A security framework for multi-cluster Kubernetes architectures

CROCIANI, RICCARDO
2021/2022

Abstract

Nowadays more and more workloads are moving to the Cloud, and consequently the use of emerging technologies like “Containers” (i.e., software components that package code together with all its dependencies, allowing quick and reliable execution of applications in every environment) is gaining momentum. Since the number of containers to be deployed grows substantially for real-world applications, it is crucial to use a component in charge of coordinating physical as well as software resources. This tool, usually called an “Orchestrator”, is expected to manage aspects like security, resource usage optimization, networking, etc. In the containerized application domain, the tool emerging as the “de facto standard” is an open source project developed by Google: Kubernetes. In the meantime, the number of cyberattacks is constantly increasing; for this reason it is important for developers to pay particular attention to security. There is often a misconception that the Cloud is secure by default, but this is not true: applications running in the Cloud need to be secured and managed in the same way as those running on premise. What makes the difference is the set of tools and technologies used to configure that security. The aim of this thesis is to understand the Kubernetes architecture and to design a tool able to analyze in depth a Kubernetes cluster with all its components, in order to discover vulnerabilities that attackers could use to compromise the cluster. The tool provides a detailed report with the weak spots detected and suggestions to fix them. Moreover, at the end of the execution it reports a numerical score evaluating the security posture, which allows the risk exposure of different Kubernetes cluster architectures to be compared. Administrators can run it to keep the security and the vulnerabilities of their clusters under control every time something in the configuration changes.
2021
Kubernetes
Cluster
Security
Vulnerabilities
Files in this item:

File: Crociani_Riccardo.pdf (restricted access)
Size: 29.81 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/35521