Repository of the University of Ljubljana
Rootless containers in Kubernetes environment
Gorjan Novak, Anže (Author)
Ciglarič, Mojca (Mentor)
Baunach, Marcel (Mentor)
Pančur, Matjaž (Comentor)
Krisper, Michael (Comentor)
PDF - Presentation file (1,31 MB)
MD5: 4E71D815E42F8B4E520B5527F818CB27
Abstract
In recent years, containerization has revolutionized the way software is developed, deployed, and managed, offering a lightweight alternative to traditional virtual machines. However, the traditional approach requires root privileges, which poses security challenges, as a container escape attack could compromise the entire host system. To address this, the rootless approach offers a promising alternative, eliminating the requirement for root-level access and thus enhancing security. With Kubernetes leading the way in containerized application orchestration, some Kubernetes distributions are beginning to implement this approach, running all components without root permissions. This thesis explores the concept and challenges of rootless container technology in Kubernetes, evaluating its maturity, performance, limitations, security implications, and potential applications. Through extensive benchmarking, we evaluate various aspects, including network, disk, and CPU performance in both rootless and rootful modes. Our findings reveal that while rootless Kubernetes significantly enhances security by minimizing the risk associated with container escape vulnerabilities, it does so at the expense of reduced network and disk performance. We also highlight the current limitations of rootless Kubernetes, such as its complexity, experimental nature, and the lack of multi-node cluster support, which currently limit its practical applications.
Language: English
Keywords: rootless containers, Kubernetes, container security
Work type: Master's thesis/paper
Typology: 2.09 - Master's Thesis
Organization: FRI - Faculty of Computer and Information Science
Year: 2024
PID: 20.500.12556/RUL-155378
COBISS.SI-ID: 192115971
Publication date in RUL: 28.03.2024
Views: 983
Downloads: 121
Cite this work: GORJAN NOVAK, Anže, 2024, Rootless containers in Kubernetes environment [online]. Master’s thesis. [Accessed 25 April 2025]. Retrieved from: https://repozitorij.uni-lj.si/IzpisGradiva.php?lang=eng&id=155378
Secondary language
Language: Slovenian
Title: Vsebniki brez korenskega dostopa v okolju Kubernetes
Abstract:
In recent years, container technology has fundamentally changed the way software is developed, deployed, and managed, offering a lighter alternative to traditional virtual machines. However, the traditional approach requires root access, which poses security challenges, since an attack that gains access to the host system through a container can compromise the entire host system. The rootless approach offers a promising alternative, as it removes the requirement for administrator access and thereby increases security. Because Kubernetes is the leader in the orchestration of containerized applications, some Kubernetes distributions have begun to implement this approach, with all components running without root permissions. This master's thesis explores the concept and challenges of rootless container technology in Kubernetes and evaluates its maturity, performance, limitations, security implications, and potential areas of application. Through an extensive comparative analysis, we evaluate various aspects, including network, disk, and CPU performance, in rootless and rootful modes. Our findings reveal that rootless Kubernetes does significantly increase security, since it reduces the risk associated with container escape vulnerabilities, but does so at the expense of reduced network and disk performance. We also highlight the current limitations of rootless Kubernetes, such as its complexity, experimental nature, and lack of support for multi-node clusters, which currently limit its practical use.
Keywords: rootless containers, Kubernetes, container security