Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications

“…For instance, while the former want the best (network) performance for their workloads and also potentially exclusive access to certain compute infrastructure and accelerators, the latter are mainly concerned with optimizing the usage of hardware resources and ensuring different tenants are properly isolated. Naturally, CAs strive to honor service level agreements with their customers, but they also need to protect the clusters from potentially malicious tenants and thus may want to restrict accumulation of privileged workloads on a single node [3] or restrict the possibility for lateral movement of attackers by least privilege network firewall rules [1], [4]. Any kind of network segmentation solution must take both parties' requirements into account and attempt to reconcile them optimally.…”

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

“…For instance, while the former want the best (network) performance for their workloads and also potentially exclusive access to certain compute infrastructure and accelerators, the latter are mainly concerned with optimizing the usage of hardware resources and ensuring different tenants are properly isolated. Naturally, CAs strive to honor service level agreements with their customers, but they also need to protect the clusters from potentially malicious tenants and thus may want to restrict accumulation of privileged workloads on a single node [3] or restrict the possibility for lateral movement of attackers by least privilege network firewall rules [1], [4]. Any kind of network segmentation solution must take both parties' requirements into account and attempt to reconcile them optimally.…”

Towards Intent-Based Scheduling for Performance and Security in Edge-to-Cloud Networks

Attribute-based policies through microservices in a smart home scenario

Bugs in Pods: Understanding Bugs in Container Runtime Systems