This is not the latest version of this item. You can find the latest version here.
Automated Kubernetes workload hardening using a functionality oracle
Publication date
05.09.2025
Type of student thesis
Bachelor
Type
11 - Student thesis
Publisher / Publishing institution
Hochschule für Informatik FHNW
Place of publication / Event location
Windisch
Abstract
Kubernetes allows workloads to be deployed in sandboxed environments using containerization, offering fine-grained runtime restrictions via securityContext configurations. However, determining whether an application continues to function correctly under increasingly restrictive settings remains a challenge, especially when conventional testing methodologies require application-specific knowledge or integration tests. This thesis presents a methodology for automated workload hardening, without requiring internal knowledge of the workload under test.
A Kubernetes Operator was developed that iteratively restricts container runtime permissions and evaluates the functional correctness of workloads using a set of heuristics. These heuristics rely on telemetry signals such as container logs and resource metrics, gathered during controlled check runs and compared against a recorded baseline. Log analysis is performed using the Drain algorithm, while time series data are evaluated through statistical summaries. The operator clones the workload’s Namespace to preserve isolation, executes checks for different configurations, and synthesizes a recommended securityContext configuration based on the outcome. Real-world workloads were used for evaluation, alongside custom workloads targeting specific runtime constraints. The results demonstrate that functionality-based hardening is feasible with minimal assumptions, and that log-based heuristics are particularly effective for detecting deviations. The operator-based approach integrates seamlessly with Kubernetes environments and supports developer workflows by providing actionable hardening recommendations.
Keywords
Kubernetes, Heuristic Testing, Workload Hardening
Language
English
Created during FHNW affiliation
Yes
Citation
Petermann, M. (2025). Automated Kubernetes workload hardening using a functionality oracle [Hochschule für Informatik FHNW]. https://irf.fhnw.ch/handle/11654/52556