Overview
PandoCore is a runtime execution-integrity security system for Kubernetes. It continuously monitors your containerized workloads and responds instantly when anomalous behavior is detected, providing an additional layer of protection that operates during execution.
đ Getting Started
Deploy PandoCore in your cluster in under 5 minutes using Helm.
âī¸ Configuration
Complete reference for all Helm values and environment variables.
đ Operating Modes
Understand monitor, enforce, and debug modes.
đ¨ Emergency Procedures
Quickly disable or remove PandoCore when needed.
What PandoCore Does
PandoCore deploys as a sidecar container within your Kubernetes pods. It monitors the behavioral characteristics of your running workloads and detects when execution patterns deviate significantly from established baselines. On detection, PandoCore can:
- Monitor: Detect anomalies and emit evidence without taking action
- Alert: Detect anomalies and send real-time notifications (Slack, webhook) without enforcement
- Enforce: Detect, alert, and respond with graduated actions: network isolation and pod termination
- Debug: Provide verbose logging for troubleshooting and tuning
Architecture Overview
PandoCore operates as a Kubernetes-native sidecar that shares the pod lifecycle with your application:
The sidecar container runs alongside your application within the same pod, sharing the process namespace. This allows PandoCore to observe your workload's behavior without any code changes to your application.
Key Components
| Component | Description |
|---|---|
| Sidecar Container | The core monitoring component that runs alongside your application |
| Admission Webhook | Cluster-wide automatic sidecar injection via label pandocore.io/protect=true |
| PandoCorePolicy CRD | Declarative per-namespace policy configuration for GitOps workflows |
| Helm Chart | Configures RBAC, ConfigMaps, and provides the sidecar injection template |
| Metrics Endpoint | Prometheus-compatible /metrics endpoint for observability |
| Evidence Output | Structured JSON logs suitable for SIEM integration |
How It Works
When a pod starts with PandoCore:
- Learning Window: PandoCore builds a per-workload operational profile during a short startup window (configurable duration)
- Monitoring: Once the profile is ready, the sidecar begins detecting runtime behavioral anomalies
- Detection: Anomalies are classified by severity
- Response: Based on operating mode, PandoCore logs the event (monitor), sends alerts (alert), or executes a graduated response: alert, network isolation, and terminate (enforce)
Integration with Your Stack
PandoCore is designed to complement your existing security infrastructure:
- Observability: Prometheus metrics + Grafana dashboards included
- Log Aggregation: Structured JSON evidence integrates with Splunk, Elastic, Datadog, etc.
- Kubernetes Events: Enforcement actions emit K8s events for audit trails
- Alerting: Use your existing alerting infrastructure on PandoCore metrics
PandoCore requires no modifications to your application code. Simply add the sidecar container to your existing deployments.
PandoCore has been validated across 10+ real-world workloads over 5,000+ pod-hours with a sub-0.005% false positive rate. See the full validation results.
Requirements
| Requirement | Version |
|---|---|
| Kubernetes | 1.25+ |
| Helm | 3.0+ |
| kubectl | Compatible with your cluster version |
Next Steps
Ready to get started? Follow our Getting Started guide to deploy PandoCore in your cluster in under 5 minutes.