Kubernetes workload identity federation
| Author: | |
|---|---|
| Resource type: | master's thesis |
| Publication date: | 2025 |
| Country: | Spain |
| Institution: | Universitat Oberta de Catalunya (UOC) |
| Repository: | O2, the UOC institutional repository |
| OAI identifier: | oai:openaccess.uoc.edu:10609/152143 |
| Online access: | https://hdl.handle.net/10609/152143 |
| Access level: | open access |
| Keywords: | Kubernetes; security; workload identity; OpenID Connect (OIDC); SPIFFE/SPIRE; Computer security -- FMDP; Computer security -- TFM |
| Abstract: | This thesis addresses the complexity of securely managing workload identities across single-cloud, multi-cloud, and multi-cluster Kubernetes environments. Grounded in a thorough review of pertinent security standards and regulations—such as GDPR, ISO/IEC 27001, ISO/IEC 27002, and NIST’s Secure Software Development Framework—the work proposes a simplified federation model leveraging the Kubernetes Service Account token issuer, SPIFFE/SPIRE, and a Mutating Admission Webhook. A comprehensive examination of native workload identity solutions offered by major cloud providers (AWS, Azure, and Google Cloud) informed the design of the open-source Federid implementation. Federid provides a cloud-agnostic approach to workload identity federation across any OpenID Connect (OIDC) Identity Provider. Methodologically, the research involved designing this federation model, implementing Federid, and validating its effectiveness through proof-of-concept scenarios including Kubernetes access, single-cloud, multi-cloud, and multi-cluster deployments. Feasibility was confirmed on major cloud providers, ensuring extensibility for additional OIDC integrations. Practical contributions include corrections and enhancements to upstream projects such as Kubernetes and SPIFFE, improving both reliability and clarity in those codebases. Results show that Federid significantly simplifies credential provisioning, strengthens scalability, and aligns with recognized industry standards, thereby reducing complexity in heterogeneous cloud infrastructures. These achievements highlight Federid’s potential for broad adoption within the cloud-native ecosystem. In conclusion, this thesis advances workload identity federation by delivering a robust, scalable, and standards-compliant framework. Future research will focus on extending Federid to additional OIDC providers and refining its architecture to meet evolving security and orchestration requirements in cloud-native environments. |
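The federation model in the abstract rests on one mechanism: the Kubernetes API server is an OIDC issuer. It publishes a discovery document and a JWKS, and a projected service account token carries an issuer, a caller-chosen audience, a subject of the form `system:serviceaccount:<namespace>:<name>` and a `kubernetes.io` claim naming the workload. A cloud provider (or any OIDC relying party) exchanges that token for its own credentials only after verifying it. The Go program below is an added illustration of that exchange and is not code from the thesis or from the Federid project: it mints a token shaped like a projected service account token, publishes the matching JWKS, and verifies the token the way a relying party must, with the algorithm pinned, the key resolved by `kid`, the signature checked before any claim is trusted, and issuer, audience and validity window enforced, followed by the trust-policy binding to an exact workload. The issuer URL, audience, key id, namespace and service account names are constructed for the demo; the JWKS is held in memory rather than fetched from the issuer's discovery endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims: the subset of a projected service account token a relying party needs.
type Claims struct {
	Issuer string `json:"iss"`; Subject string `json:"sub"`; Audience []string `json:"aud"` // kube-apiserver emits aud as an array
	IssuedAt int64 `json:"iat"`; NotBefore int64 `json:"nbf"`; Expiry int64 `json:"exp"`
	Kubernetes struct {
		Namespace      string `json:"namespace"`
		ServiceAccount struct{ Name string `json:"name"` } `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

// jwk/JWKS mirror the document a cluster publishes at <issuer>/openid/v1/jwks.
type jwk struct {
	Kty string `json:"kty"`; Kid string `json:"kid"`; Alg string `json:"alg"`
	Use string `json:"use"`; N string `json:"n"`; E string `json:"e"`
}
type JWKS struct{ Keys []jwk `json:"keys"` }

func PublicJWKS(pub *rsa.PublicKey, kid string) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []jwk{{Kty: "RSA", Kid: kid, Alg: "RS256", Use: "sig",
		N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// MintToken signs a token shaped like a Kubernetes projected service account token
// (RS256 with a kid, sub = system:serviceaccount:<ns>:<name>, caller-chosen audience).
func MintToken(priv *rsa.PrivateKey, kid, issuer, aud, ns, sa string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	var c Claims
	c.Issuer, c.Subject, c.Audience = issuer, "system:serviceaccount:"+ns+":"+sa, []string{aud}
	c.IssuedAt, c.NotBefore, c.Expiry = now.Unix(), now.Unix(), now.Add(ttl).Unix()
	c.Kubernetes.Namespace, c.Kubernetes.ServiceAccount.Name = ns, sa
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken does what a cloud STS does with a federated token: pin the algorithm, resolve
// the key by kid from the issuer's JWKS, verify the signature before trusting any claim,
// then enforce issuer, audience and the validity window.
func VerifyToken(tok string, keys JWKS, issuer, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct { Alg string `json:"alg"`; Kid string `json:"kid"` }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) } // never let the token pick alg
	var key *jwk
	for i := range keys.Keys { if keys.Keys[i].Kid == hdr.Kid && keys.Keys[i].Kty == "RSA" { key = &keys.Keys[i] } }
	if key == nil { return nil, fmt.Errorf("unknown kid %q", hdr.Kid) }
	n, errN := b64.DecodeString(key.N)
	e, errE := b64.DecodeString(key.E)
	sig, errS := b64.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil { return nil, fmt.Errorf("bad base64url") }
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, fmt.Errorf("bad signature") }
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil { return nil, err }
	if c.Issuer != issuer { return nil, fmt.Errorf("issuer mismatch") }
	audOK := false
	for _, a := range c.Audience { audOK = audOK || a == aud }
	if !audOK { return nil, fmt.Errorf("audience mismatch") }
	if t := now.Unix(); t >= c.Expiry || t < c.NotBefore { return nil, fmt.Errorf("outside validity window") }
	return &c, nil
}

// Authorize is the trust-policy side: release a cloud role only to one exact namespace/service-account
// pair. Trusting the issuer alone would let every service account in the cluster assume the role.
func Authorize(c *Claims, ns, sa string) bool {
	return c.Subject == "system:serviceaccount:"+ns+":"+sa &&
		c.Kubernetes.Namespace == ns && c.Kubernetes.ServiceAccount.Name == sa
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, now := PublicJWKS(&priv.PublicKey, "kid-1"), time.Now()
	// Issuer URL, audience, namespace and service account below are constructed for the demo.
	tok, _ := MintToken(priv, "kid-1", "https://oidc.cluster-a.example", "https://sts.example", "payments", "api", now, time.Hour)
	c, err := VerifyToken(tok, keys, "https://oidc.cluster-a.example", "https://sts.example", now)
	fmt.Println(err, c != nil && Authorize(c, "payments", "api"))
}
```

Three checks in the verifier carry the security weight of a federation like the one the abstract describes. The audience check is what stops a token minted for one relying party from being replayed at another, so each provider integration should request its own audience in the pod's projected `serviceAccountToken` volume. The `kid` lookup is what makes issuer key rotation safe, so a real verifier refreshes the JWKS from the issuer's discovery document over TLS instead of caching it forever. And the exact subject binding in `Authorize` is the role-mapping rule a provider needs; a rule that matches only the issuer, or a wildcard namespace, hands the role to every workload in the cluster. In a multi-cluster setup each cluster is a separate issuer with its own JWKS, which is the fan-out that a single federation point such as a SPIRE server or the Federid model is meant to collapse.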