IEEE Access (Jan 2024)
KubeAegis: A Unified Security Policy Management Framework for Containerized Environments
Abstract
Containers have become the standard for cloud-native service delivery, providing scalability and reliability. They are also prime targets for security attacks that exploit vulnerabilities. In particular, deploying security policies in dynamic cloud-native environments presents significant challenges, such as misconfigurations arising from the heterogeneity of the security policies involved. Despite numerous attempts to address these challenges, existing solutions lack a unified framework for consistently managing and enforcing heterogeneous security policies across the network, system, and cluster layers. Current approaches typically focus on isolated aspects of security rather than providing a comprehensive policy management solution, and this fragmentation leads to inconsistencies, inefficiencies, and potential security gaps. To address these challenges, this paper proposes KubeAegis, a unified policy management framework that manages the integration, verification, and enforcement of heterogeneous security policies at the network, system, and cluster levels. The framework enables centralized management of security policies and simplifies the integration of new security tools through an adapter-based approach and API recommendation mechanisms. It also incorporates a pre-validation process that detects potential misconfigurations before a policy is enforced and enables real-time tracking of the policies applied to containers. Our evaluation demonstrates the effectiveness of KubeAegis in integrating and managing network, system, and cluster security policies in real cloud-native environments, providing extensive coverage and achieving a translation delay of approximately 17 ms.
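The abstract describes two mechanisms without showing them: an adapter per layer that translates one unified policy into a tool-specific manifest, and a pre-validation step that rejects misconfigured policies before anything is enforced. The sketch below is an added example of that pattern, not KubeAegis's code. The unified policy schema (name, layer, selector, action, peers, ports, paths) and the adapter registry are assumptions made for this example. The network adapter targets the real Kubernetes networking.k8s.io/v1 NetworkPolicy API; the system adapter assumes KubeArmor (security.kubearmor.com/v1 KubeArmorPolicy) as the backend, which the page does not name. No cluster-layer adapter is registered, so a cluster policy is refused by pre-validation rather than silently dropped. Sample policies are constructed for the example.

```python
import json
from typing import Callable, Dict, List

# Adapter registry: layer name -> function translating a unified policy into
# one backend-specific manifest. Integrating a new tool means registering one
# more adapter; nothing else in the pipeline changes.
ADAPTERS: Dict[str, Callable[[dict], dict]] = {}


def adapter(layer: str):
    def register(fn: Callable[[dict], dict]) -> Callable[[dict], dict]:
        ADAPTERS[layer] = fn
        return fn
    return register


def validate(policy: dict) -> List[str]:
    """Pre-validation: return misconfiguration findings; an empty list means OK."""
    findings = [f"missing field '{k}'"
                for k in ("name", "layer", "selector", "action") if k not in policy]
    if findings:
        return findings
    if policy["layer"] not in ADAPTERS:
        findings.append(f"no adapter registered for layer '{policy['layer']}'")
    if policy["action"] not in ("allow", "deny"):
        findings.append(f"unknown action '{policy['action']}'")
    if not policy["selector"]:
        # An empty label selector matches every workload in the namespace.
        findings.append("empty selector would apply the rule to every workload")
    if policy["layer"] == "network":
        bad = [p for p in policy.get("ports", []) if not 1 <= p <= 65535]
        if bad:
            findings.append(f"ports out of range: {bad}")
        if policy["action"] == "allow" and not policy.get("peers"):
            findings.append("network allow rule lists no peers, so it would allow nothing")
    if policy["layer"] == "system" and not policy.get("paths"):
        findings.append("system rule lists no process paths")
    return findings


@adapter("network")
def to_network_policy(policy: dict) -> dict:
    """Kubernetes NetworkPolicy is allow-list only: 'deny' becomes an empty
    ingress list, i.e. default-deny for the selected pods."""
    spec = {"podSelector": {"matchLabels": policy["selector"]},
            "policyTypes": ["Ingress"], "ingress": []}
    if policy["action"] == "allow":
        rule = {"from": [{"podSelector": {"matchLabels": peer}} for peer in policy["peers"]]}
        if policy.get("ports"):
            rule["ports"] = [{"protocol": "TCP", "port": p} for p in policy["ports"]]
        spec["ingress"] = [rule]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": policy["name"],
                         "namespace": policy.get("namespace", "default")},
            "spec": spec}


@adapter("system")
def to_kubearmor_policy(policy: dict) -> dict:
    """KubeArmor is assumed as the system-layer backend (not named on the page)."""
    return {"apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorPolicy",
            "metadata": {"name": policy["name"],
                         "namespace": policy.get("namespace", "default")},
            "spec": {"selector": {"matchLabels": policy["selector"]},
                     "process": {"matchPaths": [{"path": p} for p in policy["paths"]]},
                     "action": "Allow" if policy["action"] == "allow" else "Block"}}


def translate(policy: dict) -> dict:
    """Validate first, then dispatch to the layer's adapter; a policy that fails
    pre-validation never produces a manifest."""
    findings = validate(policy)
    if findings:
        raise ValueError("; ".join(findings))
    return ADAPTERS[policy["layer"]](policy)


# Constructed sample policies for this example (not from the paper).
ALLOW_WEB_TO_DB = {"name": "allow-web-to-db", "layer": "network", "namespace": "shop",
                   "selector": {"app": "db"}, "action": "allow",
                   "peers": [{"app": "web"}], "ports": [5432]}
BLOCK_SHELL = {"name": "block-shell", "layer": "system", "namespace": "shop",
               "selector": {"app": "db"}, "action": "deny", "paths": ["/bin/sh", "/bin/bash"]}
BAD_PORT = {"name": "bad-port", "layer": "network", "selector": {"app": "db"},
            "action": "allow", "peers": [{"app": "web"}], "ports": [70000]}

if __name__ == "__main__":
    for p in (ALLOW_WEB_TO_DB, BLOCK_SHELL):
        print(json.dumps(translate(p), indent=2))
    print("rejected:", validate(BAD_PORT))
```

The ordering matters: validation runs against the unified policy, before translation, so a finding such as an empty selector or an out-of-range port is reported once in the unified vocabulary rather than once per backend, and a layer with no registered adapter is surfaced as a finding instead of a crash at enforcement time.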
Keywords