A Comparative Study of Authorisation Mechanisms in Kubernetes-Based Service Platforms / Pizzato, F., Bringhenti, D., Valenza, F. - In: APPLIED CYBERSECURITY & INTERNET GOVERNANCE. - ISSN 2956-3119. - ELECTRONIC. - 5:2(2026), pp. 1-29. [10.60097/ACIG/220492]

A Comparative Study of Authorisation Mechanisms in Kubernetes-Based Service Platforms

Francesco Pizzato; Daniele Bringhenti; Fulvio Valenza
2026

Abstract

Kubernetes has become a core substrate for digital service platforms, where multiple teams, tenants, and automation components share the same control plane. In this setting, authorisation is a central security control because it governs API operations that can expose sensitive data, change runtime behaviour, or disrupt availability. Enforcing least privilege in Kubernetes is challenging in practice: the authorisation surface is broad, policies evolve continuously, and automation identities frequently act with privileges that can amplify the impact of misconfiguration or compromise. This paper compares Kubernetes authorisation mechanisms, covering native options (Role-Based Access Control [RBAC], Attribute-Based Access Control [ABAC], and Authorization Webhooks) together with representative open-source approaches that enable more expressive models, namely Open Policy Agent (OPA) and SpiceDB. The analysis is grounded in operational requirements typical of shared clusters, including delegated administration, constrained access to sensitive resources, least-privilege automation, and controlled administrative operations. Mechanisms are evaluated through a unified framework that captures both security and operational consequences along four dimensions: complexity, granularity, scalability, and performance. The results show that no mechanism dominates across all dimensions. RBAC remains an effective baseline due to tight integration and low-latency enforcement, but it can be difficult to extend to contextual constraints without policy sprawl. ABAC supports conditional rules but is often penalised by operational workflows that make policy evolution costly. Webhook authorisation is flexible but introduces a security-critical external dependency on the API request path. More expressive approaches, such as OPA and SpiceDB, are justified when they replace brittle approximations and support disciplined policy lifecycle management or relationship-driven permissions at scale.
Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3011568