Towards A Capability Model of Kubernetes Runtime Security Enforcement Mechanisms / Settanni, Francesco; Lisena, Giuseppe; Basile, Cataldo. - 15994:(2025), pp. 266-284. (Paper presented at the ARES 2025 International Workshops, held in Ghent (BEL) on August 11–14, 2025) [10.1007/978-3-032-00630-1_15].

Towards A Capability Model of Kubernetes Runtime Security Enforcement Mechanisms

Settanni, Francesco; Basile, Cataldo
2025

Abstract

The shift toward cloud-native and microservice-based architectures has made Kubernetes the de facto platform for managing containerized applications. However, its limited native support for security features has led to the proliferation of diverse enforcement mechanisms, such as Cilium, Calico, Tetragon, and KubeArmor. These tools vary in capabilities and configuration, complicating the establishment of an effective security posture. This work proposes a conceptual model that abstracts runtime security enforcement across these tools, enabling intent-based security policy design and automation. We present a model-driven approach to bridge high-level security requirements with low-level enforcement configurations. Our approach facilitates cloud portability, simplifies policy refinement, and enhances security consistency for heterogeneous environments. Validation across real-world microservice architectures and security policy catalogs demonstrates its practicality and effectiveness.
2025
9783032006295
9783032006301
Files in this record:

File | Size | Format

978-3-032-00630-1_15-2.pdf

Restricted access

Description: Towards A Capability Model of Kubernetes Runtime Security Enforcement Mechanisms
Type: 2a Post-print, publisher's version / Version of Record
License: Not public - private/restricted access
Size: 1.14 MB
Format: Adobe PDF
Towards A Capability Model of Kubernetes Runtime Security Enforcement Mechanisms.pdf

Embargoed until 09/08/2026

Description: Towards A Capability Model of Kubernetes Runtime Security Enforcement Mechanisms
Type: 2. Post-print / Author's Accepted Manuscript
License: Public - All rights reserved
Size: 485.17 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3003088