I wrote my bachelor’s thesis on the issue of security in container orchestration, specifically in Kubernetes:
Containerisation is increasingly gaining traction to run modern applications in distributed environments. To run containers on a large scale and with high availability, container orchestration systems are commonly employed. The most widely used container orchestration system today is Kubernetes, which is highly flexible, but also comes with significant complexity.
In this thesis, we analyse the security of Kubernetes architectures. To do so, we create a layer model to give a holistic view of all relevant aspects. We demonstrate how an example application can securely run in a Kubernetes cluster and which configurations are necessary to strengthen security by employing multiple redundant barriers.
Our research shows that most Kubernetes installers already come with reasonably secure default configurations. However, custom adaptations in consideration of the deployed applications and their requirements to the runtime environment are imperative for secure cluster setup.
In short, I tried to get a holistic view of the relevant security aspects of container orchestration in Kubernetes and categorised them into a layer model.
I demonstrated my model with a sample architecture run on Google Kubernetes Engine. At the time of this writing, most Kubernetes installers already come with relatively secure default setups. However, there are still plenty of pitfalls and things to look out for in order not to end up in a bad place.
If you’re interested, you can read my full thesis here.