
Towards Automated Security Policy Management in Kubernetes

Alessia Moscuzza

Supervisors: Cataldo Basile, Francesco Settanni. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2025

Abstract:

Kubernetes network security is critical for protecting containerized applications, but by default the platform provides no way to enforce security policies beyond basic NetworkPolicy resources with limited capabilities. Today several security tools can enforce network policies; the main ones are Cilium, Calico, KubeArmor, and Tetragon. Each tool has its own policy specification language, creating a fragmented security environment. This forces organizations into vendor lock-in, makes migration between solutions difficult and expensive, and prevents the adoption of the best security strategy, one that combines capabilities from different tools. Security engineers, or even worse developers, to whom security is often delegated, are forced to learn multiple policy languages and to manually translate policies when changing tools. This thesis addresses the interoperability challenge through an abstraction layer that separates policy definitions from their tool-specific language. The abstraction layer provides a model for representing network security policies that is independent of any security enforcement mechanism. This work has identified common security primitives and functionalities shared across the different tools and has encoded them in the abstract model. The project's aim was to create a unifying framework consisting of two main components: a translator, which maps abstract policies to each tool-specific format, and an analyzer for reverse-engineering existing policies. The translator can also detect feature incompatibilities. The framework has undergone a series of correctness validation tests, including round-trip translation tests and behavioural equivalence verification in live multi-cluster Kubernetes environments. Security policy management in heterogeneous Kubernetes environments remains a significant challenge, and this project provides a foundation for automated security orchestration by enabling tool-agnostic policy management. It reduces operational complexity and supports different security architectures, while providing a foundation for future automated security orchestration capabilities.

Supervisors: Cataldo Basile, Francesco Settanni
Academic year: 2025/26
Publication type: Electronic
Number of pages: 139
Additional information: Restricted thesis. Full text not available
Subjects:
Degree programme: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING (INGEGNERIA INFORMATICA)
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/38681