{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T07:54:34Z","timestamp":1776930874719,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":29,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,16]]},"DOI":"10.1145\/3731599.3767357","type":"proceedings-article","created":{"date-parts":[[2025,11,7]],"date-time":"2025-11-07T16:13:44Z","timestamp":1762532024000},"page":"172-178","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Towards Enabling Hostile Multi-tenancy in Kubernetes"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-5929-537X","authenticated-orcid":false,"given":"Ali","family":"Kanso","sequence":"first","affiliation":[{"name":"Microsoft Corporation, Redmond, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3391-381X","authenticated-orcid":false,"given":"Slava","family":"Oks","sequence":"additional","affiliation":[{"name":"Microsoft Corporation, Redmond, Washington, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6567-8228","authenticated-orcid":false,"given":"Mostafa","family":"Elzeiny","sequence":"additional","affiliation":[{"name":"Microsoft Corporation, Redmond, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-5701-6824","authenticated-orcid":false,"given":"Gurpreet","family":"Virdi","sequence":"additional","affiliation":[{"name":"Microsoft Corporation, Redmond, WA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,15]]},"reference":[{"key":"e_1_3_3_1_1_2","volume-title":"Closing the HPC-Cloud Convergence Gap: Multi-Tenant Slingshot RDMA for Kubernetes. arXiv preprint arXiv:2508.09663","author":"Friese P. A.","year":"2025","unstructured":"Friese, P. A., Eleliemy, A., Haus, U.-U., & Schulz, M. (2025). Closing the HPC-Cloud Convergence Gap: Multi-Tenant Slingshot RDMA for Kubernetes. arXiv preprint arXiv:2508.09663"},{"key":"e_1_3_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/HPCC-DSS-SmartCity-DependSys57074.2022.00068"},{"key":"e_1_3_3_1_3_2","unstructured":"Kubernetes Multi-tenancy Retrieved August 13 2025 from https:\/\/kubernetes.io\/docs\/concepts\/security\/multi-tenancy\/"},{"key":"e_1_3_3_1_4_2","volume-title":"Isolation Mechanisms, and Performance Evaluation. Turkish Journal of Computer and Mathematics Education (TURCOMAT), 9(2):811\u2013822","author":"Nimmagadda","year":"2018","unstructured":"S. Nimmagadda, Linux Namespaces and cgroups as OS Primitives for Lightweight Virtualization: Architecture, Isolation Mechanisms, and Performance Evaluation. Turkish Journal of Computer and Mathematics Education (TURCOMAT), 9(2):811\u2013822, 2018."},{"key":"e_1_3_3_1_5_2","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019","author":"Gao X.","unstructured":"Gao, X., et al. \u201cBreaking the Resource Rein of Linux Control Groups.\u201d CCS \u201919: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019"},{"key":"e_1_3_3_1_6_2","volume-title":"Retrieved","author":"Dirty COW","year":"2016","unstructured":"Dirty COW. 2016. CVE-2016-5195. Retrieved August 13, 2025, from https:\/\/dirtycow.ninja"},{"key":"e_1_3_3_1_7_2","volume-title":"Retrieved","author":"BleepingComputer","year":"2022","unstructured":"BleepingComputer. 2022. Linux Kernel Bug Can Let Hackers Escape Kubernetes Containers. Retrieved August 13, 2025. https:\/\/www.bleepingcomputer.com\/news\/security\/linux-kernel-bug-can-let-hackers-escape-kubernetes-containers\/"},{"key":"e_1_3_3_1_8_2","volume-title":"New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container. Retrieved","author":"The Hacker News","year":"2025","unstructured":"The Hacker News, New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container. Retrieved August 13, 2025. https:\/\/thehackernews.com\/2022\/03\/new-linux-kernel-cgroups-vulnerability.html"},{"key":"e_1_3_3_1_9_2","unstructured":"Hussein Younes et al. 2025. KubeFence: API Call-Level Filtering to Enhance Multi-Tenancy Security in Kubernetes. arXiv:2504.11126 [cs.CR]."},{"key":"e_1_3_3_1_10_2","volume-title":"Retrieved","author":"Cloud Security Alliance","year":"2022","unstructured":"Cloud Security Alliance. 2022. Kubernetes Security Best Practices: Definitive Guide. Retrieved August 13, 2025, from: https:\/\/cloudsecurityalliance.org\/blog\/2022\/03\/03\/kubernetes-security-best-practices-definitive-guide"},{"key":"e_1_3_3_1_11_2","volume-title":"Retrieved","author":"Kubernetes Documentation","year":"2025","unstructured":"Kubernetes Documentation. 2025. Admission Control in Kubernetes. Retrieved September 11, 2025. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/admission-controllers\/ ."},{"key":"e_1_3_3_1_12_2","volume-title":"Retrieved","author":"Kyverno","year":"2023","unstructured":"Kyverno. 2023. Admission Controllers and Policy Enforcement in Kubernetes. Retrieved August 14, 2025. https:\/\/kyverno.io\/docs\/introduction\/admission-controllers\/"},{"key":"e_1_3_3_1_13_2","volume-title":"Retrieved","author":"Virtual Kubelet","year":"2025","unstructured":"Virtual Kubelet. 