{"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00214546","sets":["6164:6165:6462:10749"]},"path":["10749"],"owner":"44499","recid":"214546","title":["マニフェスト署名検証に基づくKubernetesリソースのインテグリティ保護"],"pubdate":{"attribute_name":"公開日","attribute_value":"2021-10-19"},"_buckets":{"deposit":"4dc6682a-3ced-4a9b-8244-4d77296caa19"},"_deposit":{"id":"214546","pid":{"type":"depid","value":"214546","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"マニフェスト署名検証に基づくKubernetesリソースのインテグリティ保護","author_link":["551402","551403","551401","551404","551406","551400","551399","551405"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"マニフェスト署名検証に基づくKubernetesリソースのインテグリティ保護"},{"subitem_title":"Integrity Protection for Kubernetes Resource Based on Manifest Signature Verification","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"クラウド，Kubernetes，インテグリティ，署名","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2021-10-19","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"IBM東京基礎研究所"},{"subitem_text_value":"IBM東京基礎研究所"},{"subitem_text_value":"IBM東京基礎研究所"},{"subitem_text_value":"IBM東京基礎研究所"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"IBM Research-Tokyo","subitem_text_language":"en"},{"subitem_text_value":"IBM Research-Tokyo","subitem_text_language":"en"},{"subitem_text_value":"IBM Research-Tokyo","subitem_text_language":"en"},{"subitem_text_value":"IBM Research-Tokyo","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/214546/files/IPSJCSS2021146.pdf","label":"IPSJCSS2021146.pdf"},"date":[{"dateType":"Available","dateValue":"2023-10-19"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJCSS2021146.pdf","filesize":[{"value":"1.1 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"084f5b7d-a333-4b91-9aa6-7c6fc26d981e","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2021 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"工藤, 瑠璃子"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"北原, 啓州"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"ガジャーナ, クガムーテ"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"渡邊, 裕治"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Ruriko, Kudo","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Hirokuni, Kitahara","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kugamoorthy, Gajananan","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yuji, Watanabe","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"政府や金融機関向けの高い保護レベルが要求される環境では，クラウド上のインテグリティ維持は重要な要件であり，米国のセキュリティ基準である NIST SP 800-53 では，電子署名の無いリソース作成は防がなければいけないと定められている．クラウドのプラットフォームである Kubernetes では，クラスターやアプリケーションの設定は Kubernetes リソースで定義される．この Kubernetes リソースは YAML マニフェストで表現される API リソースであるため，マニフェストに署名をつけて，Kubernetes API の呼び出し時にその署名を検証すれば，強力なクラウドのインテグリティ保護になる．このような検証処理は admission controller という機構を用いることで差し込むことができるが，実際にこの仕組みを実クラスタ上で実現する際には解決しなければならない技術課題が存在する．本稿では，それらの課題を解き，admission controller における署名検証に基づいた Kubernetes リソースのインテグリティ保護手法を提案し，実クラスタ上の評価実験から手法の有効性を示す．","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Integrity of the cloud is the most important requirement for mission-critical enterprise workloads. NIST SP 800-53 states that information systems must prevent the installation of any components that have not been verified digitally with a signed certificate that is recognized and approved by the organization's information system. On a Kubernetes cluster, the admission controller can control requests for application installation, and it would be a powerful protection tool if it could control requests for Kubernetes resources based on signature verification. However, there are various technical challenges when it comes to verifying the signature for a Kubernetes resource at the admission controller because a signed resource is rewritten automatically by internal cluster work and many requests that include internal mutation without a signature are generated. In this work, we propose an approach to protect the integrity of a Kubernetes resource with signature verification at the admission controller.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1100","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2021論文集"}],"bibliographicPageStart":"1093","bibliographicIssueDates":{"bibliographicIssueDate":"2021-10-19","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":214546,"updated":"2025-01-19T16:34:59.356466+00:00","links":{},"created":"2025-01-19T01:15:21.528609+00:00"}