Dissertation
Conflict detection of network security policies across the Kubernetes stack with incremental approach
Abstract

Cloud-native development is an approach to building and deploying applications within containers in cloud environments, and it has become an industry standard thanks to advantages such as cost efficiency, scalability, and automation. The cloud-native technology stack can be divided into layers with their own responsibilities, such as the code, container and cloud layers. For example, the container layer handles the deployment and management of containerized applications, while the cloud layer manages the virtual machines on which the containerized applications run. These separate layers are usually managed by specialized tools that provide their own security features. A recurring security feature is the set of network communication rules, which restrict communication between components in order to limit the spread of an attack within the layer. However, conflicts may still arise when the communication rules of different layers are not aligned with each other, resulting in unreachable components or an additional attack vector. The alignment of these rules is further hindered by the dynamic nature of cloud deployments, since containers can be added or removed for automatic scaling. Until recently, the state of the art in cross-layer network policy management largely ignored the fact that proper placement of containers on nodes can avoid these conflicts. However, conflicts arising from security policy changes cannot be avoided for already deployed applications. This thesis presents a conflict detection algorithm that verifies network security rules between the cloud and cluster layers, specifically Kubernetes network policies and OpenStack security group rules. To do so, it leverages the reachability matrix introduced in Kano, while aiming to improve time performance by adding an incremental update approach for this reachability matrix.
The conflict detection is triggered by any event that can influence the connections between containers in the cluster; such events are found by continuously monitoring the cluster. When such an event is captured, our incremental approach finds the connectivity changes, which are then verified against a mocked cloud layer of security group rules to find any newly introduced conflicts. We evaluate the proposed algorithm and compare our incremental approach with an existing generative approach to updating the reachability matrix. The results show that our incremental update approach is faster once the cluster has grown sufficiently in size, at the cost of extra memory consumption. Our complete conflict detection solution adds only a small time overhead on top of the incremental update approach: in the largest cluster size of our experiments, the maximum average overhead added only 11.85% to the time of the container replacement process that resolves the conflict.
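The abstract describes the method only at a high level. The following is an added illustration written for this page, not code from the dissertation or from Kano: it derives a pod-to-pod reachability matrix from cluster-layer allow rules, updates that matrix incrementally when a monitored scale-out event adds a pod, checks only the changed entries against node-level security group rules, and cross-checks the incremental result against a full generative rebuild. The rule formats, the `Pod` type, the conflict definition used (cluster layer allows a cross-node connection that the cloud layer blocks) and the scenario data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Pod:
    name: str
    label: str   # stands in for the pod's selector labels (assumption)
    node: str    # the VM the scheduler placed the pod on


def cluster_allows(policies, src, dst, port):
    """Cluster layer: a Kubernetes-style allow rule (src_label, dst_label, port)."""
    return (src.label, dst.label, port) in policies


def cloud_allows(sg_rules, src, dst, port):
    """Cloud layer: a security group rule (src_node, dst_node, port).
    Traffic between pods on the same node never crosses the VM boundary,
    so the cloud layer cannot block it."""
    if src.node == dst.node:
        return True
    return (src.node, dst.node, port) in sg_rules


class ReachabilityMatrix:
    """Pod-to-pod reachability per port, derived from cluster-layer policies."""

    def __init__(self, policies, ports):
        self.policies = set(policies)
        self.ports = list(ports)
        self.pods = {}
        self.reach = {}  # (src_name, dst_name, port) -> bool

    def full_rebuild(self):
        """Generative approach: recompute every entry from scratch."""
        self.reach = {
            (a.name, b.name, port): cluster_allows(self.policies, a, b, port)
            for a, b in product(self.pods.values(), repeat=2)
            for port in self.ports
        }
        return self.reach

    def add_pod(self, pod):
        """Incremental approach: compute only the row and column of the new pod.
        Returns the entries that changed, so only those need a conflict check."""
        self.pods[pod.name] = pod
        changed = {}
        for other in self.pods.values():
            for port in self.ports:
                for src, dst in ((pod, other), (other, pod)):
                    key = (src.name, dst.name, port)
                    changed[key] = cluster_allows(self.policies, src, dst, port)
        self.reach.update(changed)
        return changed

    def remove_pod(self, name):
        """Incremental removal: drop every entry that mentions the pod."""
        self.pods.pop(name)
        gone = [k for k in self.reach if name in k[:2]]
        for k in gone:
            del self.reach[k]
        return gone


def find_conflicts(matrix, entries, sg_rules):
    """Assumed conflict definition: the cluster layer allows a cross-node
    connection that the cloud layer's security groups block, which leaves
    the destination unreachable."""
    conflicts = []
    for (s, d, port), allowed in entries.items():
        if not allowed or s == d:
            continue
        src, dst = matrix.pods[s], matrix.pods[d]
        if not cloud_allows(sg_rules, src, dst, port):
            conflicts.append((s, d, port))
    return sorted(conflicts)


def demo():
    """Constructed scenario: a scale-out event places a new web pod on a node
    whose security group has no rule towards the api pod's node."""
    policies = {("web", "db", 5432), ("web", "api", 8080)}
    sg_rules = {("node-a", "node-b", 5432), ("node-b", "node-a", 5432)}
    m = ReachabilityMatrix(policies, ports=[5432, 8080])
    for pod in (Pod("web-1", "web", "node-a"),
                Pod("api-1", "api", "node-a"),
                Pod("db-1", "db", "node-b")):
        m.add_pod(pod)
    before = find_conflicts(m, m.reach, sg_rules)

    # Monitored event: the autoscaler adds web-2 on node-b
    changed = m.add_pod(Pod("web-2", "web", "node-b"))
    after = find_conflicts(m, changed, sg_rules)

    # Cross-check: the incremental matrix equals a full generative rebuild
    incremental = dict(m.reach)
    consistent = m.full_rebuild() == incremental
    return {"before": before, "after": after,
            "incremental_matches_rebuild": consistent}


if __name__ == "__main__":
    print(demo())
```

The point of `add_pod` returning only the changed entries is the one the abstract makes: after an event, conflict checking is confined to the new pod's row and column instead of the whole matrix, at the cost of keeping the full matrix in memory between events.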
