Publication
Big Data 2020
Conference paper

Highly-Scalable Container Integrity Monitoring for Large-Scale Kubernetes Cluster


Abstract

Container integrity monitoring is a key requirement of regulatory compliance regimes such as PCI-DSS, under which any unexpected change, such as a file update or a program execution, must be logged for later audit. Syscall monitoring captures such change events on containers comprehensively, but it produces a large number of false alarms unless well-defined allowlist rules are curated before the container is deployed. Defining such a comprehensive allowlist is not feasible when managing many kinds of application workloads in a large-scale enterprise cluster. In this paper we propose a new approach that identifies real anomalies among syscall events without relying on any predefined allowlist configuration. Our filtering algorithm, based on knowledge acquired autonomously from the Kubernetes cluster control plane, removes 99.999 % of the noise and distills only the abnormal events in real time. Our experiment with real applications on more than 4000 containers demonstrates its effectiveness on a large-scale cluster.
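The abstract does not spell out how control-plane knowledge substitutes for a hand-written allowlist. The following is an added illustration, not the paper's algorithm or code: it treats the pod spec the Kubernetes API already holds (declared command, exec probes, volume mounts and their readOnly flag) as the source of what a container is expected to do, and flags exec and file-write events that fall outside it. The pod spec, the event format and all sample events are constructed for the example; the helper names (is_anomalous, filter_events, Event) are the example's own.

```python
"""Added example: filter container syscall events using pod specs from the
Kubernetes control plane instead of a hand-written allowlist.

This sketch is not the paper's algorithm. It shows the idea only: every
expectation comes from the pod spec (command, exec probes, volume mounts),
so nothing has to be curated per workload before deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed snapshot of the control plane's view of one pod, i.e. the
# subset of `kubectl get pod -o json` that the filter consults.
POD_SPECS: Dict[str, dict] = {
    "web-7d9f": {
        "containers": [
            {
                "name": "nginx",
                "command": ["/usr/sbin/nginx"],
                "args": ["-g", "daemon off;"],
                "livenessProbe": {
                    "exec": {"command": ["/bin/sh", "-c", "curl -f localhost"]}
                },
                "volumeMounts": [
                    {"mountPath": "/var/cache/nginx", "readOnly": False},
                    {"mountPath": "/etc/nginx/conf.d", "readOnly": True},
                ],
            }
        ]
    },
}


@dataclass
class Event:
    """One syscall-derived change event attributed to a container (constructed format)."""
    pod: str
    container: str
    kind: str                     # "exec" (execve) or "write" (open for writing)
    path: str                     # executable path for exec, file path for write
    argv: List[str] = field(default_factory=list)


def _container_spec(pod: str, container: str) -> Optional[dict]:
    for c in POD_SPECS.get(pod, {}).get("containers", []):
        if c["name"] == container:
            return c
    return None


def expected_executables(spec: dict) -> set:
    """Executables the spec itself declares: the container command and exec probes."""
    exes = set()
    if spec.get("command"):
        exes.add(spec["command"][0])
    for probe in ("livenessProbe", "readinessProbe", "startupProbe"):
        cmd = spec.get(probe, {}).get("exec", {}).get("command")
        if cmd:
            exes.add(cmd[0])
    return exes


def writable_paths(spec: dict) -> List[str]:
    """Mount points the spec allows the container to write to."""
    return [m["mountPath"] for m in spec.get("volumeMounts", [])
            if not m.get("readOnly", False)]


def is_anomalous(ev: Event) -> bool:
    spec = _container_spec(ev.pod, ev.container)
    if spec is None:
        return True  # a container the control plane does not know is itself an anomaly
    if ev.kind == "exec":
        return ev.path not in expected_executables(spec)
    if ev.kind == "write":
        return not any(ev.path == p or ev.path.startswith(p.rstrip("/") + "/")
                       for p in writable_paths(spec))
    return True       # unknown event kinds are surfaced rather than silently dropped


def filter_events(events: List[Event]) -> List[Event]:
    """Return only the events that the control-plane knowledge cannot explain."""
    return [ev for ev in events if is_anomalous(ev)]


# Constructed sample events: the first two and the fourth are expected noise.
SAMPLE_EVENTS = [
    Event("web-7d9f", "nginx", "exec", "/usr/sbin/nginx", ["nginx", "-g", "daemon off;"]),
    Event("web-7d9f", "nginx", "exec", "/bin/sh", ["sh", "-c", "curl -f localhost"]),
    Event("web-7d9f", "nginx", "exec", "/usr/bin/nc", ["nc", "-e", "/bin/sh"]),
    Event("web-7d9f", "nginx", "write", "/var/cache/nginx/client_temp/0000000001"),
    Event("web-7d9f", "nginx", "write", "/etc/nginx/conf.d/default.conf"),
    Event("web-7d9f", "nginx", "write", "/usr/bin/nc"),
    Event("ghost-1", "shell", "exec", "/bin/sh", ["sh"]),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(f"ANOMALY {ev.pod}/{ev.container} {ev.kind} {ev.path}")
```

The sketch deliberately stops where the pod spec stops: it does not know the image's ENTRYPOINT when `command` is omitted, it would flag the `curl` child that the probe's shell spawns because it has no process lineage, and it treats writes to the container's own writable layer (for example `/tmp`) as anomalies. Those are exactly the gaps a production filter of the kind the abstract describes must close, presumably with more control-plane and runtime knowledge than a single pod spec provides.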

Date

10 Dec 2020

Authors