Abstract:
As Kubernetes becomes the go-to orchestration platform for cloud-native applications, its dynamic and multi-tenant nature introduces complex runtime security challenges. Conventional security solutions such as firewalls, traditional intrusion detection systems (IDS), and user-space RASP implementations struggle to provide effective protection within these environments. These legacy approaches often fail to offer real-time visibility, suffer from high resource consumption, and lack the granularity to detect sophisticated threats such as privilege escalation, container escape, and lateral movement. To address this gap, this research proposes a novel Runtime Application Self-Protection (RASP) framework designed explicitly for Kubernetes and built on the Extended Berkeley Packet Filter (eBPF) technology. The architecture comprises a lightweight pod-level agent and a centralized controller, communicating over gRPC with mutual TLS. The system performs real-time syscall monitoring (e.g., execve, connect, setuid), classifies events using a configurable rule engine, and dispatches alerts through Slack integrations. Additionally, telemetry is exported to the ELK stack for long-term forensic visibility and machine learning readiness.
The system was rigorously evaluated in realistic Kubernetes environments, including simulated adversarial conditions. Results demonstrate that the framework achieves event classification latency under 30ms, with an average CPU overhead of less than 3% and memory usage below 150MB, validating its suitability for production-grade deployments. Alert accuracy exceeded a 97.6% true positive rate, with zero false positives under tuned rulesets. The architecture proved resilient, with 100% telemetry recovery during controller failover scenarios, and scalability across heterogeneous clusters was confirmed. Full CI/CD automation was implemented using GitHub Actions and ArgoCD, enabling reproducible, secure deployments. This work represents a technically robust and academically novel contribution to runtime container security, establishing a practical foundation for future enforcement logic and intelligent anomaly detection in Kubernetes-native ecosystems.