Automated Kubernetes workload hardening using a functionality oracle

Abstract

Kubernetes allows workloads to be deployed in sandboxed environments using containerization, offering fine-grained runtime restrictions via securityContext configurations. However, determining whether an application continues to function correctly under increasingly restrictive settings remains a challenge, especially when conventional testing methodologies require application-specific knowledge or integration tests. This thesis presents a methodology for automated workload hardening, without requiring internal knowledge of the workload under test. A Kubernetes Operator was developed that iteratively restricts container runtime permissions and evaluates the functional correctness of workloads using a set of heuristics. These heuristics rely on telemetry signals such as container logs, and resource metrics, gathered during controlled check runs and compared against a recorded baseline. Log analysis is performed using the Drainalgorithm, while time series data are evaluated through statistical summaries. The operator clones the workload’s Namespace to preserve isolation, executes checks for different configurations, and synthesizes a recommended securityContext configuration based on the outcome. Real-world workloads were used for evaluation, alongside custom workloads targeting specific runtime constraints. The results demonstrate that functionality-based hardening is feasible with minimal assumptions, and that log-based heuristics are particularly elective for detecting deviations. The operator-based approach integrates seamlessly with Kubernetes environments and supports developer workflows by providing actionable hardening recommendations.