TY - GEN
T1 - KubeKeeper
T2 - 10th IEEE European Symposium on Security and Privacy, Euro S and P 2025
AU - Rostamipoor, Maryam
AU - Sadeghi, Aliakbar
AU - Polychronakis, Michalis
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Kubernetes has become the dominant platform for managing containerized applications, but its native Secrets management mechanisms introduce security vulnerabilities, especially in environments where third-party applications may have excessive permissions. In this paper, we present KubeKeeper, a comprehensive solution for protecting Kubernetes Secrets against leakage due to excessive permissions. KubeKeeper automatically encrypts Secrets and ensures that only explicitly authorized Pods can access their decrypted form. This is achieved by integrating with Kubernetes' admission control framework to transparently enforce access policies, without requiring changes to application code and with minimal integration effort into existing cluster infrastructure. We evaluated KubeKeeper on a diverse set of 498 Kubernetes applications and demonstrate that it successfully protects Secrets against all identified excessive permissions, without introducing performance degradation during execution or any significant overhead during Pod creation and deployment.
KW - Kubernetes
KW - Secrets management
KW - cloud computing
KW - excessive permissions
UR - https://www.scopus.com/pages/publications/105016113885
U2 - 10.1109/EuroSP63326.2025.00027
DO - 10.1109/EuroSP63326.2025.00027
M3 - Conference contribution
AN - SCOPUS:105016113885
T3 - Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025
SP - 322
EP - 338
BT - Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 30 June 2025 through 4 July 2025
ER -