Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers
Abstract: A Kubernetes cluster typically consists of trusted nodes running within the confines of a physically secure datacenter. With recent advances in edge orchestration, this is no longer the case, which poses a new challenge: how can we trust a device to which an attacker has physical access? This paper presents an architecture and an open-source implementation that securely enrolls edge devices as trusted Kubernetes worker nodes. Boot attestation rooted in a hardware Trusted Platform Module (TPM) provides a strong base of trust. A new custom controller directs a modified version of Keylime to bridge the cloud-edge gap and securely deliver the unique cluster credentials required to enroll an edge worker. The controller dynamically grants and revokes these credentials based on attestation events, preventing a possibly compromised node from accessing sensitive cluster resources. We provide both a qualitative and a quantitative evaluation of the architecture. The qualitative scenarios demonstrate its ability to attest and enroll an edge device with role-based access control (RBAC) permissions that adjust dynamically to attestation events. The quantitative evaluation shows that attestation adds an average delay of 10.28 seconds to the startup time of the edge node, for a total average enrollment time of 20.91 seconds. The presented architecture thus provides a strong base of trust, securing a physically exposed edge device and paving the way for a robust and resilient edge computing ecosystem.
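The attest-then-enroll loop the abstract describes, as an added toy model that is not the paper's Trust Edge code and not Keylime's: an edge device replays its boot log into a PCR and answers a nonce challenge with a quote; a verifier checks freshness, signature and PCR policy; a controller grants a bootstrap credential and an RBAC role on "attested" and revokes both on "failed". Everything below is an assumption for illustration: an HMAC with a per-device key stands in for the TPM attestation-key signature, a list of component blobs stands in for a measured-boot event log, dicts stand in for cluster secrets and RoleBindings, and the device key, boot logs and node name are constructed sample data.

```python
"""Toy model of boot attestation gating Kubernetes worker enrollment.

Not the paper's Trust Edge implementation and not Keylime. Assumptions:
an HMAC keyed with a per-device secret stands in for a TPM quote signature,
a list of byte strings stands in for the measured-boot event log, and plain
dicts stand in for cluster credentials and RBAC bindings. Runs offline.
"""
import hashlib
import hmac
import secrets

PCR_SIZE = 32  # one PCR in the SHA-256 bank starts as 32 zero bytes


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_boot_log(events):
    """Replay a measured-boot log (component blobs, in boot order) into a PCR."""
    pcr = bytes(PCR_SIZE)
    for component in events:
        pcr = extend(pcr, hashlib.sha256(component).digest())
    return pcr


class EdgeDevice:
    """Attester side: holds the device key and quotes its current boot state."""
    def __init__(self, name, device_key, boot_log):
        self.name, self.key, self.boot_log = name, device_key, boot_log

    def quote(self, nonce):
        pcr = replay_boot_log(self.boot_log)
        sig = hmac.new(self.key, nonce + pcr, hashlib.sha256).digest()  # stand-in for TPM2_Quote
        return {"node": self.name, "nonce": nonce, "pcr": pcr, "sig": sig, "log": list(self.boot_log)}


class Verifier:
    """Verifier side: one outstanding nonce per node, golden PCR as the policy."""
    def __init__(self, device_keys, golden_pcr):
        self.device_keys, self.golden_pcr = device_keys, golden_pcr
        self.outstanding = {}

    def challenge(self, node):
        nonce = secrets.token_bytes(20)
        self.outstanding[node] = nonce
        return nonce

    def verify(self, q):
        node = q["node"]
        nonce = self.outstanding.pop(node, None)          # a nonce is single use
        if nonce is None or not hmac.compare_digest(nonce, q["nonce"]):
            return "failed"                                # replayed or unsolicited quote
        expected = hmac.new(self.device_keys[node], nonce + q["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return "failed"                                # not signed by this device's key
        if replay_boot_log(q["log"]) != q["pcr"]:
            return "failed"                                # event log does not reproduce the PCR
        if not hmac.compare_digest(q["pcr"], self.golden_pcr):
            return "failed"                                # boot chain differs from policy
        return "attested"


class EnrollmentController:
    """Controller side: credentials and RBAC follow the attestation state."""
    def __init__(self):
        self.credentials = {}   # node -> bootstrap token (stand-in for a cluster secret)
        self.rbac = {}          # node -> role (stand-in for a RoleBinding)

    def handle(self, node, event):
        if event == "attested":
            self.credentials[node] = secrets.token_hex(16)
            self.rbac[node] = "system:node"
        else:
            self.credentials.pop(node, None)   # revoke on any failed attestation
            self.rbac.pop(node, None)
        return self.rbac.get(node)


def attest_and_enroll(verifier, controller, device):
    """One full round: challenge, quote, verify, then grant or revoke."""
    event = verifier.verify(device.quote(verifier.challenge(device.name)))
    controller.handle(device.name, event)
    return event


# Constructed sample data (not from the paper).
DEVICE_KEY = b"constructed-device-key-edge-1"
GOOD_BOOT = [b"firmware-v1", b"shim", b"kernel-6.1", b"initrd"]
TAMPERED_BOOT = [b"firmware-v1", b"shim", b"kernel-6.1-backdoored", b"initrd"]
GOLDEN_PCR = replay_boot_log(GOOD_BOOT)

if __name__ == "__main__":
    v, c = Verifier({"edge-1": DEVICE_KEY}, GOLDEN_PCR), EnrollmentController()
    print(attest_and_enroll(v, c, EdgeDevice("edge-1", DEVICE_KEY, GOOD_BOOT)), c.rbac)
    print(attest_and_enroll(v, c, EdgeDevice("edge-1", DEVICE_KEY, TAMPERED_BOOT)), c.rbac)
```

The model makes the revocation path explicit: a node that attested once and later reboots into a modified kernel loses its credential and role on the next failed round, and a captured quote cannot be replayed because each nonce is consumed on first use. A real deployment binds the quote to a TPM attestation key certified during device provisioning rather than to a shared secret.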