{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T13:16:04Z","timestamp":1770470164029,"version":"3.49.0"},"reference-count":99,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2025,4,1]],"date-time":"2025-04-01T00:00:00Z","timestamp":1743465600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,4,1]],"date-time":"2025-04-01T00:00:00Z","timestamp":1743465600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,4,1]],"date-time":"2025-04-01T00:00:00Z","timestamp":1743465600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Research Fund KU Leuven"},{"name":"Flemish Research Programme Cybersecurity"},{"name":"EU H2020 MSCA-ITN action 5GhOSTS","award":["814035"],"award-info":[{"award-number":["814035"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Netw. Serv. Manage."],"published-print":{"date-parts":[[2025,4]]},"DOI":"10.1109\/tnsm.2025.3531040","type":"journal-article","created":{"date-parts":[[2025,1,17]],"date-time":"2025-01-17T18:36:18Z","timestamp":1737138978000},"page":"2031-2058","source":"Crossref","is-referenced-by-count":5,"title":["Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack"],"prefix":"10.1109","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2611-6883","authenticated-orcid":false,"given":"Gerald","family":"Budigiri","sequence":"first","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4889-8326","authenticated-orcid":false,"given":"Christoph","family":"Baumann","sequence":"additional","affiliation":[{"name":"Ericsson Security Research, Ericsson AB, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7448-7681","authenticated-orcid":false,"given":"Eddy","family":"Truyen","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7710-5092","authenticated-orcid":false,"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[{"name":"DistriNet, KU Leuven, Leuven, Belgium"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2021.3062546"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/2988336.2988337"},{"key":"ref3","volume-title":"Kubernetes: Production-grade container orchestration","year":"2024"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1236236"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD55607.2022.00022"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2018.03.011"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-62974-8_10"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev51306.2021.00022"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1093\/gigascience\/giab025"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-71017-0_22"},{"key":"ref12","first-page":"5971","article-title":"Cross container attacks: The bewildered eBPF on clouds","volume-title":"Proc. 32nd USENIX Secur. Symp. (USENIX Secur.)","author":"He"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/HPCC-DSS-SmartCity-DependSys60770.2023.00073"},{"key":"ref14","volume-title":"Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms","year":"2022"},{"key":"ref15","volume-title":"Trampoline Pods: Node to Admin PrivEsc Built into Popular K8s Platforms","author":"Avrahami","year":"2022"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2020.3047545"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/EuCNC\/6GSummit51104.2021.9482526"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3412841.3441887"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-022-04430-6"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD60044.2023.00036"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3616401"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2014.32"},{"key":"ref23","first-page":"579","article-title":"NetComplete: Practical network-wide configuration synthesis with autocompletion","volume-title":"Proc. 15th USENIX Symp. Netw. Syst. Design Implement. (NSDI)","author":"El-Hassany"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/TPEC54980.2022.9750776"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102683"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2020.2974727"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2022.3176820"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/CCGridW59191.2023.00044"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/WIECON-ECE48653.2019.9019985"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2021.3116085"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/SOCC56010.2022.9908109"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485907"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/FNWF55208.2022.00046"},{"key":"ref34","first-page":"72","article-title":"All eyes on you: Distributed multi-dimensional IoT microservice anomaly detection","volume-title":"Proc. 14th Int. Conf. Netw. Service Manage. (CNSM)","author":"Pahl"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1007\/s10922-023-09728-1"},{"key":"ref36","volume-title":"Assigning pods to nodes","year":"2023"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3582835"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCS57501.2023.10150672"},{"key":"ref39","volume-title":"An introduction to Kubernetes network policies for security people","author":"Harrison","year":"2019"},{"key":"ref40","volume-title":"OpenStack becomes \u2018de facto\u2019 private cloud","author":"Nunns","year":"2016"},{"key":"ref41","volume-title":"OpenStack docs security groups","year":"2024"},{"key":"ref42","volume-title":"Introducing Security Groups for Pods","author":"Stefaniak","year":"2020"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1016\/s1353-4858(19)30034-0"},{"key":"ref44","volume-title":"Cisco ACI and Kubernetes Integration","year":"2022"},{"key":"ref45","volume-title":"NSX Container Plugin for Kubernetes and Tanzu Application Service\u2014Installation and