.g., GitHub, GitLab] Provides the source of truthfor GitOps.DNS Provider[e.g., Route53, Azure DNS] Hosts and managespublic/private DNS zones.Secret Store[e.g., OpenBao, Vault] Provides centralized andsecure secret management.PKI Service[e.g., OpenBao, Cloud CA] Manages certificateauthorities and issuescertificates.Image Scanner[Trivy] Scans container images forvulnerabilities.Workload Cluster The Kubernetes clusterrunning customerapplications.CI/CD Pipeline Builds and pushes images.Developer Writes application andinfrastructure code.Pushes code andconfiguration toPushes images toAuthenticates usersvia[OIDC/LDAP]Pulls images fromReconciles state from[GitOps]Manages DNS recordsin[API]Syncs secrets from[API]Requests certificatesfrom[ACME/API]Scans images inTriggers scans onpushLegend  component  external person  external system  system boundary  identity  registry  git  dns  secrets  pki  scanning  cluster  external 
Management Plane ComponentsManagement Plane ComponentsManagement Services[system]Identity Provider(IdP)[e.g., Keycloak, Entra ID] Provides centralizedauthentication for users andservices.Container Registry[e.g., Harbor, GHCR] Stores, secures, anddistributes containerimages.Git Server[e.g., GitHub, GitLab] Provides the source of truthfor GitOps.DNS Provider[e.g., Route53, Azure DNS] Hosts and managespublic/private DNS zones.Secret Store[e.g., OpenBao, Vault] Provides centralized andsecure secret management.PKI Service[e.g., OpenBao, Cloud CA] Manages certificateauthorities and issuescertificates.Image Scanner[Trivy] Scans container images forvulnerabilities.Workload Cluster The Kubernetes clusterrunning customerapplications.CI/CD Pipeline Builds and pushes images.Developer Writes application andinfrastructure code.Pushes code andconfiguration toPushes images toAuthenticates usersvia[OIDC/LDAP]Pulls images fromReconciles state from[GitOps]Manages DNS recordsin[API]Syncs secrets from[API]Requests certificatesfrom[ACME/API]Scans images inTriggers scans onpushLegend  component  external person  external system  system boundary  identity  registry  git  dns  secrets  pki  scanning  cluster  external 

Git and Artifacts Flow

The platform is built on a GitOps workflow, where Git is the single source of truth for both application and infrastructure configuration. This diagram illustrates the end-to-end flow, from a developer pushing code to a new version of the application running in the cluster.

Diagram Explanation
  1. A developer pushes code changes to a Git repository.
  2. The push triggers a CI/CD pipeline that builds and tests the application, then pushes a new container image to the registry.
  3. The pipeline updates a configuration file in the Git repository with the new image tag.
  4. The GitOps controller (Flux), running in the cluster, detects the change in the repository.
  5. Flux applies the new configuration to the cluster, which then pulls the new image and deploys the updated application.
Git and Artifacts FlowGit and Artifacts FlowKubernetes Cluster[system]GitOps Controller(Flux)[Continuously reconciles thecluster state with Git.]Application[The running customerapplication.]Developer Writes and commits code.Git Repository Source of truth forapplication andinfrastructure code.CI/CD Pipeline Builds, tests, and packagesthe application.Container Registry Stores container images.1. Pushes code &config changes2. Triggers pipeline4. Updates image tagin config3. Pushes containerimage5. Detects changes inGit6. Applies updatedstate to7. Pulls newcontainer image fromLegend  person  component  external person  external system  system boundary  person  git  cicd  registry  automation 
Git and Artifacts FlowGit and Artifacts FlowKubernetes Cluster[system]GitOps Controller(Flux)[Continuously reconciles thecluster state with Git.]Application[The running customerapplication.]Developer Writes and commits code.Git Repository Source of truth forapplication andinfrastructure code.CI/CD Pipeline Builds, tests, and packagesthe application.Container Registry Stores container images.1. Pushes code &config changes2. Triggers pipeline4. Updates image tagin config3. Pushes containerimage5. Detects changes inGit6. Applies updatedstate to7. Pulls newcontainer image fromLegend  person  component  external person  external system  system boundary  person  git  cicd  registry  automation 

Observability

The platform provides a centralized observability solution based on the Grafana LGTM stack (Loki for logs, Grafana for visualization, Tempo for traces, and Mimir for metrics). When the Application Observability Service is enabled for a workload cluster, telemetry agents are deployed to collect and forward data to the central observability plane.

This diagram illustrates the flow of telemetry data from an instrumented application to the observability platform, where a developer can analyze it.

Observability Plane

The Observability Plane covers all services related to observability. While the diagram shows one system, in reality it consists of multiple observability stacks. For instance, to avoid resource contention, we deploy our own internal stack for monitoring the platform itself. For more information, see Observability.

