Interactive Demo

Try CloudTaser on a live Kubernetes cluster in your browser. No signup, no installation, no cloud account required.

Launch the demo on Killercoda

---

What the demo covers

The interactive demo runs on a real single-node Kubernetes cluster (kubeadm) and walks through the full CloudTaser workflow in 8 steps. Each step runs a short bash script that shows every command -- no hidden magic.

Step	Title	What you see
1	Install CloudTaser	Helm install of the operator, eBPF daemonset, and P2P beacon broker
2	Deploy PostgreSQL (traditional)	Standard K8s Secret with a database password, mounted as an env var
3	The problem: secrets everywhere	The password is readable from etcd, kubectl get secret, env, and /proc/environ
4	Migrate secrets to EU vault	Move the password to an EU-hosted OpenBao vault using the CloudTaser CLI
5	Redeploy with CloudTaser	The same PostgreSQL pod, now with CloudTaser annotations -- secrets delivered via encrypted P2P relay
6	Verify: secrets gone from K8s	The K8s Secret is deleted, etcd is clean, but the app still works -- secrets are in process memory
7	eBPF blocks /proc/environ	Attempt a root-level /proc/environ read -- eBPF denies it in real time
8	Summary and comparison	Side-by-side comparison of CloudTaser vs. alternatives

---

How P2P connectivity works in the demo

The demo uses P2P beacon mode -- the default connectivity model for CloudTaser.

                     Beacon Relay
                    (TCP 443 only)
                         ^
                        / \
            outbound   /   \   outbound
                      /     \
          ┌──────────┐       ┌──────────┐
          │ EU Vault │       │ K8s Pod  │
          │ (OpenBao)│       │ (wrapper)│
          └──────────┘       └──────────┘

Both the vault (via the bridge) and the cluster (via the broker) connect outbound to a stateless beacon relay on TCP 443. The beacon matches them by a cryptographic info hash and relays encrypted mTLS traffic. The beacon never sees your secrets. No VPN, no public vault endpoint, no firewall rules.

For more details, see P2P Beacon Architecture.

---

Prerequisites

The demo runs entirely in your browser on Killercoda's infrastructure. You need:

• A modern web browser
• Approximately 15 minutes

No local tools, cloud accounts, or signups are required.

---

What you will learn

After completing the demo, you will understand:

1. Why K8s Secrets are not secret -- they are base64-encoded, stored in etcd in plaintext (or with envelope encryption the provider controls), and readable from /proc/environ
2. How CloudTaser eliminates this -- secrets travel directly from an EU vault to process memory via an encrypted P2P relay, bypassing etcd and Kubernetes Secrets entirely
3. How eBPF enforcement works -- runtime kernel-level blocking of /proc/environ, /proc/mem, and ptrace access to protected processes
4. How P2P beacon connectivity works -- zero-config vault-to-cluster connectivity without VPNs or public endpoints

---

Running your own demo

If you prefer to run the demo on your own infrastructure instead of Killercoda, you can use the CloudTaser CLI:

curl -fsSL https://docs.cloudtaser.io/install.sh | bash -s -- --demo

This installs CloudTaser with an in-cluster OpenBao vault and a test pod with secret injection. Requires kubectl and helm with access to a running Kubernetes cluster.

Alternatively, use the CLI's built-in demo command:

cloudtaser demo

See the CLI Reference for options.

---

Next steps

• Quickstart -- protect a real workload in 5 minutes
• Getting Started -- full deployment walkthrough on GKE
• Security Model -- trust boundaries and threat model
• Compliance Mapping -- GDPR, NIS2, DORA, and Schrems II alignment