Login
Register
Submit a Paper
Propose a Special lssue
Open Access
ARTICLE
Container Instrumentation and Enforcement System for Runtime Security of Kubernetes Platform with eBPF
Soongsil University, Seoul, 06978, Korea
* Corresponding Author: Souhwan Jung. Email:
(This article belongs to the Special Issue: Advanced Achievements of Intelligent and Secure Systems for the Next Generation Computing)
Intelligent Automation & Soft Computing 2023, 37(2), 1773-1786. https://doi.org/10.32604/iasc.2023.039565
Received 06 February 2023; Accepted 14 April 2023; Issue published 21 June 2023
View Full Text
Download PDFAbstract
Containerization is a fundamental component of modern cloud-native infrastructure, and Kubernetes is a prominent platform of container orchestration systems. However, containerization raises significant security concerns due to the nature of sharing a kernel among multiple containers, which can lead to container breakout or privilege escalation. Kubernetes cannot avoid it as well. While various tools, such as container image scanning and configuration checking, can mitigate container workload vulnerabilities, these are not foolproof and cannot guarantee perfect isolation or prevent every active threat in runtime. As such, a policy enforcement solution is required to tackle the problem, and existing solutions based on LSM (Linux Security Module) frameworks may not be adequate for some situations. To address this, we propose an enforcement system based on BPF-LSM, which leverages eBPF (extended Berkeley Packet Filter) technology to provide fine-grained control and dynamic adoption of security policies. In this paper, we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System (KRSIE). Finally, we evaluate the effectiveness of our system using a real-world scenario, as measuring the performance of a policy enforcement system is a complex task. Our results show that KRSIE can successfully control containers’ behaviors using LSM hooks at container runtime, offering improved container security for cloud-native infrastructure.Keywords
Cite This Article
APA Style
Gwak, S., Doan, T., Jung, S. (2023). Container instrumentation and enforcement system for runtime security of kubernetes platform with ebpf. Intelligent Automation & Soft Computing, 37(2), 1773-1786. https://doi.org/10.32604/iasc.2023.039565
Vancouver Style
Gwak S, Doan T, Jung S. Container instrumentation and enforcement system for runtime security of kubernetes platform with ebpf. Intell Automat Soft Comput . 2023;37(2):1773-1786 https://doi.org/10.32604/iasc.2023.039565
IEEE Style
S. Gwak, T. Doan, and S. Jung "Container Instrumentation and Enforcement System for Runtime Security of Kubernetes Platform with eBPF," Intell. Automat. Soft Comput. , vol. 37, no. 2, pp. 1773-1786. 2023. https://doi.org/10.32604/iasc.2023.039565
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Downloads
Citation Tools
