Extending Kubernetes for Pods Integrity Verification / Zaritto, Francesco; Bravi, Enrico; Sisinni, Silvia; Lioy, Antonio. - In: JOURNAL OF NETWORK AND SYSTEMS MANAGEMENT. - ISSN 1064-7570. - 34:(2026). [10.1007/s10922-025-09988-z]
Extending Kubernetes for Pods Integrity Verification
Zaritto, Francesco;Bravi, Enrico;Sisinni, Silvia;Lioy, Antonio
2026
Abstract
Cloud computing is driving a substantial shift of tenant applications and services to external infrastructures administered by third-party providers. As a result, tenants experience an almost complete loss of control over deployment and execution monitoring, which in turn limits their ability to enforce security mechanisms and policies. In this context, the risk of executing unintended and potentially harmful operations increases, along with the likelihood that such actions may go unnoticed. Integrity verification is a key countermeasure, ensuring code integrity and detecting compromises. Cloud computing extensively leverages resource virtualisation, and in this context, Kubernetes has emerged as the de facto standard for cloud application management, orchestrating workloads into groups of containers known as Pods. However, virtualisation represents an additional obstacle to security assurance, and providing integrity verification in such environments remains an open challenge due to the absence of standardised procedures. Despite the transition to cloud environments, tenants must still verify application integrity and indirectly assess the underlying infrastructure security. Trusted computing techniques offer a practical approach to this challenge, mainly through remote attestation, which allows systems to generate verifiable proofs about their integrity state, then validated by a trusted external entity. This paper presents a remote attestation architecture integrated into the Kubernetes framework, allowing tenants to obtain non-repudiable evidence of the security posture of their applications and the integrity of the hosting platforms, thereby restoring visibility and control in cloud environments. The proposed solution was evaluated through functional and performance tests, demonstrating both effectiveness and minimal overhead.

| File | Size | Format |
|---|---|---|
| s10922-025-09988-z.pdf (open access). Type: 2a Post-print, publisher's version / Version of Record. Licence: Creative Commons | 2.87 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/3003897