Abstract. As cloud-native technologies continue to evolve, containerization and orchestration have become fundamental for deploying microservices. However, this advancement introduces significant security risks, particularly from vulnerabilities and misconfigurations that grant attackers excessive control over clusters. Existing works, including model-based learning and static rule-based approaches, suffer from limitations such as false positives and maintenance overhead, which pose significant challenges to cloud-native security. To mitigate intrusions targeting container orchestration, we present ShadowKube, an active defense framework tailored for Kubernetes. ShadowKube integrates behavioral monitoring with shadow honeypots to detect and neutralize anomalous behavior. By establishing behavioral baselines to identify deviations and converting compromised nodes into honeypots, ShadowKube isolates and traps attackers, thereby mitigating the threats they pose. Comprehensive evaluations demonstrate ShadowKube's ability to detect and mitigate exploitation of 43 severe CVEs and 7 common misconfiguration types. Deployment in a live environment further validates its effectiveness: ShadowKube identified 635 attack attempts and successfully decoyed 23 active attacks. Additionally, ShadowKube can isolate attackers and convert affected nodes into honeypots within seconds. These results highlight ShadowKube's efficacy as a robust solution for enhancing security in Kubernetes clusters, offering a proactive defense mechanism against both current and emerging threats.
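The abstract describes a two-stage mechanism: learn a behavioral baseline per workload, flag deviations from it, and when a node accumulates enough deviations, take it out of normal service and repurpose it as a decoy. The following Python sketch is an added illustration of that control flow and is not ShadowKube's own code. It assumes a simplified event shape (node, workload, parent executable, spawned executable), uses constructed sample events rather than real telemetry, and emits the node-level response as a list of kubectl steps; the cordon and taint commands are standard Kubernetes operations, while the `shadowkube.example/role` label and the `decoy` taint key are hypothetical placeholder names.

```python
"""Baseline-learning, deviation-scoring and node-response sketch (illustrative, not ShadowKube's code)."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Event:
    node: str      # cluster node that reported the process start
    workload: str  # owning Deployment / DaemonSet name
    parent: str    # executable of the parent process
    exe: str       # executable that was started


# Constructed learning-window events for a web workload (not real telemetry).
BASELINE_EVENTS = [
    Event("node-a", "web", "containerd-shim", "nginx"),
    Event("node-a", "web", "nginx", "nginx"),   # worker processes
    Event("node-a", "web", "nginx", "sh"),      # periodic log-rotation hook
    Event("node-a", "web", "sh", "logrotate"),
    Event("node-b", "web", "containerd-shim", "nginx"),
    Event("node-b", "web", "nginx", "nginx"),
]

# Constructed live events: node-a shows two spawns never seen in the baseline.
LIVE_EVENTS = [
    Event("node-a", "web", "nginx", "nginx"),
    Event("node-a", "web", "nginx", "sh"),
    Event("node-a", "web", "sh", "curl"),       # deviation: new executable
    Event("node-a", "web", "sh", "kubectl"),    # deviation: new executable
    Event("node-b", "web", "containerd-shim", "nginx"),
]


def learn_baseline(events):
    """Record, per workload, every (parent, exe) spawn pair observed while learning."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev.workload].add((ev.parent, ev.exe))
    return baseline


def deviations(baseline, event):
    """Return the reasons an event departs from the baseline; an empty list means normal."""
    pairs = baseline.get(event.workload)
    if pairs is None:
        return [f"unknown workload {event.workload!r}"]
    if (event.parent, event.exe) in pairs:
        return []
    known_exes = {exe for _, exe in pairs}
    if event.exe not in known_exes:
        return [f"never-seen executable {event.exe!r}"]
    return [f"known executable {event.exe!r} from unexpected parent {event.parent!r}"]


def plan_response(node, flags, threshold=2):
    """Decide whether a node has deviated enough to be withdrawn from service and used as a decoy.

    Label and taint names below are hypothetical placeholders, not ShadowKube's identifiers.
    """
    if len(flags) < threshold:
        return {"node": node, "decision": "monitor", "flags": flags, "actions": []}
    return {
        "node": node,
        "decision": "convert-to-honeypot",
        "flags": flags,
        "actions": [
            f"kubectl cordon {node}",                                   # no new legitimate pods
            f"kubectl taint nodes {node} decoy=true:NoSchedule",        # keep schedulers away
            f"kubectl label nodes {node} shadowkube.example/role=decoy",  # mark for decoy controller
            "apply egress-restricting NetworkPolicy to namespaces on the node",
        ],
    }


def evaluate_stream(baseline, live_events, threshold=2):
    """Score a batch of live events and produce a per-node response plan."""
    flagged = {}
    for ev in live_events:
        flagged.setdefault(ev.node, [])
        for reason in deviations(baseline, ev):
            flagged[ev.node].append((ev, reason))
    return {node: plan_response(node, flags, threshold) for node, flags in flagged.items()}


if __name__ == "__main__":
    plans = evaluate_stream(learn_baseline(BASELINE_EVENTS), LIVE_EVENTS)
    for node, plan in plans.items():
        print(node, plan["decision"], [r for _, r in plan["flags"]])
```

Running the script prints `node-a convert-to-honeypot ["never-seen executable 'curl'", "never-seen executable 'kubectl'"]` and `node-b monitor []`. The threshold keeps a single unusual spawn from taking a node out of service, which is the false-positive concern the abstract raises about static rules; in a real controller the threshold would be tuned per workload and the baseline refreshed as deployments change.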
Chen et al. (Mon,) studied this question.