Overview
PandoCore is a runtime execution-integrity security system for Kubernetes. It continuously monitors your containerized workloads and responds instantly when anomalous behavior is detected, providing an additional layer of protection that operates during execution.
Getting Started
Deploy PandoCore in your cluster in under 5 minutes using Helm.
Configuration
Complete reference for all Helm values and environment variables.
Operating Modes
Understand monitor, enforce, and debug modes.
Emergency Procedures
Quickly disable or remove PandoCore when needed.
What PandoCore Does
PandoCore deploys as a sidecar container within your Kubernetes pods. It monitors the behavioral characteristics of your running workloads and detects when execution patterns deviate significantly from established baselines. When drift is detected, PandoCore can:
- Monitor: Detect anomalies and emit evidence without taking action
- Alert: Detect anomalies and send real-time notifications (Slack, webhook) without enforcement
- Enforce: Detect, alert, and respond with graduated actions: network isolation and pod termination
- Debug: Provide verbose logging for troubleshooting and tuning
Architecture Overview
PandoCore operates as a Kubernetes-native sidecar that shares the pod lifecycle with your application.
The sidecar container runs alongside your application within the same pod, sharing the process namespace. This allows PandoCore to observe your workload's behavior without any code changes to your application.
Key Components
| Component | Description |
|---|---|
| Sidecar Container | The core monitoring component that runs alongside your application |
| Admission Webhook | Cluster-wide automatic sidecar injection via label pandocore.xyz/protect=true |
| PandoCorePolicy CRD | Declarative per-namespace policy configuration for GitOps workflows |
| Helm Chart | Configures RBAC, ConfigMaps, and provides the sidecar injection template |
| Metrics Endpoint | Prometheus-compatible /metrics endpoint for observability |
| Evidence Output | Structured JSON logs suitable for SIEM integration |
How It Works
When a pod starts with PandoCore:
- Learning Phase: PandoCore observes your application's normal behavior and establishes a baseline (configurable duration)
- Monitoring Phase: Continuous behavioral monitoring begins, comparing current state against the baseline
- Detection: When significant deviation is detected, PandoCore evaluates the drift against configured thresholds
- Response: Based on operating mode, PandoCore logs the event (monitor), sends alerts (alert), or executes a graduated response -- alert, network isolation, and terminate (enforce)
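To make the learning, monitoring, detection and response sequence concrete, here is an added toy model of that loop; it is illustrative code written for this page, not PandoCore's own implementation. It learns a per-dimension baseline from normal samples, scores drift as the largest z-score across dimensions, and maps that score to actions by operating mode; the dimension names, thresholds and sample values are assumptions.

```python
from statistics import mean, pstdev

# Assumed dimension names and thresholds for this model (not PandoCore's own).
DIMENSIONS = ("heap_mb", "threads", "fds")
THRESHOLDS = {"alert": 3.0, "isolate": 6.0, "terminate": 10.0}  # in z-score units


def learn_baseline(samples):
    """Learning phase: per-dimension (mean, population std dev) from normal samples."""
    baseline = {}
    for d in DIMENSIONS:
        values = [s[d] for s in samples]
        # Floor the deviation so a constant dimension never divides by zero.
        baseline[d] = (mean(values), max(pstdev(values), 1e-9))
    return baseline


def drift_score(baseline, sample):
    """Detection: largest absolute z-score of the sample across all dimensions."""
    return max(abs(sample[d] - mu) / sigma for d, (mu, sigma) in baseline.items())


def respond(mode, score, thresholds=THRESHOLDS):
    """Response by operating mode; returns the ordered list of actions taken.

    monitor: evidence only. alert: evidence + notification. enforce: graduated,
    each further action needs a higher score. debug: monitor + verbose logging.
    """
    if mode not in ("monitor", "alert", "enforce", "debug"):
        raise ValueError(f"unknown mode: {mode}")
    actions = ["verbose_log"] if mode == "debug" else []
    if score < thresholds["alert"]:
        return actions  # within baseline: nothing to report
    actions.append("evidence")
    if mode in ("alert", "enforce"):
        actions.append("alert")
    if mode == "enforce":
        if score >= thresholds["isolate"]:
            actions.append("isolate_network")
        if score >= thresholds["terminate"]:
            actions.append("terminate_pod")
    return actions


# Constructed samples standing in for observations from the learning phase.
NORMAL = [{"heap_mb": 100, "threads": 8, "fds": 20}, {"heap_mb": 102, "threads": 9, "fds": 22},
          {"heap_mb": 104, "threads": 8, "fds": 21}, {"heap_mb": 106, "threads": 9, "fds": 23},
          {"heap_mb": 108, "threads": 8, "fds": 24}]
BASELINE = learn_baseline(NORMAL)
```

A sample such as `{"heap_mb": 130, "threads": 9, "fds": 40}` scores well above the terminate threshold against this baseline, so in enforce mode all four graduated actions fire, while the same score in monitor mode only emits evidence.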
What PandoCore Monitors
PandoCore observes multiple dimensions of your workload's execution:
| Dimension | Description |
|---|---|
| Memory | Heap usage, allocation patterns, memory growth trends |
| Process | Thread count, file descriptors, child processes |
| Temporal | Execution timing patterns and scheduling characteristics |
| System | CPU utilization and I/O patterns |
Integration with Your Stack
PandoCore is designed to complement your existing security infrastructure:
- Observability: Prometheus metrics + Grafana dashboards included
- Log Aggregation: Structured JSON evidence integrates with Splunk, Elastic, Datadog, etc.
- Kubernetes Events: Enforcement actions emit K8s events for audit trails
- Alerting: Use your existing alerting infrastructure on PandoCore metrics
PandoCore requires no modifications to your application code. Simply add the sidecar container to your existing deployments.
PandoCore has been validated across 5 real-world workloads (nginx, PostgreSQL, Express.js, Spring PetClinic, FastAPI) over 693 pod-hours with zero false positives. See the full validation results.
Requirements
| Requirement | Version |
|---|---|
| Kubernetes | 1.25+ |
| Helm | 3.0+ |
| kubectl | Compatible with your cluster version |
Next Steps
Ready to get started? Follow our Getting Started guide to deploy PandoCore in your cluster in under 5 minutes.