Research field: Software Development
Conference: International Conference on Availability, Reliability and Security
The shift toward cloud-native and microservice-based architectures has made Kubernetes the de facto platform for managing containerized applications. However, its limited native support for security features has led to the proliferation of diverse enforcement mechanisms, such as Cilium, Calico, Tetragon, and KubeArmor. These tools vary in capabilities and configuration, complicating the establishment of an effective security posture. This work proposes a conceptual model that abstracts runtime security enforcement across these tools, enabling intent-based security policy design and automation. We present a model-driven approach to bridge high-level security requirements with low-level enforcement configurations. Our approach facilitates cloud portability, simplifies policy refinement, and enhances security consistency for heterogeneous environments. Validation across real-world microservice architectures and security policy catalogs demonstrates its practicality and effectiveness.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Italy |
| Site | Springer |