DOI: 10.1007/978-3-031-46235-1_10
Article

A Multi-pronged Self-adaptive Controller for Analyzing Misconfigurations for Kubernetes Clusters and IoT Edge Devices

Published: 24 October 2023

Abstract

Kubernetes default configurations do not always provide optimal security and performance for all clusters and IoT edge devices deployed, making them vulnerable to security breaches and information leakage if misconfigured. Misconfiguration leads to a compromised system that disrupts the workload, allows access to system resources, and degrades the system’s performance. To provide optimal security for deployed clusters and IoT edge devices, the system should detect misconfigurations to secure and optimize its performance. We consider that configurations are hidden, as they are some sort of secret key or access token for an external service. We aim to link the clusters and IoT edge devices’ undesirable observed performance to their hidden configurations by providing a multi-pronged self-adaptive controller to monitor and detect misconfigurations in such settings. Furthermore, the controller implements standardized enforcement policies, demonstrating the controls required for regulatory compliance and providing users with appropriate access to the system resources. The aim of this paper is to introduce the controller mechanism by providing its main processes. Initial evaluations are done to assess the reliability and performance of the controller under different misconfiguration scenarios.

Published In

Service-Oriented and Cloud Computing: 10th IFIP WG 6.12 European Conference, ESOCC 2023, Larnaca, Cyprus, October 24–25, 2023, Proceedings
Oct 2023
294 pages
ISBN:978-3-031-46234-4
DOI:10.1007/978-3-031-46235-1
Editors: George A. Papadopoulos, Florian Rademacher, Jacopo Soldani

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Misconfiguration
  2. Monitor
  3. Detection
  4. RBAC
  5. IoTs Edge Devices
  6. Clusters
  7. Markov Processes

Qualifiers

  • Article
