Inside Job: Defending Kubernetes Clusters Against Network Misconfigurations

Access rights

openAccess
CC BY
publishedVersion

A1 Original article in a scientific journal

Language

en

Series

Proceedings of the ACM on Networking, Volume 3, issue CoNEXT3, pp. 1-25

Abstract

Kubernetes has emerged as the de facto standard for container orchestration. Unfortunately, its increasing popularity has also made it an attractive target for malicious actors. Despite extensive research on securing Kubernetes, little attention has been paid to the impact of network configuration on the security of application deployments. This paper addresses this gap by conducting a comprehensive analysis of network misconfigurations in a Kubernetes cluster with specific reference to lateral movement. Accordingly, we carried out an extensive evaluation of 287 open-source applications belonging to six different organizations, ranging from IT companies and public entities to non-profits. As a result, we identified 634 misconfigurations, well beyond what could be found by solutions in the state of the art. We responsibly disclosed our findings to the concerned organizations and engaged in a discussion to assess their severity. As of now, misconfigurations affecting more than thirty applications have been fixed with the mitigations we proposed.

Citation

Bufalino, J, Martin Navarro, J, Di Francesco, M & Aura, T 2025, 'Inside Job: Defending Kubernetes Clusters Against Network Misconfigurations', Proceedings of the ACM on Networking, vol. 3, no. CoNEXT3, 20, pp. 1-25. https://doi.org/10.1145/3749220