KubeSpector : A Zero Trust Enhancement Model for Microservices Governance

Abstract

Problem : Passing over provisioned scopes for access tokens during service-to-service communication in Kubernetes deploy microservices governance is challenging when trying to ensure the Single Responsibility Principle and Zero trust of microservices. This issue often arises due to mistakes made during the development phase, which typically cannot be detected during general integration testing. This project focuses on addressing this issue by developing a integration tool to detect over-provisioned OAuth2 JWT access token scopes during service- to-service communication in a Kubernetes deployment. It is required to ensure a clear indication of expected and actual privileges for each route. Methodology : This research aims to tackle this issue by proposing an independent and separate mechanism for detecting over-scoped tokens within the service mesh pattern, specifically in Kubernetes-based microservices governance. By enhancing the ability to identify and manage over-scoped tokens, the proposed solution seeks to improve the overall security posture of microservices architectures. Results : The developed KubeSpector is designed to detect over-scoped access token requests, and when such over-provisioned requests are identified, it generates the necessary authorization policies. Once these policies are applied, the system achieves over 99% throughput while maintaining minimal impact on the CPU utilization and memory footprint of Kubernetes pods