Automatic enforcement of container security guidelines through policy as code
Type
Master's Thesis
Abstract
The increase in Kubernetes usage, and container usage in general, brings new challenges regarding security. Recent surveys show that container system misconfigurations are the most common cause of concern, faults, and errors handled by system administrators. Common security guidelines exist that can help ensure that configurations are correct, but they typically involve manual policy enforcement, which can be tedious and time consuming. This process can be automated by employing a "policy-as-code" system which checks and evaluates the validity of given configurations. It is not clear to what extent it is possible to enforce common security guidelines through policy-as-code. In this thesis, the questions we aim to answer are: To what extent are common security guidelines enforceable through policy-as-code? Does it have any limitations or cases that cannot be covered? Does the implementation of these policies affect performance? Are there any concrete known vulnerabilities that are mitigated by these policies? This is done through empirical studies and evaluations of security guidelines and investigations as to what extent they are enforceable. Our finding, using open-source Kubernetes security software, is that the overall number of common security guidelines that are enforceable through policy-as-code systems is 33 out of 55, which is 60%. The non-enforceable guidelines depend on external factors such as organizational structure and user permissions, which are hard to implement in a policy-as-code system with current technologies.
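As an added illustration, not code from the thesis, the following shows what a configuration check of the kind the abstract describes looks like in Open Policy Agent's Rego (the tool named in the keywords). Three common container guidelines (no privileged containers, runAsNonRoot must be set, no host networking) are written as deny rules over a Kubernetes AdmissionReview input, and two constructed sample requests are included as opa test cases. The package name, rule names, field paths, and sample manifests are assumptions for this example.

```rego
package kubernetes.admission

import rego.v1

# Constructed example policy (not from the thesis). `input` is assumed to be
# a Kubernetes AdmissionReview request, as OPA receives it when deployed as a
# validating admission webhook; a non-empty `deny` set rejects the request.

# Guideline: containers must not run privileged.
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [container.name])
}

# Guideline: containers must declare securityContext.runAsNonRoot: true.
# `not ... == true` also fires when securityContext is missing entirely.
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    not container.securityContext.runAsNonRoot == true
    msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
}

# Guideline: Pods must not share the host network namespace.
deny contains msg if {
    input.request.kind.kind == "Pod"
    input.request.object.spec.hostNetwork == true
    msg := "pod must not set spec.hostNetwork: true"
}

# Constructed sample requests for `opa test`; the image name is a placeholder.
privileged_pod := {"request": {
    "kind": {"kind": "Pod"},
    "object": {"spec": {"containers": [{
        "name": "app",
        "image": "example/app:1.0",
        "securityContext": {"privileged": true},
    }]}},
}}

compliant_pod := {"request": {
    "kind": {"kind": "Pod"},
    "object": {"spec": {
        "hostNetwork": false,
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {"privileged": false, "runAsNonRoot": true},
        }],
    }},
}}

# The privileged pod violates two guidelines: privileged, and runAsNonRoot unset.
test_privileged_pod_is_denied if {
    count(deny) == 2 with input as privileged_pod
}

# A pod that follows all three guidelines produces no deny messages.
test_compliant_pod_is_allowed if {
    count(deny) == 0 with input as compliant_pod
}
```

Saving this as a .rego file and running `opa test .` exercises both cases. The three rules only inspect fields present in the submitted manifest, which is exactly the class of guideline the abstract counts as enforceable; a guideline that depends on who submitted the request or on an organization's approval process has no counterpart in `input` and cannot be expressed this way.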
Keywords
kubernetes, policy-as-code, policy, open policy agent, rego, opa