CONTAINER LAYER DASHBOARD V13 · eose-dev k3s
EVERY LAYER. EVERY GATE. EVERY CONTAINER.
PER-LAYER VERDICTS · 6 GATES LIVE · CHAOS TEST READY · WPA SCORED
γ₁ = 14.134725141734693 · eose-dev 192.168.2.21 · Day 97 · Gatekeeper+Kyverno+Falco+Trivy all Running
GATE STATUS BAR — LIVE
GATE 1
TRIVY
● SCANNING
CVE scans: active
SBOM: generating
KCF: EB-8
GATE 2
GATEKEEPER
● 2/2 RUNNING
Webhook: active
Constraints: 0 deployed
KCF: EA-64..73
GATE 3
FALCO
● eBPF RUNNING
Driver: modern_ebpf
Rules: default loaded
KCF: EA-75..80
GATE 4
KYVERNO
● 4/4 RUNNING
Admission: active
Policies: 0 deployed
KCF: EA-65,69
GATE 5
MEROSTONE
◐ 82 KCF READY
Controls: 82 defined
γ₁-anchored: yes
KCF: ALL
GATE 6
MECIPOL
● D1-D10 LIVE
QE Floor: eose-dev
D1-D7: defined
D8-D10: confirmed
CONTAINER LAYER VERDICTS — eose-dev k3s WORKLOADS
COLUMNS: CONTAINER / LAYER · IMAGE (MSH) · IDENTITY (PID) · RUNTIME (OBX) · NETWORK (AL1) · LINEAGE (IN1) · VERDICT (DG1)
qdrant
eose-dev ns · :30333
IMAGE (MSH): docker.io · no cosign · digest ok
IDENTITY (PID): no GID label · SOSTLE: unset
RUNTIME (OBX): no limits · no seccomp
NETWORK (AL1): no netpol
LINEAGE (IN1): no SBOM · unsigned
VERDICT (DG1): ADMIT-WATCH · raincheque filed
redis
eose-dev ns · :30379
IMAGE (MSH): docker.io · no cosign · digest ok
IDENTITY (PID): no GID label · SOSTLE: unset
RUNTIME (OBX): no limits · no seccomp
NETWORK (AL1): no netpol
LINEAGE (IN1): no SBOM · unsigned
VERDICT (DG1): ADMIT-WATCH · raincheque filed
neo4j
eose-dev ns · :30474
IMAGE (MSH): docker.io · no cosign · digest ok
IDENTITY (PID): no GID label · SOSTLE: unset
RUNTIME (OBX): no limits · no seccomp
NETWORK (AL1): no netpol
LINEAGE (IN1): no SBOM · unsigned
VERDICT (DG1): ADMIT-WATCH · raincheque filed
kanidm
docker · healthy 2w
IMAGE (MSH): kanidm/server · no cosign
IDENTITY (PID): no GID
RUNTIME (OBX): no limits
NETWORK (AL1): LAN only
LINEAGE (IN1): unsigned
VERDICT (DG1): ADMIT-WATCH
mefine-static
pemos-system · v135
IMAGE (MSH): eosefleetacrdevday97-v135
IDENTITY (PID): pemos-system ns
RUNTIME (OBX): limits set
NETWORK (AL1): ingress only
LINEAGE (IN1): ACR provenance
VERDICT (DG1): ADMIT
NEXT STEPS — CLOSE THE WATCH GAPS
QUICK WINS (eose-dev k3s)
1. Add GID + SOSTLE labels to qdrant/redis/neo4j manifests
2. Set resource limits (CPU/RAM requests+limits)
3. Deploy Gatekeeper constraint templates (KCF EA-64..73)
4. Deploy Kyverno policies (image verify, label enforcement)
5. Add NetworkPolicy to eose-dev namespace
6. Wire Trivy SBOM output to MECIPOL D3 check
GATE CONSTRAINT DEPLOY
Deploy KCF EA-64 constraint: GID label required
Deploy KCF EA-67 constraint: resource limits required
Deploy KCF EA-68 constraint: no privileged containers
Deploy KCF EA-69 constraint: registry allowlist
Deploy KCF EA-70 constraint: label schema enforced
→ Then re-run dashboard: qdrant/redis/neo4j → ADMIT
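Worked example (added here; not the dashboard's own code and not part of Gatekeeper or Kyverno): a small Python audit that evaluates a workload against the same five layers the verdict table uses and the constraints listed above (GID label EA-64, resource limits EA-67, no privileged EA-68, registry allowlist EA-69, label schema EA-70), so the quick wins can be checked before the constraint templates are deployed. The label keys, the ACR host in the allowlist, the sample digests and the verdict rule (any open gap gives ADMIT-WATCH, a clean sheet gives ADMIT) are assumptions; the page names the labels but not their manifest keys. It goes slightly beyond the table by also flagging unpinned images and privileged containers.

```python
"""Per-layer workload audit modelled on the container layer verdict table.

Added example, not the dashboard's or any gate's own code. Label keys, the
registry allowlist, sample digests and the ADMIT / ADMIT-WATCH rule are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GID_LABEL = "eose.dev/gid"          # assumed manifest key for the GID label (KCF EA-64)
SOSTLE_LABEL = "eose.dev/sostle"    # assumed manifest key for the SOSTLE label (KCF EA-70)
REGISTRY_ALLOWLIST = ("eosefleetacr.azurecr.io",)  # placeholder ACR host (KCF EA-69)
LAYERS = ("image", "identity", "runtime", "network", "lineage")


@dataclass
class Workload:
    """Facts about one container, gathered from its manifest and the cluster."""
    name: str
    namespace: str
    image: str
    labels: Dict[str, str] = field(default_factory=dict)
    limits_set: bool = False            # CPU/RAM requests+limits present
    seccomp_profile: Optional[str] = None
    privileged: bool = False
    netpol_present: bool = False        # a NetworkPolicy selects this workload
    cosign_verified: bool = False       # signature verified against a trusted key
    sbom_present: bool = False          # Trivy SBOM attached to the image


def registry_of(image: str) -> str:
    """Return the registry host of an image reference (docker.io when implicit)."""
    first = image.split("/")[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def audit(w: Workload) -> Dict[str, List[str]]:
    """Collect open gaps per layer; an empty list means the layer is clean."""
    gaps: Dict[str, List[str]] = {layer: [] for layer in LAYERS}
    # IMAGE (MSH): provenance of the artifact itself
    if registry_of(w.image) not in REGISTRY_ALLOWLIST:
        gaps["image"].append("registry not allowlisted (EA-69)")
    if "@sha256:" not in w.image:
        gaps["image"].append("no digest pin")
    if not w.cosign_verified:
        gaps["image"].append("no cosign")
    # IDENTITY (PID): required label schema
    if GID_LABEL not in w.labels:
        gaps["identity"].append("no GID label (EA-64)")
    if SOSTLE_LABEL not in w.labels:
        gaps["identity"].append("SOSTLE: unset (EA-70)")
    # RUNTIME (OBX): resource and kernel hardening
    if not w.limits_set:
        gaps["runtime"].append("no limits (EA-67)")
    if w.seccomp_profile is None:
        gaps["runtime"].append("no seccomp")
    if w.privileged:
        gaps["runtime"].append("privileged container (EA-68)")
    # NETWORK (AL1): east-west containment
    if not w.netpol_present:
        gaps["network"].append("no netpol")
    # LINEAGE (IN1): supply-chain evidence
    if not w.sbom_present:
        gaps["lineage"].append("no SBOM")
    if not w.cosign_verified:
        gaps["lineage"].append("unsigned")
    return gaps


def verdict(gaps: Dict[str, List[str]]) -> str:
    """Any open gap keeps the workload on watch; a clean sheet is admitted."""
    return "ADMIT" if not any(gaps.values()) else "ADMIT-WATCH"


def audit_all(workloads: List[Workload]) -> Dict[str, str]:
    """Map workload name to verdict, the way the table's last column does."""
    return {w.name: verdict(audit(w)) for w in workloads}


# Constructed sample workloads shaped after the table rows (digests are fake).
FAKE_DIGEST = "@sha256:" + "0" * 64
SAMPLES = [
    Workload("qdrant", "eose-dev", "docker.io/qdrant/qdrant" + FAKE_DIGEST),
    Workload("mefine-static", "pemos-system",
             "eosefleetacr.azurecr.io/mefine-static:v135" + FAKE_DIGEST,
             labels={GID_LABEL: "g-placeholder", SOSTLE_LABEL: "s-placeholder"},
             limits_set=True, seccomp_profile="RuntimeDefault",
             netpol_present=True, cosign_verified=True, sbom_present=True),
]

if __name__ == "__main__":
    for w in SAMPLES:
        g = audit(w)
        print(f"{w.name:<14} {verdict(g):<12} " +
              " | ".join(f"{layer}: {', '.join(g[layer]) or 'ok'}" for layer in LAYERS))
```

Running it prints one dashboard-style line per workload; qdrant lands on ADMIT-WATCH with the same gaps the table lists, and mefine-static on ADMIT. Each gap string carries the KCF id of the constraint that will turn it into an admission denial once the templates are deployed, which makes the script a cheap pre-flight for the quick wins list.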
CHAOS TEST PANEL
CHAOS + WPA STRESS TESTS — ALL GATES UNDER LOAD
WPA GATE LATENCY CONTRIBUTION
TRIVY · G1
~2s
per image scan
GATEKEEPER · G2
<10ms
admission webhook
FALCO · G3
<1ms
eBPF runtime
KYVERNO · G4
<15ms
policy webhook
MEROSTONE · G5
<5ms
82 KCF eval
MECIPOL · G6
<30ms
D1-D10 sweep
EOSE-DEV k3s GATE STACK VERDICT
4 GATES LIVE · CONSTRAINTS PENDING
Gatekeeper + Kyverno + Falco + Trivy all Running. Next: deploy KCF constraint templates → qdrant/redis/neo4j → ADMIT.