Proactive Security Policy Enforcement for Containers

Kermabon-Bobinnec, Hugo ORCID: https://orcid.org/0000-0003-0044-2178 (2022) Proactive Security Policy Enforcement for Containers. Masters thesis, Concordia University.

Text (application/pdf)
Kermabon-Bobinnec_MASc_S2023.pdf - Accepted Version
Available under License Creative Commons Attribution.


By providing lightweight and portable support for cloud native applications, container environments have recently gained significant momentum. A container orchestrator, such as Kubernetes, can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while the high dynamicity demands a short response time. In this thesis, we tackle this key security challenge to container environments through a novel proactive approach. Our proposed approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, this approach can ensure a practical response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) for large container environments (e.g., up to 800 Pods). We demonstrate its deployability by integrating our solution with Kubernetes, one of the most popular container orchestrators.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Kermabon-Bobinnec, Hugo
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 9 December 2022
Thesis Supervisor(s): Wang, Lingyu and Majumdar, Suryadipta
Keywords: container security kubernetes docker cybersecurity proactive opa gatekeeper policy enforcement computer science
ID Code: 991534
Deposited By: Hugo Kermabon-Bobinnec
Deposited On: 21 Jun 2023 14:34
Last Modified: 21 Jun 2023 14:34