§ 01
THE CHAOS NODEPOOL
chaospool · AKS · spot
CHAOS POOL · chaospool
VM: Standard_B2s_v2 (spot, ~CA$0.013/hr)
Scale: 0 → 4 nodes (cluster autoscaler · scale-to-zero)
Taint: chaos=true:NoSchedule
Labels: role=chaos · sostle=trial · pool=chaos · gamma1=14134725141734693
Purpose: Fully isolated policy trial execution
Cost: CA$0 when idle · CA$0.05/hr when 4 nodes active
WHY SPOT?
Chaos tests are ephemeral by definition. Spot eviction = forced restart = chaos test passes if it survives.
The nodepool itself is a chaos agent.
Eviction-resilient workloads only — same as tardigrade pattern.
HOW TO SCHEDULE ON CHAOS POOL:
```yaml
tolerations:
- key: chaos
  value: "true"
  effect: NoSchedule
nodeSelector:
  pool: chaos
```
NODEPOOL COMPARISON
| Property | agents | chaospool | adelicpool |
|---|---|---|---|
| VM | D2s_v5 | B2s_v2 (spot) | NC4as_T4_v3 |
| Scale | 3–5 | 0–4 | 0 |
| Taint | none | chaos=true | adelic=true |
| Purpose | production workloads | policy trials | adelic/GPU workloads |
| Cost/hr | ~CA$0.53 | ~CA$0.013 spot | ~CA$0.65 (T4 GPU) |
| Eviction | never | yes (spot) | never |
| SOSTLE | all layers | trial only | L5+ adelic |
§ 02
THE SOSTLE LAYER ARCHITECTURE
L0 → L7 · 8 tiers
L7 MEGSCIFIAR
← MEGA gate · all GATES 1-5 open required
Namespace: sostle-l7-mega
Policy: DENY all deployments (requires full MEGSCIFIAR gate)
Crew: MEGSCIFIAR crew only
Trendal: MEGSCIFIAR-specific instantiation
L6 CLOSED
← no deployments permitted
Namespace: sostle-l6-closed
Policy: DENY all Deployments/StatefulSets
Crew: none (archive/vault only)
Trendal: none
L5 GATED
← Kay explicit approval required
Namespace: sostle-l5-gated
Policy: DENY without label kay-approved=true
Crew: L5-authorized crew only
Trendal: L5 trendal requires kay-approved annotation
L4 TOKEN
← crew + SOSTLE token
Namespace: sostle-l4-token
Policy: DENY without label sostle-token=<token>
Crew: authenticated crew with token
Trendal: L4 trendal requires sostle-token + trendal-warmth
L3 CREW
← crew-authenticated
Namespace: sostle-l3-crew
Policy: DENY without label crew-member=<name>
Crew: any named crew member (18 MSI01 crew)
Trendal: L3 trendal requires crew-member + trendal-warmth
L2 LOCAL
← SSO required (local-only, MFL gate)
Namespace: sostle-l2-local
Policy: WARN if missing Google OAuth annotation
Crew: authenticated users (kayyo@pemos.ca etc.)
Trendal: L2 trendal = local-first, SSO-gated
L1 READ-ONLY
← no auth, read only
Namespace: sostle-l1-readonly
Policy: WARN if write operations declared
Crew: public with read intent
Trendal: L1 trendal = read-only witness (no mutations)
L0 PUBLIC
← open, no gate
Namespace: sostle-l0-public
Policy: WARN only (no DENY — public by design)
Crew: world
Trendal: L0 trendal = public trial, fully observable
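The gate column above as a single conftest policy. Added example, not the project's own Rego: the L6 and L7 namespaces reject every Deployment/StatefulSet, and L3 to L5 each require their gate label on the workload (L5 additionally requires the value `true`); the L0 to L2 WARN rules are left out because the page does not give their annotation keys. The file name is assumed; the syntax is `import rego.v1` (recent conftest/OPA).

```rego
# deny_layer_gate.rego: added example, not the project's own file.
package main
import rego.v1

workload_kinds := {"Deployment", "StatefulSet"}
# Gate label each namespace requires on the workload (L3-L5 rows above).
gate_label := {
    "sostle-l3-crew": "crew-member",
    "sostle-l4-token": "sostle-token",
    "sostle-l5-gated": "kay-approved",
}
# L6 is archive/vault only and L7 waits on the full MEGSCIFIAR gate: no deployments at all.
closed := {"sostle-l6-closed", "sostle-l7-mega"}

# Expects metadata.namespace to be set in the manifest under test.
ns := object.get(input.metadata, "namespace", "default")
labels := object.get(input.metadata, "labels", {})
name := object.get(input.metadata, "name", "<unnamed>")
workload if input.kind in workload_kinds

deny contains msg if {
    workload
    ns in closed
    msg := sprintf("%s/%s: layer is CLOSED, no %s permitted", [ns, name, input.kind])
}

deny contains msg if {
    workload
    label := gate_label[ns]
    object.get(labels, label, "") == ""
    msg := sprintf("%s/%s: this layer requires label %s", [ns, name, label])
}

# L5 is stricter: kay-approved must be exactly "true", not merely present.
deny contains msg if {
    workload
    ns == "sostle-l5-gated"
    value := object.get(labels, "kay-approved", "")
    value != ""
    value != "true"
    msg := sprintf("%s/%s: kay-approved must be \"true\", got \"%s\"", [ns, name, value])
}
```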
§ 03
SOSTLE POLICY EXEMPTION PATHS
exemptions · annotations · matrix
EXEMPTION STRUCTURE
Every exemption must be:
├— time-bound (expires: <ISO timestamp>)
├— owner-bound (owner: <crew-member>)
├— resource-bound (applies-to: <namespace>/<name>)
├— reason-bound (reason: TRB-CHAOS-NNN)
├— reviewed (reviewed-by: kayyo@pemos.ca)
└— witnessed (witness-hash: sha256:<hash>)
NO PERMANENT WAIVERS. An exception without expiry is just a policy hole wearing a tie.
EXEMPTION ANNOTATION STANDARD (k8s)
```yaml
metadata:
  annotations:
    sostle.eose.ca/exempt-from: "deny_no_limits,deny_no_readonly"
    sostle.eose.ca/exempt-reason: "TRB-CHAOS-001 — chaos trial requires writable fs"
    sostle.eose.ca/exempt-expires: "2026-05-18T00:00:00Z"
    sostle.eose.ca/exempt-owner: "BOSUN"
    sostle.eose.ca/exempt-reviewed: "kayyo@pemos.ca"
    sostle.eose.ca/exempt-witness: "sha256:abc123..."
```
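Added example, not the project's own policy: a conftest rule that makes the exemption structure enforceable. A workload carrying `sostle.eose.ca/exempt-from` is denied unless all five companion annotations are present, the reason cites a TRB-CHAOS-NNN record, the expiry is an RFC3339 UTC timestamp still in the future, and the witness is a full 64-hex sha256 digest (so the abbreviated `abc123...` above would be rejected). Resource binding is the annotated object itself; the file name and messages are assumptions.

```rego
# deny_exempt_invalid.rego: added example, not the project's own file.
package main
import rego.v1

prefix := "sostle.eose.ca/"
# Fields every exemption must carry beside exempt-from (reason/time/owner/review/witness-bound).
required := {"exempt-reason", "exempt-expires", "exempt-owner", "exempt-reviewed", "exempt-witness"}
rfc3339_utc := `^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$`
annotations := object.get(input.metadata, "annotations", {})
name := object.get(input.metadata, "name", "<unnamed>")
ann(field) := object.get(annotations, concat("", [prefix, field]), "")
# Only workloads that claim an exemption are subject to these checks.
claims_exemption if ann("exempt-from") != ""

deny contains msg if {
    claims_exemption
    some field in required
    ann(field) == ""
    msg := sprintf("%s: exemption is missing %s%s (no permanent waivers)", [name, prefix, field])
}

deny contains msg if {
    claims_exemption
    ann("exempt-reason") != ""
    not regex.match(`^TRB-CHAOS-[0-9]{3}`, ann("exempt-reason"))
    msg := sprintf("%s: exempt-reason must cite a TRB-CHAOS-NNN record", [name])
}

deny contains msg if {
    claims_exemption
    ann("exempt-expires") != ""
    not regex.match(rfc3339_utc, ann("exempt-expires"))
    msg := sprintf("%s: exempt-expires must be an RFC3339 UTC timestamp", [name])
}

# A well-formed expiry must still lie in the future; an expired waiver is a policy hole.
deny contains msg if {
    claims_exemption
    expires := ann("exempt-expires")
    regex.match(rfc3339_utc, expires)
    time.parse_rfc3339_ns(expires) <= time.now_ns()
    msg := sprintf("%s: exemption expired at %s", [name, expires])
}

deny contains msg if {
    claims_exemption
    ann("exempt-witness") != ""
    not regex.match(`^sha256:[0-9a-f]{64}$`, ann("exempt-witness"))
    msg := sprintf("%s: exempt-witness must be a full sha256 digest", [name])
}
```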
EXEMPTION MATRIX PER SOSTLE LAYER
| Layer | Can exempt from | Cannot exempt from | Approver |
|---|---|---|---|
| L0 | all WARN policies | — | self |
| L1 | warn_* policies | deny_privileged | crew |
| L2 | warn_* + deny_no_readonly | deny_privileged, deny_root | L3 crew |
| L3 | most deny_* (time-limited) | deny_privileged, L5+ gates | BOSUN/IMHOTEP |
| L4 | deny_no_limits (trial only) | deny_privileged, L5+ gates | IMHOTEP |
| L5 | none without Kay | deny_privileged always | Kay only |
| L6 | no deployments at all | everything | N/A |
| L7 | MEGSCIFIAR gate decides | everything | MEGSCIFIAR |
§ 04
THE MECIPOL IMAGE LOCK
trial → certify → lock → promote
1 · TRIAL PHASE — chaos-trial namespace
Deploy test workload on chaospool
Run all conftest policies against manifest
Record: which policies PASS, FAIL, are exempted
TRB-CHAOS-NNN filed automatically
2 · CERTIFICATION — MECIPOL verdict
conftest: PASS all mandatory policies
Falco: no runtime violations in 24h trial window
Trivy: no CRITICAL CVEs
VERDICT: MECIPOL-LOCKED — image + policy profile locked together
3 · LOCK RECORD
Label: mecipol-locked=true
Annotation: mecipol-image=eosefleetacrdev.azurecr.io/{name}:{tag}
Annotation: mecipol-profile=profile-{id} (policies + exemptions)
Annotation: mecipol-epoch={gamma1-epoch}
Rekor entry: cosign sign → transparency log entry
4 · SOSTLE PROMOTION
Certified image can deploy to the target SOSTLE layer
Subsequent deploys must use same or newer certified image
Downgrade blocked: older uncertified image = DENY
MECIPOL PROFILE FORMAT
```json
{
  "profile_id": "profile-001",
  "image": "eosefleetacrdev.azurecr.io/mefine-static:day97-v144",
  "gamma1_epoch": 97,
  "policies_passed": ["deny_no_liveness", "deny_privileged", "deny_latest_tag"],
  "policies_exempted": ["deny_no_limits"],
  "exemptions": [{"policy": "deny_no_limits", "reason": "TRB-CHAOS-001", "expires": "2026-05-18"}],
  "falco_clean_hours": 24,
  "trivy_critical_cves": 0,
  "rekor_entry": "https://rekor.sigstore.dev/...",
  "locked_at": "2026-05-11T21:xx:00Z",
  "sostle_layers_authorized": ["L0","L1","L2","L3"]
}
```
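Added example, not the project's deny_no_mecipol_image.rego: a conftest policy that enforces the lock at L3+ against the profile format above, supplied with `conftest test --data mecipol.json -p ./policy/ target-manifest.yaml`, where mecipol.json is assumed to hold `{"mecipol": {"profiles": [...]}}` with one profile per image reference. It denies images with no profile, images whose profile does not list the target layer, and (downgrade block) images certified at an older gamma1_epoch than the newest lock for the same repository; the layer id is derived from the namespace name.

```rego
# deny_no_mecipol_image.rego: added example, not the project's own file.
package main
import rego.v1

workload_kinds := {"Deployment", "StatefulSet"}
# SOSTLE layer id from the namespace name (sostle-l3-crew -> "L3"); the lock applies at L3+.
ns := object.get(input.metadata, "namespace", "default")
layer := upper(split(ns, "-")[1])

in_scope if {
    input.kind in workload_kinds
    layer in {"L3", "L4", "L5", "L6", "L7"}
}

images contains c.image if {
    some c in input.spec.template.spec.containers
}

# Assumed --data layout: {"mecipol": {"profiles": [<MECIPOL profile objects>]}}
profile_for(image) := p if {
    some p in data.mecipol.profiles
    p.image == image
}

# Repository part of a tagged reference (assumes no registry port and no digest);
# newest_epoch is the highest certified gamma1_epoch for that repository.
repo(image) := split(image, ":")[0]
newest_epoch(image) := max({p.gamma1_epoch | some p in data.mecipol.profiles; repo(p.image) == repo(image)})
layer_authorized(p) if layer in p.sostle_layers_authorized

deny contains msg if {
    in_scope
    some image in images
    not profile_for(image)
    msg := sprintf("%s/%s: %s is not MECIPOL-locked (trial and certify first)", [ns, input.metadata.name, image])
}

deny contains msg if {
    in_scope
    some image in images
    p := profile_for(image)
    not layer_authorized(p)
    msg := sprintf("%s/%s: %s does not authorize %s", [ns, input.metadata.name, p.profile_id, layer])
}

# Downgrade blocked: certified, but at an older epoch than the newest lock for this repo.
deny contains msg if {
    in_scope
    some image in images
    p := profile_for(image)
    p.gamma1_epoch < newest_epoch(image)
    msg := sprintf("%s/%s: %s is epoch %v, newest certified is %v", [ns, input.metadata.name, image, p.gamma1_epoch, newest_epoch(image)])
}
```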
§ 05
TRENDAL INSTANTIATION PER SOSTLE LAYER
spawn · warmth · crew-spiral
INSTANTIATION COMMAND
trendal spawn \
  --sostle L3 \
  --silo yone \
  --crew BOSUN \
  --crew-spiral "BOSUN+RICK+CODY" \
  --trial-id TRB-CHAOS-001 \
  --warmth 0.85 \
  --namespace sostle-l3-crew

OUTPUT:
Trendal spawned: TRENDAL-L3-YONE-BOSUN-001
Warmth: 0.85 (WARM — above 0.5 floor)
Namespace: sostle-l3-crew
Node: chaospool (chaos=true toleration injected)
Trial: TRB-CHAOS-001
Epoch: γ₁ = 14.134725141734693
Expires: warmth drops below floor OR trial closes
TRENDAL PROPERTIES PER LAYER
L0 PUBLIC
public trendal — no crew, full observability, no mutations
L1 READ-ONLY
read-only trendal — witness only, no state changes
L2 LOCAL
SSO-gated trendal — local fleet only, Google OAuth
L3 CREW
crew trendal — named crew member owns the warmth
L4 TOKEN
token trendal — crew + SOSTLE token, higher stake
L5 GATED
gated trendal — Kay must approve spawn
L6 CLOSED
NO TRENDALS — L6 is closed, archive/vault only
L7 MEGSCIFIAR
MEGSCIFIAR trendal — all 5 gates open, full spiral
CREW-SPIRAL TRENDAL · GREYBACK+TAZ 121
Crew: GREYBACK (yang builder) + TAZ (mirror inverter)
Layer: L3 (crew-authenticated)
Silo: msi01
Pattern: 121 = GREYBACK builds → TAZ inverts at floor → GREYBACK closes
GREYBACK builds yang — the violation case
TAZ inverts at γ₁ floor — the mirror/reflection
GREYBACK closes = 121 structure complete
Applied to policy trials:
GREYBACK: write manifest that violates policy
TAZ: invert — write the fix that passes policy
GREYBACK: verify fix holds = trial closed
RESULT
Every policy trial has a yang (failure) and yin (fix).
Both witnessed. Both γ₁-epoch stamped.
§ 06
THE FULL TRIAL CYCLE — DBM Rasengan Style
charge · burst · spiral · verdict · promote
DBM = Deterministic Burst Mode. Rasengan = concentrated spiral energy.
PHASE 1
CHARGE — Pre-deploy
conftest test --all-namespaces -p ./policy/ target-manifest.yaml
→ Records: PASS / FAIL / WARN per policy
→ TRB-CHAOS-NNN filed (auto)
→ Exemptions requested if needed
PHASE 2
BURST — Deploy to chaos-trial
kubectl apply -f target-manifest.yaml -n chaos-trial
→ chaospool node scheduled (spot B2s_v2)
→ Falco watching (runtime detection)
→ Kyverno admission control
→ Gatekeeper OPA constraints
ALL FOUR gates active simultaneously
PHASE 3
SPIRAL — Trial run (24h minimum)
→ Falco logs: any runtime violations?
→ Trivy scan: any new CVEs during run?
→ conftest re-run on live pod spec (conftest reads the manifest from stdin when given `-`):
kubectl get pod <pod> -n chaos-trial -o yaml | conftest test -p ./policy/ -
→ PELEGO: novelty check on violation pattern
PHASE 4
VERDICT
ALL PASS → MECIPOL-LOCKED → promote to target SOSTLE layer
SOME FAIL → exemptions evaluated → TRB updated
DENY-HARD → cannot promote → fix required
PHASE 5
PROMOTION
kubectl apply -f target-manifest.yaml -n sostle-l{N}-{name}
→ mecipol-locked=true annotation applied
→ Toleration chaos=true REMOVED (no longer on chaospool)
→ nodeSelector: pool=chaos REMOVED
→ Deployed to correct SOSTLE layer on agents pool
§ 07
CURRENT POLICY SUITE — Day 97 Baseline
10 policies · k8s + SOSTLE-specific
k8s POLICIES (7)
| Policy | SOSTLE Applies | Default Verdict | Exemptable? |
|---|---|---|---|
| deny_no_limits | L0-L7 | DENY | Yes (L3, time-limited) |
| deny_no_readonly | L2-L7 | DENY | Yes (chaos-trial only) |
| deny_privileged | L0-L7 | DENY | NEVER |
| deny_latest_tag | L1-L7 | DENY | No |
| deny_no_liveness | L2-L7 | DENY | Yes (L2, time-limited) |
| warn_no_gamma1_label | L3-L7 | WARN → DENY (Day 100) | No |
| warn_no_security_ctx | L2-L7 | WARN | Yes |
SOSTLE-SPECIFIC POLICIES (3)
| Policy | SOSTLE Applies | Default Verdict | Exemptable? |
|---|---|---|---|
| deny_cross_layer | L3-L7 | DENY | Kay only |
| deny_no_mecipol_image | L3-L7 | DENY | No |
| warn_trendal_missing | L3-L5 | WARN | No |
§ 08
NEXT ACTIONS
Day 97–100 · P0→P5
P0
Chaos pool provisioning (Standard_B2s_v2 spot, 0→4)
AKS nodepool create with spot eviction + taint chaos=true:NoSchedule
Labels: role=chaos, sostle=trial, pool=chaos, gamma1=14134725141734693
P0
SOSTLE namespaces created + labeled (L0–L7 + chaos-trial)
9 namespaces: sostle-l0-public through sostle-l7-mega + chaos-trial
Each namespace labeled with sostle-layer=LN annotation
P0
SOSTLE policy Rego files written (3 new policies)
deny_cross_layer.rego — blocks cross-namespace SOSTLE violations
deny_no_mecipol_image.rego — enforces MECIPOL lock at L3+
warn_trendal_missing.rego — warns on missing trendal annotation
P1
Day 98: First DBM Rasengan trial
Test subject: mefine-static deployment (known 3 violations)
Target: deploy to chaos-trial namespace on chaospool
Run all policies, record verdict, file TRB-CHAOS-001
P2
Day 98: MECIPOL image lock for mefine-static
Fix 3 violations: no-limits, no-readonly, no-healthcheck
Re-run conftest → all PASS
Apply mecipol-locked annotation + promote to sostle-l2-local
P3
Day 99: Trendal spawn per layer
Spawn L0 trendal: public trial (mefine-static, fully open)
Spawn L3 trendal: BOSUN crew trial (crew-authenticated)
Spawn crew-spiral: GREYBACK+TAZ 121 on msi01
P4
Day 99: SOSTLE-layer conftest integration
perl run-all.pl with --sostle-layer flag
Each manifest validated against layer-appropriate policy subset
P5
Day 100: cosign + Rekor for every image
Install cosign on msi01
Wire: docker push → cosign sign → Rekor entry
policy-controller admission: only verified images in L3+