Estimation of causal structure for eliminating rogue resources in Kubernetes clusters

In collaboration with:
University of Amsterdam SUE Logo
Back to overview

Download research

* required

By submitting this form, you confirm that you have read and understood our privacy statement.

In collaboration with the University of Amsterdam

This research explores methods for defining and detecting rogue resources in Kubernetes deployments. It analyzes factors that influence the effectiveness of detection, with the aim of improving the security and efficiency of clusters.

Causal structure estimation for eliminating rogue resources in Kubernetes clusters

Software engineers working on larger software systems often split them into microservices (MSA). As these systems become larger or more complex, or the requirements become more dynamic, the orchestration of these microservices becomes increasingly complicated. For this reason, various frameworks for deploying, managing, and monitoring microservice or cloud infrastructure systems in so-called "clusters" have gained popularity. The most prominent of these is Kubernetes (K8s), typically used in combination with a configuration system such as Helm or Terraform, often referred to as "Infrastructure as Code" (IaC).

The problem of rogue resources

In practice, we see that the intended state of the cluster, as tracked by developers, documentation, and these configuration frameworks, may differ from the actual situation. One problem that can arise in such cases is that infrastructure (such as containers, microservices, network namespaces, storage units, etc.) remains active in the live cluster environment, even though it is no longer critical to the system. These resources are referred to as "rogue resources."

Risks and challenges of rogue resources

Rogue resources cause various problems, including an increased attack surface, waste of energy and/or financial resources, and a greater chance of deviant behavior. When the cluster and associated documentation are clear and can easily fit into the working memory of one or a few people, rogue resources can often be removed manually. However, in poorly documented or highly complex systems, it is considerably more difficult to identify and eliminate these rogue resources.

Detection of rogue resources

Essentially, detecting rogue resources boils down to performing a thorough root cause analysis (RCA) of the expected functioning of the system and identifying deployed infrastructure that is not part of the causal structure. Automated tools that can help prioritize the search for these resources have the potential to offer significant value in this regard.

Research design and objectives

This project takes the first steps toward developing such tools. To keep the scope of the research manageable, we have chosen to use Kubernetes as the exclusive basis and to limit ourselves to investigating methods for identifying rogue resources. We therefore formulate the following research questions:

  1. How do we define rogue resources?
  2. How can we detect rogue resources in a Kubernetes deployment?
  3. What factors indicate whether resources are rogue?
  4. How does the effectiveness of rogue resource detection vary depending on the availability of these factors?
Download
Share this:
Share this:
Table of Contents

Related research

In collaboration with Utrecht University

Service Level Objective-Aware Infrastructure as Code Generation: Bridging AI and Cloud Deployment Constraints

This research investigates the automation of Infrastructure as Code (IaC) in cloud-native environments using Large Language Models and Service Level Objectives (SLOs). It analyzes how AI-driven IaC can simplify complex cloud designs and enable dynamic deployments while ensuring performance and reliability.
Expertise: Application Modernization, Data & AI, Platform Engineering
Read more
In collaboration with Fontys University of Applied Sciences

Generative AI for Infrastructure-as-Code Configurations in Response to Drift Detection

Making a small manual change to existing IaC code can be a labor-intensive and error-prone task. This paper provides an overview of Large Language Models (LLMs) and techniques for effectively addressing configuration drift.
Expertise: Application Modernization, Data & AI, Platform Engineering
Read more
In collaboration with the University of Amsterdam

Remediating Rogue Resources in an Infrastructure as Code Multi-Cloud Environment

In this research project, we have focused on the detection and remediation of resources outside of a certain "state" that affect resources inside the "state," which we define as "rogue resources." We define "state" as "the collection of IaC-managed resources." Rogue resources can introduce several problems for the defined state.
Expertise: Cloud Migration, Platform Engineering
Read more
Privacy overview
This website uses cookies. We use cookies to ensure that our website and services function properly, to gain insight into the use of our website, and to improve our products and marketing. For more information, please read our privacy and cookie policy.