Smelly Kube: a tool to detect security smells in Kubernetes manifests

Bibliographic details
Year of defense: 2024
Principal author: Borges, Vitor Oriel de Castro Nunes (Lattes CV: http://lattes.cnpq.br/2900171687070459; ORCID: https://orcid.org/0009-0003-8818-1263)
Advisor: Correia, Luiz Henrique Andrade
Defense committee: Durelli, Rafael Serapilha; Malheiros, Neumar Costa; Borges, Hudson Silva
Document type: Master's dissertation (Mestrado em Ciência da Computação), 86 leaves, issued 2024-12-16
Access type: open access, Creative Commons Attribution 3.0 Brazil; the full-text file is withheld at the author's request until July 2026
Language: English
Defending institution: Universidade Federal de Lavras (UFLA)
Instituto de Ciências Exatas e Tecnológicas (ICET)
Graduate program: Programa de Pós-Graduação em Ciência da Computação
Department: Departamento de Ciência da Computação
Country: Brazil
Keywords (Portuguese): Kubernetes; Segurança de redes de computadores; Computação em nuvem; Segurança de software; Análise estática
Keywords (English): Kubernetes; Computer network security; Cloud computing; Software security; Static analysis
CNPq knowledge area: Ciências Exatas e da Terra (Exact and Earth Sciences)
Access link: https://repositorio.ufla.br/handle/1/60248
Data and code: https://github.com/VitorOriel/ppgcc-ufla
Abstract: The adoption of microservice-based architectures has become common in modern web applications. Kubernetes stands out as a leading platform for managing and orchestrating these services because of its scalability and its ability to handle complex environments. However, security risks often arise when Kubernetes manifests are not carefully designed. To address this issue, the tool Smelly Kube (SK) was developed, following a client/server architecture: i) Client: a Visual Studio Code plugin that sends Kubernetes manifests to a Golang-based server via HTTP requests, giving developers a straightforward interface for running security checks directly in their development environment, and ii) Server: a Golang application that processes these manifests to detect and analyze security smells. Because the checks sit behind the server's API, other tools and platforms can integrate them into their workflows by reusing that same API. To validate the tool's effectiveness, an experiment was conducted applying SK to 2,107 Kubernetes applications obtained after sanitizing 5,055 Cloud Native packages sourced from Artifact Hub. A second dataset of 183,225 Kubernetes manifests was obtained from GitHub. The results showed that SK detected a wide range of security smells, providing valuable insights for developers and helping to improve the overall security of Kubernetes-based microservices.
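The client/server split the abstract describes, as an added example that is not Smelly Kube's own code: a stdlib-only Go server exposing POST /analyze, which takes one Kubernetes object as JSON and returns the security smells found in its pod spec. The checks are well-known manifest misconfigurations (host namespaces, privileged containers, allowPrivilegeEscalation left at its Kubernetes default of true, containers not forced to run as non-root, images not pinned to a tag or digest). The rule names, JSON paths, endpoint, port and the embedded sample Deployment are this example's assumptions; the dissertation's own smell catalogue is not reproduced on this page. Manifests are accepted as JSON rather than YAML so that no third-party module is needed; Kubernetes treats the two forms as equivalent, and a YAML file converts with yq -o=json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Smell is one finding. Rule names are this example's own (assumption), not the dissertation's catalogue.
type Smell struct{ Rule, Path, Message string }

// Detect decodes one Kubernetes object (JSON form) and reports smells in its pod spec; kinds without one yield nothing.
func Detect(manifest []byte) ([]Smell, error) {
	var obj map[string]any
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return nil, fmt.Errorf("decode manifest: %w", err)
	}
	spec, path := podSpec(obj)
	var out []Smell
	for _, f := range []string{"hostNetwork", "hostPID", "hostIPC"} {
		if on, _ := spec[f].(bool); on {
			out = append(out, Smell{"host-namespace", path + "." + f, "pod shares the node's " + f + " namespace"})
		}
	}
	podSC, _ := spec["securityContext"].(map[string]any)
	podNonRoot, _ := podSC["runAsNonRoot"].(bool)
	for _, f := range []string{"initContainers", "containers"} {
		cs, _ := spec[f].([]any)
		for i, c := range cs {
			cm, _ := c.(map[string]any)
			out = append(out, checkContainer(cm, podNonRoot, fmt.Sprintf("%s.%s[%d]", path, f, i))...)
		}
	}
	return out, nil
}

// podSpec locates the pod spec of a Pod, a CronJob or a template-based workload (Deployment, StatefulSet,
// DaemonSet, Job, ReplicaSet) and returns its JSON path; reads on a missing level simply yield nil.
func podSpec(obj map[string]any) (map[string]any, string) {
	kind, _ := obj["kind"].(string)
	spec, _ := obj["spec"].(map[string]any)
	path := "spec"
	if kind == "CronJob" {
		jt, _ := spec["jobTemplate"].(map[string]any)
		spec, _ = jt["spec"].(map[string]any)
		path += ".jobTemplate.spec"
	}
	if kind != "Pod" {
		tpl, _ := spec["template"].(map[string]any)
		spec, _ = tpl["spec"].(map[string]any)
		path += ".template.spec"
	}
	return spec, path
}

func checkContainer(c map[string]any, podNonRoot bool, path string) []Smell {
	var out []Smell
	sc, _ := c["securityContext"].(map[string]any)
	image, _ := c["image"].(string)
	name := image[strings.LastIndex(image, "/")+1:] // drop registry/path so a registry port is not read as a tag
	if !strings.Contains(image, "@sha256:") && (!strings.Contains(name, ":") || strings.HasSuffix(name, ":latest")) {
		out = append(out, Smell{"unpinned-image", path + ".image", "image not pinned to a tag or digest: " + image})
	}
	if p, _ := sc["privileged"].(bool); p {
		out = append(out, Smell{"privileged", path + ".securityContext.privileged", "container gets full host device and capability access"})
	}
	// allowPrivilegeEscalation defaults to true when unset, so only an explicit false is acceptable.
	if ape, ok := sc["allowPrivilegeEscalation"].(bool); !ok || ape {
		out = append(out, Smell{"privilege-escalation", path + ".securityContext.allowPrivilegeEscalation", "not explicitly false"})
	}
	// runAsNonRoot may be set on the pod or the container; an explicit container value overrides the pod's.
	if nr, ok := sc["runAsNonRoot"].(bool); (ok && !nr) || (!ok && !podNonRoot) {
		out = append(out, Smell{"run-as-root", path + ".securityContext.runAsNonRoot", "container may run as UID 0"})
	}
	return out
}

// Analyze is the endpoint an editor plugin would call: POST one manifest, receive the findings as JSON.
func Analyze(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // never buffer more than 1 MiB of untrusted input
	smells, err := Detect(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"count": len(smells), "smells": smells})
}

// SampleDeployment is a constructed manifest (JSON form, placeholder digest): one careless container, one hardened one.
const SampleDeployment = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web"},"spec":{"template":{"spec":{
"hostNetwork":true,"containers":[{"name":"app","image":"nginx:latest","securityContext":{"privileged":true}},{"name":"side",
"image":"busybox@sha256:0000000000000000000000000000000000000000000000000000000000000000","securityContext":{"runAsNonRoot":true,"allowPrivilegeEscalation":false}}]}}}}`

func main() {
	http.HandleFunc("/analyze", Analyze)
	// Loopback only: the endpoint is unauthenticated and parses whatever the editor sends it.
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Running the file starts the server on 127.0.0.1:8080; from another shell, yq -o=json deploy.yaml | curl -sS --data-binary @- http://127.0.0.1:8080/analyze returns the findings for a YAML manifest. Two design points matter in the client/server arrangement the abstract describes: the endpoint is unauthenticated and parses whatever the editor sends, so it binds to loopback only and caps request bodies at 1 MiB; and runAsNonRoot is resolved the way Kubernetes merges securityContexts, container value first and the pod-level value otherwise, so that a pod-level hardening does not surface as a false positive on every container.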
id UFLA_d855f7863ceb68742b6ed87cbf0c9cf8
oai_identifier_str oai:repositorio.ufla.br:1/60248
network_acronym_str UFLA
network_name_str Repositório Institucional da UFLA
repository_id_str
spelling (index summary field; the title, abstract, contributor, subject, date, rights and bitstream values it concatenates are given in the fields below)
Embargo: file withheld at the author's request until July 2026 (repository embargo lift date: 2026-08-05).
Classification: Technological; Technology and production; SDG 9: Industry, innovation and infrastructure.
License: Attribution 3.0 Brazil (http://creativecommons.org/licenses/by/3.0/br/); open access (info:eu-repo/semantics/openAccess).
Record last updated: 2025-09-08 09:19:17; OAI-PMH endpoint: https://repositorio.ufla.br/server/oai/request; contact: nivaldo@ufla.br || repositorio.biblioteca@ufla.br
dc.title.none.fl_str_mv Smelly Kube: a tool to detect security smells in Kubernetes manifests
dc.title.alternative.none.fl_str_mv Smelly Kube: uma Ferramenta para detectar malcheiros de segurança em manifestos Kubernetes (Portuguese title: Smelly Kube: a tool to detect security smells in Kubernetes manifests)
dc.contributor.referee.none.fl_str_mv Durelli, Rafael Serapilha
Malheiros, Neumar Costa
Borges, Hudson Silva
dc.contributor.advisor1.fl_str_mv Correia, Luiz Henrique Andrade
dc.contributor.authorLattes.fl_str_mv http://lattes.cnpq.br/2900171687070459
dc.contributor.author.fl_str_mv Borges, Vitor Oriel de Castro Nunes
https://orcid.org/0009-0003-8818-1263
dc.subject.cnpq.fl_str_mv Ciências Exatas e da Terra (Exact and Earth Sciences)
dc.subject.por.fl_str_mv Kubernetes
Segurança de redes de computadores (Computer network security)
Computação em nuvem (Cloud computing)
Segurança de software (Software security)
Análise estática (Static analysis)
publishDate 2024
dc.date.issued.fl_str_mv 2024-12-16
dc.date.accessioned.fl_str_mv 2025-08-27T21:55:12Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/masterThesis
dc.identifier.citation.fl_str_mv BORGES, Vitor Oriel de Castro Nunes. Smelly Kube: a tool to detect security smells in Kubernetes manifests. 2025. 86 f. Dissertação (Mestrado em Ciência da Computação) – Universidade Federal de Lavras, Lavras, 2024.
dc.identifier.uri.fl_str_mv https://repositorio.ufla.br/handle/1/60248
dc.language.iso.fl_str_mv eng
dc.relation.dadosabertos.none.fl_str_mv https://github.com/VitorOriel/ppgcc-ufla
dc.rights.driver.fl_str_mv Attribution 3.0 Brazil
http://creativecommons.org/licenses/by/3.0/br/
info:eu-repo/semantics/openAccess
dc.publisher.none.fl_str_mv Universidade Federal de Lavras
Instituto de Ciências Exatas e Tecnológicas (ICET)
dc.publisher.program.fl_str_mv Programa de Pós-Graduação em Ciência da Computação
dc.publisher.initials.fl_str_mv UFLA
dc.publisher.country.fl_str_mv brasil
dc.publisher.department.fl_str_mv Departamento de Ciência da Computação
dc.source.none.fl_str_mv reponame:Repositório Institucional da UFLA
instname:Universidade Federal de Lavras (UFLA)
instacron:UFLA
bitstreams (name, type, size, download URL, MD5 checksum; AnonymousREAD access from 2026-08-05 where noted)
Texto completo (full text, primary file): application/pdf, 2004824 bytes
  https://repositorio.ufla.br/bitstreams/33fc8cbe-4a6e-4ad1-8717-b0c295060fba/download  MD5 61bddd5b6ad69a6a46ab1211d457fc0c  (from 2026-08-05)
Impactos da pesquisa (research impacts): application/pdf, 307825 bytes
  https://repositorio.ufla.br/bitstreams/0d8cba24-fe42-45be-bc40-af3cf0fdf28c/download  MD5 e8265510f1588f0e6ca9c59ab9bac831  (from 2026-08-05)
license.txt: text/plain; charset=utf-8, 955 bytes
  https://repositorio.ufla.br/bitstreams/1a55e1d5-4281-4077-91c8-d99f6dc32924/download  MD5 dc1a173fe9489e283d3a1f54f6ab2ab9
license_rdf: application/rdf+xml; charset=utf-8, 1025 bytes
  https://repositorio.ufla.br/bitstreams/3b81b0bd-fff8-4c1d-b2e3-22b6209079a4/download  MD5 5a033ee506f3a0a175bee8fc81f0bd66
Texto completo.txt (extracted text): text/plain, 100372 bytes
  https://repositorio.ufla.br/bitstreams/97ba28f9-fa4f-4a7b-8bb7-5b94f6d2b598/download  MD5 a20308822c0a3b9a3ae49a87d9e9d561  (from 2026-08-05)
Impactos da pesquisa.txt (extracted text): text/plain, 6366 bytes
  https://repositorio.ufla.br/bitstreams/c1a63030-0eae-4fc4-86ac-eb42c030d440/download  MD5 2c150f0d18f3edd74ce5448b43f2fe31  (from 2026-08-05)
Texto completo.jpg (generated thumbnail): image/jpeg, 3059 bytes
  https://repositorio.ufla.br/bitstreams/b8b2a130-a583-4a3a-afcc-c4e2126749e1/download  MD5 084d1f793885f91f1965a87ce989677a  (from 2026-08-05)
Impactos da pesquisa.jpg (generated thumbnail): image/jpeg, 5176 bytes
  https://repositorio.ufla.br/bitstreams/167f42a3-60a5-494c-8158-949215eeaf1c/download  MD5 242ba0d6b5ac62a2847caec2c137ae02  (from 2026-08-05)
bitstream.checksumAlgorithm.fl_str_mv MD5
repository.name.fl_str_mv Repositório Institucional da UFLA - Universidade Federal de Lavras (UFLA)
repository.mail.fl_str_mv nivaldo@ufla.br || repositorio.biblioteca@ufla.br
_version_ 1854947776744390656