KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration
Mubin Ul Haque, M. Mehdi Kholoosi, and M. Ali Babar

TL;DR
This paper introduces KGSecConfig, a knowledge graph-based system that automates and improves the security configuration process for container orchestrators like Kubernetes and Docker, reducing errors and enhancing security.
Contribution
The paper presents a novel knowledge graph approach for automating security configuration in container orchestrators, integrating heterogeneous data sources for improved security management.
Findings
Achieved 0.98 accuracy in configuration option extraction.
Achieved 0.94 accuracy in concept extraction.
Demonstrated automated mitigation of misconfigurations in Kubernetes.
Abstract
Container Orchestrator (CO) is a vital technology for managing clusters of containers, which may form a virtualized infrastructure for developing and operating software systems. Like any other software system, securing CO is critical, but can be quite a challenging task due to the large number of configurable options. Manual configuration is not only knowledge intensive and time consuming, but is also error prone. For automating the security configuration of CO, we propose a novel Knowledge Graph based Security Configuration, KGSecConfig, approach. Our solution leverages keyword and learning models to systematically capture, link, and correlate the heterogeneous and multi-vendor configuration space in a unified structure for supporting automation of the security configuration of CO. We implement KGSecConfig on Kubernetes, Docker, Azure, and VMWare to build a secured configuration knowledge graph. Our…
Taxonomy
Topics: Software System Performance and Reliability · Software Engineering Research · Software Engineering Techniques and Practices
