
Enabling Fine-Grained Security for Liquid Computing in Multi-Cluster Kubernetes Environments

Francesco D'Anzi

Enabling Fine-Grained Security for Liquid Computing in Multi-Cluster Kubernetes Environments.

Rel. Fulvio Giovanni Ottavio Risso. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2023

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.


Cloud computing has revolutionized the way applications are deployed and managed. Among the numerous technologies that have emerged to facilitate cloud-native application deployment, Kubernetes stands out as a cornerstone for container orchestration, simplifying application scaling and management and providing organizations with the agility required to thrive in the cloud-native era. While Kubernetes serves as a powerful foundation for cloud-native applications, the need for multi-cluster architectures, which enable the creation of federated clusters that act as a single entity, has grown, driven by requirements for geographic distribution, redundancy and diverse infrastructure resources. "Liquid computing" is a paradigm that proposes to realize multi-cluster environments by creating a continuum of computing resources. This concept is implemented by Liqo, an open-source project started at Politecnico di Torino that allows multi-cluster topologies to be built within Kubernetes. The goal of this thesis is to enable fine-grained security for connectivity in Liqo. The current model of full pod-to-pod connectivity lacks granularity and control: to address this limitation, the thesis presents a solution that allows a single cluster in a Liqo environment to selectively contact its pods offloaded in other clusters and the endpoints of offloaded services that it hosts. This approach enhances security while maintaining the flexibility and scalability benefits of liquid computing. The implementation of this solution involves the development of two custom controllers responsible for enforcing connectivity restrictions; they manage iptables firewall rules for each cluster, ensuring that communication occurs only within the defined constraints. Lastly, a practical use case enabled by the new feature is presented: the creation of data spaces, realized by offloading workloads into the cluster that hosts the data of interest.

Supervisor: Fulvio Giovanni Ottavio Risso
Academic year: 2023/24
Publication type: Electronic
Number of pages: 95
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/28635