
Ines Muka
An in-depth comparative analysis of Kubernetes authorization mechanisms for fine-grained access control.
Advisors: Riccardo Sisto, Fulvio Valenza, Daniele Bringhenti, Francesco Pizzato. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025
PDF (Tesi_di_laurea) - Thesis. License: Creative Commons Attribution Non-commercial No Derivatives. Download (5MB)

Abstract:
Cloud computing delivers on-demand computing resources over the internet, giving modern infrastructure unparalleled scalability, cost-efficiency, and adaptability. Within this paradigm, Kubernetes has become the de facto standard orchestration tool, automating the deployment and administration of containerized applications across clusters. This dynamic, multi-tenant environment shares resources across users, teams, and microservices, but it exposes the cluster to security risks if permissions are improperly managed. Granular access control is therefore essential: it must ensure tenant isolation while preserving the operational advantages of Kubernetes. The goal of this thesis is to present an in-depth comparative analysis of Kubernetes authorization mechanisms for fine-grained access control. First, native and open-source Kubernetes authorization mechanisms are analysed. The native mechanisms considered are Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Webhook authorization; the open-source alternatives are Open Policy Agent (OPA), representing Policy-Based Access Control (PBAC), and SpiceDB, representing Relationship-Based Access Control (ReBAC). Then, for comparison, the mechanisms are assessed against multi-tenant scenarios that closely mirror real-world conditions. Last, the work concludes with a complete cross-evaluation of the complexity, granularity, scalability, and performance of each authorization mechanism and of the paradigm it stands for. As a result, this work provides a practitioner's guide to selecting, implementing, and optimizing authorization mechanisms. As future research, this analysis could be extended to integrate real-time threat response and automated validation tools.
| Field | Value |
|---|---|
| Advisors | Riccardo Sisto, Fulvio Valenza, Daniele Bringhenti, Francesco Pizzato |
| Academic year | 2024/25 |
| Publication type | Electronic |
| Number of pages | 108 |
| Subjects | |
| Degree programme | Master's degree programme in Ingegneria Informatica (Computer Engineering) |
| Degree class | New system > Master's degree > LM-32 - Ingegneria Informatica (Computer Engineering) |
| Partner organizations | Politecnico di Torino |
| URI | http://webthesis.biblio.polito.it/id/eprint/36461 |
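The abstract's central point is that tenant isolation in a shared cluster depends on how narrowly permissions are scoped. The manifests below are an added illustration written for this page, not material from the thesis: they show the weak pattern (a cluster-wide binding for a tenant group) beside the namespace-scoped, least-privilege form using native RBAC, the first of the mechanisms the thesis compares. The namespace `tenant-a`, the group `team-a`, and the role and binding names are hypothetical.

```yaml
# Added example, not from the thesis. Two ways to grant the hypothetical
# tenant group "team-a" access to its workloads.

# --- Weak: a ClusterRoleBinding to cluster-admin. Every member of team-a
# can now read Secrets and delete workloads in every namespace, including
# those of other tenants. Nothing in this object limits the scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: team-a-cluster-admin
subjects:
- kind: Group
  name: team-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# --- Corrected: a Role that exists only in the tenant's namespace and lists
# the exact resources and verbs the team needs. No wildcards, and no access
# to Secrets at all.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tenant-a
  name: workload-operator
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
---
# A RoleBinding is itself namespaced, so the grant cannot reach other
# namespaces even if the Role were later widened by mistake.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: tenant-a
  name: team-a-workload-operator
subjects:
- kind: Group
  name: team-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: workload-operator
  apiGroup: rbac.authorization.k8s.io
```

To check the difference the way an operator would, impersonate a member of the group and ask the API server directly: `kubectl auth can-i get secrets -n tenant-b --as=alice --as-group=team-a` returns `yes` while the ClusterRoleBinding exists and `no` once only the namespaced binding remains (`--as-group` needs `--as`). If several tenants need the same rule set, define it once as a ClusterRole and bind it per namespace with a RoleBinding; the binding, not the role kind, is what sets the scope.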