Using LSMs to Strengthen Access Control of Applications that use hostPath in Kubernetes Clusters

  • Ronaldo Medeiros UFCG
  • Lília Sampaio UFCG
  • Raphael Agra UFCG
  • Reinaldo Gomes UFCG / RNP

Abstract


This paper presents a methodology to enhance the security of Kubernetes clusters that use hostPath volumes, a feature that introduces considerable risk because it gives workloads direct access to the host filesystem. Our approach leverages Linux Security Modules (LSMs) to enforce access control between workloads and host nodes, in line with Zero Trust principles. The proposed solution is demonstrated through integration with the SPIFFE CSI Driver within the SPIRE framework. Experimental results show that, among the performance metrics evaluated, only the SPIRE Agent's identity synchronization latency increased notably, by about 29.68%. While this overhead appears significant, it may be acceptable in less time-sensitive scenarios, particularly when weighed against the improved security posture achieved.
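As an added illustration of the pattern the abstract describes (this is not the paper's own configuration nor the SPIRE project's manifests): a workload Pod that reaches the SPIRE Agent socket through a hostPath volume, first unconfined, then confined by a node-local AppArmor profile that permits only that socket path. The socket path, profile name and container image are assumptions, and the `securityContext.appArmorProfile` field assumes Kubernetes 1.30 or newer.

```yaml
# Added example, not the paper's code: paths, names and image are assumptions.
# AppArmor profile assumed loaded on each node under the name spire-socket-client:
#   profile spire-socket-client flags=(attach_disconnected) {
#     #include <abstractions/base>
#     network unix stream,
#     /run/spire/agent-sockets/ r,                  # list the socket directory
#     /run/spire/agent-sockets/spire-agent.sock rw, # connect to the agent socket
#   }                                               # all other host paths: denied
# BEFORE: writable hostPath, container unconfined by any LSM
apiVersion: v1
kind: Pod
metadata:
  name: workload-unconfined
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0
      volumeMounts:
        - name: spire-sockets
          mountPath: /run/spire/agent-sockets
  volumes:
    - name: spire-sockets
      hostPath:
        path: /run/spire/agent-sockets
        type: Directory
---
# AFTER: same hostPath, mounted read-only, container confined by the profile
apiVersion: v1
kind: Pod
metadata:
  name: workload-confined
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0
      securityContext:
        appArmorProfile:
          type: Localhost
          localhostProfile: spire-socket-client
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: spire-sockets
          mountPath: /run/spire/agent-sockets
          readOnly: true
  volumes:
    - name: spire-sockets
      hostPath:
        path: /run/spire/agent-sockets
        type: Directory
```

Kubernetes only references the profile by name; it must already be loaded on every node where the Pod can be scheduled, otherwise the container fails to start. Connecting to a Unix socket does not require a writable mount, so the read-only hostPath mount does not break the Workload API connection.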

Published: 2025-09-01

MEDEIROS, Ronaldo; SAMPAIO, Lília; AGRA, Raphael; GOMES, Reinaldo. Using LSMs to Strengthen Access Control of Applications that use hostPath in Kubernetes Clusters. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 938-954. DOI: https://doi.org/10.5753/sbseg.2025.11402.