
Securing the computing continuum with fine-grained automatic network policies

Giulio Brazzo

Securing the computing continuum with fine-grained automatic network policies.

Advisors: Fulvio Giovanni Ottavio Risso, Stefano Galantino. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Download (4MB)
Abstract:

The increasing adoption of the computing continuum, where applications span cloud, edge, and on-premise infrastructures, has introduced new challenges in securing network communications. In such heterogeneous and dynamic environments, Kubernetes has emerged as the standard platform for orchestrating containerized workloads. However, its native networking model and built-in NetworkPolicies are often insufficient to guarantee fine-grained and adaptive traffic control, especially in multi-cluster scenarios. This thesis investigates how to achieve precise and automated network isolation within Kubernetes-based multi-cluster topologies, with a focus on deployments extended through Liqo, an open-source framework for transparent multi-cluster resource sharing. The proposed solution introduces multiple Kubernetes controllers capable of observing the resources shared between different clusters and dynamically generating security policies, mapped either to low-level nftables firewall rules or to Kubernetes NetworkPolicies. Specifically, the aim is to define and enforce clear security boundaries around a Kubernetes cluster that is part of a multi-cluster topology. To achieve this, the proposed system introduces a mechanism for selectively blocking network traffic within a peered cluster by dynamically applying fine-grained filtering rules. This is accomplished through the combined use of low-level nftables rules, for precise traffic control, and Kubernetes-native controllers. The controllers continuously monitor the environment and adapt the network isolation strategy to workload placement, origin, and namespace context. In doing so, this thesis delivers a flexible and extensible framework that automates network policy enforcement and reduces manual configuration overhead, while ensuring robust workload isolation across cluster boundaries.

Advisors: Fulvio Giovanni Ottavio Risso, Stefano Galantino
Academic year: 2024/25
Publication type: Electronic
Number of pages: 64
Subjects:
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: ArubaKube S.r.l.
URI: http://webthesis.biblio.polito.it/id/eprint/36360