Design and Implementation of a Framework for Validating Kubernetes Policies through Automatic Test Generation

Masters’ thesis by Maximilian Bischoff, September 2018


In this thesis, a framework for validating kubernetes policies through automatic test generation is designed and implemented. At first kubernetes and its policies as well as possibilities for testing them are discussed. Then a design and its application to different kinds of policies is described. Afterwards the design is specified for NetworkPolicies and specifics of generating and executing tests are discussed. Finally, the features of the framework and its applicability to different networking solutions as well as its performance and scalability in terms of cluster size, policy count and tested resources are evaluated.

It is found that the framework generates sufficient test cases that are executed effectively. Furthermore, variations in test success rate for single networking solutions are observed, while overall feature coverage across solutions is high. The results show that the framework scales well with cluster size and tested resources. An existing performance issue for very high numbers of policies is identified.

1.1. Motivation

The continuously growing cloud market created a demand for software which leverages its capacities, especially its central characteristic of flexibility. Linux containers are a useful tool set for running applications flexibly in a virtual environment such as the cloud with less performance overhead than virtual machines (VM). When running container based distributed systems, there is an additional need for orchestrating and managing these containers. That opened a new niche for container management frameworks [4] In 2015 Google released its candidate for this niche, kubernetes, into the public. Kubernetes builds upon the experiences of Google’s prior works in that area, Borg, with the additional goal of working in any non-Google environment, which neither of its predecessors could have fulfilled. Today kubernetes is one of the most popular software solutions for container orchestration and management and even became the most discussed project on GitHub in 2017.

As most modern technologies, the cloud is not exempt from security issues. Having multiple applications from different customers running on the same hardware creates a special need for protection of the platform and customers, often formalized through a service level agreement. This need can be addressed through securing the virtual network as well as the underlying hardware from unwanted access by the applications running on top of it. Recent flaws on hardware level such as Meltdown, Spectre and especially the current SpectreNG vulnerabilities create an additional need for hardening on every application layer including the container and cluster levels of cloud applications. In kubernetes, container communication can be restricted through network policies, while container-host relationships can be set on an application basis with cluster wide policies regulating which settings are allowed.

inovex is a German IT project company with over 300 employees. One of its focus sectors is Data Center which includes multiple topics such as DevOps Engineering, Cloud, Hosting and Operations. For these topics kubernetes is one of the key technologies and has proven itself in multiple projects. To ensure security and quality of a kubernetes cluster, policy validation is of high interest for inovex.


Get in touch!

Christian Meder

Chief Technology Officer