Kunerva: Automated Network Policy Discovery Framework for Containers

Citations: 11. Mendeley readers: 18.

This article is free to access.

Abstract

Containerization has become widespread in cloud-native applications because containers are lightweight and portable, and orchestration platforms such as Kubernetes simplify their deployment and management. Human error, especially misconfiguration, nonetheless remains a substantial security risk for containers. One specific challenge is generating effective network security policies, given the label-based nature of container management and the dynamic characteristics of container deployments. This paper introduces KUNERVA, an automated framework designed to address this challenge in container environments. KUNERVA performs policy discovery from network logs, generating a minimum set of network security policies that achieves maximum coverage of the observed network traffic while preserving isolation between containers. To increase confidence in the generated policies, KUNERVA integrates with the policy enforcement system Gatekeeper for policy verification. As a result, KUNERVA discovers an efficient and effective network policy set and blocks the enforcement of malicious network policies.
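The abstract describes three steps: mine observed flows from network logs, fold them into the smallest set of label-selector policies that still covers those flows, and verify each policy before it is enforced. The script below is an added example illustrating that pipeline in the shape of Kubernetes NetworkPolicy objects; it is not KUNERVA's code and does not reproduce the paper's algorithm. The flow-log format, the pod labels and the `verify()` checks are all constructed for this example, and `verify()` is a plain Python stand-in for the kind of constraint one would write for Gatekeeper, not a call into Gatekeeper itself.

```python
"""Toy network-policy discovery from flow logs, emitting NetworkPolicy-shaped dicts.

Added example; the log format below is constructed and not taken from the paper.
"""
import re
from collections import defaultdict

# Constructed sample flow log: one observed connection per line, with the
# labels of the source and destination pods as they would come from a CNI
# or service-mesh flow exporter.
FLOW_LOG = """\
src=app=frontend,tier=web dst=app=api,tier=backend dport=8080 proto=TCP
src=app=frontend,tier=web dst=app=api,tier=backend dport=8080 proto=TCP
src=app=api,tier=backend dst=app=db,tier=data dport=5432 proto=TCP
src=app=worker,tier=backend dst=app=db,tier=data dport=5432 proto=TCP
src=app=api,tier=backend dst=app=cache,tier=data dport=6379 proto=TCP
src=app=api,tier=backend dst=app=db,tier=data dport=5432 proto=TCP
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_labels(s):
    """'app=api,tier=backend' -> {'app': 'api', 'tier': 'backend'}"""
    return dict(kv.split("=", 1) for kv in s.split(","))


def parse_flows(log):
    """Return a list of (src_labels, dst_labels, port, proto); unparsable lines are skipped."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((parse_labels(m[1]), parse_labels(m[2]), int(m[3]), m[4]))
    return flows


def discover_policies(flows):
    """One ingress policy per destination workload; one rule per observed source selector.

    Repeated flows collapse into the same rule, so the policy set is the smallest
    one (at this label granularity) that still admits every observed flow.
    """
    rules = defaultdict(lambda: defaultdict(set))  # dst labels -> src labels -> {(port, proto)}
    for src, dst, port, proto in flows:
        rules[tuple(sorted(dst.items()))][tuple(sorted(src.items()))].add((port, proto))
    policies = []
    for dst_key, by_src in sorted(rules.items()):
        dst = dict(dst_key)
        ingress = [
            {
                "from": [{"podSelector": {"matchLabels": dict(src_key)}}],
                "ports": [{"port": p, "protocol": pr} for p, pr in sorted(ports)],
            }
            for src_key, ports in sorted(by_src.items())
        ]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-to-" + dst["app"]},
            "spec": {"podSelector": {"matchLabels": dst},
                     "policyTypes": ["Ingress"], "ingress": ingress},
        })
    return policies


def selector_matches(selector, labels):
    """Kubernetes semantics: an empty matchLabels selects every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def flow_allowed(policies, src, dst, port, proto):
    """True if some policy selecting dst has an ingress rule admitting (src, port, proto)."""
    for pol in policies:
        spec = pol["spec"]
        if not selector_matches(spec["podSelector"], dst):
            continue
        for rule in spec.get("ingress", []):
            peers, ports = rule.get("from", []), rule.get("ports", [])
            peer_ok = not peers or any(selector_matches(p.get("podSelector", {}), src) for p in peers)
            port_ok = not ports or any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
            if peer_ok and port_ok:
                return True
    return False


def coverage(policies, flows):
    """Fraction of observed flows the policy set admits."""
    return sum(flow_allowed(policies, *f) for f in flows) / len(flows)


def verify(policy):
    """Admission-style checks in the spirit of a Gatekeeper constraint (constructed, not Gatekeeper's own).

    Flags the shapes that quietly turn a policy into allow-all.
    """
    spec, problems = policy["spec"], []
    if not spec["podSelector"].get("matchLabels"):
        problems.append("podSelector selects every pod in the namespace")
    for rule in spec.get("ingress", []):
        if not rule.get("from"):
            problems.append("ingress rule without 'from' admits any source")
        if not rule.get("ports"):
            problems.append("ingress rule without 'ports' admits any port")
    return problems


# A constructed "malicious" policy: selects everything and admits everything.
ALLOW_ALL = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
             "metadata": {"name": "allow-all"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}}

if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    pols = discover_policies(flows)
    print(f"{len(pols)} policies cover {coverage(pols, flows):.0%} of {len(flows)} flows")
    for p in pols:
        print(p["metadata"]["name"], verify(p) or "ok")
    print("allow-all rejected:", verify(ALLOW_ALL))
```

Two caveats a practitioner would add. A NetworkPolicy only isolates the pods it selects, so the discovered allow rules give no isolation for workloads that never appeared in the logs until a default-deny policy is applied alongside them. And coverage is measured against the log window; a flow that was legitimate but unobserved (a nightly job, a failover path) will be blocked, which is why the verification step matters as much as the discovery step.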

Citation (APA)

Lee, S., & Nam, J. (2023). Kunerva: Automated Network Policy Discovery Framework for Containers. IEEE Access, 11, 95616–95631. https://doi.org/10.1109/ACCESS.2023.3310281
