Summary: A container platform allows various applications to be deployed or run after installation. A user can download or execute a container image that contains the required application. To apply configuration management, a container image uses a union filesystem composed of multiple layers. To provide stability, important application files must be protected from unauthorized access. However, the container image used to distribute an application has no protection function of its own, and it is not protected by the container platform. The access control function provided by the operating system cannot protect the applications because it does not take the container environment into account. This study proposes a container image access control architecture that ensures a safe application operating environment by denying unauthorized direct access to container images. The proposed architecture enforces access control after the container image is downloaded, denying unauthorized access to the container image layer directory. Because the access control function is provided at the kernel level, users cannot bypass it, which is a security advantage. To verify this approach, the functions and performance of the proposed architecture were evaluated empirically. Functional verification confirmed that the proposed architecture denies unauthorized access to the container base image and allows access only to authorized users. It was also confirmed that the proposed architecture maintains the same container platform performance as before, and that the proposed container image access control architecture is sufficiently effective.