Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack

IF 4.7 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Network and Service Management Pub Date : 2025-01-17 DOI:10.1109/TNSM.2025.3531040

Gerald Budigiri;Christoph Baumann;Eddy Truyen;Wouter Joosen

{"title":"Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack","authors":"Gerald Budigiri;Christoph Baumann;Eddy Truyen;Wouter Joosen","doi":"10.1109/TNSM.2025.3531040","DOIUrl":null,"url":null,"abstract":"Packaging applications in Containers, dynamically managed using a cluster orchestrator, is the de-facto approach for deployment of cloud-native applications. When Containers run inside Virtual Machines (VMs) to protect infrastructural assets, Network Policies at the Container layer and Security Groups at the VM layer provide complementary firewall mechanisms that strengthen defenses against lateral movement of attackers. However, least-privilege network policies at the Container layer may not always be consistent with statically defined, over-permissive Security Groups at the VM layer. This is especially a problem with low-latency configuration of Container networking solutions that requires every opened Container protocol, port and traffic direction also to be opened at the VM layer. In any post-exploitation scenario where attackers escape from within an already compromised or infected Container, such over-permissive Security Groups do not prevent the attacker from spreading across VMs to find powerful tokens for accessing the cluster orchestrator. In this paper, we introduce GrassHopper, a fast and dynamic cross-layer enforcement approach for Network Policies, which automatically generates Security Group configurations from dynamically verified Network Policies and Container scheduling decisions. Given the low-latency context, the design of GrassHopper must ensure that dynamically generated Security Group rules come in a timely manner to effect before the newly scheduled Containers become ready to serve traffic. We evaluate the performance of GrassHopper on a Kubernetes cluster running on OpenStack at the network and application level. In comparison to a Security Group management approach that is not scheduling-aware, our findings show that for low-latency applications GrassHopper can reduce the network attack surface between VMs at a ratio of 78-to-99%, while causing no network performance overhead at the application level with respect to latency and throughput.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"22 2","pages":"2031-2058"},"PeriodicalIF":4.7000,"publicationDate":"2025-01-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10844916/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Packaging applications in Containers, dynamically managed using a cluster orchestrator, is the de-facto approach for deployment of cloud-native applications. When Containers run inside Virtual Machines (VMs) to protect infrastructural assets, Network Policies at the Container layer and Security Groups at the VM layer provide complementary firewall mechanisms that strengthen defenses against lateral movement of attackers. However, least-privilege network policies at the Container layer may not always be consistent with statically defined, over-permissive Security Groups at the VM layer. This is especially a problem with low-latency configuration of Container networking solutions that requires every opened Container protocol, port and traffic direction also to be opened at the VM layer. In any post-exploitation scenario where attackers escape from within an already compromised or infected Container, such over-permissive Security Groups do not prevent the attacker from spreading across VMs to find powerful tokens for accessing the cluster orchestrator. In this paper, we introduce GrassHopper, a fast and dynamic cross-layer enforcement approach for Network Policies, which automatically generates Security Group configurations from dynamically verified Network Policies and Container scheduling decisions. Given the low-latency context, the design of GrassHopper must ensure that dynamically generated Security Group rules come in a timely manner to effect before the newly scheduled Containers become ready to serve traffic. We evaluate the performance of GrassHopper on a Kubernetes cluster running on OpenStack at the network and application level. In comparison to a Security Group management approach that is not scheduling-aware, our findings show that for low-latency applications GrassHopper can reduce the network attack surface between VMs at a ratio of 78-to-99%, while causing no network performance overhead at the application level with respect to latency and throughput.

查看原文本刊更多论文

Kubernetes堆栈中网络策略的弹性跨层编排

将应用程序打包到容器中，使用集群编排器进行动态管理，是部署云原生应用程序的实际方法。当容器在虚拟机（VM）内运行以保护基础设施资产时，容器层的网络策略和虚拟机层的安全组提供了互补的防火墙机制，加强了对攻击者横向移动的防御。但是，容器层的最小特权网络策略可能并不总是与VM层的静态定义的、过度许可的安全组一致。对于低延迟配置的容器网络解决方案来说，这尤其是个问题，因为它要求每个打开的容器协议、端口和流量方向也要在VM层打开。在攻击者从已经受到破坏或感染的容器中逃脱的任何利用后场景中，这种过度许可的安全组并不能阻止攻击者跨vm传播，以找到强大的令牌来访问集群编排器。本文介绍了一种快速、动态的网络策略跨层实施方法GrassHopper，它可以根据动态验证的网络策略和容器调度决策自动生成安全组配置。考虑到低延迟上下文，GrassHopper的设计必须确保动态生成的安全组规则在新调度的容器准备好为流量服务之前及时生效。我们在网络和应用程序级别评估了运行在OpenStack上的Kubernetes集群上的GrassHopper的性能。与不支持调度的安全组管理方法相比，我们的研究结果表明，对于低延迟应用程序，GrassHopper可以将虚拟机之间的网络攻击面减少78%到99%，同时不会在应用程序级别造成与延迟和吞吐量相关的网络性能开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Network and Service Management Computer Science-Computer Networks and Communications

CiteScore

9.30

自引率

15.10%

发文量

325

期刊介绍： IEEE Transactions on Network and Service Management will publish (online only) peerreviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.