
Kubernetes Pods Remote Attestation

Francesco Zaritto


Supervisors: Antonio Lioy, Silvia Sisinni, Enrico Bravi. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2024

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

Cloud Computing is fundamentally changing how software is developed and deployed, offering users on-demand and scalable access to computing resources and services. However, this shift also brings substantial challenges related to security, privacy, and trust, largely due to its reliance on multi-tenant third-party infrastructure. To address these newly arising problems, Trusted Computing and Remote Attestation have become essential. Trusted Computing is a set of principles and standardized technologies, promoted by the Trusted Computing Group, intended to build trust in a platform. Among the most significant results of this effort is the Trusted Platform Module (TPM), a crypto-processor that provides hardware-based security to the platform on which it is installed. The TPM specifically enables Remote Attestation, a process in which a remote party (the verifier) verifies the integrity of a platform (the attester) by evaluating cryptographic measurements that the TPM protects and signs, thereby ensuring their authenticity and integrity. While remote attestation is a well-established method for validating the integrity of physical nodes through direct use of the TPM, its implementation becomes significantly more complex in cloud environments. These environments rely heavily on virtualization, particularly containerization, for which no consolidated or standardized attestation framework currently exists. Container-based virtualization has become widely used in cloud environments because of its greater flexibility and resource optimisation, especially compared to full virtualization. Building on the preceding discussion, this thesis proposes a novel framework, designed and developed from the ground up, that integrates seamlessly with Kubernetes, the de facto standard for the deployment, scaling, and management of cloud infrastructures.
The proposed solution introduces a new architecture that adheres to the guidelines established by the Trusted Computing Group and other relevant standards. Its primary objective is to provide attestation capabilities over Pods, the smallest execution units in Kubernetes, each corresponding to a set of one or more containers. The development emphasizes a modular and flexible system that can accommodate future enhancements and broader validation.

Supervisors: Antonio Lioy, Silvia Sisinni, Enrico Bravi
Academic year: 2024/25
Publication type: Electronic
Number of pages: 129
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering (Ingegneria Informatica)
Collaborating organisations: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/34093