A systematic evaluation of CVEs and mitigation strategies for a Kubernetes stack
(2022) EITM01 20222
Department of Electrical and Information Technology
- Abstract
- Kubernetes is a container orchestration platform growing ever more popular, and as the software industry shifts into the container cloud, security will become paramount. The Common Vulnerabilities and Exposures (CVE) system catalogs and provides references to known vulnerabilities. The goal of this thesis is to systematically evaluate the security situation of Kubernetes through common mitigation strategies.
The methodology was split into two parts: a theoretical analysis and an experimental test. Firstly, mitigation strategies were chosen and analyzed. Secondly, CVEs for Kubernetes, Nginx ingress, and containerd were analyzed. Thereafter, an evaluation matrix was developed. From this matrix, the mitigation strategies were discussed and evaluated. The findings were verified in the experimental part, where proofs of concept for a selection of CVEs were executed against a vulnerable cluster. Thereafter, the same exploits were executed against a cluster where mitigation strategies were in place. The experiment validated the findings of the theoretical analysis for the selected CVEs.
The conclusion is that the common mitigation strategies provide a foundation that can serve as a part of a larger system. They prevent some but not all CVEs, and administrators should not rely on them solely. Moreover, the thesis provides a systematic way of evaluating CVEs for Kubernetes that can be expanded upon, an addition to the literature regarding Kubernetes.
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/9103043
- author
- Nordell, Fred LU
- supervisor
- Maria Kihl LU
- organization
- alternative title
- En systematisk evaluering av CVEer och begränsningsstrategier för Kubernetes
- course
- EITM01 20222
- year
- 2022
- type
- H2 - Master's Degree (Two Years)
- subject
- keywords
- Kubernetes, CVE, Mitigation strategies, containers
- report number
- LU/LTH-EIT 2022-900
- language
- English
- id
- 9103043
- date added to LUP
- 2022-11-21 10:42:45
- date last changed
- 2022-12-07 14:09:50
@misc{9103043,
  abstract = {{Kubernetes is a container orchestration platform growing ever more popular, and as the software industry shifts into the container cloud, security will become paramount. The Common Vulnerabilities and Exposures (CVE) system catalogs and provides references to known vulnerabilities. The goal of this thesis is to systematically evaluate the security situation of Kubernetes through common mitigation strategies. The methodology was split into two parts: a theoretical analysis and an experimental test. Firstly, mitigation strategies were chosen and analyzed. Secondly, CVEs for Kubernetes, Nginx ingress, and containerd were analyzed. Thereafter, an evaluation matrix was developed. From this matrix, the mitigation strategies were discussed and evaluated. The findings were verified in the experimental part, where proofs of concept for a selection of CVEs were executed against a vulnerable cluster. Thereafter, the same exploits were executed against a cluster where mitigation strategies were in place. The experiment validated the findings of the theoretical analysis for the selected CVEs. The conclusion is that the common mitigation strategies provide a foundation that can serve as a part of a larger system. They prevent some but not all CVEs, and administrators should not rely on them solely. Moreover, the thesis provides a systematic way of evaluating CVEs for Kubernetes that can be expanded upon, an addition to the literature regarding Kubernetes.}},
  author = {{Nordell, Fred}},
  language = {{eng}},
  note = {{Student Paper}},
  title = {{A systematic evaluation of CVEs and mitigation strategies for a Kubernetes stack}},
  year = {{2022}},
}