LUP Student Papers

LUND UNIVERSITY LIBRARIES

A systematic evaluation of CVEs and mitigation strategies for a Kubernetes stack

Nordell, Fred LU (2022) EITM01 20222
Department of Electrical and Information Technology
Abstract
Kubernetes is a container orchestration platform growing ever more popular, and
as the software industry shifts into the container cloud, security will become
paramount. The Common Vulnerabilities and Exposures (CVE) system catalogs
and provides references to known vulnerabilities. The goal of this thesis is
to systematically evaluate the security situation of Kubernetes through common
mitigation strategies.

The methodology was split into two parts: a theoretical analysis and an
experimental test. Firstly, mitigation strategies were chosen and analyzed. Secondly,
CVEs for Kubernetes, Nginx ingress, and containerd were analyzed. Thereafter,
an evaluation matrix was developed. From this matrix, the mitigation strategies
were discussed and evaluated. The findings were verified in the experimental part,
where proofs of concept for a selection of CVEs were executed against a vulnerable
cluster. Thereafter, the same exploits were executed against a cluster where
mitigation strategies were in place. The experiment validated the findings of the
theoretical analysis for the selected CVEs.

The conclusion is that the common mitigation strategies provide a foundation
that can serve as a part of a larger system. They prevent some
but not all CVEs, and administrators should not rely on them solely. Moreover,
the thesis provides a systematic way of evaluating CVEs for Kubernetes that can
be expanded upon, an addition to the literature regarding Kubernetes.
author: Nordell, Fred LU
alternative title: En systematisk evaluering av CVEer och begränsningsstrategier för Kubernetes
course: EITM01 20222
type: H2 - Master's Degree (Two Years)
keywords: Kubernetes, CVE, Mitigation strategies, containers
report number: LU/LTH-EIT 2022-900
language: English
id: 9103043
date added to LUP: 2022-11-21 10:42:45
date last changed: 2022-12-07 14:09:50
@misc{9103043,
  abstract     = {{Kubernetes is a container orchestration platform growing ever more popular, and
as the software industry shifts into the container cloud, security will become
paramount. The Common Vulnerabilities and Exposures (CVEs) systems catalog
and provide references to known vulnerabilities. The goal of this thesis is
to systematically evaluate the security situation of Kubernetes through common
mitigation strategies.

The methodology was split into two parts; a theoretical analysis, and an
experimental test. Firstly, mitigation strategies were chosen and analyzed. Secondly,
CVEs for Kubernetes, Nginx ingress, and containerd were analyzed. Thereafter,
an evaluation matrix was developed. From this matrix, the mitigation strategies
were discussed and evaluated. The findings were verified in the experimental part
where Proofs of concepts for a selection of CVEs were executed against a vulnerable
cluster. Thereafter, the same exploits were executed against a cluster where
mitigation strategies were in place. The experiment validated the findings of the
theoretical analysis for the selected CVEs.

The conclusion is that the common mitigation strategies provide a foundation
that can provide a foundation as a part of a larger system. They prevent some
but not all CVEs and administrators should not rely on them solely. Moreover,
the thesis provides a systematic way of evaluating CVEs for Kubernetes that can
be expanded upon, an addition to the literature regarding Kubernetes.}},
  author       = {{Nordell, Fred}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{A systematic evaluation of CVEs and mitigation strategies for a Kubernetes stack}},
  year         = {{2022}},
}