This repository showcases the security features and capabilities developed as part of the WP5 contributions to the FLUIDOS project, presented in a unified view. For each security feature, we provide documentation, integration files, links to demos or testbeds and relevant research topics that validate each implementation or design choice.
Moreover, it includes general instructions to support partners during the integration process.
| Name | Description |
|---|---|
| Cyber Deception | The Cyber Deception feature, part of the FLUIDOS Cyber Security services designed to improve the overall security of the ecosystem, is willing to provide Cloud Native Cyber Deception as a Service (CDaaS) integrated into the FLUIDOS continuum. |
| Intent-based border protection | The intent-based border protection is designed to secure dynamic workloads within the shared and heterogeneous infrastructure of the FLUIDOS continuum. Thanks to high-level user-defined intents, the solution eases the configuration of secure communication boundaries as soon as new resources are acquired, aligning consumer intents with provider network authorizations. |
| AuthZ and AuthN Privacy & Security Manager | The Privacy and Security Manager (PSM) is a key component in the FLUIDOS architecture, responsible for coordinating and enforcing security and privacy policies throughout the system. |
| MAGI | MAGI is an eBPF-based solution that intercepts and blocks rogue container image downloads in Kubernetes nodes. |
| FLAD | FLAD (a Federated Learning approach to DDoS Attack Detection) is an adaptive Federated Learning (FL) approach for training feed-forward neural networks. |
| BeaCon | BeaCon enables FLUIDOS providers to automatically discover the syscalls and capabilities invoked by applications running inside containers. |
| Attestation and Trusted computing (TEE) | FLUIDOS integrates Trusted Execution Environments (TEEs) into its architecture as a security layer to guarantee data confidentiality and code integrity. |
| Node Security Policies Enforcement | Series of solutions using seccomp and capabilities to minimizing Docker Container privileges for Node Security Policy Enforcement. |
| Container Registry Validation | Assessment of the public and private repositories to ensure the security of the application on the FLUIDOS node. |
| Trusted Edge | FLUIDOS integration with the SPIFFE/SPIRE framework to provide authentication and encryption between the edge infrastructure and IoT devices. |
Native security features embedded directly into the FLUIDOS protocol and architecture.
Integrated by Design features are natively embedded into the FLUIDOS architecture. They ensure that security functionalities are inherently available as part of the platform without requiring separate installation, configuration, or orchestration steps.
Installed security features enhancing the node or infrastructure independently of the FLUIDOS core protocol.
A Security Application is any additional security feature that can be installed by administrators or users independently from the FLUIDOS core protocol. It enhances security at the node or infrastructure level without requiring integration with the FLUIDOS orchestration or advertisement mechanisms. Security Applications typically address specific user needs, such as monitoring, local cyber deception, or multi-tenancy support, and can be deployed based on the administrator’s decision.
Security features provided by the node, either pre-installed or deployable on demand, enabling adaptable security integration within FLUIDOS.
Security capabilities already installed on the FLUIDOS node and advertised by enriching the node’s FLAVOR metadata with additional fields. These features may be optionally configured depending on the requesting application’s needs, with no additional and on-demand deployment required. This model is simple to use and leverages existing node functionality without modifying the FLUIDOS node code.
Security capabilities not pre-installed on the node but dynamically deployable and activatable by FLUIDOS through a specific Service category or ServiceBlueprint. When such a capability is requested, the node provisions it at runtime, enabling generic and reusable security service integration. This model offers greater flexibility but requires extending the FLUIDOS node to recognize the new service category, define its parameters and default values, and implement the corresponding deployment logic.
| Feature Type | Advertisement | Deployment Action | Examples | Integration Strategy |
|---|---|---|---|---|
| Integrated by Design | None | Native, always present | Privacy & Security Manager | Already part of FLUIDOS base components. No external integration needed |
| Security Application | None | Manual deployment, always-on | BeaCon, FLAD | Part of the FLUIDOS node. No external integration needed |
| Security Node Capability | FLAVOR fields or Service category | Pre-installed (Embedded) or dynamic (Custom) | MAGI, TEE, Cyber Deception, Intent-based Border Protection | Embedded: enrich FLAVOR metadata; Custom: define Service category, implement runtime deployment logic |
Expose the capability via security-feature field in node FLAVOR and validate through the Meta-Orchestrator.
- Expose Capability in Node FLAVOR
- Each node includes a
FLAVORCRD. - Add a
security-featureattribute insideadditionalProperties. - This attribute lists the security features currently pre-installed and available on the node.
- Each node includes a
- Declare Intent to Use the Capability
- If using the Meta-Orchestrator:
- Add the desired
security-featurevia an annotation in the workload manifest. - Example:
annotations: fluidos-intent-<feature-name>: "true"
- Optional configuration parameters can be passed and validated through the related validation function.
- Add the desired
- If using the Bastion Orchestrator:
- Express the requirement by defining the appropriate policy via Medium-Level Security Policy Language (MSPL) statement.
- More information can be found here
Examples:
- If using the Meta-Orchestrator:
- Extend Meta-Orchestrator Validation
- Visit and fork the Meta-Orchestrator repository
- Edit
fluidos_model_orchestrator/common.py:- Register the new intent in the
KnownIntentfunction. - Implement
validate_<feature-name>()to check that:- the requested
security-featureis listed in the node’s FLAVOR. - all required parameters are valid.
- the requested
- Register the new intent in the
- Submit the change as a pull request to the Meta-Orchestrator repository.
- Patch FLAVOR on Nodes
- On each node offering the capability, patch its
FLAVORto include the correctsecurity-featurevalue(s). - Example patch file:
spec: flavorType: typeData: properties: additionalProperties: security_features: <feature-name>: true
- On each node offering the capability, patch its
- Test the Intent and Validation
- Use existing unit tests to verify Intent matching:
- Other examples and mockups can be found here:
- Run End-to-End Validation
- Launch an end-to-end test using the Meta-Orchestrator with
Kops, verifying that a workload requesting the security feature is correctly scheduled.
- Launch an end-to-end test using the Meta-Orchestrator with
High-level steps to integrate a new security feature deployable via FLAVOR service category.
- Define the Service Category
- Name the category and define needed parameters and defaults.
- Update the FLUIDOS Node
- Add the category to the node codebase.
- Handle parameter mapping and deployment logic.
- Ensure Permissions
- Check RBAC allows resource creation and management.
- Test and Document
- Validate functionality and document service usage.
References
- Node Integration Example: fluidos-project/node#114
- Ontology: https://github.com/fluidos-project/fluidos-ontology
- REAR Models: https://github.com/fluidos-project/REAR-data-models
- FLAVOR Schema: https://github.com/fluidos-project/REAR-data-models/blob/master/models/schemas/flavor.schema.json
In order for every partner to test the implementation of each security feature a FLUIDOS testbed should be created. Here are pointers to the documentation for creating a testbed: