diff --git a/pov-validation/Makefile b/pov-validation/Makefile new file mode 100644 index 0000000..c6d111c --- /dev/null +++ b/pov-validation/Makefile 
@@ -0,0 +1,266 @@ +.PHONY: help setup security-test performance-test operations-test clean + +help: + @echo "POV Validation Test Suite" + @echo "" + @echo "Prerequisites:" + @echo " make setup - Install RuntimeClass and verify cluster" + @echo "" + @echo "Security Tests:" + @echo " make welcome - Deploy welcome-to-edera test pod" + @echo " make leaky-vessel - Show secrets exposed without Edera" + @echo " make leaky-vessel-secure - Show secrets protected with Edera" + @echo " make falco-install - Install Falco with Edera plugin" + @echo " make falco-test - Deploy Falco test pod (requires Edera Falco plugin)" + @echo "" + @echo "Performance Tests:" + @echo " make iperf-compare - Run iperf benchmark with comparison table" + @echo " make iperf - Run iperf network benchmark (Edera only)" + @echo " make iperf-baseline - Run iperf baseline (without Edera)" + @echo " make sysbench - Run sysbench CPU benchmark (Edera)" + @echo " make sysbench-baseline - Run sysbench CPU baseline (without Edera)" + @echo " make sysbench-compare - Run sysbench with comparison table" + @echo " make kcbench - Run kcbench CPU benchmark (kernel compile)" + @echo " make kcbench-baseline - Run kcbench baseline (without Edera)" + @echo "" + @echo "Operations Tests:" + @echo " make grafana-install - Install Prometheus/Grafana stack" + @echo " make kyverno-install - Install Kyverno" + @echo " make kyverno-test - Test Kyverno auto-assignment policy" + @echo "" + @echo "Cleanup:" + @echo " make clean-security - Remove security test resources" + @echo " make clean-performance - Remove performance test resources" + @echo " make clean-operations - Remove operations test resources" + @echo " make clean - Remove all test resources" + +# Setup +setup: + @echo "Installing Edera RuntimeClass..." + kubectl apply -f https://public.edera.dev/kubernetes/runtime-class.yaml + @echo "" + @echo "Verifying setup..." 
+ kubectl get runtimeclass edera + kubectl get nodes -l runtime=edera + +# Security Tests +welcome: + kubectl apply -f security/welcome-to-edera.yaml + @echo "Waiting for pod to be ready..." + kubectl wait --for=condition=ready pod/welcome-to-edera --timeout=120s + @echo "" + @echo "Pod is running. Verify with:" + @echo " kubectl get pod welcome-to-edera -o jsonpath='{.spec.runtimeClassName}' && echo" + +leaky-vessel: + @echo "=== Leaky Vessel Demo: Process Isolation ===" + @echo "" + @echo "Step 1: Deploy vulnerable pod (no Edera) and raider pod" + kubectl apply -f security/leaky-vessel-test.yaml + @echo "Waiting for pods to be ready..." + kubectl wait --for=condition=ready pod/vulnerable-pod --timeout=120s + kubectl wait --for=condition=ready pod/raider --timeout=120s + @echo "" + @echo "Step 2: Raider attempts to steal secrets from vulnerable pod..." + @echo "" + @PID=$$(kubectl exec raider -- /bin/sh -c "ps faux | grep '[s]leep 5' | head -n1 | awk '{print \$$2}'"); \ + if [ -n "$$PID" ]; then \ + echo "Found vulnerable pod process: $$PID"; \ + echo "Secrets stolen:"; \ + kubectl exec raider -- /bin/sh -c "cat /proc/$$PID/environ | tr '\0' '\n' | grep 'PASSWORD\|SECRET'"; \ + else \ + echo "Could not find process"; \ + fi + @echo "" + @echo "=== Without Edera, secrets are exposed! ===" + @echo "" + @echo "Now run 'make leaky-vessel-secure' to see Edera's protection" + +leaky-vessel-secure: + @echo "=== Deploying secure pod with Edera ===" + kubectl delete pod vulnerable-pod --force --ignore-not-found + kubectl apply -f security/secure-pod.yaml + @echo "Waiting for secure pod..." + kubectl wait --for=condition=ready pod/secure-pod --timeout=120s + @echo "" + @echo "Step 3: Raider attempts to steal secrets from secure pod..." 
+ @echo "" + @PID=$$(kubectl exec raider -- /bin/sh -c "ps faux | grep '[s]leep 5' | head -n1 | awk '{print \$$2}'" 2>/dev/null); \ + if [ -n "$$PID" ]; then \ + echo "Found process: $$PID"; \ + kubectl exec raider -- /bin/sh -c "cat /proc/$$PID/environ | tr '\0' '\n' | grep 'PASSWORD\|SECRET'" || echo "Cannot access secrets!"; \ + else \ + echo "No process found - the container is secure!"; \ + fi + @echo "" + @echo "=== With Edera, secrets are protected by zone isolation! ===" + +falco-install: + @echo "Installing Falco with Edera plugin support..." + @echo "NOTE: This requires Edera Protect to be installed on the nodes." + @echo "See: https://docs.edera.dev/guides/observability/falco-integration/" + @echo "" + helm repo add falcosecurity https://falcosecurity.github.io/charts + helm repo update + helm upgrade --install falco falcosecurity/falco \ + --namespace falco \ + --create-namespace \ + -f security/falco/falco-edera-values.yaml + @echo "" + @echo "Waiting for Falco pods to be ready..." + kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=falco -n falco --timeout=120s + @echo "" + @echo "Falco installed. Verify with:" + @echo " kubectl logs -n falco -l app.kubernetes.io/name=falco | grep -i edera" + +falco-test: + @echo "NOTE: Monitoring inside Edera zones requires the Edera Falco plugin." + @echo "See: https://docs.edera.dev/guides/observability/falco-integration/" + @echo "" + kubectl apply -f security/falco-test.yaml + kubectl wait --for=condition=ready pod/falco-test --timeout=120s + @echo "" + @echo "Test pod deployed. If Edera Falco plugin is installed:" + @echo " Trigger alert: kubectl exec -it falco-test -- cat /etc/shadow" + @echo " View alerts: kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50" + +# Performance Tests +iperf: + kubectl apply -f performance/iperf-edera.yaml + @echo "Waiting for pod to be ready..." 
+ kubectl wait --for=condition=ready pod/iperf-edera --timeout=120s + @echo "" + @POD_IP=$$(kubectl get pod iperf-edera -o jsonpath='{.status.podIP}'); \ + echo "Run benchmark with: kubectl exec -it iperf-edera -c iperf-client -- iperf3 -c $$POD_IP -t 30" + +iperf-baseline: + kubectl apply -f performance/iperf-baseline.yaml + @echo "Waiting for pod to be ready..." + kubectl wait --for=condition=ready pod/iperf-baseline --timeout=120s + @echo "" + @echo "Run benchmark with: kubectl exec -it iperf-baseline -c iperf-client -- iperf3 -c localhost -t 30" + +iperf-compare: + @echo "=== iperf Network Performance Comparison ===" + @echo "" + @echo "Deploying test pods..." + @kubectl apply -f performance/iperf-edera.yaml -f performance/iperf-baseline.yaml > /dev/null + @kubectl wait --for=condition=ready pod/iperf-edera pod/iperf-baseline --timeout=120s > /dev/null + @echo "" + @echo "Running Edera benchmark (30s)..." + @POD_IP=$$(kubectl get pod iperf-edera -o jsonpath='{.status.podIP}'); \ + kubectl exec iperf-edera -c iperf-client -- iperf3 -c $$POD_IP -t 30 -J > /tmp/iperf-edera.json 2>/dev/null; \ + echo "Running Baseline benchmark (30s)..."; \ + kubectl exec iperf-baseline -c iperf-client -- iperf3 -c localhost -t 30 -J > /tmp/iperf-baseline.json 2>/dev/null; \ + EDERA=$$(jq '.end.sum_received.bits_per_second' /tmp/iperf-edera.json); \ + BASELINE=$$(jq '.end.sum_received.bits_per_second' /tmp/iperf-baseline.json); \ + EDERA_GBPS=$$(echo "scale=1; $$EDERA / 1000000000" | bc); \ + BASELINE_GBPS=$$(echo "scale=1; $$BASELINE / 1000000000" | bc); \ + PCT=$$(echo "scale=0; $$EDERA * 100 / $$BASELINE" | bc); \ + echo ""; \ + echo "┌─────────────┬────────────────┬──────────────┐"; \ + echo "│ Test │ Throughput │ % of Baseline│"; \ + echo "├─────────────┼────────────────┼──────────────┤"; \ + printf "│ Edera │ %6.1f Gbps │ %3d%% │\n" $$EDERA_GBPS $$PCT; \ + printf "│ Baseline │ %6.1f Gbps │ 100%% │\n" $$BASELINE_GBPS; \ + echo "└─────────────┴────────────────┴──────────────┘" 
+ +sysbench: + kubectl apply -f performance/sysbench-edera.yaml + @echo "Waiting for job to complete..." + kubectl wait --for=condition=complete job/sysbench-edera --timeout=300s + @echo "" + kubectl logs job/sysbench-edera + +sysbench-baseline: + kubectl apply -f performance/sysbench-baseline.yaml + @echo "Waiting for job to complete..." + kubectl wait --for=condition=complete job/sysbench-baseline --timeout=300s + @echo "" + kubectl logs job/sysbench-baseline + +sysbench-compare: + @echo "=== sysbench CPU Performance Comparison ===" + @echo "" + @echo "Deploying test jobs..." + @kubectl delete job sysbench-edera sysbench-baseline --ignore-not-found > /dev/null 2>&1 || true + @kubectl apply -f performance/sysbench-edera.yaml -f performance/sysbench-baseline.yaml > /dev/null + @echo "Waiting for jobs to complete (~90 seconds)..." + @kubectl wait --for=condition=complete job/sysbench-edera job/sysbench-baseline --timeout=300s > /dev/null + @echo "" + @EDERA_EPS=$$(kubectl logs job/sysbench-edera | grep "events per second" | tail -1 | awk '{print $$NF}'); \ + BASELINE_EPS=$$(kubectl logs job/sysbench-baseline | grep "events per second" | tail -1 | awk '{print $$NF}'); \ + EDERA_LAT=$$(kubectl logs job/sysbench-edera | grep "avg:" | tail -1 | awk '{print $$2}'); \ + BASELINE_LAT=$$(kubectl logs job/sysbench-baseline | grep "avg:" | tail -1 | awk '{print $$2}'); \ + PCT=$$(echo "scale=1; $$EDERA_EPS * 100 / $$BASELINE_EPS" | bc); \ + echo "┌─────────────┬─────────────────┬─────────────┬──────────────┐"; \ + echo "│ Test │ Events/sec │ Avg Latency │ % of Baseline│"; \ + echo "├─────────────┼─────────────────┼─────────────┼──────────────┤"; \ + printf "│ Edera │ %10.2f │ %6.2f ms │ %5.1f%% │\n" $$EDERA_EPS $$EDERA_LAT $$PCT; \ + printf "│ Baseline │ %10.2f │ %6.2f ms │ 100.0%% │\n" $$BASELINE_EPS $$BASELINE_LAT; \ + echo "└─────────────┴─────────────────┴─────────────┴──────────────┘" + +kcbench: + kubectl apply -f performance/kcbench-edera.yaml + @echo "Waiting for job 
to complete (this may take 10+ minutes)..." + kubectl wait --for=condition=complete job/kcbench-edera --timeout=1800s + @echo "" + kubectl logs job/kcbench-edera + +kcbench-baseline: + kubectl apply -f performance/kcbench-baseline.yaml + @echo "Waiting for job to complete (this may take 10+ minutes)..." + kubectl wait --for=condition=complete job/kcbench-baseline --timeout=1800s + @echo "" + kubectl logs job/kcbench-baseline + +# Operations Tests +grafana-install: + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo update + helm upgrade --install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace + @echo "" + @echo "Access Grafana with: kubectl port-forward -n monitoring svc/prometheus-grafana 3000:80" + @echo "Get password with: kubectl get secret -n monitoring prometheus-grafana -o jsonpath='{.data.admin-password}' | base64 -d && echo" + @echo "Username: admin" + +kyverno-install: + helm repo add kyverno https://kyverno.github.io/kyverno/ + helm repo update + helm upgrade --install kyverno kyverno/kyverno --namespace kyverno --create-namespace + +kyverno-test: + kubectl create namespace secure-workloads --dry-run=client -o yaml | kubectl apply -f - + kubectl apply -f operations/kyverno-edera-policy.yaml + kubectl apply -f operations/auto-edera-test.yaml + @echo "" + @echo "Verify RuntimeClass was added:" + kubectl get pod auto-edera-test -n secure-workloads -o yaml | grep runtimeClassName + +# Cleanup +clean-security: + -kubectl delete -f security/welcome-to-edera.yaml + -kubectl delete -f security/leaky-vessel-test.yaml + -kubectl delete -f security/secure-pod.yaml + -kubectl delete -f security/falco-test.yaml + -helm uninstall falco -n falco + -kubectl delete namespace falco + +clean-performance: + -kubectl delete -f performance/iperf-edera.yaml + -kubectl delete -f performance/iperf-baseline.yaml + -kubectl delete job sysbench-edera sysbench-baseline + -kubectl delete 
job kcbench-edera kcbench-baseline + +clean-operations: + -kubectl delete -f operations/auto-edera-test.yaml + -kubectl delete -f operations/kyverno-edera-policy.yaml + -kubectl delete namespace secure-workloads + -kubectl delete servicemonitor edera-protect -n monitoring + -helm uninstall kyverno -n kyverno + -kubectl delete namespace kyverno + -helm uninstall prometheus -n monitoring + -kubectl delete namespace monitoring + +clean: clean-security clean-performance clean-operations + @echo "All POV test resources removed" diff --git a/pov-validation/README.md b/pov-validation/README.md new file mode 100644 index 0000000..f31870e --- /dev/null +++ b/pov-validation/README.md 
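Review bot: `clean-operations` and `clean-security` (end of the hunk) run `kubectl delete namespace monitoring`, `kyverno` and `falco` outright, so on a customer cluster that already has, say, its own `monitoring` namespace, `make clean` removes everything in it rather than only what this suite installed; `helm upgrade --install ... --create-namespace` likewise adopts a pre-existing namespace without noticing. The install targets should create those namespaces only when absent and label them, and the clean targets should delete by that label, as sketched below (the existing `helm uninstall` and `kubectl delete -f` lines already cover the suite's own resources). Separately, every target runs in the kubeconfig's current namespace, so the `hostPID`, `privileged: true` raider pod from `leaky-vessel` lands wherever the operator happens to be and `leaky-vessel-secure` leaves it running; a `NAMESPACE ?= pov-validation` knob passed as `-n $(NAMESPACE)` on every kubectl call, plus a `kubectl delete pod raider` at the end of the secure step, would contain it. `make setup` applies `https://public.edera.dev/kubernetes/runtime-class.yaml` straight from the network on every run; vendoring the manifest into the repo (or pinning a versioned URL) makes the POV reproducible and lets the RuntimeClass be reviewed before it is applied. In `iperf-compare` the Edera client targets `$$POD_IP` while the baseline client targets `localhost`, so the `% of Baseline` column may compare two different network paths; use the same address form on both sides.
```make
# Create namespace $(1) only if it is absent, and label it so the clean targets
# remove only namespaces this suite created, never a pre-existing one.
ensure-ns = kubectl get namespace $(1) >/dev/null 2>&1 || \
            (kubectl create namespace $(1) && kubectl label namespace $(1) pov-validation=true)

falco-install:
	$(call ensure-ns,falco)
	# … unchanged: helm repo add/update, helm upgrade --install falco …

grafana-install:
	$(call ensure-ns,monitoring)
	# … unchanged: helm repo add/update, helm upgrade --install prometheus …

kyverno-install:
	$(call ensure-ns,kyverno)
	# … unchanged: helm repo add/update, helm upgrade --install kyverno …

clean-security:
	# … unchanged: kubectl delete -f security/…, helm uninstall falco …
	-kubectl delete namespace -l pov-validation=true,kubernetes.io/metadata.name=falco

clean-operations:
	# … unchanged: kubectl delete -f operations/…, helm uninstall kyverno/prometheus …
	-kubectl delete namespace -l pov-validation=true,kubernetes.io/metadata.name=kyverno
	-kubectl delete namespace -l pov-validation=true,kubernetes.io/metadata.name=monitoring
```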
@@ -0,0 +1,106 @@ +# POV Validation Test Suite + +Structured testing framework for validating Edera's security, performance, and operational capabilities during proof of value (POV) evaluations. + +## Prerequisites + +- Access to a Kubernetes cluster with Edera nodes +- `kubectl` configured to access the cluster +- `helm` installed for optional components (Falco, Grafana, Kyverno) + +## Quick Start + +```bash +# Install RuntimeClass and verify setup +make setup + +# View all available tests +make help +``` + +## Test Suites + +### Security Demonstration + +Validates container isolation and escape prevention. + +| Test | Command | Description | +|------|---------|-------------| +| Welcome to Edera | `make welcome` | Verify basic zone isolation | +| Leaky Vessel | `make leaky-vessel` | Container escape prevention demo | +| Falco Integration | `make falco-install && make falco-test` | Security monitoring compatibility | + +### Performance Validation + +Benchmarks network and CPU performance. + +| Test | Command | Description | +|------|---------|-------------| +| iperf (Edera) | `make iperf` | Network throughput with Edera | +| iperf (Baseline) | `make iperf-baseline` | Network throughput without Edera | +| kbench (Edera) | `make kbench` | CPU/storage benchmark with Edera | +| kbench (Baseline) | `make kbench-baseline` | CPU/storage benchmark without Edera | + +### Operations Integration + +Verifies integration with existing tools and workflows. 
+ +| Test | Command | Description | +|------|---------|-------------| +| Grafana | `make grafana-install` | Install Prometheus/Grafana stack | +| Kyverno | `make kyverno-install && make kyverno-test` | RuntimeClass auto-assignment | + +## Running Individual Tests + +You can also apply manifests directly: + +```bash +# Security +kubectl apply -f security/welcome-to-edera.yaml + +# Performance +kubectl apply -f performance/iperf-server.yaml +kubectl apply -f performance/iperf-client.yaml + +# Operations +kubectl apply -f operations/kyverno-edera-policy.yaml +``` + +## Cleanup + +```bash +# Remove specific test resources +make clean-security +make clean-performance +make clean-operations + +# Remove all test resources +make clean +``` + +## Documentation + +For detailed test procedures and expected results, see the [POV Validation Guide](https://docs.edera.dev/guides/pov-validation/). + +## File Structure + +``` +pov-validation/ +├── Makefile +├── README.md +├── security/ +│ ├── welcome-to-edera.yaml +│ ├── leaky-vessel-test.yaml +│ ├── leaky-vessel-no-edera.yaml +│ └── falco-test.yaml +├── performance/ +│ ├── iperf-server.yaml +│ ├── iperf-client.yaml +│ ├── iperf-baseline.yaml +│ ├── kbench-edera.yaml +│ └── kbench-baseline.yaml +└── operations/ + ├── edera-servicemonitor.yaml + ├── kyverno-edera-policy.yaml + └── auto-edera-test.yaml +``` diff --git a/pov-validation/operations/auto-edera-test.yaml b/pov-validation/operations/auto-edera-test.yaml new file mode 100644 index 0000000..5635873 --- /dev/null +++ b/pov-validation/operations/auto-edera-test.yaml @@ -0,0 +1,11 @@ +# Test pod for Kyverno policy - deploy to secure-workloads namespace +# The policy will automatically add runtimeClassName: edera +apiVersion: v1 +kind: Pod +metadata: + name: auto-edera-test + namespace: secure-workloads +spec: + containers: + - name: nginx + image: nginx:latest 
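Review bot: `image: nginx:latest` leaves the test pod on a mutable tag, so the outcome of `make kyverno-test` depends on whatever the registry serves that day; the same applies to `welcome-to-edera.yaml` (`nginx:latest`), `falco-test.yaml` (`alpine:latest`), both iperf manifests (`networkstatic/iperf3:latest`), both sysbench jobs (`severalnines/sysbench:latest`) and the untagged `busybox` in `leaky-vessel-test.yaml` and `secure-pod.yaml`. For a POV kit whose output is compared across runs and clusters, pin each image to a tag plus digest, e.g. `image: nginx:<version>@sha256:<digest>`, and refresh the pins deliberately rather than on every pull.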
diff --git a/pov-validation/operations/edera-servicemonitor.yaml b/pov-validation/operations/edera-servicemonitor.yaml new file mode 100644 index 0000000..4ef20cb --- /dev/null +++ b/pov-validation/operations/edera-servicemonitor.yaml @@ -0,0 +1,47 @@ +# ServiceMonitor for Edera Protect metrics +# Requires a headless Service pointing to Edera node(s) +apiVersion: v1 +kind: Service +metadata: + name: edera-protect-metrics + namespace: monitoring + labels: + app: edera-protect +spec: + clusterIP: None + ports: + - name: metrics + port: 3035 + targetPort: 3035 +--- +# Endpoints must be created manually with Edera node IPs +# Replace NODE_IP with your Edera node's internal IP +apiVersion: v1 +kind: Endpoints +metadata: + name: edera-protect-metrics + namespace: monitoring +subsets: +- addresses: + - ip: NODE_IP # Replace with: kubectl get nodes -l runtime=edera -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}' + ports: + - name: metrics + port: 3035 +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: edera-protect + namespace: monitoring + labels: + release: prometheus # Match Prometheus selector +spec: + selector: + matchLabels: + app: edera-protect + namespaceSelector: + matchNames: + - monitoring + endpoints: + - port: metrics + interval: 30s diff --git a/pov-validation/operations/kyverno-edera-policy.yaml b/pov-validation/operations/kyverno-edera-policy.yaml new file mode 100644 index 0000000..eb835c7 --- /dev/null +++ b/pov-validation/operations/kyverno-edera-policy.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: assign-edera-runtime +spec: + rules: + - name: assign-runtime-class + match: + resources: + kinds: + - Pod + namespaces: + - production + - secure-workloads + mutate: + patchStrategicMerge: + spec: + runtimeClassName: edera 
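Review bot: The `Endpoints` object carries `ip: NODE_IP`, which the API server rejects as an invalid address, so `kubectl apply -f operations/edera-servicemonitor.yaml` fails until the file is hand-edited; no Makefile target applies it (only `clean-operations` deletes `servicemonitor edera-protect`), although the README's file tree lists it. Either add a step to `grafana-install` that substitutes the address — the jsonpath in the inline comment already computes it, e.g. `sed "s/NODE_IP/$$(kubectl get nodes -l runtime=edera -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')/" operations/edera-servicemonitor.yaml | kubectl apply -f -` — or document the manual step in the README. Hand-managed `Endpoints` are also deprecated in favour of `EndpointSlice` in recent Kubernetes releases (1.33, I believe), so a line on that in the header comment would help whoever maintains this.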
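Review bot: The test policy's `namespaces:` list includes `production` alongside `secure-workloads`, so running `make kyverno-test` on a customer cluster silently starts rewriting `runtimeClassName` on every new pod admitted to a real `production` namespace; the test fixture should list only `- secure-workloads` and leave additional namespaces to the user's own copy. `patchStrategicMerge` with `runtimeClassName: edera` also overwrites a runtime class the pod author set explicitly; Kyverno's add-if-absent anchor, `+(runtimeClassName): edera`, mutates only pods that did not choose one. The `match.resources` form is the legacy Kyverno v1 syntax; `match.any: - resources: ...` is the current one and is worth adopting since the file is new.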
diff --git a/pov-validation/performance/iperf-baseline.yaml b/pov-validation/performance/iperf-baseline.yaml new file mode 100644 index 0000000..ad65f40 --- /dev/null +++ b/pov-validation/performance/iperf-baseline.yaml @@ -0,0 +1,16 @@ +# iperf baseline benchmark without Edera - client and server in same pod +apiVersion: v1 +kind: Pod +metadata: + name: iperf-baseline +spec: + # No runtimeClassName - uses default runtime + containers: + - name: iperf-server + image: networkstatic/iperf3:latest + command: ["iperf3", "-s"] + ports: + - containerPort: 5201 + - name: iperf-client + image: networkstatic/iperf3:latest + command: ["sleep", "3600"] diff --git a/pov-validation/performance/iperf-edera.yaml b/pov-validation/performance/iperf-edera.yaml new file mode 100644 index 0000000..86fdaf1 --- /dev/null +++ b/pov-validation/performance/iperf-edera.yaml @@ -0,0 +1,16 @@ +# iperf benchmark with Edera - client and server in same pod (same zone) +apiVersion: v1 +kind: Pod +metadata: + name: iperf-edera +spec: + runtimeClassName: edera + containers: + - name: iperf-server + image: networkstatic/iperf3:latest + command: ["iperf3", "-s"] + ports: + - containerPort: 5201 + - name: iperf-client + image: networkstatic/iperf3:latest + command: ["sleep", "3600"] diff --git a/pov-validation/performance/kcbench-baseline.yaml b/pov-validation/performance/kcbench-baseline.yaml new file mode 100644 index 0000000..0be7eb9 --- /dev/null +++ b/pov-validation/performance/kcbench-baseline.yaml 
@@ -0,0 +1,49 @@ +# CPU benchmark baseline (without Edera) using kcbench (kernel compilation) +apiVersion: batch/v1 +kind: Job +metadata: + name: kcbench-baseline +spec: + template: + spec: + # No runtimeClassName - uses default runtime + restartPolicy: Never + volumes: + - name: workspace + emptyDir: + sizeLimit: 15Gi + containers: + - name: kcbench + image: mirror.gcr.io/library/fedora:latest + command: ["/bin/bash", "-c"] + args: + - | + echo "=== Baseline CPU Benchmark (kcbench) ===" + + # Use workspace volume for all disk-heavy operations + export TMPDIR=/workspace/tmp + mkdir -p /workspace/tmp /workspace/dnf-cache + + echo "Installing dependencies..." + dnf install -y --setopt=cachedir=/workspace/dnf-cache kcbench diffutils openssl openssl-devel-engine cpio + + echo "" + echo "Running kernel compilation benchmark (kernel 6.11.3)..." + echo "This will take several minutes..." + + # Run kcbench with work directory in workspace + cd /workspace + kcbench -i 1 -j $(nproc) -s 6.11.3 + + echo "" + echo "=== Benchmark Complete ===" + volumeMounts: + - name: workspace + mountPath: /workspace + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "4Gi" + cpu: "2" diff --git a/pov-validation/performance/kcbench-edera.yaml b/pov-validation/performance/kcbench-edera.yaml new file mode 100644 index 0000000..dc10d31 --- /dev/null +++ b/pov-validation/performance/kcbench-edera.yaml 
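Review bot: The baseline and `kcbench-edera.yaml` (next hunk) do not run the same workload, so the resulting times are not comparable: this job installs `kcbench` with `dnf` at run time and builds kernel 6.11.3 via `kcbench -i 1 -j $(nproc) -s 6.11.3`, while the Edera job compiles 6.6.70 from a prebuilt image with a hand-rolled `make defconfig && make -j$(nproc)`, under different toolchains and with different resource requests (`4Gi` here vs `2Gi` plus `dev.edera/initial-memory-request` there). The run-time `dnf install` (and kcbench's kernel-source fetch, if the tarball is not already in the image) also make each baseline run depend on network state at that moment. The sysbench pair on this page already follows the right pattern — identical image and command, only `runtimeClassName` differs — and the kcbench pair should do the same, using one prebuilt image from a controlled registry on both sides.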
@@ -0,0 +1,76 @@ +# CPU benchmark with Edera using kernel compilation +# Uses pre-built image with all dependencies included +# Requires 16GB memory and 8 CPUs for zone resources +apiVersion: batch/v1 +kind: Job +metadata: + name: kcbench-edera +spec: + template: + metadata: + annotations: + dev.edera/resource-policy: "dynamic" + dev.edera/initial-memory-request: "2048" + spec: + runtimeClassName: edera + restartPolicy: Never + volumes: + - name: workspace + emptyDir: + sizeLimit: 15Gi + containers: + - name: kcbench + image: ttl.sh/kcbench-prebuilt-v2:24h + command: ["/bin/bash", "-c"] + args: + - | + set -ex + echo "=== Edera CPU Benchmark (kernel compilation) ===" + echo "" + echo "CPUs available: $(nproc)" + echo "Memory:" + free -h + echo "" + echo "Disk space:" + df -h + echo "" + + # Setup workspace + mkdir -p /workspace/tmp + rm -rf /tmp 2>/dev/null || true + ln -sf /workspace/tmp /tmp + export TMPDIR=/workspace/tmp + export HOME=/workspace + + # Extract kernel source + echo "Extracting kernel source..." + cd /workspace + tar -xf /usr/share/kcbench/linux-6.6.70.tar.xz + cd linux-6.6.70 + + # Configure and build + echo "Configuring kernel (defconfig)..." + make defconfig + + echo "" + echo "Starting kernel compilation with $(nproc) CPUs..." + START=$(date +%s.%N) + make -j$(nproc) + END=$(date +%s.%N) + + ELAPSED=$(echo "$END - $START" | bc) + echo "" + echo "=== Results ===" + echo "Compile time: ${ELAPSED} seconds" + echo "CPUs used: $(nproc)" + echo "=== Benchmark Complete ===" + volumeMounts: + - name: workspace + mountPath: /workspace + resources: + requests: + memory: "2Gi" + cpu: "2" + limits: + memory: "4Gi" + cpu: "2" diff --git a/pov-validation/performance/sysbench-baseline.yaml b/pov-validation/performance/sysbench-baseline.yaml new file mode 100644 index 0000000..d0cfb26 --- /dev/null +++ b/pov-validation/performance/sysbench-baseline.yaml 
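Review bot: `image: ttl.sh/kcbench-prebuilt-v2:24h` points at an anonymous, ephemeral registry where the `24h` tag is the image's time to live, so the job will fail to pull a day after the image was pushed, and because any party can push under any name there, whatever is served under that name at pull time is what runs in the cluster. Host the prebuilt image in a controlled registry (the page already uses `ghcr.io/edera-dev/...` for the zone kernel in `falco-test.yaml`) and pin it by digest, `image: <registry>/kcbench-prebuilt@sha256:<digest>`. The header comment `Requires 16GB memory and 8 CPUs for zone resources` also disagrees with the spec, which requests `2Gi`/`2` CPUs and limits `4Gi`/`2`, so one of them should change; and the `rm -rf /tmp` / `ln -sf /workspace/tmp /tmp` workaround deserves a comment saying why the zone's default `/tmp` is unsuitable (presumably size — worth confirming).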
@@ -0,0 +1,38 @@ +# CPU benchmark baseline (without Edera) using sysbench +apiVersion: batch/v1 +kind: Job +metadata: + name: sysbench-baseline +spec: + template: + spec: + # No runtimeClassName - uses default runtime + restartPolicy: Never + containers: + - name: sysbench + image: severalnines/sysbench:latest + command: ["/bin/sh", "-c"] + args: + - | + echo "=== Baseline CPU Benchmark (sysbench) ===" + echo "" + echo "System info:" + echo "CPUs available: $(nproc)" + cat /proc/cpuinfo | grep "model name" | head -1 + echo "" + echo "Running CPU benchmark (10 seconds, prime numbers to 20000)..." + echo "" + sysbench cpu --cpu-max-prime=20000 --threads=2 --time=10 run + echo "" + echo "Running CPU benchmark (60 seconds for more stable results)..." + echo "" + sysbench cpu --cpu-max-prime=20000 --threads=2 --time=60 run + echo "" + echo "=== Benchmark Complete ===" + resources: + requests: + memory: "512Mi" + cpu: "2" + limits: + memory: "512Mi" + cpu: "2" diff --git a/pov-validation/performance/sysbench-edera.yaml b/pov-validation/performance/sysbench-edera.yaml new file mode 100644 index 0000000..ca12f4a --- /dev/null +++ b/pov-validation/performance/sysbench-edera.yaml 
@@ -0,0 +1,39 @@ +# CPU benchmark with Edera using sysbench +# Uses pre-built image to avoid package manager issues in zones +apiVersion: batch/v1 +kind: Job +metadata: + name: sysbench-edera +spec: + template: + spec: + runtimeClassName: edera + restartPolicy: Never + containers: + - name: sysbench + image: severalnines/sysbench:latest + command: ["/bin/sh", "-c"] + args: + - | + echo "=== Edera CPU Benchmark (sysbench) ===" + echo "" + echo "System info:" + echo "CPUs available: $(nproc)" + cat /proc/cpuinfo | grep "model name" | head -1 + echo "" + echo "Running CPU benchmark (10 seconds, prime numbers to 20000)..." + echo "" + sysbench cpu --cpu-max-prime=20000 --threads=2 --time=10 run + echo "" + echo "Running CPU benchmark (60 seconds for more stable results)..." + echo "" + sysbench cpu --cpu-max-prime=20000 --threads=2 --time=60 run + echo "" + echo "=== Benchmark Complete ===" + resources: + requests: + memory: "512Mi" + cpu: "2" + limits: + memory: "512Mi" + cpu: "2" diff --git a/pov-validation/security/falco-test.yaml b/pov-validation/security/falco-test.yaml new file mode 100644 index 0000000..b405474 --- /dev/null +++ b/pov-validation/security/falco-test.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: falco-test + annotations: + dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16 +spec: + runtimeClassName: edera + containers: + - name: alpine + image: alpine:latest + command: ["sh", "-c", "while true; do sleep 30; done"] diff --git a/pov-validation/security/falco/falco-edera-values.yaml b/pov-validation/security/falco/falco-edera-values.yaml new file mode 100644 index 0000000..d1c8f27 --- /dev/null +++ b/pov-validation/security/falco/falco-edera-values.yaml 
@@ -0,0 +1,55 @@ +# Falco Helm values for Edera zone monitoring +# See: https://docs.edera.dev/guides/observability/falco-integration/ + +# Mount Edera plugin and daemon socket from host into Falco pods +mounts: + volumes: + - name: edera-plugin + hostPath: + path: /var/lib/edera/protect/falco + - name: edera-daemon-socket + hostPath: + path: /var/lib/edera/protect + + volumeMounts: + - name: edera-plugin + mountPath: /var/lib/edera/protect/falco + readOnly: true + - name: edera-daemon-socket + mountPath: /var/lib/edera/protect + readOnly: false + +# Configure the Edera plugin +falco: + plugins: + - name: edera + library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so + init_config: + mirror_host_syscalls: false + + load_plugins: [edera] + +# Add custom Edera detection rules +customRules: + edera-rules.yaml: |- + - rule: Edera Zone Activity + desc: Detects file access inside Edera zones + source: edera_zone + output: > + Zone file access | zone_id=%edera.zone.id proc=%proc.exe + evt.type=%evt.type evt.args=%evt.args + priority: DEBUG + condition: > + evt.pluginname == "edera" and + evt.type == open + + - rule: Edera Process Execution + desc: Detects process execution inside Edera zones + source: edera_zone + output: > + Process executed in zone | zone_id=%edera.zone.id proc=%proc.exe + cmdline=%proc.cmdline + priority: WARNING + condition: > + evt.pluginname == "edera" and + evt.type == execve diff --git a/pov-validation/security/leaky-vessel-test.yaml b/pov-validation/security/leaky-vessel-test.yaml new file mode 100644 index 0000000..0087a13 --- /dev/null +++ b/pov-validation/security/leaky-vessel-test.yaml 
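Review bot: The `/var/lib/edera/protect` hostPath is mounted with `readOnly: false` into every Falco pod, giving the monitoring DaemonSet write access to the Edera daemon's state directory on each node. If the plugin only needs to connect to the daemon socket, a read-only mount should be enough — the kernel's read-only-filesystem check exempts socket inodes, so `connect()` still succeeds — which is worth confirming against the plugin docs and then switching to `readOnly: true`, or narrowing `hostPath.path` to the socket file itself (`<edera-daemon-socket-path>`). Note also that this mount contains the `edera-plugin` mount path (`/var/lib/edera/protect/falco`), so the two overlap, and a comment should state which one is expected to be effective for the plugin directory. The `Edera Zone Activity` rule fires on every `open` in every zone at `DEBUG` priority, which is fine for a demo but should be documented as high-volume so nobody ships the values file as-is.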
@@ -0,0 +1,36 @@ +# Leaky Vessel demonstration - shows Edera's process isolation +# This creates a "raider" pod that attempts to access secrets from other pods + +--- +# Vulnerable pod WITHOUT Edera - secrets can be accessed via /proc +apiVersion: v1 +kind: Pod +metadata: + name: vulnerable-pod +spec: + containers: + - name: vulnerable-container + image: busybox + env: + - name: PASSWORD + value: superSecretPassword + - name: SECRET + value: reallyVeryImportantSecret + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 5; done"] +--- +# Raider pod - uses hostPID to access other pods' processes +apiVersion: v1 +kind: Pod +metadata: + name: raider +spec: + hostPID: true + containers: + - name: raider + image: ubuntu:24.04 + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 10; done"] + securityContext: + privileged: true + tty: true diff --git a/pov-validation/security/secure-pod.yaml b/pov-validation/security/secure-pod.yaml new file mode 100644 index 0000000..9c4dad9 --- /dev/null +++ b/pov-validation/security/secure-pod.yaml @@ -0,0 +1,17 @@ +# Secure pod WITH Edera - secrets are isolated in a zone +apiVersion: v1 +kind: Pod +metadata: + name: secure-pod +spec: + runtimeClassName: edera + containers: + - name: secure-container + image: busybox + env: + - name: PASSWORD + value: superSecretPassword + - name: SECRET + value: reallyVeryImportantSecret + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 5; done"] diff --git a/pov-validation/security/welcome-to-edera.yaml b/pov-validation/security/welcome-to-edera.yaml new file mode 100644 index 0000000..37cfac4 --- /dev/null +++ b/pov-validation/security/welcome-to-edera.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: welcome-to-edera +spec: + runtimeClassName: edera + containers: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80
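Review bot: Nothing in this manifest (or in `secure-pod.yaml`, the hunk below) constrains scheduling, yet `hostPID` only exposes processes on the raider's own node, so on a multi-node cluster the target pod may land elsewhere and both demos report whatever the missing process implies — `leaky-vessel` prints `Could not find process` and, worse, `leaky-vessel-secure` prints `No process found - the container is secure!` even though Edera played no part. Co-schedule the pods with a pod affinity so the `secure` result is only reported when the raider actually shares a node with `secure-pod`: label `vulnerable-pod` and have the raider require it, then label the raider and have `secure-pod` require that, as sketched below. The raider is `privileged: true` with `hostPID: true` and has no lifetime bound; an `activeDeadlineSeconds` on its spec would make it self-terminate if `make clean-security` is forgotten.
```yaml
# vulnerable-pod: label so the raider can be co-scheduled with it
metadata:
  name: vulnerable-pod
  labels:
    app: leaky-vessel-target
# … unchanged: vulnerable-pod spec …
---
metadata:
  name: raider
  labels:
    app: raider        # secure-pod.yaml should require this label via podAffinity
spec:
  hostPID: true
  # hostPID only exposes processes on the raider's own node, so the demo is
  # only meaningful when the target pod is scheduled onto that node
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app: leaky-vessel-target
        topologyKey: kubernetes.io/hostname
  # … unchanged: containers …
```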