Automatic enforcement of container security guidelines through policy as code

Type
Master's Thesis
Program
Computer systems and networks (MPCSN), MSc
Published
2022
Authors
Rönnbäck, Marcus
Åberg, Fredrik
Abstract
The increase in Kubernetes usage, and container usage in general, brings new security challenges. Recent surveys show that container system misconfigurations are the most common cause of concerns, faults and errors handled by system administrators. Common security guidelines exist that can help ensure that configurations are correct, but they typically involve manual policy enforcement, which can be tedious and time-consuming. This process can be automated by employing a “policy-as-code” system that checks and evaluates the validity of given configurations. It is not clear to what extent common security guidelines can be enforced through policy-as-code. In this thesis, the questions we aim to answer are: To what extent are common security guidelines enforceable through policy-as-code? Does it have any limitations or cases that cannot be covered? Does the implementation of these policies affect performance? Are there any concrete known vulnerabilities that are mitigated by these policies? This is done through empirical studies and evaluations of security guidelines and investigations of the extent to which they are enforceable. Our finding, using open-source Kubernetes security software, is that 33 out of 55 common security guidelines, which is 60%, are enforceable through policy-as-code systems. The non-enforceable guidelines depend on external factors such as organizational structure and user permissions, which are hard to implement in a policy-as-code system with current technologies.
Subject/keywords
kubernetes, policy-as-code, policy, open policy agent, rego, opa