Administration Guide","year":"2022"},{"key":"ref46","volume-title":"Illumio Core for Kubernetes and OpenShift","year":"2022"},{"key":"ref47","volume-title":"Prisma Cloud Microsegmentation Administrator\u2019s Guide","year":"2022"},{"key":"ref48","volume-title":"Local Policy Convergence Controller","year":"2022"},{"key":"ref49","first-page":"3971","article-title":"Automatic policy generation for inter-service access control of microservices","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Secur.)","author":"Li"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/AINIT59027.2023.10212857"},{"key":"ref51","first-page":"1","article-title":"Transparent microsegmentation in smart home IoT networks","volume-title":"Proc. 3rd USENIX Workshop Hot Topics Edge Comput. (HotEdge)","author":"Osman"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SIN54109.2021.9699232"},{"key":"ref53","volume-title":"Cross-layer management of security policies in cloud-native networking","author":"Budigiri","year":"2024"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3094405.3094406"},{"key":"ref55","volume-title":"Configure Calico Enterprise AWS Security Groups Integration","year":"2022"},{"key":"ref56","volume-title":"How to Continuously Audit and Limit Security Groups with AWS Firewall Manager","author":"Lepich","year":"2021"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2016.7524508"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/HOTI51249.2020.00024"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/CloudCom49646.2020.00003"},{"key":"ref60","first-page":"81","article-title":"BASTION: A security enforcement network stack for container networks","volume-title":"Proc. USENIX Annu. Tech. Conf. (USENIX ATC)","author":"Nam"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2022.103351"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029832"},{"key":"ref63","volume-title":"Half of 4 million public docker hub images found to have critical vulnerabilities","author":"Barua","year":"2020"},{"key":"ref64","volume-title":"Attacker\u2019s Tactics and Techniques in Unsecured Docker Daemons Revealed","author":"Chen","year":"2020"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/COMSNETS53615.2022.9668504"},{"key":"ref66","first-page":"443","article-title":"Confine: Automated system call policy generation for container attack surface reduction","volume-title":"Proc. 23rd Int. Symp. Res. Attacks, Intrusions Def. (RAID)","author":"Ghavamnia"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2024.3361452"},{"key":"ref68","first-page":"50","article-title":"A study on remote code execution vulnerability in web applications","volume-title":"Proc. Int. Conf. Cyber Secur. Comput. Sci. (ICONCS)","author":"Biswas"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"ref71","volume-title":"CVE-2020-8559: Privilege escalation from compromised node to cluster","year":"2020"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.13052\/jicts2245-800X.1132"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.14722\/madweb.2022.23010"},{"key":"ref74","volume-title":"Regresshion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server","year":"2024"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/SoutheastCon45413.2021.9401881"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/ICCINS58907.2023.10450114"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS56928.2023.10154330"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/i-PACT58649.2023.10434368"},{"key":"ref79","volume-title":"Kubeletctl Tool","year":"2022"},{"key":"ref80","volume-title":"GateKeeper","year":"2023"},{"key":"ref81","volume-title":"OpenStack configuration reference","year":"2016"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/TPDS.2022.3174631"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1002\/smr.2467"},{"key":"ref84","volume-title":"k8-scalar\/grasshopper","author":"Budigiri","year":"2024"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1002\/9781118821930"},{"key":"ref86","volume-title":"Netperf","year":"2022"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3341105.3374034"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/MASCOTS.2018.00030"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAC.2015.17"},{"key":"ref90","volume-title":"Horizontal pod Autoscaling","year":"2022"},{"key":"ref91","volume-title":"Operator pattern","year":"2023"},{"key":"ref92","volume-title":"The path less Traveled: Abusing Kubernetes defaults","year":"2019"},{"key":"ref93","volume-title":"Grasshopper","author":"Truyen","year":"2025"},{"key":"ref94","volume-title":"Grasshopper","author":"Truyen","year":"2025"},{"key":"ref95","volume-title":"Considerations for large clusters","year":"2023"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/3342195.3387517"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/ICIN60470.2024.10494432"},{"key":"ref98","volume-title":"Kata containers","year":"2024"},{"key":"ref99","volume-title":"Confidential containers","year":"2024"}],"container-title":["IEEE Transactions on Network and Service Management"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/4275028\/10973774\/10844916.pdf?arnumber=10844916","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,23]],"date-time":"2025-04-23T05:32:41Z","timestamp":1745386361000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10844916\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4]]},"references-count":99,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/tnsm.2025.3531040","relation":{},"ISSN":["1932-4537","2373-7379"],"issn-type":[{"value":"1932-4537","type":"electronic"},{"value":"2373-7379","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4]]}}}