Title: Enforce a Global Security Policy for User Access to Clustered Container Systems via User Namespace Sharing
Authors: Ioan Stan, D. Rosner, Ștefan-Dan Ciocîrlan
DOI: 10.1109/RoEduNet51892.2020.9324866 (https://doi.org/10.1109/RoEduNet51892.2020.9324866)
Published in: 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), 11 December 2020
Open access: no
Citation count: 0
Abstract
With the advancement of containerization technologies and the isolation mechanisms the Linux kernel provides through features such as namespaces and cgroups, the question arises whether total isolation of containers (a virtual enclave) provides an increased level of security in every use case. In this paper we explore the idea of unifying the container's user namespace with the host system's user namespace, to validate whether this approach can increase overall security in some areas of use. Such an approach can facilitate the implementation of complex, fine-grained access policies and reduce the weak points that can lead to privilege-escalation attacks. We explore how different containerization engines can be configured to support user namespace unification and show why the Singularity containerization engine is a perfect fit for our purposes. In addition, we propose a concept architecture for an academic cluster that natively supports enforcing a unified user access policy across both the underlying nodes and the containers running on them.
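The unification the abstract describes has a concrete, checkable property: a process inside the container sees the same numeric UIDs and GIDs as the host, so host-side ownership, ACLs and audit records apply unchanged. The following script is an added example and is not code from the paper or from any container engine. It reads the kernel's `/proc/<pid>/uid_map` and `/proc/<pid>/gid_map` files (each line is `inside outside count`, and the initial user namespace shows the single line `0 0 4294967295`), classifies the mapping as shared with the host or remapped, and resolves a container UID to the host UID it actually acts as. The function names and the three sample map contents are constructed for illustration.

```python
"""Classify the user-namespace mapping a process runs under.

Added example (not from the paper): parses /proc/<pid>/uid_map and
/proc/<pid>/gid_map, whose lines read "inside outside count", to tell
whether a container shares the host's user namespace (IDs are the host's
IDs, so one access policy applies on both sides) or runs under a remapped
namespace (container root is some unprivileged host UID). The sample map
contents below are constructed, not captured from a real host.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import List, Optional

# The full-range identity map the kernel reports for the initial namespace.
IDENTITY_COUNT = 4294967295


@dataclass(frozen=True)
class IdRange:
    inside: int   # first ID as seen inside the namespace
    outside: int  # first ID as seen in the parent (host) namespace
    count: int    # number of consecutive IDs in this range


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map content; rejects malformed or empty ranges."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def map_to_host(ranges: List[IdRange], inside_id: int) -> Optional[int]:
    """Host ID that a namespace-local ID acts as; None if unmapped.

    An unmapped ID has no host identity at all: the kernel presents it as
    the overflow ID (usually 65534, "nobody"), so it cannot be used to
    enforce a per-user policy on the host side.
    """
    for r in ranges:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def is_identity_map(ranges: List[IdRange]) -> bool:
    """True for the single full-range identity map of the host namespace."""
    return len(ranges) == 1 and ranges[0] == IdRange(0, 0, IDENTITY_COUNT)


def classify(uid_ranges: List[IdRange], gid_ranges: List[IdRange]) -> str:
    """'shared' when UIDs and GIDs are the host's own, else 'remapped'."""
    if is_identity_map(uid_ranges) and is_identity_map(gid_ranges):
        return "shared"
    return "remapped"


def is_unified_uid(uid_ranges: List[IdRange], uid: int) -> bool:
    """The paper's property for one user: container UID == host UID."""
    return map_to_host(uid_ranges, uid) == uid


def classify_self() -> str:
    """Classify the calling process; 'unknown' where /proc is unavailable."""
    try:
        with open("/proc/self/uid_map") as f:
            uid_ranges = parse_id_map(f.read())
        with open("/proc/self/gid_map") as f:
            gid_ranges = parse_id_map(f.read())
    except OSError:
        return "unknown"
    return classify(uid_ranges, gid_ranges)


def same_user_namespace_as_pid1() -> Optional[bool]:
    """Compare namespace inodes with PID 1; None when not permitted.

    Caveat: a nested namespace created by root can carry the same identity
    map as the host, so uid_map alone cannot distinguish the two; the
    ns inode comparison can, when /proc/1/ns/user is readable.
    """
    try:
        return os.stat("/proc/self/ns/user").st_ino == os.stat("/proc/1/ns/user").st_ino
    except OSError:
        return None


# Constructed sample maps (not captured from a real system):
HOST_MAP = "         0          0 4294967295\n"          # host namespace
DAEMON_REMAP = "         0     100000      65536\n"      # engine-wide remap
ROOTLESS_MAP = ("         0       1000          1\n"      # root -> caller
                "         1     100000      65536\n")     # rest -> subuid range

if __name__ == "__main__":
    for name, text in (("host", HOST_MAP), ("remap", DAEMON_REMAP), ("rootless", ROOTLESS_MAP)):
        r = parse_id_map(text)
        print(f"{name:8s} {classify(r, r):8s} uid 1000 acts as host uid {map_to_host(r, 1000)}")
    print("this process:", classify_self(), "same ns as pid 1:", same_user_namespace_as_pid1())
```

For a cluster policy like the one the abstract proposes, the check to run inside a job is `classify_self() == "shared"` and `is_unified_uid(...)` for the submitting user's UID. Singularity's default setuid mode runs the container in the host's user namespace with the caller's UID, which is why it fits the paper's design; requesting `--userns` or `--fakeroot` instead creates a separate namespace that the script reports as `remapped`. Docker can be made to behave the same way with `--userns=host` on a daemon configured for userns-remap. The last line of the output depends on the host: reading `/proc/1/ns/user` is refused for unrelated processes, in which case `same_user_namespace_as_pid1()` returns `None` rather than guessing.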