Your First Probe
This walkthrough creates an RBAC probe, watches it execute, and reads the result. It takes about 2 minutes.
Create a test namespace
```
kubectl create namespace sidereal-test-target
```
Create the probe
```
kubectl apply -f - <<EOF
apiVersion: sidereal.cloud/v1alpha1
kind: SiderealProbe
metadata:
  name: rbac-test
  namespace: sidereal-system
spec:
  probeType: rbac
  targetNamespace: sidereal-test-target
  executionMode: observe
  intervalSeconds: 300
  controlMappings:
    nist-800-53:
      - AC-6(5)
EOF
```
This tells Sidereal: every 5 minutes, verify that the sidereal-probe-rbac ServiceAccount cannot perform unauthorized operations in the sidereal-test-target namespace. Record results but don’t create incidents (observe mode).
Watch for execution
The probe executes immediately on creation, then every 5 minutes:
```
# Watch for the probe Job
kubectl get jobs -n sidereal-system -l sidereal.cloud/probe-name=rbac-test --watch
```
Read the result
Once the Job completes:
```
kubectl get siderealproberesults -n sidereal-system \
  -l sidereal.cloud/probe-name=rbac-test

kubectl describe siderealproberesult -n sidereal-system \
  -l sidereal.cloud/probe-name=rbac-test
```
You should see:
- outcome: Pass — the RBAC deny path was enforced
- controlEffectiveness: Effective
- integrityStatus: Verified — HMAC check passed
Check the probe status
```
kubectl get siderealprobe rbac-test -n sidereal-system -o yaml
```
The .status section shows lastExecutedAt, lastOutcome, lastControlEffectiveness, and up to 10 recentResults.
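One way to script the status check above so a pipeline can gate on it. This is an added example, not part of Sidereal's own tooling. It assumes that .status.lastOutcome and .status.lastControlEffectiveness carry the same values the result shows (Pass and Effective); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate on the probe status fields named in this walkthrough.
# Assumption: .status.lastOutcome / .status.lastControlEffectiveness hold the
# same values the result shows (Pass / Effective).

PROBE_NS="sidereal-system"

# Read one .status field of a SiderealProbe via kubectl's jsonpath output.
probe_status_field() {
    kubectl get siderealprobe "$1" -n "$PROBE_NS" -o "jsonpath={.status.$2}"
}

# check_probe NAME [TIMEOUT_SECONDS] [POLL_SECONDS]
# Returns 0 when the last run passed and the control is effective,
#         1 when the probe ran but reported anything else,
#         2 when the status could not be read or no run was recorded in time.
check_probe() {
    name=$1
    timeout=${2:-120}
    poll=${3:-5}
    waited=0

    # The probe runs on creation, but the Job needs time to finish.
    while :; do
        executed=$(probe_status_field "$name" lastExecutedAt) || return 2
        [ -n "$executed" ] && break
        [ "$waited" -ge "$timeout" ] && {
            echo "$name: no execution recorded" >&2
            return 2
        }
        sleep "$poll"
        waited=$((waited + poll))
    done

    outcome=$(probe_status_field "$name" lastOutcome) || return 2
    effectiveness=$(probe_status_field "$name" lastControlEffectiveness) || return 2
    echo "$name: executed=$executed outcome=$outcome effectiveness=$effectiveness"

    # Fail closed: empty or unknown values count as a failure.
    [ "$outcome" = "Pass" ] && [ "$effectiveness" = "Effective" ]
}
```

Source the file and run `check_probe rbac-test`; a non-zero exit code fails the pipeline step.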
Next steps
- Try other probe types: Probe Types
- Move from observe to enforce: Execution Modes
- Let Sidereal find probes for you: Discovery