Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack

IF 4.7 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Network and Service Management Pub Date : 2025-01-17 DOI:10.1109/TNSM.2025.3531040

Gerald Budigiri;Christoph Baumann;Eddy Truyen;Wouter Joosen

{"title":"Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack","authors":"Gerald Budigiri;Christoph Baumann;Eddy Truyen;Wouter Joosen","doi":"10.1109/TNSM.2025.3531040","DOIUrl":null,"url":null,"abstract":"Packaging applications in Containers, dynamically managed using a cluster orchestrator, is the de-facto approach for deployment of cloud-native applications. When Containers run inside Virtual Machines (VMs) to protect infrastructural assets, Network Policies at the Container layer and Security Groups at the VM layer provide complementary firewall mechanisms that strengthen defenses against lateral movement of attackers. However, least-privilege network policies at the Container layer may not always be consistent with statically defined, over-permissive Security Groups at the VM layer. This is especially a problem with low-latency configuration of Container networking solutions that requires every opened Container protocol, port and traffic direction also to be opened at the VM layer. In any post-exploitation scenario where attackers escape from within an already compromised or infected Container, such over-permissive Security Groups do not prevent the attacker from spreading across VMs to find powerful tokens for accessing the cluster orchestrator. In this paper, we introduce GrassHopper, a fast and dynamic cross-layer enforcement approach for Network Policies, which automatically generates Security Group configurations from dynamically verified Network Policies and Container scheduling decisions. Given the low-latency context, the design of GrassHopper must ensure that dynamically generated Security Group rules come in a timely manner to effect before the newly scheduled Containers become ready to serve traffic. We evaluate the performance of GrassHopper on a Kubernetes cluster running on OpenStack at the network and application level. In comparison to a Security Group management approach that is not scheduling-aware, our findings show that for low-latency applications GrassHopper can reduce the network attack surface between VMs at a ratio of 78-to-99%, while causing no network performance overhead at the application level with respect to latency and throughput.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"22 2","pages":"2031-2058"},"PeriodicalIF":4.7000,"publicationDate":"2025-01-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10844916/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Packaging applications in Containers, dynamically managed using a cluster orchestrator, is the de-facto approach for deployment of cloud-native applications. When Containers run inside Virtual Machines (VMs) to protect infrastructural assets, Network Policies at the Container layer and Security Groups at the VM layer provide complementary firewall mechanisms that strengthen defenses against lateral movement of attackers. However, least-privilege network policies at the Container layer may not always be consistent with statically defined, over-permissive Security Groups at the VM layer. This is especially a problem with low-latency configuration of Container networking solutions that requires every opened Container protocol, port and traffic direction also to be opened at the VM layer. In any post-exploitation scenario where attackers escape from within an already compromised or infected Container, such over-permissive Security Groups do not prevent the attacker from spreading across VMs to find powerful tokens for accessing the cluster orchestrator. In this paper, we introduce GrassHopper, a fast and dynamic cross-layer enforcement approach for Network Policies, which automatically generates Security Group configurations from dynamically verified Network Policies and Container scheduling decisions. Given the low-latency context, the design of GrassHopper must ensure that dynamically generated Security Group rules come in a timely manner to effect before the newly scheduled Containers become ready to serve traffic. We evaluate the performance of GrassHopper on a Kubernetes cluster running on OpenStack at the network and application level. In comparison to a Security Group management approach that is not scheduling-aware, our findings show that for low-latency applications GrassHopper can reduce the network attack surface between VMs at a ratio of 78-to-99%, while causing no network performance overhead at the application level with respect to latency and throughput.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Network and Service Management Computer Science-Computer Networks and Communications

CiteScore

9.30

自引率

15.10%

发文量

325

期刊介绍： IEEE Transactions on Network and Service Management will publish (online only) peerreviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.