{"id":"https://openalex.org/W4416004505","doi":"https://doi.org/10.1145/3731599.3767357","title":"Towards Enabling Hostile Multi-tenancy in Kubernetes","display_name":"Towards Enabling Hostile Multi-tenancy in Kubernetes","publication_year":2025,"publication_date":"2025-11-07","ids":{"openalex":"https://openalex.org/W4416004505","doi":"https://doi.org/10.1145/3731599.3767357"},"language":null,"primary_location":{"id":"doi:10.1145/3731599.3767357","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3731599.3767357","pdf_url":null,"source":null,"license":"cc-by-nd","license_id":"https://openalex.org/licenses/cc-by-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the SC '25 Workshops of the International Conference for High Performance Computing, Networking, Storage and Analysis","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3731599.3767357","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120297701","display_name":"Ali Kanso","orcid":"https://orcid.org/0009-0009-5929-537X"},"institutions":[{"id":"https://openalex.org/I1290206253","display_name":"Microsoft (United States)","ror":"https://ror.org/00d0nc645","country_code":"US","type":"company","lineage":["https://openalex.org/I1290206253"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Ali Kanso","raw_affiliation_strings":["Microsoft Corporation, Redmond, WA, USA"],"raw_orcid":"https://orcid.org/0009-0009-5929-537X","affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Redmond, WA, USA","institution_ids":["https://openalex.org/I1290206253"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072265241","display_name":"Slava Oks","orcid":"https://orcid.org/0009-0006-3391-381X"},"institutions":[{"id":"https://openalex.org/I1290206253","display_name":"Microsoft (United States)","ror":"https://ror.org/00d0nc645","country_code":"US","type":"company","lineage":["https://openalex.org/I1290206253"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Slava Oks","raw_affiliation_strings":["Microsoft Corporation, Redmond, Washington, USA"],"raw_orcid":"https://orcid.org/0009-0006-3391-381X","affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Redmond, Washington, USA","institution_ids":["https://openalex.org/I1290206253"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5120297702","display_name":"Mostafa Elzeiny","orcid":"https://orcid.org/0009-0006-6567-8228"},"institutions":[{"id":"https://openalex.org/I1290206253","display_name":"Microsoft (United States)","ror":"https://ror.org/00d0nc645","country_code":"US","type":"company","lineage":["https://openalex.org/I1290206253"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Mostafa Elzeiny","raw_affiliation_strings":["Microsoft Corporation, Redmond, WA, USA"],"raw_orcid":"https://orcid.org/0009-0006-6567-8228","affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Redmond, WA, USA","institution_ids":["https://openalex.org/I1290206253"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5048268548","display_name":"Gurpreet Virdi","orcid":"https://orcid.org/0009-0009-5701-6824"},"institutions":[{"id":"https://openalex.org/I1290206253","display_name":"Microsoft (United States)","ror":"https://ror.org/00d0nc645","country_code":"US","type":"company","lineage":["https://openalex.org/I1290206253"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Gurpreet Virdi","raw_affiliation_strings":["Microsoft Corporation, Redmond, WA, USA"],"raw_orcid":"https://orcid.org/0009-0009-5701-6824","affiliations":[{"raw_affiliation_string":"Microsoft Corporation, Redmond, WA, USA","institution_ids":["https://openalex.org/I1290206253"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5120297701"],"corresponding_institution_ids":["https://openalex.org/I1290206253"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.41513122,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"172","last_page":"178"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.39410001039505005,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.39410001039505005,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.2777000069618225,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10714","display_name":"Software-Defined Networks and 5G","score":0.15729999542236328,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/mandatory-access-control","display_name":"Mandatory access