Diagram Explanation
  • Developer: Instruments their application using OpenTelemetry SDKs and uses Grafana to view dashboards, logs, traces, and metrics.
  • Customer Application: The customer's application is instrumented to generate telemetry data (logs, metrics, traces) using OpenTelemetry which is either pulled or pushed.
  • Telemetry Collectors: The telemetry data is collected either by scraping customer applications or via pushes from customer applications.
  • Observability Plane: Dedicated clusters hosting the LGTM stack, which receives, stores, and visualizes the telemetry data.
Observability FlowObservability FlowWorkload Cluster[system]Telemetry AgentsObservability Plane[system]Customer Application[Instrumented withOpenTelemetry SDKs.]OpenTelemetryCollector[Receives, processes, andexports telemetry data.]Prometheus Agent[Scrapes and forwards metrics.]Loki[Stores and queries logs.]Tempo[Stores and queries traces.]Metrics Store (Mimir)[Stores and queries metrics.]Grafana[Visualizes logs, metrics, andtraces.]Alertmanager[Handles alerts and sendsnotifications.]Developer Instruments apps, createsdashboards, and analyzestelemetry.Operations Monitors platform healthand responds to incidents.1. Instrumentsapplication with SDKs6. Creates/viewsdashboards, logs,traces & metrics2. Sends traces &logs[OTLP]3. Scrapes metrics4. Forwards logs4. Forwards traces4. Forwards metrics5. Queries logs5. Queries traces5. Queries metricsForwards alerts toSends notifications toViews dashboardsLegend  person  component  external person  system boundary  boundary  person  app  telemetry  lgtm 
Observability FlowObservability FlowWorkload Cluster[system]Telemetry AgentsObservability Plane[system]Customer Application[Instrumented withOpenTelemetry SDKs.]OpenTelemetryCollector[Receives, processes, andexports telemetry data.]Prometheus Agent[Scrapes and forwards metrics.]Loki[Stores and queries logs.]Tempo[Stores and queries traces.]Metrics Store (Mimir)[Stores and queries metrics.]Grafana[Visualizes logs, metrics, andtraces.]Alertmanager[Handles alerts and sendsnotifications.]Developer Instruments apps, createsdashboards, and analyzestelemetry.Operations Monitors platform healthand responds to incidents.1. Instrumentsapplication with SDKs6. Creates/viewsdashboards, logs,traces & metrics2. Sends traces &logs[OTLP]3. Scrapes metrics4. Forwards logs4. Forwards traces4. Forwards metrics5. Queries logs5. Queries traces5. Queries metricsForwards alerts toSends notifications toViews dashboardsLegend  person  component  external person  system boundary  boundary  person  app  telemetry  lgtm 

Authentication

While direct access to the Kubernetes API can be made available, we encourage teams to interact with the Contain Platform primarily through the GitOps workflow for deployments and the observability platform for monitoring. This approach provides a more secure, auditable, and collaborative environment. Direct access may not always be available, depending on the specific security and compliance requirements of the organization.

When direct access is required, the platform authenticates users via our Managed Identity Provider (IdP), which can optionally federate with the organization's existing IdP (like Entra ID or Okta).

This diagram shows a simplified, high-level view of the authentication flow from a user's perspective.

Diagram Explanation
  1. User Authenticates to Cluster: The user initiates an action against the Workload Cluster (e.g., via kubectl or a UI).
  2. Cluster Redirects to Managed IdP: The cluster redirects the user's authentication request to our Managed IdP.
  3. Managed IdP Federates (Optional): If configured, our IdP federates with the customer's own IdP, allowing the user to authenticate with their corporate credentials.
  4. User Receives Token: After successful authentication, the user receives a token that the client can use.
  5. User Accesses Cluster: The user's client uses the token to securely access the Workload Cluster.
High-Level Authentication FlowHigh-Level Authentication FlowManagement Plane[system]Managed IdP[Keycloak] Our central IdP.User/Developer Wants to access the cluster.Workload ClusterCustomer IdP e.g., Entra ID, Okta1. Authenticates to[kubectl/UI]2. Redirects authrequest to3. Federates with(optional)Legend  person  system boundary  cluster  managed-idp  customer-idp 
High-Level Authentication FlowHigh-Level Authentication FlowManagement Plane[system]Managed IdP[Keycloak] Our central IdP.User/Developer Wants to access the cluster.Workload ClusterCustomer IdP e.g., Entra ID, Okta1. Authenticates to[kubectl/UI]2. Redirects authrequest to3. Federates with(optional)Legend  person  system boundary  cluster  managed-idp  customer-idp 

Authorization

Once a user is authenticated, the platform uses Kubernetes Role-Based Access Control (RBAC) to determine what actions they are allowed to perform.

