Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

Zhu, Hui; Gehrmann, Christian

Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

Mark

Zhu, Hui ^LU and Gehrmann, Christian ^LU (2022) 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022 In International Conference on Communication Systems and Networks p.129-137

Abstract: Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application... (More); Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface.
(Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/911454bf-e9fb-4ed9-9bc8-bf5b18344a85

author

Zhu, Hui ^LU and Gehrmann, Christian ^LU

organization

publishing date

2022

type

Chapter in Book/Report/Conference proceeding

publication status

published

subject

Computer Sciences

keywords

AppArmor, cloud, Kubernetes, security

host publication

2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022

series title

International Conference on Communication Systems and Networks

article number

21458101

pages

9 pages

publisher

IEEE - Institute of Electrical and Electronics Engineers Inc.

conference name

14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022

conference location

Bangalore, India

conference dates

2022-01-04 - 2022-01-08

external identifiers

scopus:85125188840

ISSN

2155-2509

2155-2487

ISBN

9781665421041

DOI

10.1109/COMSNETS53615.2022.9668504

project

Cyber Security for Next Generation Factory (SEC4FACTORY)

language

English

LU publication?

yes

id

911454bf-e9fb-4ed9-9bc8-bf5b18344a85

date added to LUP

2022-04-14 13:10:05

date last changed

2025-04-12 13:02:42

@inproceedings{911454bf-e9fb-4ed9-9bc8-bf5b18344a85,
  abstract     = {{<p>Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface. </p>}},
  author       = {{Zhu, Hui and Gehrmann, Christian}},
  booktitle    = {{2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022}},
  isbn         = {{9781665421041}},
  issn         = {{2155-2509}},
  keywords     = {{AppArmor; cloud; Kubernetes; security}},
  language     = {{eng}},
  pages        = {{129--137}},
  publisher    = {{IEEE - Institute of Electrical and Electronics Engineers Inc.}},
  series       = {{International Conference on Communication Systems and Networks}},
  title        = {{Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine}},
  url          = {{http://dx.doi.org/10.1109/COMSNETS53615.2022.9668504}},
  doi          = {{10.1109/COMSNETS53615.2022.9668504}},
  year         = {{2022}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine