Configuration Reference

PandoCore can be configured via Helm values during installation or environment variables at runtime. This reference covers all available options.

Webhook Configuration

The admission webhook (pando-webhook Helm chart) controls automatic sidecar injection cluster-wide:

Helm Value	Default	Description
`licenseKey`	(required)	License key stored as Secret and injected into sidecars
`defaultMode`	`monitor`	Default operating mode for injected sidecars
`excludedNamespaces`	`[kube-system, kube-public, kube-node-lease]`	Namespaces where injection is always skipped
`sidecar.image`	Latest from registry	Sidecar container image to inject
`replicas`	`2`	Webhook server replicas (2 for HA)
`tls.certManager`	`false`	Use cert-manager for TLS (otherwise self-signed)

Per-pod overrides are available via annotations. See Admission Webhook for details.

Portal Integration

Detection events are automatically streamed from sidecars to your PandoCore Portal dashboard. This is enabled by default.

Helm Value	Default	Description
`portalWebhook.enabled`	`true`	Send detection events to the PandoCore Portal
`portalWebhook.url`	`https://portal.pandocore.xyz/api/events/ingest`	Portal ingestion endpoint (override for staging/custom deployments)

When enabled, the webhook sets PANDO_EVIDENCE_WEBHOOK_URL on each sidecar, authenticated via the license key. Events appear in your portal dashboard.

Alert Integration

PandoCore can send real-time Slack alerts when detections occur. Alerts fire in both alert and enforce modes.

Helm Value	Default	Description
`slackWebhookURL`	(empty)	Slack incoming webhook URL for alert notifications

To set up Slack alerts:

Create a Slack incoming webhook for your channel
Set slackWebhookURL in your Helm values
Set defaultMode to alert or enforce

# values.yaml
slackWebhookURL: "https://hooks.slack.com/services/T.../B.../xxx"
defaultMode: alert

In-Cluster Dashboard Configuration

The optional in-cluster dashboard provides real-time debugging visibility. See Dashboard for full documentation.

Helm Value	Default	Description
`dashboard.enabled`	`false`	Enable the in-cluster dashboard deployment
`dashboard.pollInterval`	`"30s"`	How often to poll sidecar `/status` endpoints
`dashboard.maxEvents`	`10000`	Maximum events stored in memory
`dashboard.resources`	50m CPU / 64Mi mem	Resource limits for the dashboard pod

Sidecar Helm Values

These values are set during helm install or in a values.yaml file:

Required Values

Value	Description	Example
`licenseKey`	Your PandoCore license key from the customer portal	`pando_live_abc123...`
`imagePullSecret`	Base64-encoded Docker config for registry access	Provided in customer portal

Image Settings

Value	Default	Description
`image.repository`	`us-central1-docker.pkg.dev/pandocore-prod/sidecar/pando-sidecar`	Container image repository
`image.tag`	Chart appVersion	Image tag to deploy
`image.pullPolicy`	`IfNotPresent`	Image pull policy

Operating Mode

Value	Default	Description
`mode`	`monitor`	`monitor`, `alert`, `enforce`, or `debug`

Detection Thresholds

Value	Default	Description
`thresholds.incremental`	`0.15`	Threshold for sudden behavioral changes (0.0-1.0). Lower = more sensitive.
`thresholds.cumulative`	`0.45`	Threshold for gradual drift accumulation (0.0-1.0). Lower = more sensitive.

Sampling

Value	Default	Description
`sampling.intervalMs`	`100`	How often behavioral data is collected (milliseconds)

Logging

Value	Default	Description
`logging.level`	`info`	Log level: `trace`, `debug`, `info`, `warn`, `error`
`logging.json`	`true`	Enable JSON-structured logging for SIEM integration

Resources

Value	Default	Description
`resources.limits.cpu`	`100m`	CPU limit for sidecar container
`resources.limits.memory`	`50Mi`	Memory limit for sidecar container
`resources.requests.cpu`	`50m`	CPU request for sidecar container
`resources.requests.memory`	`25Mi`	Memory request for sidecar container

Environment Variables

These can be set directly on the sidecar container to override Helm values:

Core Settings

Variable	Default	Description
`PANDO_LICENSE_KEY`	—	License key (required)
`PANDO_MODE`	`monitor`	Operating mode: `monitor`, `enforce`, `debug`
`POD_NAME`	—	Pod name (set via fieldRef)
`POD_NAMESPACE`	—	Pod namespace (set via fieldRef)
`PANDO_TARGET_CONTAINER`	Auto-detect	Name of the container to monitor. Auto-injected by webhook (first non-sidecar container). Override via `pandocore.xyz/target-container` annotation.
`PANDO_TARGET_PID`	`0` (auto)	Explicit PID to monitor. Overrides container-based resolution. Use only for debugging.

Alert Settings

Variable	Default	Description
`PANDO_SLACK_WEBHOOK_URL`	—	Slack incoming webhook URL for alert notifications
`PANDO_ALERT_TIMEOUT_SECONDS`	`5`	Timeout for alert delivery requests

Graduated Response

By default, drift detections follow a graduated response chain: alert → isolate → terminate. Network isolation denies all egress except DNS (port 53), preventing data exfiltration while keeping the pod reachable for health checks. If drift persists past the escalation timeout, the pod is terminated. If drift subsides, isolation is automatically removed.

