Abstract:
Problem: Passing over-provisioned scopes in access tokens during service-to-service communication in Kubernetes-deployed microservices governance makes it hard to uphold the Single Responsibility Principle and zero trust between microservices. Such over-provisioning typically originates from mistakes made during the development phase, which general integration testing usually cannot detect. This project addresses the issue by developing an integration tool that detects over-provisioned OAuth2 JWT access token scopes during service-to-service communication in a Kubernetes deployment. The tool is required to give a clear indication of the expected and actual privileges for each route.
Methodology: This research tackles the issue by proposing an independent, separate mechanism for detecting over-scoped tokens within the service mesh pattern, specifically in Kubernetes-based microservices governance. By improving the ability to identify and manage over-scoped tokens, the proposed solution seeks to improve the overall security posture of microservices architectures.
Results: The developed tool, KubeSpector, detects over-scoped access token requests and, when such over-provisioned requests are identified, generates the necessary authorization policies. Once these policies are applied, the system achieves over 99% throughput while keeping the impact on the CPU utilization and memory footprint of Kubernetes pods minimal.
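As an added illustration (not part of the abstract or of the KubeSpector code), the core check the abstract describes: decode the JWT a calling service presents, normalise its scope claim, and diff it against the least-privilege scopes recorded for the route, reporting the excess. The route map, service names and sample token are constructed assumptions.

```python
import base64
import json

# Constructed expected-privilege map (route -> least-privilege scopes the
# caller needs). Assumption: the tool keeps such a map for every route.
EXPECTED_SCOPES = {
    ("orders-svc", "GET", "/orders"): {"orders:read"},
    ("orders-svc", "POST", "/orders"): {"orders:read", "orders:write"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is not
    verified here: detection runs on traffic the mesh or gateway has
    already authenticated (assumption)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_scopes(claims: dict) -> set:
    """Normalise the scope claim: 'scope' is space-delimited (RFC 9068),
    while some issuers emit an 'scp' list instead."""
    if isinstance(claims.get("scope"), str):
        return set(claims["scope"].split())
    scp = claims.get("scp", [])
    return set(scp) if isinstance(scp, list) else set(str(scp).split())

def check_route(service: str, method: str, path: str, token: str) -> dict:
    """Diff the token's scopes against the route's needs; 'excess' is the over-provisioning."""
    expected = EXPECTED_SCOPES[(service, method, path)]
    actual = token_scopes(jwt_claims(token))
    return {
        "route": f"{method} {path} on {service}",
        "expected": sorted(expected),
        "actual": sorted(actual),
        "excess": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "over_provisioned": bool(actual - expected),
    }

def sample_token() -> str:
    """Constructed sample token for the demo (alg=none, empty signature segment)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"sub": "checkout-svc", "aud": "orders-svc",
              "scope": "orders:read orders:write orders:delete"}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."
```

The `excess` set is what the abstract calls an over-provisioned request; a policy generator would derive its allow-list from `expected` rather than from the token.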