Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers

Published 16 May 2024 in cs.CR | (2405.10131v1)

Abstract: A Kubernetes cluster typically consists of trusted nodes, running within the confines of a physically secure datacenter. With recent advances in edge orchestration, this is no longer the case. This poses a new challenge: how can we trust a device that an attacker has physical access to? This paper presents an architecture and open-source implementation that securely enrolls edge devices as trusted Kubernetes worker nodes. By providing boot attestation rooted in a hardware Trusted Platform Module, a strong base of trust is provided. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap and securely deliver unique cluster credentials required to enroll an edge worker. The controller dynamically grants and revokes these credentials based on attestation events, preventing a possibly compromised node from accessing sensitive cluster resources. We provide both a qualitative and a quantitative evaluation of the architecture. The qualitative scenarios prove its ability to attest and enroll an edge device with role-based access control (RBAC) permissions that dynamically adjust to attestation events. The quantitative evaluation reflects an average of 10.28 seconds delay incurred on the startup time of the edge node due to attestation for a total average enrollment time of 20.91 seconds. The presented architecture thus provides a strong base of trust, securing a physically exposed edge device and paving the way for a robust and resilient edge computing ecosystem.
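The abstract describes two mechanisms working together: a TPM-rooted boot attestation (the verifier checks the node's Platform Configuration Register values against known-good values) and a controller that grants cluster credentials and RBAC permissions when attestation passes and revokes them when it fails. The following is an added model of that lifecycle, written for this page; it is not code from the paper or from the trust-edge project. It replays a constructed boot event log through the TPM extend operation (PCR_new = SHA256(PCR_old || SHA256(measurement))) to derive a golden PCR value, then runs a toy controller that reacts to attestation events. The event names, token format and role names are placeholders, and only the PCR digest is compared; a real verifier such as Keylime would first check the TPM quote's signature and nonce.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed measurements for a hypothetical edge boot chain (not from the paper).
GOLDEN_EVENT_LOG = [b"firmware-v1", b"bootloader-v3", b"kernel-6.1", b"initrd-signed"]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend semantics: new = SHA256(old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def replay_log(events) -> bytes:
    """Replay a boot event log from the all-zero reset value to the final PCR."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


# Golden value the verifier trusts; order of events matters because extend chains.
GOLDEN_PCR = replay_log(GOLDEN_EVENT_LOG)


@dataclass
class Node:
    name: str
    attested: bool = False
    credential: Optional[str] = None          # placeholder bootstrap credential
    rbac_bindings: Set[str] = field(default_factory=set)


class EnrollmentController:
    """Toy model of an attestation-driven enrollment controller (assumption, not the paper's code)."""

    def __init__(self, golden_pcr: bytes):
        self.golden_pcr = golden_pcr
        self.nodes: Dict[str, Node] = {}
        self.issued = 0

    def verify_quote(self, reported_pcr: bytes) -> bool:
        # Constant-time compare of the reported digest with the golden value.
        return hmac.compare_digest(reported_pcr, self.golden_pcr)

    def handle_event(self, node_name: str, reported_pcr: bytes) -> Node:
        """Grant credentials on a passing quote, revoke them on a failing one."""
        node = self.nodes.setdefault(node_name, Node(node_name))
        passed = self.verify_quote(reported_pcr)
        if passed and not node.attested:
            self.issued += 1
            node.attested = True
            node.credential = f"bootstrap-token-{self.issued:04d}"   # placeholder format
            node.rbac_bindings = {"system:node-bootstrapper", "system:node"}  # assumed roles
        elif not passed and node.attested:
            # Continuous attestation failed: revoke so a compromised node loses access.
            node.attested = False
            node.credential = None
            node.rbac_bindings = set()
        return node


if __name__ == "__main__":
    ctrl = EnrollmentController(GOLDEN_PCR)
    print(ctrl.handle_event("edge-1", replay_log(GOLDEN_EVENT_LOG)))
    tampered = replay_log([b"firmware-v1", b"bootloader-v3", b"kernel-6.1-modified", b"initrd-signed"])
    print(ctrl.handle_event("edge-1", tampered))
```

The point the model makes is that credentials are a function of attestation state rather than a one-time secret: a node that later reports a different measurement chain loses both its credential and its RBAC bindings, which is the revocation behaviour the abstract attributes to the controller.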