Variable	Default	Description
`PANDO_RESPONSE_ACTIONS`	Per-detection type	Comma-separated response chain: `alert`, `isolate`, `terminate`
`PANDO_ESCALATION_TIMEOUT_SECS`	`120`	Seconds after isolation before escalating to terminate
`PANDO_RECOVERY_TIMEOUT_SECS`	`60`	Seconds of clean samples after isolation before removing isolation

Default chains by detection type:

Drift threshold exceeded: alert → isolate → terminate
ML anomaly: alert → isolate → terminate
Integrity violation: alert → terminate (immediate, no isolation)
Deadman timeout: alert → terminate
Internal error: alert only

Detection Thresholds

Variable	Default	Description
`PANDO_THRESHOLD_INCREMENTAL`	`0.15`	Threshold for sudden changes (sample-to-sample drift)
`PANDO_THRESHOLD_CUMULATIVE`	`0.45`	Threshold for total drift from baseline
`PANDO_SAMPLE_INTERVAL_MS`	`100`	Sampling interval in milliseconds

Sliding Window (Adaptive Baseline)

Variable	Default	Description
`PANDO_WINDOW_DURATION_SECONDS`	`600`	Duration of the sliding window (10 minutes)
`PANDO_WINDOW_MIN_SAMPLES`	`60`	Minimum samples for a valid window
`PANDO_WINDOW_MAX_SAMPLES`	`6000`	Maximum samples to retain in window

Learning Phase (Threshold Calibration)

Variable	Default	Description
`PANDO_LEARNING_DURATION_SECONDS`	`600`	Learning phase duration (10 minutes)
`PANDO_LEARNING_MIN_SAMPLES`	`300`	Minimum samples for threshold calibration
`PANDO_SKIP_LEARNING`	`false`	Skip learning phase (not recommended)
`PANDO_SENSITIVITY`	`2.0`	Threshold sensitivity multiplier. Higher = fewer false positives. Range: 0.5–10.0
`PANDO_RUNTIME_PROFILE`	`default`	Runtime profile: `default` (sensitivity 2.0), `jit` (sensitivity 3.0, for Java/Node.js/.NET), or `database` (sensitivity 3.0, for PostgreSQL/MySQL/Redis/MongoDB). Auto-detected by the webhook.

Automatic Runtime Detection

The admission webhook automatically detects runtime families from container images and sets the appropriate PANDO_RUNTIME_PROFILE:

jit — Java (OpenJDK, Temurin, Corretto, Spring, Tomcat, Quarkus), Node.js, .NET. JIT runtimes produce higher ambient drift due to tiered compilation and GC heap reorganization.
database — PostgreSQL, MySQL/MariaDB, Redis, MongoDB, Cassandra, CockroachDB, Elasticsearch. Databases exhibit cyclical memory entropy shifts from buffer pool pressure, WAL activity, and connection pool churn.

Both profiles raise sensitivity to 3.0, preventing false positives without reducing detection capability. You can override with an explicit PANDO_SENSITIVITY value.

Integrity Checks

Variable	Default	Description
`PANDO_CHECK_TRACED_STATE`	`true`	Enable detection of debugger attachment
`PANDO_INTEGRITY_CHECK_INTERVAL_SECS`	`30`	Interval between integrity checks

ML Anomaly Detection

Variable	Default	Description
`PANDO_ML_ENABLED`	`true`	Enable ML-based anomaly detection
`PANDO_ML_THRESHOLD`	`0.7`	ML anomaly score threshold (0.0-1.0)
`PANDO_ML_INFERENCE_INTERVAL_SECS`	`60`	Seconds between ML inference runs

Logging Settings

Variable	Default	Description
`PANDO_LOG_LEVEL`	`info`	Log level: `trace`, `debug`, `info`, `warn`, `error`
`PANDO_LOG_JSON`	`true`	Enable JSON-formatted logs for SIEM integration

Configuration Examples

Production Deployment

Recommended settings for production workloads:

# values-production.yaml
licenseKey: "your-license-key"
imagePullSecret: "your-pull-secret"

mode: enforce

thresholds:
  incremental: 0.15
  cumulative: 0.45

logging:
  level: info
  json: true

resources:
  limits:
    cpu: 100m
    memory: 50Mi
  requests:
    cpu: 50m
    memory: 25Mi

Initial Evaluation

Settings for initial deployment and tuning:

# values-evaluation.yaml
licenseKey: "your-license-key"
imagePullSecret: "your-pull-secret"

mode: monitor  # Detect only, don't enforce

thresholds:
  incremental: 0.20  # Less sensitive during evaluation
  cumulative: 0.55

logging:
  level: debug  # More verbose for tuning
  json: true

High-Sensitivity Workloads

For workloads requiring tighter monitoring:

# values-high-sensitivity.yaml
licenseKey: "your-license-key"
imagePullSecret: "your-pull-secret"

mode: enforce

thresholds:
  incremental: 0.10  # More sensitive
  cumulative: 0.35

sampling:
  intervalMs: 50  # Faster sampling

Tuning Thresholds

If you're seeing too many or too few detections, adjust the thresholds:

ℹ️ Tuning Tips

Too many detections: Increase threshold values (e.g., 0.20, 0.55)
Missing real issues: Decrease threshold values (e.g., 0.10, 0.35)
Spiky workloads: Focus on increasing incremental threshold
Gradual drift issues: Focus on adjusting cumulative threshold

Runtime Threshold Adjustment

# Adjust thresholds without redeployment
kubectl set env deployment/your-app -c pando-sidecar \
  PANDO_THRESHOLD_INCREMENTAL=0.20 \
  PANDO_THRESHOLD_CUMULATIVE=0.55

Next Steps

Operating Modes — Understand monitor vs enforce
Evidence Format — Structure of detection events
FAQ — Common configuration questions