Live Demo

Try cloudtaser on a real production-shaped environment in your browser — a managed GKE cluster in the US plus two EU-hosted VMs (beacon relay, OpenBao secret store). No signup, no installation, no cloud account required.

Open the live demo


How the live demo is hosted

Unlike a single-pod browser-based scenario, the demo at cloudtaser.io/demo-lab runs against three real, separate systems that mirror a production deployment — one managed GKE cluster and two EU-hosted VMs:

| System | Region | Role |
| --- | --- | --- |
| Target cluster (managed GKE) | US (zonal GKE, AMD SEV confidential-compute node, n2d-highcpu-2) | Runs cloudtaser-operator, the wrapper, and the eBPF daemonset |
| Beacon relay (VM) | EU · Frankfurt (europe-west3) | Stateless TCP/TLS relay on port 443 — pairs the bridge and broker by info_hash |
| Secret store (VM) | EU · Netherlands (europe-west4) | OpenBao + cloudtaser-bridge |

The Atlantic crossing is real. The mTLS handshake terminates at the bridge and at the broker (not at the beacon). The eBPF probes run against a real GKE node where dmesg shows AMD memory encryption active. Every cluster mutation the demo performs is published as a YAML file under cloudtaser.io/demo-lab/manifests/ — read the YAML, don't trust the narration.

The page has three tabs:

  • Watch — a self-hosted 4-minute MP4 walkthrough with WebVTT captions. No third-party embed, no tracking, no ads. Good for a first look or sharing in Slack.
  • Drive it (default) — the live demo environment (GKE cluster + 2 EU VMs). One driver at a time, many watchers. When idle, press "My turn" to start a 7-step session. When in use, you watch the active session's steps and probe outputs in real time over an SSE stream until the driver releases (5-minute idle timeout, 20-minute hard cap).
  • Deploy yourself — the Helm one-liner and prerequisite checklist for installing cloudtaser on your own cluster.

The live demo at cloudtaser.io/demo-lab is the canonical public evaluation path; no third-party scenario hosting is involved.


What the demo covers

The live demo walks through the full cloudtaser workflow in 7 steps. Each step runs a short script that is fully visible in the cluster terminal pane — no hidden orchestration. The 14 curated probes (whitelisted, rate-limited, read-only) demonstrate eBPF enforcement against /proc/PID/environ, /proc/PID/mem, ptrace, and related vectors.

| Step | Title | What you see |
| --- | --- | --- |
| 1 | Deploy PostgreSQL (traditional) | Standard K8s Secret with a database password, mounted as an env var |
| 2 | Generate cluster fingerprint | cloudtaser source register derives a UUID + fingerprint for this cluster |
| 3 | Register at the EU secret store | The fingerprint is approved at the OpenBao bridge; cluster gains scoped access |
| 4 | Install cloudtaser | Helm install of the operator, eBPF daemonset, and beacon broker |
| 5 | Annotate and cycle the pod | Add cloudtaser.io/inject + paths annotations, restart the deployment |
| 6 | Verify: secret in memfd_secret page | The K8s Secret is gone; the secret travels from EU OpenBao through the beacon into a kernel-hidden memory page |
| 7 | Run adversarial probes | eBPF blocks /proc/PID/environ, /proc/PID/mem, ptrace attach in real time; results stream as verdict chips |

How beacon relay connectivity works in the demo

The demo uses beacon relay mode -- the default connectivity model for cloudtaser.

                     Beacon Relay
                    (TCP 443 only)
                         ^
                        / \
            outbound   /   \   outbound
                      /     \
          ┌──────────┐       ┌──────────┐
          │ EU Vault │       │ K8s Pod  │
          │ (OpenBao)│       │ (wrapper)│
          └──────────┘       └──────────┘

Both OpenBao (via the bridge on VM3) and the cluster (via the broker in the GKE node) connect outbound to a stateless beacon relay on TCP 443 (VM2). The beacon matches them by a cryptographic info hash and relays encrypted mTLS traffic. The beacon never sees your secrets. No VPN, no public OpenBao endpoint, no firewall rules.

For more details, see Beacon Relay Architecture.
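The pairing behaviour described above, as an added sketch that is not cloudtaser's code: a toy relay that matches two outbound connections by the hash each presents and then forwards bytes without parsing them. The wire framing (a 32-byte hash sent first), the `Beacon` class and the sample payload are assumptions made for illustration; in the real system the forwarded bytes would be the mTLS session between bridge and broker.

```python
import asyncio
import hashlib

HASH_LEN = 32  # assumption: each side opens with a fixed-length info_hash

class Beacon:
    """Toy rendezvous relay: pairs two connections presenting the same hash."""
    def __init__(self):
        self.waiting = {}  # info_hash -> (future, writer) of the first arrival

    async def handle(self, reader, writer):
        info_hash = await reader.readexactly(HASH_LEN)
        if info_hash in self.waiting:
            fut, peer = self.waiting.pop(info_hash)
            fut.set_result(writer)  # wake the side that arrived first
        else:
            fut = asyncio.get_running_loop().create_future()
            self.waiting[info_hash] = (fut, writer)
            peer = await fut
        # Forward bytes verbatim; nothing here parses or decrypts the payload.
        while chunk := await reader.read(4096):
            peer.write(chunk)
            await peer.drain()
        peer.close()

async def _demo():
    beacon = Beacon()
    server = await asyncio.start_server(beacon.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]

    async def dial(label):
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        writer.write(hashlib.sha256(label).digest())  # constructed info_hash
        await writer.drain()
        return reader, writer

    fp = b"constructed-cluster-fingerprint"
    conns = [await dial(x) for x in (fp, fp, b"unrelated-cluster")]
    bridge_w, broker_r = conns[0][1], conns[1][0]  # third one stays unpaired
    record = b"\x17\x03\x03constructed stand-in for an mTLS record"
    bridge_w.write(record)
    await bridge_w.drain()
    got = await asyncio.wait_for(broker_r.readexactly(len(record)), 2)
    await asyncio.sleep(0.2)  # let the stray connection register
    server.close()
    return got == record, len(beacon.waiting)

def demo():
    """Returns (payload arrived unchanged, number of connections left unpaired)."""
    return asyncio.run(_demo())
```

Because the relay holds only the hash-to-connection map, compromising it yields ciphertext and pairing metadata; confidentiality and peer authentication rest on the mTLS session terminating at the bridge and the broker.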


Prerequisites

The demo runs entirely in your browser against cloudtaser-operated infrastructure. You need:

  • A modern web browser
  • Approximately 5 minutes for the recorded walkthrough, or 15 minutes for an interactive driver session

No local tools, cloud accounts, or signups are required.


What you will learn

After completing the demo, you will understand:

  1. Why K8s Secrets are not secret -- they are base64-encoded, stored in etcd in plaintext (or with envelope encryption the provider controls), and readable from /proc/PID/environ
  2. How cloudtaser eliminates this -- secrets travel directly from an EU OpenBao to process memory via an encrypted beacon relay, bypassing etcd and Kubernetes Secrets entirely
  3. How eBPF enforcement works -- runtime kernel-level blocking of /proc/PID/environ, /proc/PID/mem, and ptrace access to protected processes
  4. How beacon relay connectivity works -- zero-config OpenBao-to-cluster connectivity without VPNs or public endpoints
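An added audit sketch for point 1 (not part of cloudtaser or its CLI): it walks a pod template, reports every environment variable sourced from a Kubernetes Secret, notes whether the `cloudtaser.io/inject` annotation key is present, and shows that the stored value decodes without any key. The manifests, the `pg-credentials` name and the function names are constructed for illustration.

```python
import base64

# Constructed sample objects (JSON form of the manifests), not the demo's files.
SECRETS = {"pg-credentials": {"data": {
    "password": base64.b64encode(b"constructed-password").decode()}}}
DEPLOYMENT = {"spec": {"template": {
    "metadata": {"annotations": {}},
    "spec": {"containers": [{
        "name": "postgres",
        "env": [
            {"name": "PGDATA", "value": "/var/lib/postgresql/data"},
            {"name": "POSTGRES_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "pg-credentials", "key": "password"}}},
        ],
    }]},
}}}

def secret_env_findings(workload, secrets):
    """Report env vars that a pod template sources from Kubernetes Secrets."""
    template = workload["spec"]["template"]
    annotations = template.get("metadata", {}).get("annotations") or {}
    findings = []
    for ctr in template["spec"].get("containers", []):
        for env in ctr.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                findings.append((ctr["name"], env["name"], ref["name"], ref["key"]))
        for src in ctr.get("envFrom", []):
            name = (src.get("secretRef") or {}).get("name")
            # envFrom exposes every key of the Secret as its own variable
            for key in secrets.get(name, {}).get("data", {}):
                findings.append((ctr["name"], src.get("prefix", "") + key, name, key))
    return {"inject_annotated": "cloudtaser.io/inject" in annotations,
            "findings": findings}

def decode_secret(secret, key):
    """base64 is an encoding, not encryption: reading the object is enough."""
    return base64.b64decode(secret["data"][key]).decode()

if __name__ == "__main__":
    print(secret_env_findings(DEPLOYMENT, SECRETS))
    print(decode_secret(SECRETS["pg-credentials"], "password"))
```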

Honest scope of the demo environment

The live demo runs on a real GKE confidential-compute node (AMD SEV) in the US plus two small EU VMs (Frankfurt + Netherlands) for the beacon and secret store. All three are on GCP. GCP EU regions don't clear our sovereign deployment decision guide's first-leg test — for real sovereignty, the OpenBao would live on Hetzner / OVH / Scaleway / IONOS / Exoscale / UpCloud. Migration of the demo's secret store to a non-GCP EU provider is on the roadmap.

What the demo does prove is the architecture end-to-end: real Atlantic crossing for the beacon, real confidential-compute target, real eBPF blocks against real probes, real memfd_secret-backed pages.


Running your own demo

If you prefer to run the demo on your own infrastructure instead of using the live environment, you can use the cloudtaser CLI:

curl -fsSL https://docs.cloudtaser.io/install.sh | bash -s -- --demo

This installs cloudtaser with an in-cluster OpenBao instance and a test pod with secret injection. Requires kubectl and helm with access to a running Kubernetes cluster.

Alternatively, use the CLI's built-in demo command:

cloudtaser demo

See the CLI Reference for options.


Next steps