Getting Started

Deploy PandoCore in your Kubernetes cluster in under 5 minutes.

This guide will help you deploy PandoCore to protect your Kubernetes workloads. The entire process takes about 5 minutes.

ℹ️ Prerequisites

You'll need:

  • A Kubernetes cluster (1.25+)
  • Helm 3.0+ installed
  • kubectl configured for your cluster
  • Your PandoCore license key (from portal.pandocore.xyz)

Step 1: Add the Helm Repository

First, authenticate with the PandoCore Helm registry (credentials available in your customer portal):

# Authenticate with the PandoCore registry.
# --password-stdin keeps the key out of the process list.
helm registry login us-central1-docker.pkg.dev \
  --username _json_key \
  --password-stdin < your-credentials.json

Step 2: Install the Admission Webhook

Install the PandoCore webhook. This is a one-time, cluster-wide install that enables automatic sidecar injection:

# Install the PandoCore admission webhook
helm install pando-webhook \
  oci://us-central1-docker.pkg.dev/pandocore-prod/charts/pando-webhook \
  --namespace pando-system \
  --create-namespace \
  --set licenseKey="YOUR_LICENSE_KEY"

License Key

Replace YOUR_LICENSE_KEY with the license key from your customer portal. Keep this value secure.

Step 3: Protect a Deployment

Add one label to any deployment to enable PandoCore protection. The webhook automatically injects the sidecar on the next pod creation:

# Label your deployment
kubectl label deployment your-app pandocore.xyz/protect=true

# Restart to trigger injection
kubectl rollout restart deployment/your-app

That's it. The webhook handles sidecar injection, shared process namespace, service account, environment variables, probes, and resource limits automatically.

Per-Namespace Setup

Each namespace with protected pods needs a pando-sidecar ServiceAccount and a copy of the license Secret. The Helm NOTES output includes the exact commands. See Webhook Reference for details.

Step 4: Verify the Installation

Check that the sidecar was injected and is running:

# Check pods — you should see 2/2 containers
kubectl get pods -n your-namespace -l app=your-app

# View sidecar logs
kubectl logs -n your-namespace <pod-name> -c pando-sidecar

# Check sidecar status
kubectl exec -n your-namespace <pod-name> -c pando-sidecar \
  -- wget -qO- http://localhost:9090/status

Learning Phase

When the sidecar starts, it enters a learning phase to establish a baseline of your application's normal behavior. The /readyz endpoint returns 503 during learning and 200 once complete. Default learning duration is 10 minutes.
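The checks from Step 4 and the learning-phase behavior can be combined into one per-pod report. The script below is an added example, not part of PandoCore or its chart; it assumes /readyz is served on port 9090 like the /status endpoint above, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not PandoCore code): per-pod injection and learning state.
# Assumption: /readyz listens on port 9090 like /status and /healthz.

# sidecar_state NAMESPACE POD -> prints missing | not-ready | ready
sidecar_state() {
  local ns="$1" pod="$2" containers
  containers=$(kubectl get pod -n "$ns" "$pod" \
    -o jsonpath='{.spec.containers[*].name}') || return 2
  case " $containers " in
    *" pando-sidecar "*) ;;                 # sidecar was injected
    *) echo missing; return 0 ;;            # labeled but not yet restarted?
  esac
  # wget exits non-zero on the 503 that /readyz returns during learning,
  # and also when the container is unreachable, hence "not-ready".
  if kubectl exec -n "$ns" "$pod" -c pando-sidecar -- \
       wget -qO- http://localhost:9090/readyz </dev/null >/dev/null 2>&1; then
    echo ready
  else
    echo not-ready
  fi
}

# sidecar_report NAMESPACE SELECTOR -> one "pod<TAB>state" line per pod.
# Returns 0 only if every pod is ready, 1 otherwise, 2 on lookup errors.
sidecar_report() {
  local ns="$1" selector="$2" pods pod state rc=0
  pods=$(kubectl get pods -n "$ns" -l "$selector" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}') || return 2
  [ -n "$pods" ] || return 2                # selector matched no pods
  while IFS= read -r pod; do
    [ -n "$pod" ] || continue
    state=$(sidecar_state "$ns" "$pod") || return 2
    printf '%s\t%s\n' "$pod" "$state"
    [ "$state" = ready ] || rc=1
  done <<EOF
$pods
EOF
  return "$rc"
}

# Usage: ./sidecar-report.sh your-namespace app=your-app
if [ "$#" -eq 2 ]; then sidecar_report "$1" "$2"; fi
```

A non-zero exit makes the script usable as a gate in a rollout pipeline: a pod reported as missing was created before the label took effect, and not-ready pods are still inside the learning window or cannot be reached.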

Step 5: View Metrics (Optional)

PandoCore exposes Prometheus-compatible metrics. If you have Prometheus installed, add a scrape config:

- job_name: 'pando-sidecar'
  kubernetes_sd_configs:
    - role: pod
  relabel_configs:
    - source_labels: [__meta_kubernetes_pod_container_name]
      regex: pando-sidecar
      action: keep
    - source_labels: [__meta_kubernetes_pod_container_port_name]
      regex: metrics
      action: keep

Step 6: Configure Slack Alerts (Optional)

Get real-time Slack notifications when PandoCore detects anomalous behavior. Set the operating mode to alert or enforce and provide a Slack incoming webhook URL:

# Upgrade the webhook with Slack alerts enabled
helm upgrade pando-webhook \
  oci://us-central1-docker.pkg.dev/pandocore-prod/charts/pando-webhook \
  --namespace pando-system \
  --set licenseKey="YOUR_LICENSE_KEY" \
  --set defaultMode=alert \
  --set slackWebhookURL="https://hooks.slack.com/services/T.../B.../xxx"

Or configure per-deployment via environment variable:

kubectl set env deployment/your-app -c pando-sidecar \
  PANDO_MODE=alert \
  PANDO_SLACK_WEBHOOK_URL="https://hooks.slack.com/services/T.../B.../xxx"

Alerts are color-coded by severity (critical, high, warning, info) and include pod name, drift score, and action taken. See Operating Modes for the full Monitor → Alert → Enforce escalation model.

Alternative: Manual Injection

For environments where the admission webhook cannot be installed, use the injection script:

# Install sidecar infrastructure only (no webhook)
helm install pando \
  oci://us-central1-docker.pkg.dev/pandocore-prod/charts/pando-sidecar \
  --namespace pando-system \
  --create-namespace \
  --set licenseKey="YOUR_LICENSE_KEY"

# Inject sidecar into a specific deployment
PANDO_LICENSE_KEY="YOUR_LICENSE_KEY" \
  ./inject-pandocore.sh your-app your-namespace

What Happens Next

Once deployed, PandoCore will:

  1. Learn your application's normal behavioral patterns (configurable duration)
  2. Monitor continuously for deviations from the baseline
  3. Respond according to the configured operating mode (monitor, alert, or enforce)

ℹ️ Default Mode: Monitor

By default, PandoCore runs in monitor mode, which detects and logs anomalies without terminating pods. This is recommended for initial deployment. See Operating Modes for details on enabling enforcement.

Quick Reference

Task                      Command
View sidecar logs         kubectl logs <pod> -c pando-sidecar
Check health              kubectl exec <pod> -c pando-sidecar -- wget -qO- http://localhost:9090/healthz
View current drift        kubectl exec <pod> -c pando-sidecar -- wget -qO- http://localhost:9090/metrics | grep pando_drift
Switch to enforce mode    kubectl set env deployment/<name> -c pando-sidecar PANDO_MODE=enforce
Trigger re-learning       kubectl exec <pod> -c pando-sidecar -- wget -qO- --post-data='' http://localhost:9090/relearn

Next Steps