From cb698de98e039da4f63f2f6c82a379486566734a Mon Sep 17 00:00:00 2001 
From: Ann Wallace Date: Wed, 21 Jan 2026 16:04:16 -0800 Subject: [PATCH 1/6] Add POV validation test suite with security, performance, and operations tests Structured testing framework for POV evaluations: - Security: welcome-to-edera, leaky-vessel demo, falco integration - Performance: iperf network benchmarks, kbench CPU/storage tests - Operations: Grafana observability, Kyverno automation Includes Makefile with targets for all tests and cleanup. --- pov-validation/Makefile | 153 ++++++++++++++++++ pov-validation/README.md | 106 ++++++++++++ .../operations/auto-edera-test.yaml | 11 ++ .../operations/edera-servicemonitor.yaml | 15 ++ .../operations/kyverno-edera-policy.yaml | 18 +++ .../performance/iperf-baseline.yaml | 36 +++++ pov-validation/performance/iperf-client.yaml | 10 ++ pov-validation/performance/iperf-server.yaml | 25 +++ .../performance/kbench-baseline.yaml | 16 ++ pov-validation/performance/kbench-edera.yaml | 16 ++ pov-validation/security/falco-test.yaml | 10 ++ .../security/leaky-vessel-no-edera.yaml | 11 ++ .../security/leaky-vessel-test.yaml | 11 ++ pov-validation/security/welcome-to-edera.yaml | 11 ++ 14 files changed, 449 insertions(+) create mode 100644 pov-validation/Makefile create mode 100644 pov-validation/README.md create mode 100644 pov-validation/operations/auto-edera-test.yaml create mode 100644 pov-validation/operations/edera-servicemonitor.yaml create mode 100644 pov-validation/operations/kyverno-edera-policy.yaml create mode 100644 pov-validation/performance/iperf-baseline.yaml create mode 100644 pov-validation/performance/iperf-client.yaml create mode 100644 pov-validation/performance/iperf-server.yaml create mode 100644 pov-validation/performance/kbench-baseline.yaml create mode 100644 pov-validation/performance/kbench-edera.yaml create mode 100644 pov-validation/security/falco-test.yaml create mode 100644 pov-validation/security/leaky-vessel-no-edera.yaml create mode 100644 pov-validation/security/leaky-vessel-test.yaml create 
mode 100644 pov-validation/security/welcome-to-edera.yaml diff --git a/pov-validation/Makefile b/pov-validation/Makefile new file mode 100644 index 0000000..46a9963 --- /dev/null +++ b/pov-validation/Makefile 
@@ -0,0 +1,153 @@ +.PHONY: help setup security-test performance-test operations-test clean + +help: + @echo "POV Validation Test Suite" + @echo "" + @echo "Prerequisites:" + @echo " make setup - Install RuntimeClass and verify cluster" + @echo "" + @echo "Security Tests:" + @echo " make welcome - Deploy welcome-to-edera test pod" + @echo " make leaky-vessel - Run Leaky Vessel container escape demo" + @echo " make falco-install - Install Falco for security monitoring" + @echo " make falco-test - Run Falco integration test" + @echo "" + @echo "Performance Tests:" + @echo " make iperf - Run iperf network benchmark" + @echo " make iperf-baseline - Run iperf baseline (without Edera)" + @echo " make kbench - Run kbench CPU/storage benchmark" + @echo " make kbench-baseline - Run kbench baseline (without Edera)" + @echo "" + @echo "Operations Tests:" + @echo " make grafana-install - Install Prometheus/Grafana stack" + @echo " make kyverno-install - Install Kyverno" + @echo " make kyverno-test - Test Kyverno auto-assignment policy" + @echo "" + @echo "Cleanup:" + @echo " make clean-security - Remove security test resources" + @echo " make clean-performance - Remove performance test resources" + @echo " make clean-operations - Remove operations test resources" + @echo " make clean - Remove all test resources" + +# Setup +setup: + @echo "Installing Edera RuntimeClass..." + kubectl apply -f https://public.edera.dev/kubernetes/runtime-class.yaml + @echo "" + @echo "Verifying setup..." + kubectl get runtimeclass edera + kubectl get nodes -l runtime=edera + +# Security Tests +welcome: + kubectl apply -f security/welcome-to-edera.yaml + @echo "Waiting for pod to be ready..." + kubectl wait --for=condition=ready pod/welcome-to-edera --timeout=120s + @echo "" + @echo "Pod is running. Verify zone on node with: sudo protect zone list" + +leaky-vessel: + kubectl apply -f security/leaky-vessel-test.yaml + @echo "Waiting for pod to complete..." 
+ kubectl wait --for=condition=ready pod/leaky-vessel-test --timeout=120s || true + @echo "" + @echo "Check logs with: kubectl logs leaky-vessel-test" + +leaky-vessel-baseline: + @echo "WARNING: This demonstrates a container escape on unprotected runtime" + @echo "Only run on test clusters!" + kubectl apply -f security/leaky-vessel-no-edera.yaml + +falco-install: + helm repo add falcosecurity https://falcosecurity.github.io/charts + helm repo update + helm install falco falcosecurity/falco --namespace falco --create-namespace + +falco-test: + kubectl apply -f security/falco-test.yaml + kubectl wait --for=condition=ready pod/falco-test --timeout=120s + @echo "" + @echo "Trigger alert with: kubectl exec -it falco-test -- cat /etc/shadow" + @echo "View alerts with: kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50" + +# Performance Tests +iperf: + kubectl apply -f performance/iperf-server.yaml + kubectl apply -f performance/iperf-client.yaml + @echo "Waiting for pods to be ready..." + kubectl wait --for=condition=ready pod/iperf-server --timeout=120s + kubectl wait --for=condition=ready pod/iperf-client --timeout=120s + @echo "" + @echo "Run benchmark with: kubectl exec -it iperf-client -- iperf3 -c iperf-server -t 30" + +iperf-baseline: + kubectl apply -f performance/iperf-baseline.yaml + @echo "Waiting for pods to be ready..." + kubectl wait --for=condition=ready pod/iperf-server-baseline --timeout=120s + kubectl wait --for=condition=ready pod/iperf-client-baseline --timeout=120s + @echo "" + @echo "Run benchmark with: kubectl exec -it iperf-client-baseline -- iperf3 -c iperf-server-baseline -t 30" + +kbench: + kubectl apply -f performance/kbench-edera.yaml + @echo "Waiting for job to complete..." + kubectl wait --for=condition=complete job/kbench-edera --timeout=300s + @echo "" + kubectl logs job/kbench-edera + +kbench-baseline: + kubectl apply -f performance/kbench-baseline.yaml + @echo "Waiting for job to complete..." 
+ kubectl wait --for=condition=complete job/kbench-baseline --timeout=300s + @echo "" + kubectl logs job/kbench-baseline + +# Operations Tests +grafana-install: + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo update + helm install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace + @echo "" + @echo "Access Grafana with: kubectl port-forward -n monitoring svc/prometheus-grafana 3000:80" + @echo "Default credentials: admin/prom-operator" + +kyverno-install: + helm repo add kyverno https://kyverno.github.io/kyverno/ + helm repo update + helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace + +kyverno-test: + kubectl create namespace secure-workloads --dry-run=client -o yaml | kubectl apply -f - + kubectl apply -f operations/kyverno-edera-policy.yaml + kubectl apply -f operations/auto-edera-test.yaml + @echo "" + @echo "Verify RuntimeClass was added:" + kubectl get pod auto-edera-test -n secure-workloads -o yaml | grep runtimeClassName + +# Cleanup +clean-security: + -kubectl delete -f security/welcome-to-edera.yaml + -kubectl delete -f security/leaky-vessel-test.yaml + -kubectl delete -f security/leaky-vessel-no-edera.yaml + -kubectl delete -f security/falco-test.yaml + -helm uninstall falco -n falco + -kubectl delete namespace falco + +clean-performance: + -kubectl delete -f performance/iperf-server.yaml + -kubectl delete -f performance/iperf-client.yaml + -kubectl delete -f performance/iperf-baseline.yaml + -kubectl delete job kbench-edera kbench-baseline + +clean-operations: + -kubectl delete -f operations/auto-edera-test.yaml + -kubectl delete -f operations/kyverno-edera-policy.yaml + -kubectl delete namespace secure-workloads + -kubectl delete servicemonitor edera-protect -n monitoring + -helm uninstall kyverno -n kyverno + -kubectl delete namespace kyverno + -helm uninstall prometheus -n monitoring + -kubectl delete namespace monitoring + 
+clean: clean-security clean-performance clean-operations + @echo "All POV test resources removed" diff --git a/pov-validation/README.md b/pov-validation/README.md new file mode 100644 index 0000000..f31870e --- /dev/null +++ b/pov-validation/README.md 
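Review bot: `grafana-install` installs kube-prometheus-stack with the chart's default Grafana admin password and then prints it (`Default credentials: admin/prom-operator`), so a POV cluster that outlives the demo keeps a well-known credential behind the port-forwarded UI; set one at install time, e.g. `--set grafana.adminPassword=<POV_GRAFANA_PASSWORD>`, and drop the echo. In the same hunk `setup` applies `https://public.edera.dev/kubernetes/runtime-class.yaml` straight from the network with no version or checksum, so two evaluations can install different RuntimeClass definitions without anyone noticing; vendoring the manifest next to the other YAML, or at least recording the expected content in a comment, would make runs reproducible. The `.PHONY` line lists only six names, three of which (`security-test`, `performance-test`, `operations-test`) have no recipe at all, while `welcome`, `iperf`, `kbench`, `kyverno-test` and the `clean-*` targets are phony but undeclared; `.PHONY: help setup welcome leaky-vessel leaky-vessel-baseline falco-install falco-test iperf iperf-baseline kbench kbench-baseline grafana-install kyverno-install kyverno-test clean-security clean-performance clean-operations clean` would match the targets that actually exist.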
@@ -0,0 +1,106 @@ +# POV Validation Test Suite + +Structured testing framework for validating Edera's security, performance, and operational capabilities during proof of value (POV) evaluations. + +## Prerequisites + +- Access to a Kubernetes cluster with Edera nodes +- `kubectl` configured to access the cluster +- `helm` installed for optional components (Falco, Grafana, Kyverno) + +## Quick Start + +```bash +# Install RuntimeClass and verify setup +make setup + +# View all available tests +make help +``` + +## Test Suites + +### Security Demonstration + +Validates container isolation and escape prevention. + +| Test | Command | Description | +|------|---------|-------------| +| Welcome to Edera | `make welcome` | Verify basic zone isolation | +| Leaky Vessel | `make leaky-vessel` | Container escape prevention demo | +| Falco Integration | `make falco-install && make falco-test` | Security monitoring compatibility | + +### Performance Validation + +Benchmarks network and CPU performance. + +| Test | Command | Description | +|------|---------|-------------| +| iperf (Edera) | `make iperf` | Network throughput with Edera | +| iperf (Baseline) | `make iperf-baseline` | Network throughput without Edera | +| kbench (Edera) | `make kbench` | CPU/storage benchmark with Edera | +| kbench (Baseline) | `make kbench-baseline` | CPU/storage benchmark without Edera | + +### Operations Integration + +Verifies integration with existing tools and workflows. 
+ +| Test | Command | Description | +|------|---------|-------------| +| Grafana | `make grafana-install` | Install Prometheus/Grafana stack | +| Kyverno | `make kyverno-install && make kyverno-test` | RuntimeClass auto-assignment | + +## Running Individual Tests + +You can also apply manifests directly: + +```bash +# Security +kubectl apply -f security/welcome-to-edera.yaml + +# Performance +kubectl apply -f performance/iperf-server.yaml +kubectl apply -f performance/iperf-client.yaml + +# Operations +kubectl apply -f operations/kyverno-edera-policy.yaml +``` + +## Cleanup + +```bash +# Remove specific test resources +make clean-security +make clean-performance +make clean-operations + +# Remove all test resources +make clean +``` + +## Documentation + +For detailed test procedures and expected results, see the [POV Validation Guide](https://docs.edera.dev/guides/pov-validation/). + +## File Structure + +``` +pov-validation/ +├── Makefile +├── README.md +├── security/ +│ ├── welcome-to-edera.yaml +│ ├── leaky-vessel-test.yaml +│ ├── leaky-vessel-no-edera.yaml +│ └── falco-test.yaml +├── performance/ +│ ├── iperf-server.yaml +│ ├── iperf-client.yaml +│ ├── iperf-baseline.yaml +│ ├── kbench-edera.yaml +│ └── kbench-baseline.yaml +└── operations/ + ├── edera-servicemonitor.yaml + ├── kyverno-edera-policy.yaml + └── auto-edera-test.yaml +``` diff --git a/pov-validation/operations/auto-edera-test.yaml b/pov-validation/operations/auto-edera-test.yaml new file mode 100644 index 0000000..5635873 --- /dev/null +++ b/pov-validation/operations/auto-edera-test.yaml @@ -0,0 +1,11 @@ +# Test pod for Kyverno policy - deploy to secure-workloads namespace +# The policy will automatically add runtimeClassName: edera +apiVersion: v1 +kind: Pod +metadata: + name: auto-edera-test + namespace: secure-workloads +spec: + containers: + - name: nginx + image: nginx:latest 
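Review bot: `image: nginx:latest` is a floating tag, so the pod the Kyverno policy mutates is not the same artifact from one evaluation to the next and cannot be tied back to a scanned digest; the same applies to `nginx:latest` in welcome-to-edera.yaml, `alpine:latest` in falco-test.yaml, `networkstatic/iperf3:latest` in the three iperf manifests and the `ghcr.io/edera-dev/*:latest` images in the kbench and leaky-vessel manifests. Pin each to a specific tag and, for images pulled from registries outside the project, a digest, e.g. `image: nginx:<PINNED_TAG>@sha256:<IMAGE_DIGEST>`. The pod also carries no `resources` block and no container `securityContext`, which is acceptable for a mutation test, but the header comment should say that the test only checks that `runtimeClassName` gets injected so nobody reuses it as a workload template.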
diff --git a/pov-validation/operations/edera-servicemonitor.yaml b/pov-validation/operations/edera-servicemonitor.yaml new file mode 100644 index 0000000..b5a2327 --- /dev/null +++ b/pov-validation/operations/edera-servicemonitor.yaml @@ -0,0 +1,15 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: edera-protect + namespace: monitoring +spec: + selector: + matchLabels: + app: edera-protect + endpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - kube-system diff --git a/pov-validation/operations/kyverno-edera-policy.yaml b/pov-validation/operations/kyverno-edera-policy.yaml new file mode 100644 index 0000000..eb835c7 --- /dev/null +++ b/pov-validation/operations/kyverno-edera-policy.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: assign-edera-runtime +spec: + rules: + - name: assign-runtime-class + match: + resources: + kinds: + - Pod + namespaces: + - production + - secure-workloads + mutate: + patchStrategicMerge: + spec: + runtimeClassName: edera diff --git a/pov-validation/performance/iperf-baseline.yaml b/pov-validation/performance/iperf-baseline.yaml new file mode 100644 index 0000000..157c935 --- /dev/null +++ b/pov-validation/performance/iperf-baseline.yaml @@ -0,0 +1,36 @@ +# Baseline iperf test without Edera for comparison +apiVersion: v1 +kind: Pod +metadata: + name: iperf-server-baseline + labels: + app: iperf-server-baseline +spec: + # No runtimeClassName - uses default runtime + containers: + - name: iperf + image: networkstatic/iperf3:latest + command: ["iperf3", "-s"] + ports: + - containerPort: 5201 +--- +apiVersion: v1 +kind: Service +metadata: + name: iperf-server-baseline +spec: + selector: + app: iperf-server-baseline + ports: + - port: 5201 + targetPort: 5201 +--- +apiVersion: v1 +kind: Pod +metadata: + name: iperf-client-baseline +spec: + containers: + - name: iperf + image: networkstatic/iperf3:latest + command: ["sleep", "3600"] 
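Review bot: The ServiceMonitor has no `metadata.labels`, and `grafana-install` deploys kube-prometheus-stack under the release name `prometheus`, whose Prometheus by default only selects ServiceMonitors labelled with that release unless `serviceMonitorSelectorNilUsesHelmValues` is set to false; as written this object will most likely be ignored silently. Add `labels:` with `release: prometheus` under `metadata`. Nothing in this series applies the file either — no Makefile target references it although `clean-operations` deletes it — and the `app: edera-protect` Service in `kube-system` it selects is not created here, so a comment naming where that Service comes from (presumably the Edera install) would help whoever runs the test.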
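Review bot: The mutate rule also matches the `production` namespace, so installing this POV test policy on a shared cluster rewrites the runtime of every new production pod, not just the `secure-workloads` namespace that `kyverno-test` creates; limit the test policy to `secure-workloads`, or state the wider scope prominently in a header comment. `patchStrategicMerge` with `runtimeClassName: edera` unconditionally overwrites a runtime class a pod already set; Kyverno's add-if-absent anchor, `+(runtimeClassName): edera`, only adds the field when it is missing, which is what "auto-assignment" suggests. `match.resources` is the older match form; if the chart version `kyverno-install` pulls supports it, `match.any` is the current syntax — worth confirming against that version.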
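Review bot: The baseline pods have no `nodeSelector` or affinity, so the scheduler may place `iperf-server-baseline` and `iperf-client-baseline` on a different node (or different hardware) from the Edera pods in iperf-server.yaml and iperf-client.yaml, and the comparison then measures placement rather than runtime overhead; the same applies to kbench-baseline.yaml versus kbench-edera.yaml. Pin both variants to one node, e.g. `nodeSelector:` with `kubernetes.io/hostname: <NODE_NAME>` (the `runtime=edera` label that `setup` queries would at least keep them on Edera-capable nodes), or say in the header comment that results are only comparable when both runs land on the same node. None of the iperf pods declares `resources`, so with other workloads present the two runs also compete for CPU differently; a matching `resources.requests` block on server and client in both variants would make the numbers repeatable.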
diff --git a/pov-validation/performance/iperf-client.yaml b/pov-validation/performance/iperf-client.yaml new file mode 100644 index 0000000..42e89f5 --- /dev/null +++ b/pov-validation/performance/iperf-client.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: iperf-client +spec: + runtimeClassName: edera + containers: + - name: iperf + image: networkstatic/iperf3:latest + command: ["sleep", "3600"] diff --git a/pov-validation/performance/iperf-server.yaml b/pov-validation/performance/iperf-server.yaml new file mode 100644 index 0000000..38799e2 --- /dev/null +++ b/pov-validation/performance/iperf-server.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: iperf-server + labels: + app: iperf-server +spec: + runtimeClassName: edera + containers: + - name: iperf + image: networkstatic/iperf3:latest + command: ["iperf3", "-s"] + ports: + - containerPort: 5201 +--- +apiVersion: v1 +kind: Service +metadata: + name: iperf-server +spec: + selector: + app: iperf-server + ports: + - port: 5201 + targetPort: 5201 diff --git a/pov-validation/performance/kbench-baseline.yaml b/pov-validation/performance/kbench-baseline.yaml new file mode 100644 index 0000000..31f2ad7 --- /dev/null +++ b/pov-validation/performance/kbench-baseline.yaml @@ -0,0 +1,16 @@ +# Baseline kbench test without Edera for comparison +apiVersion: batch/v1 +kind: Job +metadata: + name: kbench-baseline +spec: + template: + spec: + restartPolicy: Never + containers: + - name: kbench + image: ghcr.io/edera-dev/kbench:latest + resources: + limits: + cpu: "2" + memory: "4Gi" diff --git a/pov-validation/performance/kbench-edera.yaml b/pov-validation/performance/kbench-edera.yaml new file mode 100644 index 0000000..7669aaa --- /dev/null +++ b/pov-validation/performance/kbench-edera.yaml 
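Review bot: The Job sets no `backoffLimit`, so on a failed run Kubernetes retries up to the default six times and `kubectl wait --for=condition=complete job/kbench-baseline --timeout=300s` in the Makefile simply sits until the timeout, after which `kubectl logs job/...` shows one arbitrary attempt; the same applies to kbench-edera.yaml. For a benchmark a single attempt is the right semantics: `backoffLimit: 0` under `spec`, and optionally `ttlSecondsAfterFinished` so completed jobs do not accumulate between evaluations. A header comment stating what the image measures and which output lines the comparison reads would also help, since the Makefile only dumps the raw log.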
@@ -0,0 +1,16 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: kbench-edera +spec: + template: + spec: + runtimeClassName: edera + restartPolicy: Never + containers: + - name: kbench + image: ghcr.io/edera-dev/kbench:latest + resources: + limits: + cpu: "2" + memory: "4Gi" diff --git a/pov-validation/security/falco-test.yaml b/pov-validation/security/falco-test.yaml new file mode 100644 index 0000000..a010baf --- /dev/null +++ b/pov-validation/security/falco-test.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: falco-test +spec: + runtimeClassName: edera + containers: + - name: alpine + image: alpine:latest + command: ["sh", "-c", "while true; do sleep 30; done"] diff --git a/pov-validation/security/leaky-vessel-no-edera.yaml b/pov-validation/security/leaky-vessel-no-edera.yaml new file mode 100644 index 0000000..f7811cb --- /dev/null +++ b/pov-validation/security/leaky-vessel-no-edera.yaml @@ -0,0 +1,11 @@ +# WARNING: This demonstrates a container escape vulnerability +# Only run on test clusters +apiVersion: v1 +kind: Pod +metadata: + name: leaky-vessel-no-edera +spec: + # No runtimeClassName - uses default containerd + containers: + - name: leaky-vessel + image: ghcr.io/edera-dev/leaky-vessel-demo:latest diff --git a/pov-validation/security/leaky-vessel-test.yaml b/pov-validation/security/leaky-vessel-test.yaml new file mode 100644 index 0000000..839100c --- /dev/null +++ b/pov-validation/security/leaky-vessel-test.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: leaky-vessel-test +spec: + runtimeClassName: edera + containers: + - name: leaky-vessel + image: ghcr.io/edera-dev/leaky-vessel-demo:latest + securityContext: + privileged: false diff --git a/pov-validation/security/welcome-to-edera.yaml b/pov-validation/security/welcome-to-edera.yaml new file mode 100644 index 0000000..37cfac4 --- /dev/null +++ b/pov-validation/security/welcome-to-edera.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: welcome-to-edera +spec: + runtimeClassName: edera + containers: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 From 491f383926523cf08b9a61a51f1fb5dbe2f84e74 Mon Sep 17 00:00:00 2001 From: Ann Wallace Date: Thu, 22 Jan 2026 11:44:29 -0800 Subject: [PATCH 2/6] Add Falco installation and update Leaky Vessel demo - Add falco-edera-values.yaml for Helm-based Falco installation - Add falco-install and cleanup targets to Makefile - Update Leaky Vessel demo to use vulnerable-pod + raider pattern - Add secure-pod.yaml for Edera-protected demonstration --- pov-validation/Makefile | 82 +++++++++++++++---- .../security/falco/falco-edera-values.yaml | 73 +++++++++++++++++ .../security/leaky-vessel-no-edera.yaml | 11 --- .../security/leaky-vessel-test.yaml | 35 ++++++-- pov-validation/security/secure-pod.yaml | 17 ++++ 5 files changed, 186 insertions(+), 32 deletions(-) create mode 100644 pov-validation/security/falco/falco-edera-values.yaml delete mode 100644 pov-validation/security/leaky-vessel-no-edera.yaml create mode 100644 pov-validation/security/secure-pod.yaml diff --git a/pov-validation/Makefile b/pov-validation/Makefile index 46a9963..1449aaa 100644 --- a/pov-validation/Makefile +++ b/pov-validation/Makefile @@ -8,9 +8,10 @@ help: @echo "" @echo "Security Tests:" @echo " make welcome - Deploy welcome-to-edera test pod" - @echo " make leaky-vessel - Run Leaky Vessel container escape demo" - @echo " make falco-install - Install Falco for security monitoring" - @echo " make falco-test - Run Falco integration test" + @echo " make leaky-vessel - Show secrets exposed without Edera" + @echo " make leaky-vessel-secure - Show secrets protected with Edera" + @echo " make falco-install - Install Falco with Edera plugin" + @echo " make falco-test - Deploy Falco test pod (requires Edera Falco plugin)" @echo "" @echo "Performance Tests:" @echo " make iperf - Run iperf network benchmark" 
@@ -44,31 +45,80 @@ welcome: @echo "Waiting for pod to be ready..." kubectl wait --for=condition=ready pod/welcome-to-edera --timeout=120s @echo "" - @echo "Pod is running. Verify zone on node with: sudo protect zone list" + @echo "Pod is running. Verify with:" + @echo " kubectl get pod welcome-to-edera -o jsonpath='{.spec.runtimeClassName}' && echo" leaky-vessel: + @echo "=== Leaky Vessel Demo: Process Isolation ===" + @echo "" + @echo "Step 1: Deploy vulnerable pod (no Edera) and raider pod" kubectl apply -f security/leaky-vessel-test.yaml - @echo "Waiting for pod to complete..." - kubectl wait --for=condition=ready pod/leaky-vessel-test --timeout=120s || true + @echo "Waiting for pods to be ready..." + kubectl wait --for=condition=ready pod/vulnerable-pod --timeout=120s + kubectl wait --for=condition=ready pod/raider --timeout=120s @echo "" - @echo "Check logs with: kubectl logs leaky-vessel-test" - -leaky-vessel-baseline: - @echo "WARNING: This demonstrates a container escape on unprotected runtime" - @echo "Only run on test clusters!" - kubectl apply -f security/leaky-vessel-no-edera.yaml + @echo "Step 2: Raider attempts to steal secrets from vulnerable pod..." + @echo "" + @PID=$$(kubectl exec raider -- /bin/sh -c "ps faux | grep '[s]leep 5' | head -n1 | awk '{print \$$2}'"); \ + if [ -n "$$PID" ]; then \ + echo "Found vulnerable pod process: $$PID"; \ + echo "Secrets stolen:"; \ + kubectl exec raider -- /bin/sh -c "cat /proc/$$PID/environ | tr '\0' '\n' | grep 'PASSWORD\|SECRET'"; \ + else \ + echo "Could not find process"; \ + fi + @echo "" + @echo "=== Without Edera, secrets are exposed! ===" + @echo "" + @echo "Now run 'make leaky-vessel-secure' to see Edera's protection" + +leaky-vessel-secure: + @echo "=== Deploying secure pod with Edera ===" + kubectl delete pod vulnerable-pod --force --ignore-not-found + kubectl apply -f security/secure-pod.yaml + @echo "Waiting for secure pod..." 
+ kubectl wait --for=condition=ready pod/secure-pod --timeout=120s + @echo "" + @echo "Step 3: Raider attempts to steal secrets from secure pod..." + @echo "" + @PID=$$(kubectl exec raider -- /bin/sh -c "ps faux | grep '[s]leep 5' | head -n1 | awk '{print \$$2}'" 2>/dev/null); \ + if [ -n "$$PID" ]; then \ + echo "Found process: $$PID"; \ + kubectl exec raider -- /bin/sh -c "cat /proc/$$PID/environ | tr '\0' '\n' | grep 'PASSWORD\|SECRET'" || echo "Cannot access secrets!"; \ + else \ + echo "No process found - the container is secure!"; \ + fi + @echo "" + @echo "=== With Edera, secrets are protected by zone isolation! ===" falco-install: + @echo "Installing Falco with Edera plugin support..." + @echo "NOTE: This requires Edera Protect to be installed on the nodes." + @echo "See: https://docs.edera.dev/guides/observability/falco-integration/" + @echo "" helm repo add falcosecurity https://falcosecurity.github.io/charts helm repo update - helm install falco falcosecurity/falco --namespace falco --create-namespace + helm install falco falcosecurity/falco \ + --namespace falco \ + --create-namespace \ + -f security/falco/falco-edera-values.yaml + @echo "" + @echo "Waiting for Falco pods to be ready..." + kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=falco -n falco --timeout=120s + @echo "" + @echo "Falco installed. Verify with:" + @echo " kubectl logs -n falco -l app.kubernetes.io/name=falco | grep -i edera" falco-test: + @echo "NOTE: Monitoring inside Edera zones requires the Edera Falco plugin." + @echo "See: https://docs.edera.dev/guides/observability/falco-integration/" + @echo "" kubectl apply -f security/falco-test.yaml kubectl wait --for=condition=ready pod/falco-test --timeout=120s @echo "" - @echo "Trigger alert with: kubectl exec -it falco-test -- cat /etc/shadow" - @echo "View alerts with: kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50" + @echo "Test pod deployed. 
If Edera Falco plugin is installed:" + @echo " Trigger alert: kubectl exec -it falco-test -- cat /etc/shadow" + @echo " View alerts: kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50" # Performance Tests iperf: @@ -128,7 +178,7 @@ kyverno-test: clean-security: -kubectl delete -f security/welcome-to-edera.yaml -kubectl delete -f security/leaky-vessel-test.yaml - -kubectl delete -f security/leaky-vessel-no-edera.yaml + -kubectl delete -f security/secure-pod.yaml -kubectl delete -f security/falco-test.yaml -helm uninstall falco -n falco -kubectl delete namespace falco diff --git a/pov-validation/security/falco/falco-edera-values.yaml b/pov-validation/security/falco/falco-edera-values.yaml new file mode 100644 index 0000000..196277e --- /dev/null +++ b/pov-validation/security/falco/falco-edera-values.yaml 
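Review bot: After `leaky-vessel-secure` finishes, the `raider` pod — `hostPID: true` and `privileged: true` in leaky-vessel-test.yaml — keeps running in the default namespace until someone runs `make clean-security`, so the demo leaves the cluster with a privileged host-PID pod; end the secure target with `kubectl delete pod raider vulnerable-pod --ignore-not-found`, or at least have the closing echo say that cleanup is required. The lookup `ps faux | grep '[s]leep 5'` matches any `sleep 5` on the node rather than the demo container specifically, so on a shared node both the "Found process" and the "No process found - the container is secure!" branches can report the wrong outcome; either verify the PID belongs to the demo pod before printing a verdict, or state the single-tenant-node assumption in the output. The `welcome` recipe this hunk opens with starts before the hunk; the `falco-install` recipe in the middle is fully visible.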
@@ -0,0 +1,73 @@ +# Falco Helm values for Edera zone monitoring +# See: https://docs.edera.dev/guides/observability/falco-integration/ + +# Mount Edera plugin and daemon socket from host into Falco pods +mounts: + volumes: + - name: edera-plugin + hostPath: + path: /var/lib/edera/protect/falco + - name: edera-daemon-socket + hostPath: + path: /var/lib/edera/protect + + volumeMounts: + - name: edera-plugin + mountPath: /var/lib/edera/protect/falco + readOnly: true + - name: edera-daemon-socket + mountPath: /var/lib/edera/protect + readOnly: false + +# Configure the Edera plugin +falco: + plugins: + - name: edera + library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so + init_config: + mirror_host_syscalls: true + + load_plugins: [edera] + +# Add custom Edera detection rules +customRules: + edera-rules.yaml: |- + - macro: open_read_edera + condition: (evt.pluginname == "edera") + + - rule: Edera Events + desc: > + Logs every syscall event from every running Edera zone, with no filtering. + Useful for testing and understanding what events are available. 
+ source: edera_zone + output: > + Edera Event | time=%evt.time zone_id=%edera.zone.id evt.type=%evt.type + syscall.type=%syscall.type evt.category=%evt.category evt.dir=%evt.dir + proc.exe=%proc.exe evt.args=%evt.args is_open=%evt.type.is[open] + priority: WARNING + tags: [edera_zone, filesystem] + condition: > + open_read_edera + + - rule: Edera Sensitive File Read + desc: Detects when a process in an Edera zone reads sensitive files + source: edera_zone + output: > + Sensitive file read in zone | zone_id=%edera.zone.id proc=%proc.exe + file=%fd.name + priority: WARNING + condition: > + evt.pluginname == "edera" and + evt.type == open and + (fd.name startswith /etc/shadow or fd.name startswith /etc/passwd) + + - rule: Edera Process Execution + desc: Logs all process executions inside Edera zones + source: edera_zone + output: > + Process executed in zone | zone_id=%edera.zone.id proc=%proc.exe + cmdline=%proc.cmdline + priority: NOTICE + condition: > + evt.pluginname == "edera" and + evt.type == execve diff --git a/pov-validation/security/leaky-vessel-no-edera.yaml b/pov-validation/security/leaky-vessel-no-edera.yaml deleted file mode 100644 index f7811cb..0000000 --- a/pov-validation/security/leaky-vessel-no-edera.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: This demonstrates a container escape vulnerability -# Only run on test clusters -apiVersion: v1 -kind: Pod -metadata: - name: leaky-vessel-no-edera -spec: - # No runtimeClassName - uses default containerd - containers: - - name: leaky-vessel - image: ghcr.io/edera-dev/leaky-vessel-demo:latest diff --git a/pov-validation/security/leaky-vessel-test.yaml b/pov-validation/security/leaky-vessel-test.yaml index 839100c..0087a13 100644 --- a/pov-validation/security/leaky-vessel-test.yaml +++ b/pov-validation/security/leaky-vessel-test.yaml 
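Review bot: The `Edera Sensitive File Read` rule matches only `evt.type == open`, but current libc opens files through `openat` (and `openat2`), so the `cat /etc/shadow` check the Makefile suggests may never fire; if the plugin exposes those event types, the condition should read `evt.type in (open, openat, openat2)`, and the `open_read_edera` macro — which today only tests the plugin name its own name does not suggest — is the natural place for it. `/etc/passwd` is read by almost every process that resolves a user name, so at WARNING this rule will be very noisy; keep `/etc/shadow` and drop or lower `/etc/passwd`. The `Edera Events` rule emits every event at WARNING with no filter — its own `desc` says it exists for testing — so set `enabled: false` on it or say in the header comment that these values are for evaluation only. The `edera-daemon-socket` mount is `readOnly: false`, giving Falco write access to the host's `/var/lib/edera/protect` directory; a one-line comment stating why read-write is required (presumably the daemon socket) lets reviewers confirm that is the minimum scope.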
@@ -1,11 +1,36 @@ +# Leaky Vessel demonstration - shows Edera's process isolation +# This creates a "raider" pod that attempts to access secrets from other pods + +--- +# Vulnerable pod WITHOUT Edera - secrets can be accessed via /proc apiVersion: v1 kind: Pod metadata: - name: leaky-vessel-test + name: vulnerable-pod spec: - runtimeClassName: edera containers: - - name: leaky-vessel - image: ghcr.io/edera-dev/leaky-vessel-demo:latest + - name: vulnerable-container + image: busybox + env: + - name: PASSWORD + value: superSecretPassword + - name: SECRET + value: reallyVeryImportantSecret + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 5; done"] +--- +# Raider pod - uses hostPID to access other pods' processes +apiVersion: v1 +kind: Pod +metadata: + name: raider +spec: + hostPID: true + containers: + - name: raider + image: ubuntu:24.04 + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 10; done"] securityContext: - privileged: false + privileged: true + tty: true diff --git a/pov-validation/security/secure-pod.yaml b/pov-validation/security/secure-pod.yaml new file mode 100644 index 0000000..9c4dad9 --- /dev/null +++ b/pov-validation/security/secure-pod.yaml @@ -0,0 +1,17 @@ +# Secure pod WITH Edera - secrets are isolated in a zone +apiVersion: v1 +kind: Pod +metadata: + name: secure-pod +spec: + runtimeClassName: edera + containers: + - name: secure-container + image: busybox + env: + - name: PASSWORD + value: superSecretPassword + - name: SECRET + value: reallyVeryImportantSecret + command: ["/bin/sh", "-c"] + args: ["while true; do sleep 5; done"] From 3b5571c43456afb88271fcf0fb04a9907888c8cb Mon Sep 17 00:00:00 2001 
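Review bot: The raider pod is `hostPID: true` with `privileged: true` and no namespace, yet the "Only run on test clusters" warning that leaky-vessel-no-edera.yaml carried was dropped with that file; restore it as this file's header comment, e.g. `# WARNING: the raider pod is intentionally privileged with hostPID - apply only on a disposable test cluster and remove it with 'make clean-security'`. `tty: true` is printed directly after `privileged: true`; it is a container field, not a `securityContext` field, so if it sits at the securityContext indent the API server rejects the manifest under strict field validation — the collapsed diff does not show the indent, so please confirm it is at the container level. `image: busybox` is untagged in both pods here and in secure-pod.yaml; pin it. The plaintext `env` secrets are the point of the demo, but the vulnerable pod's comment should say so explicitly so the pattern is not copied into a real workload.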
From: Ann Wallace Date: Fri, 23 Jan 2026 11:47:46 -0800 Subject: [PATCH 3/6] Add performance benchmark tests with comparison targets Add sysbench CPU benchmark (iperf already existed) with Edera and baseline variants. Update Makefile with comparison targets that output formatted tables showing throughput/events and percentage of baseline. Replace separate iperf client/server with combined pod manifests for simpler testing. --- pov-validation/Makefile | 112 ++++++++++++++---- .../performance/iperf-baseline.yaml | 28 +---- pov-validation/performance/iperf-client.yaml | 10 -- pov-validation/performance/iperf-edera.yaml | 16 +++ pov-validation/performance/iperf-server.yaml | 25 ---- .../performance/kbench-baseline.yaml | 16 --- pov-validation/performance/kbench-edera.yaml | 16 --- .../performance/kcbench-baseline.yaml | 49 ++++++++ pov-validation/performance/kcbench-edera.yaml | 76 ++++++++++++ .../performance/sysbench-baseline.yaml | 38 ++++++ .../performance/sysbench-edera.yaml | 39 ++++++ 11 files changed, 309 insertions(+), 116 deletions(-) delete mode 100644 pov-validation/performance/iperf-client.yaml create mode 100644 pov-validation/performance/iperf-edera.yaml delete mode 100644 pov-validation/performance/iperf-server.yaml delete mode 100644 pov-validation/performance/kbench-baseline.yaml delete mode 100644 pov-validation/performance/kbench-edera.yaml create mode 100644 pov-validation/performance/kcbench-baseline.yaml create mode 100644 pov-validation/performance/kcbench-edera.yaml create mode 100644 pov-validation/performance/sysbench-baseline.yaml create mode 100644 pov-validation/performance/sysbench-edera.yaml diff --git a/pov-validation/Makefile b/pov-validation/Makefile index 1449aaa..096a2ea 100644 --- a/pov-validation/Makefile +++ b/pov-validation/Makefile 
@@ -14,10 +14,14 @@ help: @echo " make falco-test - Deploy Falco test pod (requires Edera Falco plugin)" @echo "" @echo "Performance Tests:" - @echo " make iperf - Run iperf network benchmark" + @echo " make iperf-compare - Run iperf benchmark with comparison table" + @echo " make iperf - Run iperf network benchmark (Edera only)" @echo " make iperf-baseline - Run iperf baseline (without Edera)" - @echo " make kbench - Run kbench CPU/storage benchmark" - @echo " make kbench-baseline - Run kbench baseline (without Edera)" + @echo " make sysbench - Run sysbench CPU benchmark (Edera)" + @echo " make sysbench-baseline - Run sysbench CPU baseline (without Edera)" + @echo " make sysbench-compare - Run sysbench with comparison table" + @echo " make kcbench - Run kcbench CPU benchmark (kernel compile)" + @echo " make kcbench-baseline - Run kcbench baseline (without Edera)" @echo "" @echo "Operations Tests:" @echo " make grafana-install - Install Prometheus/Grafana stack" @@ -98,7 +102,7 @@ falco-install: @echo "" helm repo add falcosecurity https://falcosecurity.github.io/charts helm repo update - helm install falco falcosecurity/falco \ + helm upgrade --install falco falcosecurity/falco \ --namespace falco \ --create-namespace \ -f security/falco/falco-edera-values.yaml 
@@ -122,35 +126,93 @@ falco-test:
 # Performance Tests
 iperf:
- kubectl apply -f performance/iperf-server.yaml
- kubectl apply -f performance/iperf-client.yaml
- @echo "Waiting for pods to be ready..."
- kubectl wait --for=condition=ready pod/iperf-server --timeout=120s
- kubectl wait --for=condition=ready pod/iperf-client --timeout=120s
+ kubectl apply -f performance/iperf-edera.yaml
+ @echo "Waiting for pod to be ready..."
+ kubectl wait --for=condition=ready pod/iperf-edera --timeout=120s
 @echo ""
- @echo "Run benchmark with: kubectl exec -it iperf-client -- iperf3 -c iperf-server -t 30"
+ @POD_IP=$$(kubectl get pod iperf-edera -o jsonpath='{.status.podIP}'); \
+ echo "Run benchmark with: kubectl exec -it iperf-edera -c iperf-client -- iperf3 -c $$POD_IP -t 30"
 iperf-baseline:
 kubectl apply -f performance/iperf-baseline.yaml
- @echo "Waiting for pods to be ready..."
- kubectl wait --for=condition=ready pod/iperf-server-baseline --timeout=120s
- kubectl wait --for=condition=ready pod/iperf-client-baseline --timeout=120s
+ @echo "Waiting for pod to be ready..."
+ kubectl wait --for=condition=ready pod/iperf-baseline --timeout=120s
+ @echo ""
+ @echo "Run benchmark with: kubectl exec -it iperf-baseline -c iperf-client -- iperf3 -c localhost -t 30"
+
+iperf-compare:
+ @echo "=== iperf Network Performance Comparison ==="
+ @echo ""
+ @echo "Deploying test pods..."
+ @kubectl apply -f performance/iperf-edera.yaml -f performance/iperf-baseline.yaml > /dev/null
+ @kubectl wait --for=condition=ready pod/iperf-edera pod/iperf-baseline --timeout=120s > /dev/null
 @echo ""
- @echo "Run benchmark with: kubectl exec -it iperf-client-baseline -- iperf3 -c iperf-server-baseline -t 30"
+ @echo "Running Edera benchmark (30s)..."
+ @POD_IP=$$(kubectl get pod iperf-edera -o jsonpath='{.status.podIP}'); \
+ kubectl exec iperf-edera -c iperf-client -- iperf3 -c $$POD_IP -t 30 -J > /tmp/iperf-edera.json 2>/dev/null; \
+ echo "Running Baseline benchmark (30s)..."; \
+ kubectl exec iperf-baseline -c iperf-client -- iperf3 -c localhost -t 30 -J > /tmp/iperf-baseline.json 2>/dev/null; \
+ EDERA=$$(jq '.end.sum_received.bits_per_second' /tmp/iperf-edera.json); \
+ BASELINE=$$(jq '.end.sum_received.bits_per_second' /tmp/iperf-baseline.json); \
+ EDERA_GBPS=$$(echo "scale=1; $$EDERA / 1000000000" | bc); \
+ BASELINE_GBPS=$$(echo "scale=1; $$BASELINE / 1000000000" | bc); \
+ PCT=$$(echo "scale=0; $$EDERA * 100 / $$BASELINE" | bc); \
+ echo ""; \
+ echo "┌─────────────┬────────────────┬──────────────┐"; \
+ echo "│ Test │ Throughput │ % of Baseline│"; \
+ echo "├─────────────┼────────────────┼──────────────┤"; \
+ printf "│ Edera │ %6.1f Gbps │ %3d%% │\n" $$EDERA_GBPS $$PCT; \
+ printf "│ Baseline │ %6.1f Gbps │ 100%% │\n" $$BASELINE_GBPS; \
+ echo "└─────────────┴────────────────┴──────────────┘"
-kbench:
- kubectl apply -f performance/kbench-edera.yaml
+sysbench:
+ kubectl apply -f performance/sysbench-edera.yaml
 @echo "Waiting for job to complete..."
- kubectl wait --for=condition=complete job/kbench-edera --timeout=300s
+ kubectl wait --for=condition=complete job/sysbench-edera --timeout=300s
 @echo ""
- kubectl logs job/kbench-edera
+ kubectl logs job/sysbench-edera
-kbench-baseline:
- kubectl apply -f performance/kbench-baseline.yaml
+sysbench-baseline:
+ kubectl apply -f performance/sysbench-baseline.yaml
 @echo "Waiting for job to complete..."
- kubectl wait --for=condition=complete job/kbench-baseline --timeout=300s
+ kubectl wait --for=condition=complete job/sysbench-baseline --timeout=300s
+ @echo ""
+ kubectl logs job/sysbench-baseline
+
+sysbench-compare:
+ @echo "=== sysbench CPU Performance Comparison ==="
+ @echo ""
+ @echo "Deploying test jobs..."
+ @kubectl delete job sysbench-edera sysbench-baseline --ignore-not-found > /dev/null 2>&1 || true
+ @kubectl apply -f performance/sysbench-edera.yaml -f performance/sysbench-baseline.yaml > /dev/null
+ @echo "Waiting for jobs to complete (~90 seconds)..."
+ @kubectl wait --for=condition=complete job/sysbench-edera job/sysbench-baseline --timeout=300s > /dev/null
+ @echo ""
+ @EDERA_EPS=$$(kubectl logs job/sysbench-edera | grep "events per second" | tail -1 | awk '{print $$NF}'); \
+ BASELINE_EPS=$$(kubectl logs job/sysbench-baseline | grep "events per second" | tail -1 | awk '{print $$NF}'); \
+ EDERA_LAT=$$(kubectl logs job/sysbench-edera | grep "avg:" | tail -1 | awk '{print $$2}'); \
+ BASELINE_LAT=$$(kubectl logs job/sysbench-baseline | grep "avg:" | tail -1 | awk '{print $$2}'); \
+ PCT=$$(echo "scale=1; $$EDERA_EPS * 100 / $$BASELINE_EPS" | bc); \
+ echo "┌─────────────┬─────────────────┬─────────────┬──────────────┐"; \
+ echo "│ Test │ Events/sec │ Avg Latency │ % of Baseline│"; \
+ echo "├─────────────┼─────────────────┼─────────────┼──────────────┤"; \
+ printf "│ Edera │ %10.2f │ %6.2f ms │ %5.1f%% │\n" $$EDERA_EPS $$EDERA_LAT $$PCT; \
+ printf "│ Baseline │ %10.2f │ %6.2f ms │ 100.0%% │\n" $$BASELINE_EPS $$BASELINE_LAT; \
+ echo "└─────────────┴─────────────────┴─────────────┴──────────────┘"
+
+kcbench:
+ kubectl apply -f performance/kcbench-edera.yaml
+ @echo "Waiting for job to complete (this may take 10+ minutes)..."
+ kubectl wait --for=condition=complete job/kcbench-edera --timeout=1800s
+ @echo ""
+ kubectl logs job/kcbench-edera
+
+kcbench-baseline:
+ kubectl apply -f performance/kcbench-baseline.yaml
+ @echo "Waiting for job to complete (this may take 10+ minutes)..."
+ kubectl wait --for=condition=complete job/kcbench-baseline --timeout=1800s
 @echo ""
- kubectl logs job/kbench-baseline
+ kubectl logs job/kcbench-baseline
 # Operations Tests
 grafana-install:
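Review bot: In `iperf-compare` both `kubectl exec … iperf3 … -J` invocations send stderr to /dev/null and their exit status is never checked, so a failed or timed-out run leaves an empty JSON file, `jq` yields `null`, and `bc` either errors or the table prints a meaningless percentage; `sysbench-compare` has the same weakness when its `grep "events per second"` matches nothing. Keep stderr, test the exit status of each exec, and guard the division with something like `[ -n "$$BASELINE" ] && [ "$$BASELINE" != "null" ] || { echo "benchmark failed"; exit 1; }` before computing PCT. The results also go to fixed, predictable paths `/tmp/iperf-edera.json` and `/tmp/iperf-baseline.json` on the operator's host, where concurrent runs clobber each other; `mktemp` would avoid that. The targets now need `jq` and `bc` on the host, which the help text in this file does not mention.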
@@ -184,10 +246,10 @@ clean-security:
 -kubectl delete namespace falco
 clean-performance:
- -kubectl delete -f performance/iperf-server.yaml
- -kubectl delete -f performance/iperf-client.yaml
+ -kubectl delete -f performance/iperf-edera.yaml
 -kubectl delete -f performance/iperf-baseline.yaml
- -kubectl delete job kbench-edera kbench-baseline
+ -kubectl delete job sysbench-edera sysbench-baseline
+ -kubectl delete job kcbench-edera kcbench-baseline
 clean-operations:
 -kubectl delete -f operations/auto-edera-test.yaml
diff --git a/pov-validation/performance/iperf-baseline.yaml b/pov-validation/performance/iperf-baseline.yaml
index 157c935..ad65f40 100644
--- a/pov-validation/performance/iperf-baseline.yaml
+++ b/pov-validation/performance/iperf-baseline.yaml
@@ -1,36 +1,16 @@
-# Baseline iperf test without Edera for comparison
+# iperf baseline benchmark without Edera - client and server in same pod
 apiVersion: v1
 kind: Pod
 metadata:
- name: iperf-server-baseline
- labels:
- app: iperf-server-baseline
+ name: iperf-baseline
 spec:
 # No runtimeClassName - uses default runtime
 containers:
- - name: iperf
+ - name: iperf-server
 image: networkstatic/iperf3:latest
 command: ["iperf3", "-s"]
 ports:
 - containerPort: 5201
----
-apiVersion: v1
-kind: Service
-metadata:
- name: iperf-server-baseline
-spec:
- selector:
- app: iperf-server-baseline
- ports:
- - port: 5201
- targetPort: 5201
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: iperf-client-baseline
-spec:
- containers:
- - name: iperf
+ - name: iperf-client
 image: networkstatic/iperf3:latest
 command: ["sleep", "3600"]
diff --git a/pov-validation/performance/iperf-client.yaml b/pov-validation/performance/iperf-client.yaml
deleted file mode 100644
index 42e89f5..0000000
--- a/pov-validation/performance/iperf-client.yaml
+++ /dev/null
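Review bot: `image: networkstatic/iperf3:latest` is a mutable Docker Hub tag, so the baseline pod and the Edera pod can end up running different iperf3 builds depending on when each node last pulled, and the "% of Baseline" figure is then comparing different binaries; the same applies to `iperf-edera.yaml`, `fedora:latest` in `kcbench-baseline.yaml`, and `severalnines/sysbench:latest` in both sysbench manifests. Pin every benchmark image to an immutable reference, e.g. `image: networkstatic/iperf3@sha256:<digest>` (placeholder), and use the identical reference on both sides of each comparison. Pinning also keeps the pulled content auditable, which matters for a suite whose purpose is to produce numbers a customer will trust.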
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: iperf-client
-spec:
- runtimeClassName: edera
- containers:
- - name: iperf
- image: networkstatic/iperf3:latest
- command: ["sleep", "3600"]
diff --git a/pov-validation/performance/iperf-edera.yaml b/pov-validation/performance/iperf-edera.yaml
new file mode 100644
index 0000000..86fdaf1
--- /dev/null
+++ b/pov-validation/performance/iperf-edera.yaml
@@ -0,0 +1,16 @@
+# iperf benchmark with Edera - client and server in same pod (same zone)
+apiVersion: v1
+kind: Pod
+metadata:
+ name: iperf-edera
+spec:
+ runtimeClassName: edera
+ containers:
+ - name: iperf-server
+ image: networkstatic/iperf3:latest
+ command: ["iperf3", "-s"]
+ ports:
+ - containerPort: 5201
+ - name: iperf-client
+ image: networkstatic/iperf3:latest
+ command: ["sleep", "3600"]
diff --git a/pov-validation/performance/iperf-server.yaml b/pov-validation/performance/iperf-server.yaml
deleted file mode 100644
index 38799e2..0000000
--- a/pov-validation/performance/iperf-server.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: iperf-server
- labels:
- app: iperf-server
-spec:
- runtimeClassName: edera
- containers:
- - name: iperf
- image: networkstatic/iperf3:latest
- command: ["iperf3", "-s"]
- ports:
- - containerPort: 5201
----
-apiVersion: v1
-kind: Service
-metadata:
- name: iperf-server
-spec:
- selector:
- app: iperf-server
- ports:
- - port: 5201
- targetPort: 5201
diff --git a/pov-validation/performance/kbench-baseline.yaml b/pov-validation/performance/kbench-baseline.yaml
deleted file mode 100644
index 31f2ad7..0000000
--- a/pov-validation/performance/kbench-baseline.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# Baseline kbench test without Edera for comparison
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kbench-baseline
-spec:
- template:
- spec:
- restartPolicy: Never
- containers:
- - name: kbench
- image: ghcr.io/edera-dev/kbench:latest
- resources:
- limits:
- cpu: "2"
- memory: "4Gi"
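Review bot: With `iperf-server` and `iperf-client` in one pod, the client's `iperf3 -c <pod IP>` (and `-c localhost` in the baseline) never leaves the pod's own network namespace, so what `iperf-compare` reports is loopback throughput inside the zone, not the node or pod-to-pod path that the deleted `iperf-server` Service exercised. If that is the intended measurement, state it in the header comment, e.g. `# Measures intra-pod loopback throughput only; does not exercise the node network path`, so nobody presents it as network performance; otherwise keep a two-pod variant for the cross-node case. The dropped Service also means port 5201 is no longer reachable from outside the pod, which is fine for a single-pod design but worth saying next to the `ports:` entry that now serves no external consumer.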
diff --git a/pov-validation/performance/kbench-edera.yaml b/pov-validation/performance/kbench-edera.yaml
deleted file mode 100644
index 7669aaa..0000000
--- a/pov-validation/performance/kbench-edera.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kbench-edera
-spec:
- template:
- spec:
- runtimeClassName: edera
- restartPolicy: Never
- containers:
- - name: kbench
- image: ghcr.io/edera-dev/kbench:latest
- resources:
- limits:
- cpu: "2"
- memory: "4Gi"
diff --git a/pov-validation/performance/kcbench-baseline.yaml b/pov-validation/performance/kcbench-baseline.yaml
new file mode 100644
index 0000000..0be7eb9
--- /dev/null
+++ b/pov-validation/performance/kcbench-baseline.yaml
@@ -0,0 +1,49 @@
+# CPU benchmark baseline (without Edera) using kcbench (kernel compilation)
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kcbench-baseline
+spec:
+ template:
+ spec:
+ # No runtimeClassName - uses default runtime
+ restartPolicy: Never
+ volumes:
+ - name: workspace
+ emptyDir:
+ sizeLimit: 15Gi
+ containers:
+ - name: kcbench
+ image: mirror.gcr.io/library/fedora:latest
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ echo "=== Baseline CPU Benchmark (kcbench) ==="
+
+ # Use workspace volume for all disk-heavy operations
+ export TMPDIR=/workspace/tmp
+ mkdir -p /workspace/tmp /workspace/dnf-cache
+
+ echo "Installing dependencies..."
+ dnf install -y --setopt=cachedir=/workspace/dnf-cache kcbench diffutils openssl openssl-devel-engine cpio
+
+ echo ""
+ echo "Running kernel compilation benchmark (kernel 6.11.3)..."
+ echo "This will take several minutes..."
+
+ # Run kcbench with work directory in workspace
+ cd /workspace
+ kcbench -i 1 -j $(nproc) -s 6.11.3
+
+ echo ""
+ echo "=== Benchmark Complete ==="
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+ resources:
+ requests:
+ memory: "4Gi"
+ cpu: "2"
+ limits:
+ memory: "4Gi"
+ cpu: "2"
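Review bot: The baseline and Edera kcbench jobs do not run the same workload: this one installs `kcbench` with `dnf` at runtime and runs `kcbench -i 1 -j $(nproc) -s 6.11.3`, while `kcbench-edera.yaml` extracts a bundled linux-6.6.70 tarball and times `make defconfig; make -j$(nproc)` by hand, so any percentage-of-baseline drawn from the two is comparing different kernels, different build configs and different timing methods. The `dnf install` and the kernel source fetch also run inside the job from a `fedora:latest` base, adding network and toolchain variance to a number that is supposed to isolate runtime overhead. Build one image that already contains kcbench and the same kernel tarball, use it for both Jobs, and run the identical command line in each; until then the header comment should say the two variants are not directly comparable.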
diff --git a/pov-validation/performance/kcbench-edera.yaml b/pov-validation/performance/kcbench-edera.yaml
new file mode 100644
index 0000000..dc10d31
--- /dev/null
+++ b/pov-validation/performance/kcbench-edera.yaml
@@ -0,0 +1,76 @@
+# CPU benchmark with Edera using kernel compilation
+# Uses pre-built image with all dependencies included
+# Requires 16GB memory and 8 CPUs for zone resources
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kcbench-edera
+spec:
+ template:
+ metadata:
+ annotations:
+ dev.edera/resource-policy: "dynamic"
+ dev.edera/initial-memory-request: "2048"
+ spec:
+ runtimeClassName: edera
+ restartPolicy: Never
+ volumes:
+ - name: workspace
+ emptyDir:
+ sizeLimit: 15Gi
+ containers:
+ - name: kcbench
+ image: ttl.sh/kcbench-prebuilt-v2:24h
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ set -ex
+ echo "=== Edera CPU Benchmark (kernel compilation) ==="
+ echo ""
+ echo "CPUs available: $(nproc)"
+ echo "Memory:"
+ free -h
+ echo ""
+ echo "Disk space:"
+ df -h
+ echo ""
+
+ # Setup workspace
+ mkdir -p /workspace/tmp
+ rm -rf /tmp 2>/dev/null || true
+ ln -sf /workspace/tmp /tmp
+ export TMPDIR=/workspace/tmp
+ export HOME=/workspace
+
+ # Extract kernel source
+ echo "Extracting kernel source..."
+ cd /workspace
+ tar -xf /usr/share/kcbench/linux-6.6.70.tar.xz
+ cd linux-6.6.70
+
+ # Configure and build
+ echo "Configuring kernel (defconfig)..."
+ make defconfig
+
+ echo ""
+ echo "Starting kernel compilation with $(nproc) CPUs..."
+ START=$(date +%s.%N)
+ make -j$(nproc)
+ END=$(date +%s.%N)
+
+ ELAPSED=$(echo "$END - $START" | bc)
+ echo ""
+ echo "=== Results ==="
+ echo "Compile time: ${ELAPSED} seconds"
+ echo "CPUs used: $(nproc)"
+ echo "=== Benchmark Complete ==="
+ volumeMounts:
+ - name: workspace
+ mountPath: /workspace
+ resources:
+ requests:
+ memory: "2Gi"
+ cpu: "2"
+ limits:
+ memory: "4Gi"
+ cpu: "2"
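Review bot: `image: ttl.sh/kcbench-prebuilt-v2:24h` points at an anonymous, unauthenticated ephemeral registry: the tag expires after the stated 24 hours, so this Job will stop pulling within a day, and until then the name resolves to whatever anyone last pushed under it, which is not an acceptable source for code that runs inside a customer's cluster during a POV. Publish the pre-built image to a registry the project controls (the previous kbench manifests used `ghcr.io/edera-dev/...`) and pin it by digest. The header comment also says `Requires 16GB memory and 8 CPUs for zone resources` while the pod requests 2Gi/2 CPU and limits 4Gi/2 CPU, so one of the two is stale and should be corrected. Under `set -ex` the `|| true` only protects `rm -rf /tmp`; a failing `ln -sf /workspace/tmp /tmp` aborts the job before any timing runs, which is reasonable but deserves a one-line comment so nobody "fixes" it into a silent failure.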
diff --git a/pov-validation/performance/sysbench-baseline.yaml b/pov-validation/performance/sysbench-baseline.yaml
new file mode 100644
index 0000000..d0cfb26
--- /dev/null
+++ b/pov-validation/performance/sysbench-baseline.yaml
@@ -0,0 +1,38 @@
+# CPU benchmark baseline (without Edera) using sysbench
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: sysbench-baseline
+spec:
+ template:
+ spec:
+ # No runtimeClassName - uses default runtime
+ restartPolicy: Never
+ containers:
+ - name: sysbench
+ image: severalnines/sysbench:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ echo "=== Baseline CPU Benchmark (sysbench) ==="
+ echo ""
+ echo "System info:"
+ echo "CPUs available: $(nproc)"
+ cat /proc/cpuinfo | grep "model name" | head -1
+ echo ""
+ echo "Running CPU benchmark (10 seconds, prime numbers to 20000)..."
+ echo ""
+ sysbench cpu --cpu-max-prime=20000 --threads=2 --time=10 run
+ echo ""
+ echo "Running CPU benchmark (60 seconds for more stable results)..."
+ echo ""
+ sysbench cpu --cpu-max-prime=20000 --threads=2 --time=60 run
+ echo ""
+ echo "=== Benchmark Complete ==="
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "2"
+ limits:
+ memory: "512Mi"
+ cpu: "2"
diff --git a/pov-validation/performance/sysbench-edera.yaml b/pov-validation/performance/sysbench-edera.yaml
new file mode 100644
index 0000000..ca12f4a
--- /dev/null
+++ b/pov-validation/performance/sysbench-edera.yaml
@@ -0,0 +1,39 @@
+# CPU benchmark with Edera using sysbench
+# Uses pre-built image to avoid package manager issues in zones
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: sysbench-edera
+spec:
+ template:
+ spec:
+ runtimeClassName: edera
+ restartPolicy: Never
+ containers:
+ - name: sysbench
+ image: severalnines/sysbench:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ echo "=== Edera CPU Benchmark (sysbench) ==="
+ echo ""
+ echo "System info:"
+ echo "CPUs available: $(nproc)"
+ cat /proc/cpuinfo | grep "model name" | head -1
+ echo ""
+ echo "Running CPU benchmark (10 seconds, prime numbers to 20000)..."
+ echo ""
+ sysbench cpu --cpu-max-prime=20000 --threads=2 --time=10 run
+ echo ""
+ echo "Running CPU benchmark (60 seconds for more stable results)..."
+ echo ""
+ sysbench cpu --cpu-max-prime=20000 --threads=2 --time=60 run
+ echo ""
+ echo "=== Benchmark Complete ==="
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "2"
+ limits:
+ memory: "512Mi"
+ cpu: "2"
From 2c44acf10fb3affefc1e47446383347a86c3a19d Mon Sep 17 00:00:00 2001 From: Ann Wallace Date: Fri, 23 Jan 2026 13:11:24 -0800 Subject: [PATCH 4/6] Update operations tests with working Edera metrics setup - Fix ServiceMonitor to scrape Edera metrics at port 3035 - Add Service and Endpoints for node-level metrics endpoint - Use helm upgrade --install for idempotent installs - Fix Grafana password retrieval command in output --- pov-validation/Makefile | 7 ++-- .../operations/edera-servicemonitor.yaml | 38 +++++++++++++++++-- 2 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/pov-validation/Makefile b/pov-validation/Makefile
index 096a2ea..c6d111c 100644
--- a/pov-validation/Makefile
+++ b/pov-validation/Makefile
@@ -218,15 +218,16 @@ kcbench-baseline:
 grafana-install:
 helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
 helm repo update
- helm install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace
+ helm upgrade --install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace
 @echo ""
 @echo "Access Grafana with: kubectl port-forward -n monitoring svc/prometheus-grafana 3000:80"
- @echo "Default credentials: admin/prom-operator"
+ @echo "Get password with: kubectl get secret -n monitoring prometheus-grafana -o jsonpath='{.data.admin-password}' | base64 -d && echo"
+ @echo "Username: admin"
 kyverno-install:
 helm repo add kyverno https://kyverno.github.io/kyverno/
 helm repo update
- helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace
+ helm upgrade --install kyverno kyverno/kyverno --namespace kyverno --create-namespace
 kyverno-test:
 kubectl create namespace secure-workloads --dry-run=client -o yaml | kubectl apply -f -
diff --git a/pov-validation/operations/edera-servicemonitor.yaml b/pov-validation/operations/edera-servicemonitor.yaml
index b5a2327..4ef20cb 100644
--- a/pov-validation/operations/edera-servicemonitor.yaml
+++ b/pov-validation/operations/edera-servicemonitor.yaml
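Review bot: Both `helm upgrade --install` lines still carry no `--version`, so every run of `grafana-install` or `kyverno-install` deploys whatever chart version the upstream repo serves that day, and a POV that worked last week can silently change behaviour (or, with `upgrade`, move an existing install to a new major) the next time someone runs `make`. Add `--version <chart-version>` (placeholder) to each invocation and treat bumping it as a deliberate change; the `falco-install` target in this file has the same gap. The replacement of the hard-coded `admin/prom-operator` hint with the `kubectl get secret … | base64 -d` command is the right direction.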
@@ -1,15 +1,47 @@
+# ServiceMonitor for Edera Protect metrics
+# Requires a headless Service pointing to Edera node(s)
+apiVersion: v1
+kind: Service
+metadata:
+ name: edera-protect-metrics
+ namespace: monitoring
+ labels:
+ app: edera-protect
+spec:
+ clusterIP: None
+ ports:
+ - name: metrics
+ port: 3035
+ targetPort: 3035
+---
+# Endpoints must be created manually with Edera node IPs
+# Replace NODE_IP with your Edera node's internal IP
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: edera-protect-metrics
+ namespace: monitoring
+subsets:
+- addresses:
+ - ip: NODE_IP # Replace with: kubectl get nodes -l runtime=edera -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}'
+ ports:
+ - name: metrics
+ port: 3035
+---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: edera-protect
 namespace: monitoring
+ labels:
+ release: prometheus # Match Prometheus selector
 spec:
 selector:
 matchLabels:
 app: edera-protect
+ namespaceSelector:
+ matchNames:
+ - monitoring
 endpoints:
 - port: metrics
 interval: 30s
- namespaceSelector:
- matchNames:
- - kube-system
From 8d450d6ffbf5a2f58ebbb096074a056dc4720563 Mon Sep 17 00:00:00 2001 From: Ann Wallace Date: Tue, 27 Jan 2026 14:22:29 -0800 Subject: [PATCH 5/6] Add zone kernel 6.16 annotation for Falco support --- pov-validation/security/falco-test.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/pov-validation/security/falco-test.yaml b/pov-validation/security/falco-test.yaml
index a010baf..b405474 100644
--- a/pov-validation/security/falco-test.yaml
+++ b/pov-validation/security/falco-test.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Pod
 metadata:
 name: falco-test
+ annotations:
+ dev.edera/kernel: ghcr.io/edera-dev/zone-kernel:6.16
 spec:
 runtimeClassName: edera
 containers:
From ce8a7387aa97d8e6424fa5e8affbdd7eb74df455 Mon Sep 17 00:00:00 2001
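Review bot: The `Endpoints` object ships with `ip: NODE_IP`, which is not a valid address, so `kubectl apply -f operations/edera-servicemonitor.yaml` is rejected by API validation until someone hand-edits the file, and because nothing reconciles a manually created Endpoints the scrape target goes stale the moment the Edera node's InternalIP changes or a second Edera node is added, with Prometheus reporting the target as down rather than the data being wrong. Since the comment already contains the `kubectl get nodes -l runtime=edera -o jsonpath=...` expression, generate the Endpoints from the Makefile (or use an EndpointSlice built from that query) instead of asking the operator to paste an IP; a selector-backed Service over a DaemonSet exposing port 3035 would remove the manual step entirely. The endpoint also sets no `scheme`, `tlsConfig` or `bearerTokenSecret`, so the scrape is plain HTTP to a node IP; if that is how the Edera metrics port is exposed, say so in the header comment and note that reachability should be limited to the monitoring namespace.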
From: Ann Wallace Date: Fri, 30 Jan 2026 06:44:30 -0800 Subject: [PATCH 6/6] Fix Falco plugin config: mirror_host_syscalls false, simplify rules --- .../security/falco/falco-edera-values.yaml | 36 +++++-------------- 1 file changed, 9 insertions(+), 27 deletions(-) diff --git a/pov-validation/security/falco/falco-edera-values.yaml b/pov-validation/security/falco/falco-edera-values.yaml index 196277e..d1c8f27 100644 --- a/pov-validation/security/falco/falco-edera-values.yaml +++ b/pov-validation/security/falco/falco-edera-values.yaml 
@@ -25,49 +25,31 @@ falco:
 - name: edera
 library_path: /var/lib/edera/protect/falco/libedera_falco_plugin.so
 init_config:
- mirror_host_syscalls: true
+ mirror_host_syscalls: false
 load_plugins: [edera]
 # Add custom Edera detection rules
 customRules:
 edera-rules.yaml: |-
- - macro: open_read_edera
- condition: (evt.pluginname == "edera")
- - rule: Edera Events
- desc: >
- Logs every syscall event from every running Edera zone, with no filtering.
- Useful for testing and understanding what events are available.
- source: edera_zone
- output: >
- Edera Event | time=%evt.time zone_id=%edera.zone.id evt.type=%evt.type
- syscall.type=%syscall.type evt.category=%evt.category evt.dir=%evt.dir
- proc.exe=%proc.exe evt.args=%evt.args is_open=%evt.type.is[open]
- priority: WARNING
- tags: [edera_zone, filesystem]
- condition: >
- open_read_edera
- - rule: Edera Sensitive File Read
- desc: Detects when a process in an Edera zone reads sensitive files
+ - rule: Edera Zone Activity
+ desc: Detects file access inside Edera zones
 source: edera_zone
 output: >
- Sensitive file read in zone | zone_id=%edera.zone.id proc=%proc.exe
- file=%fd.name
- priority: WARNING
+ Zone file access | zone_id=%edera.zone.id proc=%proc.exe
+ evt.type=%evt.type evt.args=%evt.args
+ priority: DEBUG
 condition: >
 evt.pluginname == "edera" and
- evt.type == open and
- (fd.name startswith /etc/shadow or fd.name startswith /etc/passwd)
+ evt.type == open
 - rule: Edera Process Execution
- desc: Logs all process executions inside Edera zones
+ desc: Detects process execution inside Edera zones
 source: edera_zone
 output: >
 Process executed in zone | zone_id=%edera.zone.id proc=%proc.exe
 cmdline=%proc.cmdline
- priority: NOTICE
+ priority: WARNING
 condition: >
 evt.pluginname == "edera" and
 evt.type == execve
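Review bot: Replacing `Edera Sensitive File Read` with `Edera Zone Activity` at `priority: DEBUG` drops the only alert-level file-access rule: a read of `/etc/shadow` or `/etc/passwd` inside a zone no longer produces a WARNING, while every `open` in every zone now emits a DEBUG event, which is either filtered out by the deployment's minimum priority or becomes a very high-volume stream that hides the process-execution WARNINGs. If the `fd.name` condition was removed because the plugin does not populate that field with `mirror_host_syscalls: false`, say so in a comment above the rule; otherwise keep the narrow sensitive-file rule next to the broad DEBUG one. The flip of `mirror_host_syscalls` to `false` is the security-relevant change here and the values file gives no rationale for it; a one-line comment on that key stating what is and is not captured afterwards (hedged until confirmed against the plugin docs) would save the next reader from guessing whether host-side visibility was lost intentionally.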