control","score":0.7146999835968018},{"id":"https://openalex.org/keywords/provisioning","display_name":"Provisioning","score":0.7117999792098999},{"id":"https://openalex.org/keywords/container","display_name":"Container (type theory)","score":0.6912000179290771},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.6007000207901001},{"id":"https://openalex.org/keywords/isolation","display_name":"Isolation (microbiology)","score":0.5415999889373779},{"id":"https://openalex.org/keywords/virtualization","display_name":"Virtualization","score":0.5322999954223633},{"id":"https://openalex.org/keywords/temporal-isolation-among-virtual-machines","display_name":"Temporal isolation among virtual machines","score":0.5149000287055969},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.5034999847412109},{"id":"https://openalex.org/keywords/virtual-machine","display_name":"Virtual machine","score":0.4738999903202057},{"id":"https://openalex.org/keywords/orchestration","display_name":"Orchestration","score":0.4675999879837036}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7746999859809875},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.7146999835968018},{"id":"https://openalex.org/C172191483","wikidata":"https://www.wikidata.org/wiki/Q1071806","display_name":"Provisioning","level":2,"score":0.7117999792098999},{"id":"https://openalex.org/C2781018962","wikidata":"https://www.wikidata.org/wiki/Q5164884","display_name":"Container (type theory)","level":2,"score":0.6912000179290771},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.6007000207901001},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.5415999889373779},{"id":"https://openalex.org/C513985346","wikidata":"https://www.wikidata.org/wiki/Q270471","display_name":"Virtualization","level":3,"score":0.5322999954223633},{"id":"https://openalex.org/C142355369","wikidata":"https://www.wikidata.org/wiki/Q7698919","display_name":"Temporal isolation among virtual machines","level":4,"score":0.5149000287055969},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.5034999847412109},{"id":"https://openalex.org/C25344961","wikidata":"https://www.wikidata.org/wiki/Q192726","display_name":"Virtual machine","level":2,"score":0.4738999903202057},{"id":"https://openalex.org/C199168358","wikidata":"https://www.wikidata.org/wiki/Q3367000","display_name":"Orchestration","level":3,"score":0.4675999879837036},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.46230000257492065},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.45669999718666077},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.43630000948905945},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.4302000105381012},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4009999930858612},{"id":"https://openalex.org/C112904061","wikidata":"https://www.wikidata.org/wiki/Q1077480","display_name":"Hypervisor","level":4,"score":0.396699994802475},{"id":"https://openalex.org/C145428669","wikidata":"https://www.wikidata.org/wiki/Q471748","display_name":"Exception handling","level":2,"score":0.3953999876976013},{"id":"https://openalex.org/C162307627","wikidata":"https://www.wikidata.org/wiki/Q204833","display_name":"Enhanced Data Rates for GSM Evolution","level":2,"score":0.39089998602867126},{"id":"https://openalex.org/C2775892892","wikidata":"https://www.wikidata.org/wiki/Q6509517","display_name":"Revocation","level":3,"score":0.38609999418258667},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.38260000944137573},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.3749000132083893},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3707999885082245},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.367900013923645},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.36469998955726624},{"id":"https://openalex.org/C206345919","wikidata":"https://www.wikidata.org/wiki/Q20380951","display_name":"Resource (disambiguation)","level":2,"score":0.35920000076293945},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.3276999890804291},{"id":"https://openalex.org/C2776874963","wikidata":"https://www.wikidata.org/wiki/Q4112081","display_name":"Virtual network","level":2,"score":0.32760000228881836},{"id":"https://openalex.org/C138236772","wikidata":"https://www.wikidata.org/wiki/Q25098575","display_name":"Edge