Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers

Jordi Thijsman, Merlijn Sebrechts, Filip De Turck, Bruno Volckaert

TL;DR

This work tackles securing Kubernetes clusters that include physically exposed edge devices by proposing a hardware-backed boot attestation framework built around TPMs and a modified Keylime workflow, enabling automated enrollment of edge workers as trusted cluster nodes. The authors introduce TrustKubernetes, a cloud-edge architecture featuring an EdgeNode CRD, a Kubebuilder controller, and Keylime-based registrar, verifier, and tenant components that deliver per-edge credentials and enforce continuous attestation with RBAC adjustments. Key contributions include an end-to-end enrollment workflow, dynamic RBAC policy adaptation in response to attestation events, and an open-source implementation; the evaluation shows an average attestation overhead of 10.28 seconds and a total enrollment time of 20.91 seconds. The approach provides a strong root of trust for edge deployments and enables granular, attestation-driven access control, paving the way for more secure and scalable cloud-edge ecosystems.

Abstract

A Kubernetes cluster typically consists of trusted nodes, running within the confines of a physically secure datacenter. With recent advances in edge orchestration, this is no longer the case. This poses a new challenge: how can we trust a device that an attacker has physical access to? This paper presents an architecture and open-source implementation that securely enrolls edge devices as trusted Kubernetes worker nodes. By providing boot attestation rooted in a hardware Trusted Platform Module, a strong base of trust is provided. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap and securely deliver unique cluster credentials required to enroll an edge worker. The controller dynamically grants and revokes these credentials based on attestation events, preventing a possibly compromised node from accessing sensitive cluster resources. We provide both a qualitative and a quantitative evaluation of the architecture. The qualitative scenarios prove its ability to attest and enroll an edge device with role-based access control (RBAC) permissions that dynamically adjust to attestation events. The quantitative evaluation reflects an average of 10.28 seconds delay incurred on the startup time of the edge node due to attestation for a total average enrollment time of 20.91 seconds. The presented architecture thus provides a strong base of trust, securing a physically exposed edge device and paving the way for a robust and resilient edge computing ecosystem.
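The abstract relies on two mechanisms that are easy to misread: a measured boot that extends each boot component's digest into a TPM PCR (so the final value is one-way and order-dependent), and a verifier that decides, per attestation event, whether a node's cluster permissions should be granted or revoked. The following Python model is an added illustration, not code from the paper or from Keylime. It assumes a single SHA-256 PCR bank, constructed placeholder boot images, and a simplified "quote" that is just the PCR value (the attestation-key signature a real TPM quote carries is not modelled). The RBAC rules it produces are hypothetical and not the paper's actual policy.

```python
import hashlib

# Constructed sample boot chain: (component name, bytes of that component's image).
# A real measured boot hashes the actual firmware, bootloader, kernel and initrd images.
BOOT_CHAIN = [
    ("firmware", b"example firmware image v1"),
    ("bootloader", b"example bootloader image v1"),
    ("kernel", b"example kernel image v1"),
    ("initrd", b"example initrd image v1"),
]

PCR_RESET = bytes(32)  # PCRs start as all zeroes after a TPM reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend operation: new = SHA-256(old || digest).
    The result depends on every prior value and on the order of extends,
    which is why a single changed or reordered component changes the final PCR."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(chain):
    """Device side: hash each boot component, record it in the event log,
    and extend the digest into the PCR before handing control to it."""
    pcr = PCR_RESET
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_event_log(event_log) -> bytes:
    """Verifier side: recompute the PCR that a claimed event log would produce."""
    pcr = PCR_RESET
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_quote(quoted_pcr: bytes, event_log, golden_pcr: bytes):
    """Verifier side. Two independent checks:
    1. the event log must replay to the PCR the TPM actually quoted
       (otherwise the log is not what the TPM measured);
    2. the quoted PCR must equal the golden value for the approved boot chain.
    Returns (attested, reason)."""
    if replay_event_log(event_log) != quoted_pcr:
        return False, "event log does not replay to quoted PCR"
    if quoted_pcr != golden_pcr:
        return False, "PCR does not match golden policy"
    return True, "ok"


def reconcile_rbac(node_name: str, attested: bool):
    """Controller side (hypothetical policy): map the attestation outcome to the
    desired RBAC rules for the node's identity. A failed or lapsed attestation
    leaves the node with no rules, i.e. its credentials are effectively revoked."""
    if not attested:
        return {"subject": node_name, "rules": []}
    return {
        "subject": node_name,
        "rules": [
            {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update"]},
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        ],
    }


def attest_and_reconcile(node_name: str, chain, golden_pcr: bytes):
    """One attestation event end to end: measure, verify, derive RBAC state."""
    quoted_pcr, event_log = measure_boot(chain)
    attested, reason = verify_quote(quoted_pcr, event_log, golden_pcr)
    return attested, reason, reconcile_rbac(node_name, attested)


if __name__ == "__main__":
    golden_pcr, _ = measure_boot(BOOT_CHAIN)
    print("trusted boot :", attest_and_reconcile("edge-1", BOOT_CHAIN, golden_pcr)[:2])
    tampered = [(n, b"modified kernel" if n == "kernel" else img) for n, img in BOOT_CHAIN]
    print("tampered boot:", attest_and_reconcile("edge-1", tampered, golden_pcr)[:2])
```

The golden PCR is obtained by measuring a known-good chain once; in Keylime terms that corresponds to the measured-boot policy the tenant registers for the agent. Note that the replay check matters on its own: a device that presents a clean-looking log together with a PCR value that the log does not reproduce is reporting something other than what its TPM measured, and should be treated as failed even before the golden comparison runs.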

Paper Structure (12 sections, 4 figures)

Figures (4)

  • Figure 1: A measured boot extends a digest of each part of the boot chain into the TPM; in contrast, a secure boot only verifies a part's signature.
  • Figure 2: An overview of the Keylime architecture: a system administrator uses the Keylime tenant CLI to set up attestation of a device that runs an agent and deliver a payload.
  • Figure 3: An overview of our architecture: the attestation controller interacts with the tenant API to enroll a trusted edge device into the cluster; it monitors the EdgeNode custom resource for attestation events and adjusts RBAC permissions accordingly.
  • Figure 5: Attestation takes on average 10.28 seconds for a total node registration time of 20.91 seconds.