Khaja Kamaluddin, 2023. "Network isolation for cloud-native applications in multi-tenant architectures", ESP International Journal of Advancements in Computational Technology (ESP-IJACT) Volume 1, Issue 3: 180-189.
This research examines the evolution of network isolation techniques within Kubernetes-based containerized environments, with an emphasis on early architectural patterns and their associated security constraints. It investigates the use of iptables and ebtables for packet filtering, as well as the use of VXLAN-based overlay networks for cross-node communication. While these mechanisms were instrumental in supporting basic network segmentation, they were often complex to manage at scale and had limited integration with identity-aware security models. A comparison of the key CNI plugins Calico, Flannel and Weave Net shows their strengths, weaknesses and suitability for different deployment scenarios. Despite efforts such as the introduction of Kubernetes Network Policies and early use of service mesh technologies, the first iterations of Kubernetes often suffered from weak workload identity verification, inconsistent policy enforcement and limited observability of east-west traffic. These weaknesses enabled lateral movement within clusters and posed high risk in multi-tenant deployments. The paper synthesizes these lessons to outline practices that yield stronger segmentation and defense in depth in container ecosystems. It concludes with a future outlook in which the move towards identity-driven, policy-rich models of workload isolation paves the way for a more resilient cloud-native security posture.
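The abstract points to inconsistent Network Policy enforcement as a source of lateral movement between tenants. The following audit is an added example written for this page (not code from the paper): it applies the NetworkPolicy API's semantics (empty podSelector selects all pods, policyTypes defaults, rules with no from/to match every peer) to a constructed list of manifests, shaped like the items `kubectl get networkpolicy -A -o json` returns, and reports whether each namespace actually has a default-deny baseline per direction.

```python
"""Audit NetworkPolicy manifests for a per-namespace isolation baseline (added example)."""
from collections import defaultdict
from typing import Dict, List

def selects_all_pods(spec: dict) -> bool:
    # An empty podSelector ({}) matches every pod in the policy's namespace.
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")

def policy_types(spec: dict) -> List[str]:
    # API default when policyTypes is omitted: Ingress is always implied,
    # Egress only when an egress section is present.
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])

def audit(policies: List[dict]) -> Dict[str, Dict[str, dict]]:
    """Return {namespace: {direction: {"isolated": bool, "unrestricted_rules": int}}}."""
    report: Dict[str, Dict[str, dict]] = defaultdict(
        lambda: {d: {"isolated": False, "unrestricted_rules": 0}
                 for d in ("Ingress", "Egress")})
    for pol in policies:
        ns = pol["metadata"].get("namespace", "default")
        spec = pol.get("spec", {})
        for direction in policy_types(spec):
            entry = report[ns][direction]
            if selects_all_pods(spec):
                # Every pod is now isolated for this direction: traffic not
                # matched by some policy's from/to rules is dropped.
                entry["isolated"] = True
            peer_key = "from" if direction == "Ingress" else "to"
            for rule in spec.get(direction.lower()) or []:
                # A rule with an empty or missing from/to matches all peers
                # and reopens the namespace to the whole cluster.
                if not rule.get(peer_key):
                    entry["unrestricted_rules"] += 1
    return dict(report)

# Constructed sample manifests (not from the paper), shaped like kubectl -o json items.
SAMPLE_POLICIES = [
    {"metadata": {"name": "default-deny", "namespace": "tenant-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-same-ns", "namespace": "tenant-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "web-open", "namespace": "tenant-b"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"port": 80}]}]}},
]
```

In the sample, tenant-a has a deny baseline in both directions with only a same-namespace allow, while tenant-b has no baseline at all and one rule that admits any source on port 80.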
Network Isolation, VXLAN, Mechanisms