Detection Events Dashboard

PandoCore provides two ways to view detection events:

Portal Dashboard (recommended) — Detection events are streamed from sidecars to your PandoCore Portal at portal.pandocore.xyz, stored in Firestore, and displayed in your authenticated customer dashboard. This is the primary way to view events and requires no additional setup beyond the Helm install.
In-cluster Dashboard (optional) — A lightweight dashboard that runs entirely within your cluster for real-time debugging. No data leaves your environment.

Portal Integration

When installed via Helm, the sidecar's PANDO_EVIDENCE_WEBHOOK_URL is automatically configured to send detection events to the PandoCore Portal. Events appear in your customer dashboard at portal.pandocore.xyz/dashboard.

Portal Dashboard

The portal dashboard is available at portal.pandocore.xyz/dashboard after signing in. It shows:

Event Stats — events in last 24h and 7 days, enforcements, and "would have killed" counts
Recent Events — chronological list of detection events with drift scores, severity, and actions taken
Namespace Breakdown — which namespaces are generating events

Events are automatically streamed from sidecars to the portal when portalWebhook.enabled=true (the default). No additional configuration is needed.

Event Data Flow

Sidecar detects drift or threshold exceedance
Evidence is POSTed to portal.pandocore.xyz/api/events/ingest (authenticated via license key)
Portal stores the event in Firestore under your customer account
Dashboard displays events with severity classification and action details

In-Cluster Dashboard (Optional)

For real-time debugging or air-gapped environments, PandoCore also offers an optional in-cluster dashboard.

What the In-Cluster Dashboard Shows

Overview

Protected Deployments — count of deployments with the PandoCore sidecar
Protected Pods — total running pods under protection
Events (24h / 7d) — detection events in the last day and week
Trips (24h) — threshold-exceeding detections
Pod Status — how many pods are in learning, monitoring, or enforcing phase

Event Timeline

A chronological list of detection events, filterable by:

Type — drift detected, trip executed, attestation failed
Severity — info, warning, critical
Namespace — filter to a specific namespace

"What Would Have Happened"

In monitor mode, PandoCore detects but does not terminate pods. The dashboard shows which pods would have been killed if enforcement were enabled, along with the drift score and reason. This lets you validate PandoCore's behavior before switching to enforce mode.

Mode	Action Column Shows
Monitor	WOULD HAVE KILLED — trip threshold exceeded, but no action taken
Enforce	POD TERMINATED — pod was killed and evidence emitted

Enabling the Dashboard

The dashboard is an optional component of the pando-webhook Helm chart:

helm install pando-webhook oci://<registry>/charts/pando-webhook \
  --namespace pando-system \
  --set licenseKey="<your-key>" \
  --set dashboard.enabled=true

Or enable it on an existing installation:

helm upgrade pando-webhook oci://<registry>/charts/pando-webhook \
  --namespace pando-system \
  --reuse-values \
  --set dashboard.enabled=true

Accessing the Dashboard

The dashboard runs as a ClusterIP Service. Access it via port-forward:

kubectl port-forward svc/pando-dashboard -n pando-system 8080:80

Then open http://localhost:8080 in your browser.

No Ingress Required

The dashboard is designed for kubectl port-forward access. You can optionally expose it via an Ingress or LoadBalancer Service if your security policy allows it.

Configuration

Helm Value	Default	Description
`dashboard.enabled`	`false`	Enable the dashboard deployment
`dashboard.pollInterval`	`"30s"`	How often to poll sidecar `/status` endpoints
`dashboard.maxEvents`	`10000`	Maximum events stored in memory
`dashboard.resources`	50m CPU / 64Mi mem	Resource limits for the dashboard pod

REST API

The dashboard exposes a REST API that the UI consumes. You can also use it directly:

Endpoint	Description
`GET /api/summary`	Cluster-wide stats: protected pods, events, trips
`GET /api/deployments`	List of protected deployments with status and drift scores
`GET /api/events?page=1&limit=50`	Paginated event timeline with optional filters (`type`, `severity`, `namespace`)

Architecture

The dashboard is a single Go binary running as a Deployment in pando-system. It collects data from two sources:

Kubernetes Events — watches for events with label pando.io/event-type=collapse (created by sidecars on trip/detection)
Sidecar /status endpoints — polls each protected pod's sidecar on port 9090 at the configured interval

Events are stored in an in-memory ring buffer (configurable size, default 10,000 events). The dashboard has read-only RBAC permissions: it can list/watch events and list pods, but cannot modify any resources.

Resource Footprint

Resource	Limit
CPU	50m
Memory	64Mi

Troubleshooting

Dashboard shows 0 protected pods

Verify pods have the label: kubectl get pods -l pandocore.xyz/protect=true --all-namespaces
Verify the sidecar container is running (2/2 Ready)
Check the dashboard logs: kubectl logs -n pando-system -l app.kubernetes.io/name=pando-dashboard

Events not appearing

Events are populated from two sources. If the event timeline is empty:

Check that sidecars have RBAC to create events (events/create permission)
Wait for the poll interval (default 30s) for status-based events to appear
Verify the dashboard's ClusterRole has events watch permission