Authorization is based on the group claims present in the user's ID Token (JWT), which is provided by the Identity Provider. These groups are then mapped to Kubernetes Roles or ClusterRoles via RoleBindings or ClusterRoleBindings.

This diagram illustrates how the Kubernetes API server uses the information in a user's ID token to make an authorization decision.

Diagram Explanation
  1. User Makes Request: An authenticated user makes a request to the Kubernetes API, presenting their ID Token.
  2. API Checks RBAC Policies: The API server extracts the user's identity and group membership from the token. It then checks the stored RBAC policies to find any roles bound to that user or their groups.
  3. Allow or Deny: Based on the permissions defined in the associated roles, the API server either allows or denies the user's request.
Kubernetes RBAC Authorization FlowKubernetes RBAC Authorization FlowKubernetes Cluster[system]Kubernetes APIServer[Receives API requests.]RBAC Policy Store[Stores Roles, ClusterRoles,RoleBindings, andClusterRoleBindings.]Authenticated User A user who has alreadyauthenticated.ID Token (JWT)[Contains user identity (name,groups) from the IdP.]1. Makes API requestwith[ID Token]3. Allows or Deniesrequest2. Checks user'spermissions againstFinds matchingRoleBindings foruser/groupsGets allowedverbs/resources fromRolesExtracts user &groupsLegend  person  component  system boundary  person  rbac  authz data 
Kubernetes RBAC Authorization FlowKubernetes RBAC Authorization FlowKubernetes Cluster[system]Kubernetes APIServer[Receives API requests.]RBAC Policy Store[Stores Roles, ClusterRoles,RoleBindings, andClusterRoleBindings.]Authenticated User A user who has alreadyauthenticated.ID Token (JWT)[Contains user identity (name,groups) from the IdP.]1. Makes API requestwith[ID Token]3. Allows or Deniesrequest2. Checks user'spermissions againstFinds matchingRoleBindings foruser/groupsGets allowedverbs/resources fromRolesExtracts user &groupsLegend  person  component  system boundary  person  rbac  authz data 

Backup & Recovery

Application Data Backup

By default, the platform's backup and recovery solution covers the Kubernetes resources and configuration within your cluster. However, it does not automatically back up the data stored within your application's Persistent Volumes (PVs). To ensure your application data is protected, you must explicitly use our managed backup service for your stateful applications. Read more about this here.

The platform provides a robust backup and recovery solution using Velero, an open-source tool for safely backing up and restoring resources in a Kubernetes cluster. Velero runs in each workload cluster and is configured to store backups in a dedicated, S3-compatible object storage bucket located in the Management Plane.

This diagram illustrates the high-level backup and restore flow.

Diagram Explanation

Backup Flow

  1. Backup Initiated: An automated backup schedule or a manual trigger initiates a backup job.
  2. Velero Queries API: Velero queries the Kubernetes API server to get a list of the resources to be backed up.
  3. Velero Backs Up Resources: Velero creates a backup file of the Kubernetes objects (Deployments, Services, etc.).
  4. Velero Backs Up PVs: For any Persistent Volumes (PVs), Velero performs a file-system level backup of the data within the volume.
  5. Backup Stored in S3: The Kubernetes object backup and the PV file-system backup are stored in the S3-compatible object storage bucket in the Management Plane.

Restore Flow

  1. Restore Initiated: An operator initiates a restore job, specifying the backup to restore from.
  2. Velero Retrieves Backup: Velero retrieves the Kubernetes object backup and the PV file-system backup from the S3 bucket.
  3. Velero Restores Resources: Velero restores the Kubernetes objects and creates new Persistent Volumes. Velero then restores the file-system data into the new volumes, bringing the application back to its previous state.
Backup & Recovery FlowBackup & Recovery FlowWorkload Cluster[system]Management Plane[system]Kubernetes API[Resource endpoint]Velero[Backup & Restore Tool] Orchestrates backup andrecovery.Persistent Volumes[Application Data] Stores application state.S3 Object Storage[Backup Target] Stores cluster resourcebackups.Queries configurationand schedulesTakes backups ofPushes backups toPulls backups from[Restore]Legend  component  system boundary  backup-tool  storage  k8s-api 
Backup & Recovery FlowBackup & Recovery FlowWorkload Cluster[system]Management Plane[system]Kubernetes API[Resource endpoint]Velero[Backup & Restore Tool] Orchestrates backup andrecovery.Persistent Volumes[Application Data] Stores application state.S3 Object Storage[Backup Target] Stores cluster resourcebackups.Queries configurationand schedulesTakes backups ofPushes backups toPulls backups from[Restore]Legend  component  system boundary  backup-tool  storage  k8s-api