Automated Kubernetes workload hardening using a functionality oracle
Publication date
05.09.2025
Type of work
Bachelor
Type
11 - Student thesis
Publisher / Issuing institution
Hochschule für Informatik FHNW
Place of publication
Windisch
Abstract
Kubernetes allows workloads to be deployed in sandboxed environments using containerization, offering fine-grained runtime restrictions via securityContext configurations. However, determining whether an application continues to function correctly under increasingly restrictive settings remains a challenge, especially when conventional testing methodologies require application-specific knowledge or integration tests. This thesis presents a methodology for automated workload hardening, without requiring internal knowledge of the workload under test.
A Kubernetes Operator was developed that iteratively restricts container runtime permissions and evaluates the functional correctness of workloads using a set of heuristics. These heuristics rely on telemetry signals such as container logs and resource metrics, gathered during controlled check runs and compared against a recorded baseline. Log analysis is performed using the Drain algorithm, while time series data are evaluated through statistical summaries. The operator clones the workload's namespace to preserve isolation, executes checks for different configurations, and synthesizes a recommended securityContext configuration based on the outcome. Real-world workloads were used for evaluation, alongside custom workloads targeting specific runtime constraints. The results demonstrate that functionality-based hardening is feasible with minimal assumptions, and that log-based heuristics are particularly effective for detecting deviations. The operator-based approach integrates seamlessly with Kubernetes environments and supports developer workflows by providing actionable hardening recommendations.
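To make the oracle concrete, here is an added Python illustration (not the thesis operator's code) of the two pieces the abstract describes: a two-level Drain-style template miner used as a log-based functionality oracle against a recorded baseline, and a greedy loop that walks a ladder of securityContext restrictions and keeps each one the oracle accepts. The ladder, the similarity threshold, and the simulated workload (which logs write failures only when readOnlyRootFilesystem is set) are constructed assumptions; the thesis operator runs real pods in a cloned namespace and also evaluates metric time series, which this sketch omits.

```python
"""Simplified functionality oracle: Drain-style log templating plus a greedy
securityContext hardening loop. Added illustration, not the thesis code.
The workload below is a constructed simulation of one check run."""
import re
from typing import Callable, Optional

WILDCARD = "<*>"
NUMERIC = re.compile(r"^\d+(\.\d+)?$")


def tokenize(line: str) -> list[str]:
    # Pre-mask purely numeric tokens so they never become template tokens.
    return [WILDCARD if NUMERIC.match(t) else t for t in line.split()]


def similarity(template: list[str], tokens: list[str]) -> float:
    # Drain's seqDist: share of positions with identical tokens; a wildcard
    # in the template is a parameter slot and does not count as a match.
    same = sum(1 for a, b in zip(template, tokens) if a == b and a != WILDCARD)
    return same / len(tokens)


class TemplateMiner:
    """Two-level Drain: bucket by (token count, first token), then take the
    most similar template in the bucket and wildcard the differing positions."""

    def __init__(self, sim_th: float = 0.4) -> None:
        self.sim_th = sim_th
        self.buckets: dict[tuple[int, str], list[list[str]]] = {}

    def best_match(self, tokens: list[str]) -> Optional[list[str]]:
        bucket = self.buckets.get((len(tokens), tokens[0]), [])
        best = max(bucket, key=lambda t: similarity(t, tokens), default=None)
        if best is not None and similarity(best, tokens) >= self.sim_th:
            return best
        return None

    def add(self, line: str) -> str:
        tokens = tokenize(line)
        if not tokens:
            return ""
        best = self.best_match(tokens)
        if best is None:
            self.buckets.setdefault((len(tokens), tokens[0]), []).append(tokens)
            return " ".join(tokens)
        for i, (a, b) in enumerate(zip(best, tokens)):
            if a != b:
                best[i] = WILDCARD  # generalise the slot in place
        return " ".join(best)

    def templates(self) -> set[str]:
        return {" ".join(t) for b in self.buckets.values() for t in b}


def log_oracle(baseline: list[str], check: list[str]) -> tuple[bool, list[str]]:
    """Templates mined from the baseline run form the accepted vocabulary;
    check-run lines matching none of them are mined into 'novel' templates.
    Any novel template is treated as a functional deviation (strict policy)."""
    known, novel = TemplateMiner(), TemplateMiner()
    for line in baseline:
        known.add(line)
    for line in check:
        tokens = tokenize(line)
        if tokens and known.best_match(tokens) is None:
            novel.add(line)
    found = sorted(novel.templates())
    return bool(found), found


# Constructed hardening ladder; the keys are real securityContext fields.
LADDER = [
    ("runAsNonRoot", {"runAsNonRoot": True, "runAsUser": 10001}),
    ("allowPrivilegeEscalation", {"allowPrivilegeEscalation": False}),
    ("dropAllCapabilities", {"capabilities": {"drop": ["ALL"]}}),
    ("readOnlyRootFilesystem", {"readOnlyRootFilesystem": True}),
    ("seccompRuntimeDefault", {"seccompProfile": {"type": "RuntimeDefault"}}),
]


def harden(run_check: Callable[[dict], list[str]]) -> tuple[dict, dict[str, list[str]]]:
    """Greedy synthesis (an assumption, not necessarily the thesis strategy):
    record a baseline with no restrictions, then add each rung of the ladder
    and keep it only if the log oracle reports no deviation."""
    baseline = run_check({})
    recommended: dict = {}
    rejected: dict[str, list[str]] = {}
    for name, fields in LADDER:
        candidate = {**recommended, **fields}
        deviates, novel = log_oracle(baseline, run_check(candidate))
        if deviates:
            rejected[name] = novel
        else:
            recommended = candidate
    return recommended, rejected


def simulated_workload(ctx: dict) -> list[str]:
    """Constructed stand-in for a check run: a service that logs requests and
    caches to /tmp, so only a read-only root filesystem makes it complain."""
    lines = [f"INFO request method=GET path=/api/items status=200 latency_ms={3 + i}"
             for i in range(5)]
    lines.append("INFO cache warmed entries=5")
    if ctx.get("readOnlyRootFilesystem"):
        lines += [f"ERROR write /tmp/cache/{i}.json: read-only file system" for i in range(5)]
    return lines


if __name__ == "__main__":
    rec, rej = harden(simulated_workload)
    print("recommended securityContext:", rec)
    print("rejected rungs:", rej)
```

The strict policy flags any template absent from the baseline; a production oracle would need a tolerance for transient noise that also appears in baseline runs, and it cannot notice templates that vanish (the cache line here disappearing would go unseen), which is the gap the thesis fills with metric-based heuristics.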
Keywords
Kubernetes, Heuristic Testing, Workload Hardening
Language
English
Created during FHNW affiliation
Yes
Citation
Petermann, M. (2025). Automated Kubernetes workload hardening using a functionality oracle [Hochschule für Informatik FHNW]. https://doi.org/10.26041/fhnw-13664