Browsing by Author "BARBOSA, DIOGO DA COSTA"
- Framework de Segurança para Kubernetes (Security Framework for Kubernetes). Publication. BARBOSA, DIOGO DA COSTA; Nogueira, Luis Miguel Pinho

In this document, we can follow the entire process of developing the Master’s Thesis written for the completion of the Master’s Degree in Computer Engineering at the Higher Institute of Engineering of Porto. Considering that the Master’s degree specializes in Cybersecurity and Systems Administration, and that one of the most significant emerging technologies in recent years is Kubernetes, which is closely tied to current systems administration practice, it made perfect sense to develop something in the area of Kubernetes security. In recent years, more and more companies have adopted other styles of system development, as conventional monolithic systems have begun to show their limitations. New architectures for computer systems have therefore emerged, one of the most prominent in the market in recent years being Microservices. This architecture divides a system into small services, each of which operates independently of the others. Adopting it, however, was quite complicated until solutions appeared that could work according to the principles of Microservices. The solution for implementing Microservices well lies in containers. These provide a higher level of abstraction over the system on which they run, making it possible to simulate different kinds of systems on the same machine. Containers complement Microservices, as each of the independently developed services is executed in a different container. This achieves a further level of independence, as technological dependencies practically cease to exist, since each container has its own execution environment.
However, when large companies began their migration to Microservices, they noticed that the larger the system, the greater the number of containers required; and since each container has its own execution environment, and several containers may even run the same service as different instances, managing these containers was becoming quite difficult. As a result, container management tools began to be developed, with some companies building their own internal solutions. The best example is Google, which currently has two internal container management tools and used them as the basis for creating the largest open-source container management tool. Kubernetes was launched by Google in 2014 and immediately received strong support from the entire community, which readily contributed its knowledge to the improvements that would follow over the next eleven years. Despite the keen interest of a large community and many companies, it is still considered a recent technology. Kubernetes brought a new vision of containers, since in reality it is not containers that are executed but Pods, which can be considered improved containers. In its basic operation, Kubernetes groups several Nodes, which can be virtual machines, physical machines, or even cloud instances. One of the Nodes is the main one, hosting the Control Plane, which is considered the brain of a Kubernetes cluster. The Control Plane consists of several components with different tasks: all communication between Pods, and even with the outside world, passes through the API Server; another component monitors all running Pods and compares them with the desired state of the cluster, which in turn is stored in yet another Control Plane component. Although Kubernetes seems an excellent solution for migrating to Microservices, companies are beginning to fear the security flaws it may contain.
Even more worrying for these same companies is knowing whether they are maintaining the same level of security maturity in their systems. This problem is the main focus of this work, since the intended result is a security checklist to be applied to clusters in order to determine a cluster’s security maturity level and how it can be improved. Throughout the document, an in-depth analysis of Kubernetes is carried out in order to identify the critical points of a Kubernetes cluster that must be examined in depth to ensure its overall security. With this analysis complete, a checklist is drawn up that explains how to perform each verification and, where necessary, how to improve the corresponding points.
