A formal approach for the identification of redundant authorization policies in Kubernetes

Computers & Security (2023)

Abstract
Application containerization allows for more efficient resource utilization and better performance than traditional virtualization techniques. However, managing many containers and providing services such as load balancing and fault tolerance is challenging. This led to the inception of Kubernetes, which allows resilient containerized distributed systems to be built. The authorization process provided by Kubernetes is well defined and thorough; however, its policies are prone to redundancy conflicts. The size of an authorization policy directly affects both its manageability and the performance of policy evaluation. Redundant rules in an access control policy increase the size of the policy and may induce unexpected side effects. In this paper, we propose an approach for identifying redundancy conflicts in the authorization policies supported by Kubernetes. The approach is formal and based on the Event Calculus, a logic programming formalism. It can model the different authorization modes supported by Kubernetes (such as ABAC and RBAC) and identifies redundant policies among attributes, roles, and their combinations. We provide tool support to convert Kubernetes policy objects into Event Calculus models, automatically invoke the reasoner on the converted models, and display any identified conflicts. We also report performance evaluation results to demonstrate the practicality of the proposed approach.
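To make the notion of a redundancy conflict concrete, the following is an added example, not the paper's Event Calculus tool: a plain Python check that flags RBAC `PolicyRule` entries of a Kubernetes Role that are fully subsumed by another rule in the same Role. It applies the matching semantics Kubernetes uses for resource rules (`*` wildcards in `apiGroups`, `resources` and `verbs`, the `*/subresource` form, and `resourceNames` where an empty list means "any name"); `nonResourceURLs` rules are deliberately left out of scope. The Role below is constructed sample input, and the function names are this example's own.

```python
"""Pairwise redundancy check for Kubernetes RBAC rules (illustrative, not the paper's tool)."""
import json

ALL = "*"  # rbacv1.ResourceAll / VerbAll / APIGroupAll


def _covers_set(sup, sub):
    """True if every literal in `sub` is matched by `sup` under RBAC wildcard rules."""
    if ALL in sup:
        return True
    if ALL in sub:
        return False
    return set(sub) <= set(sup)


def _covers_resources(sup, sub):
    """Resource matching: '*' matches everything, exact match, or '*/sub' for a subresource."""
    if ALL in sup:
        return True
    if ALL in sub:
        return False
    for res in sub:
        if res in sup:
            continue
        if "/" in res and not res.startswith("*/"):
            subresource = res.split("/", 1)[1]
            if "*/" + subresource in sup:
                continue
        return False
    return True


def _covers_names(sup, sub):
    """resourceNames: an empty list means any object name."""
    if not sup:
        return True
    if not sub:
        return False
    return set(sub) <= set(sup)


def rule_subsumes(sup, sub):
    """True if every request permitted by `sub` is also permitted by `sup` (resource rules only)."""
    if sup.get("nonResourceURLs") or sub.get("nonResourceURLs"):
        return False  # out of scope for this example
    return (_covers_set(sup.get("apiGroups", []), sub.get("apiGroups", []))
            and _covers_resources(sup.get("resources", []), sub.get("resources", []))
            and _covers_set(sup.get("verbs", []), sub.get("verbs", []))
            and _covers_names(sup.get("resourceNames", []), sub.get("resourceNames", [])))


def redundant_rules(rules):
    """Map index of each redundant rule -> index of a rule that covers it.

    Identical rules subsume each other; the first copy is kept and later copies are flagged.
    """
    found = {}
    for i, rule in enumerate(rules):
        for j, other in enumerate(rules):
            if i == j or not rule_subsumes(other, rule):
                continue
            if j > i and rule_subsumes(rule, other):
                continue  # `other` is an equal, later duplicate; it will be flagged instead
            found[i] = j
            break
    return found


# Constructed sample Role, in the shape `kubectl get role -o json` returns (not a real cluster object).
SAMPLE_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "example-role", "namespace": "demo"},
  "rules": [
    {"apiGroups": [""],     "resources": ["pods"],        "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""],     "resources": ["pods"],        "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["*"],           "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"], "resourceNames": ["web"]},
    {"apiGroups": [""],     "resources": ["pods/log"],    "verbs": ["get"]},
    {"apiGroups": [""],     "resources": ["*/log"],       "verbs": ["get", "list"]},
    {"apiGroups": [""],     "resources": ["secrets"],     "verbs": ["get"], "resourceNames": ["db-creds"]},
    {"apiGroups": [""],     "resources": ["secrets"],     "verbs": ["get"]}
  ]
}
""")

if __name__ == "__main__":
    for idx, by in sorted(redundant_rules(SAMPLE_ROLE["rules"]).items()):
        print(f"rule[{idx}] is redundant: covered by rule[{by}]")
```

The check is pairwise only: a rule covered by the union of two other rules (say, `get` from one and `list` from another) is not reported, which is one reason the paper reasons over combinations of attributes and roles rather than over pairs. Note also that a redundant rule is a symptom worth reading in both directions: rule 3 above is harmless to delete, but the reason it is redundant is the wildcard rule 2, which is the over-privileged grant a reviewer should actually question.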
Keywords
Container, Kubernetes, Authorization, Verification, Redundancy