Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers
Jordi Thijsman, Merlijn Sebrechts, Filip De Turck, Bruno Volckaert

TL;DR
This paper introduces a hardware-backed architecture for securely enrolling and trusting edge Kubernetes nodes, enabling robust trust in physically accessible devices through attestation and dynamic credential management.
Contribution
It presents a novel architecture and open-source implementation that securely enrolls edge devices as trusted Kubernetes workers using hardware attestation and dynamic credential control.
Findings
Attestation and enrollment take approximately 20.91 seconds on average.
The architecture effectively attests and manages edge device trust with role-based access control.
The system prevents compromised nodes from accessing sensitive resources through dynamic credential revocation.
Abstract
A Kubernetes cluster typically consists of trusted nodes, running within the confines of a physically secure datacenter. With recent advances in edge orchestration, this is no longer the case. This poses a new challenge: how can we trust a device that an attacker has physical access to? This paper presents an architecture and open-source implementation that securely enrolls edge devices as trusted Kubernetes worker nodes. By providing boot attestation rooted in a hardware Trusted Platform Module, a strong base of trust is provided. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap and securely deliver unique cluster credentials required to enroll an edge worker. The controller dynamically grants and revokes these credentials based on attestation events, preventing a possibly compromised node from accessing sensitive cluster resources. We provide…
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Blockchain Technology Applications and Security
