Exploring Security Enhancements in Kubernetes CNI: A Deep Dive Into Network Policies
With the explosive growth of Kubernetes adoption, Container Network Interfaces (CNIs) have become critical components for configuring and securing container networks, but a comprehensive analysis of their security capabilities and performance impact is noticeably lacking. Our study conducts a compre...
Saved in:
| Main Authors: | Bom Kim, Jinwoo Kim, Seungsoo Lee |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Container network interface; cloud security; container security; network policy |
| Online Access: | https://ieeexplore.ieee.org/document/10896680/ |
| _version_ | 1849764397260472320 |
|---|---|
| author | Bom Kim; Jinwoo Kim; Seungsoo Lee |
| author_sort | Bom Kim |
| collection | DOAJ |
| description | With the explosive growth of Kubernetes adoption, Container Network Interfaces (CNIs) have become critical components for configuring and securing container networks, but a comprehensive analysis of their security capabilities and performance impact is noticeably lacking. Our study conducts a comprehensive security analysis of the major CNI plugins (Cilium, Calico, WeaveNet, Kube-router, and Antrea) in cloud-native environments with Kubernetes through extensive evaluation of Layer 3/4 policy processing, policy complexity scaling, pod scalability, and Layer 7 policy processing. The experimental results show that eBPF-based Cilium maintains 8.9K Mbps throughput under complex L3/4 policies, but drops to 94 Mbps with L7 processing, while Antrea achieves 6.6K Mbps at L7 through HTTP filtering, with performance degrading as policy complexity increases. Under high concurrent pod loads, iptables-based CNIs show a 60-70% reduction in throughput, while Cilium maintains performance within 10% of baseline. These results reveal critical trade-offs between architectural choices and security capabilities, and provide practical guidelines for CNI selection based on specific operational and security requirements in cloud-native environments. |
| format | Article |
| id | doaj-art-ee6b355d32474ca192c27aa1688a83f1 |
| institution | DOAJ |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| title | Exploring Security Enhancements in Kubernetes CNI: A Deep Dive Into Network Policies |
| topic | Container network interface; cloud security; container security; network policy |
| url | https://ieeexplore.ieee.org/document/10896680/ |