Q: What are the components of the Cyral sidecar, and what parts of my infrastructure do they communicate with?
A: The components of the Cyral sidecar are shown in the illustration below and explained in the text that follows.
Sidecar component interactions
Sidecar components and systems they communicate with
Component | Function | Communication Mechanisms |
Interceptor | Intercepts client connections at network Layer 4
Handles TLS for client and data endpoint | TCP + mTLS with client and data endpoint
Unix Domain Sockets with Analyzer |
Analyzer | Decodes data endpoint’s comm protocol
Parses request grammar
Analyzes requests
Monitors responses | In-memory library APIs with Policy Engine
gRPC with Authenticator and Alerter |
Policy Engine | Evaluates requests and responses for policy violations | The policy engine contacts the Cyral control plane to load the latest policy. The sidecar sends non-sensitive reporting information to the Cyral control plane. For details, see cyral.com/docs/privacy |
Authenticator | Validates users’ access tokens
Looks up SSO groups and maps to data endpoint accounts
Reads data endpoint account credentials from Vault | mTLS with Identity Provider and Vault |
Alerter | Sends policy violation alerts to configured messaging service | mTLS with messaging service |
Logs Shipper | Sends logs to configured SIEM | mTLS with SIEM |
Metrics Shipper | Send metrics to configured APM | mTLS with APM |