2025. Virtual Kubelet: Kubernetes Node Implementation Masquerading as a Kubelet. Retrieved August 14, 2025. https:\/\/virtual-kubelet.io\/"},{"key":"e_1_3_3_1_14_2","volume-title":"Retrieved","author":"Microsoft","year":"2023","unstructured":"Microsoft. 2023. Azure Container Instances. Retrieved August 14, 2025. https:\/\/azure.microsoft.com\/en-us\/products\/container-instances"},{"key":"e_1_3_3_1_15_2","volume-title":"Solving Kubernetes Multi-Tenancy Challenges with vCluster.","author":"Loft Labs","year":"2023","unstructured":"Loft Labs. (2023). Solving Kubernetes Multi-Tenancy Challenges with vCluster. Retrieved from https:\/\/www.loft.sh\/blog\/kubernetes-multi-tenancy-vcluster"},{"key":"e_1_3_3_1_16_2","volume-title":"Retrieved","author":"Microsoft","year":"2025","unstructured":"Microsoft.Virtual nodes on Azure Container Instances (AKS). Retrieved August 14, 2025. https:\/\/learn.microsoft.com\/en-us\/azure\/container-instances\/container-instances-virtual-nodes"},{"key":"e_1_3_3_1_17_2","unstructured":"Azure Virtual Network Retrieved August 14 2025. https:\/\/learn.microsoft.com\/en-us\/azure\/virtual-network\/virtual-networks-overview"},{"key":"e_1_3_3_1_18_2","unstructured":"Network isolation in Azure Kubernetes Service. Retrieved August 14 2025. https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/concepts-network"},{"key":"e_1_3_3_1_19_2","unstructured":"ACI Confidential Containers Retrieved August 14 2025. https:\/\/learn.microsoft.com\/en-us\/azure\/container-instances\/container-instances-confidential-overview"},{"key":"e_1_3_3_1_20_2","unstructured":"Kubernetes Namespaces. Retrieved August 14 2025. https:\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/namespaces\/"},{"key":"e_1_3_3_1_21_2","unstructured":"Operator Pattern in Kubernetes. Retrieved August 14 2025. https:\/\/kubernetes.io\/docs\/concepts\/extend-kubernetes\/operator\/"},{"key":"e_1_3_3_1_22_2","volume-title":"Retrieved","author":"Spark Operator","year":"2025","unstructured":"Spark Operator RBAC permissions: build-tools\/helm\/spark-kubernetes-operator\/templates\/operator-rbac.yaml, Retrieved August 14, 2025. https:\/\/github.com\/apache\/spark-kubernetes-operator\/"},{"key":"e_1_3_3_1_23_2","unstructured":"ACI standby pools Retrieved August 14 2025. https:\/\/learn.microsoft.com\/en-us\/azure\/container-instances\/container-instances-standby-pool-overview"},{"key":"e_1_3_3_1_24_2","volume-title":"Retrieved","author":"Amazon Web Services","year":"2024","unstructured":"Amazon Web Services. 2024. AWS Fargate. Retrieved August 14, 2025, https:\/\/aws.amazon.com\/fargate\/"},{"key":"e_1_3_3_1_25_2","unstructured":"The Container Security Platform gVisor Retrieved August 14 2025. https:\/\/gvisor.dev"},{"key":"e_1_3_3_1_26_2","unstructured":"Open Infrastructure Foundation. 2024. Kata Containers. Available at: https:\/\/katacontainers.io"},{"key":"e_1_3_3_1_27_2","volume-title":"Retrieved","author":"Attilio Oliva","year":"2024","unstructured":"Attilio Oliva, 2024. Multi-Tenancy in Kubernetes Clusters. Master's thesis, Politecnico di Torino. Retrieved August 14, 2025: https:\/\/webthesis.biblio.polito.it\/secure\/33340\/1\/tesi.pdf ."},{"key":"e_1_3_3_1_28_2","volume-title":"Multi-Tenant Isolation in a Service Mesh. Master's thesis","author":"Baranova O.","unstructured":"Baranova, O. 2021. Multi-Tenant Isolation in a Service Mesh. Master's thesis, Aalto University. Available at: https:\/\/aaltodoc.aalto.fi\/items\/58a0bd81-9d46-4606-b665-d2623ead3f41"},{"key":"e_1_3_3_1_29_2","doi-asserted-by":"crossref","unstructured":"Zheng C. Zhuang Q. and Guo F. 2021. A Multi-Tenant Framework for Cloud Container Services. arXiv preprint arXiv:2103.13333. Available at: https:\/\/arxiv.org\/abs\/2103.13333","DOI":"10.1109\/ICDCS51616.2021.00042"}],"event":{"name":"SC Workshops '25: Workshops of the International Conference for High Performance Computing, Networking, Storage and Analysis","location":"St Louis MO USA","acronym":"SC Workshops '25","sponsor":["SIGHPC ACM Special Interest Group on High Performance Computing, Special Interest Group on High Performance Computing"]},"container-title":["Proceedings of the SC '25 Workshops of the International Conference for High Performance Computing, Networking, Storage and Analysis"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3731599.3767357","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T19:28:08Z","timestamp":1767986888000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3731599.3767357"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,15]]},"references-count":29,"alternative-id":["10.1145\/3731599.3767357","10.1145\/3731599"],"URL":"https:\/\/doi.org\/10.1145\/3731599.3767357","relation":{},"subject":[],"published":{"date-parts":[[2025,11,15]]},"assertion":[{"value":"2025-11-15","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}