device","level":3,"score":0.30149999260902405},{"id":"https://openalex.org/C196903269","wikidata":"https://www.wikidata.org/wiki/Q6059063","display_name":"Intrusion tolerance","level":3,"score":0.2921999990940094},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.29120001196861267},{"id":"https://openalex.org/C2992317946","wikidata":"https://www.wikidata.org/wiki/Q712144","display_name":"De facto","level":2,"score":0.2874000072479248},{"id":"https://openalex.org/C43214815","wikidata":"https://www.wikidata.org/wiki/Q7310987","display_name":"Reliability (semiconductor)","level":3,"score":0.2815999984741211},{"id":"https://openalex.org/C69016650","wikidata":"https://www.wikidata.org/wiki/Q1364211","display_name":"Multitenancy","level":5,"score":0.2752000093460083},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.27079999446868896},{"id":"https://openalex.org/C2164484","wikidata":"https://www.wikidata.org/wiki/Q5170150","display_name":"Core (optical fiber)","level":2,"score":0.27070000767707825},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2624000012874603},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.25209999084472656}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3731599.3767357","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3731599.3767357","pdf_url":null,"source":null,"license":"cc-by-nd","license_id":"https://openalex.org/licenses/cc-by-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the SC '25 Workshops of the International Conference for High Performance Computing, Networking, Storage and Analysis","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3731599.3767357","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3731599.3767357","pdf_url":null,"source":null,"license":"cc-by-nd","license_id":"https://openalex.org/licenses/cc-by-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the SC '25 Workshops of the International Conference for High Performance Computing, Networking, Storage and Analysis","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":2,"referenced_works":["https://openalex.org/W3204088724","https://openalex.org/W4361020030"],"related_works":[],"abstract_inverted_index":{"Kubernetes":[0,109],"has":[1],"become":[2],"the":[3,17,41,107,135],"de":[4],"facto":[5],"standard":[6],"for":[7,67],"container":[8,153],"orchestration,":[9],"yet":[10],"its":[11],"core":[12],"design":[13],"does":[14],"not":[15],"address":[16],"requirements":[18],"of":[19,39],"hostile":[20,156],"multi-tenancy.":[21,77],"Native":[22],"constructs":[23],"such":[24],"as":[25,65],"namespaces,":[26],"role-based":[27],"access":[28],"control,":[29],"and":[30,69,124,158],"admission":[31,129],"controllers":[32],"offer":[33],"logical":[34],"separation":[35],"but":[36],"fall":[37],"short":[38],"delivering":[40],"strong":[42],"isolation":[43,141],"guarantees":[44],"needed":[45],"in":[46,155],"untrusted,":[47],"adversarial":[48],"environments.":[49,160],"This":[50],"paper":[51],"introduces":[52],"a":[53,83,92,148],"Kubernetes-compatible":[54],"architecture":[55],"that":[56,95,134],"combines":[57],"per-tenant":[58],"virtual":[59,63,85,93],"control":[60,86],"planes,":[61],"hypervisor-backed":[62],"machines":[64],"sandboxes":[66,100],"containers,":[68],"automated":[70],"policy":[71,112],"enforcement":[72],"to":[73,91,151],"achieve":[74],"secure,":[75],"isolation-centric":[76],"Each":[78],"tenant":[79],"is":[80],"provisioned":[81],"with":[82,142],"dedicated":[84],"plane":[87],"(via":[88],"vCluster)":[89],"connected":[90],"node":[94],"schedules":[96],"workloads":[97],"into":[98],"VM-based":[99],"(with":[101],"Azure":[102],"Container":[103],"Instances)":[104],"while":[105],"maintaining":[106],"familiar":[108],"API.":[110],"A":[111],"engine":[113],"(Kyverno)":[114],"automatically":[115],"hardens":[116],"namespaces":[117],"by":[118],"enforcing":[119],"network":[120],"segmentation,":[121],"resource":[122],"governance,":[123],"strict":[125],"security":[126],"contexts":[127],"at":[128],"time.":[130],"Evaluation":[131],"results":[132],"show":[133],"proposed":[136],"model":[137],"significantly":[138],"improves":[139],"inter-tenant":[140],"negligible":[143],"runtime":[144],"performance":[145],"overhead,":[146],"offering":[147],"practical":[149],"pathway":[150],"zero-trust":[152],"orchestration":[154],"cloud":[157],"edge":[159]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-11-07T00:00:00"}