DEVELOPMENT OF AN ACCESS CONTROLLER MODEL FOR KUBERNETES SECURITY WITH PROVABLE PAC GUARANTEES BASED ON ENTROPY

DOI:

https://doi.org/10.28925/2663-4023.2026.33.1271

Keywords:

Kubernetes, cybersecurity, classification, entropy, PAC learning, anomaly detection, container orchestration, DevSecOps, reinforcement learning

Abstract

The article proposes a mathematical model of an RL-Admit Admission Controller to ensure security in Kubernetes container orchestration environments. Unlike traditional solutions such as OPA Gatekeeper and Kyverno, which rely on static declarative policies, the proposed approach combines reinforcement learning, information-entropic analysis of requests, and PAC learning (Probably Approximately Correct) theory. The task of validating requests to the API server is formalized as a Partially Observable Markov Decision Process (POMDP), whose optimal admission/rejection policy is learned using the Proximal Policy Optimization (PPO) algorithm. The anomalousness of each request is quantitatively assessed through Shannon entropy relative to a reference distribution of safe configurations, while applying the PAC framework enables mathematically proven bounds on classification error probabilities ε and δ. This eliminates a key drawback of existing intelligent protection systems – the lack of reliability guarantees – which is unacceptable for critical infrastructure. Experimental studies on test clusters confirmed the model's ability to detect complex attack vectors (privileged containers, unauthorized RBAC changes, runc escape, supply chain attacks). The full RL-Admit model with PAC guarantees and entropy achieves a true positive rate (TPR) of up to 96-97% at a false positive rate (FPR) of 0.6% after 50,000 requests and detects all 8 zero-day attack types, whereas static policies block only a few of them. Meanwhile, the system responds to attacks in an average of 1 minute compared to 38-45 minutes for static policies, adding only a negligible request processing delay of approximately 24 ms. The results have practical significance for building Zero Trust adaptive protection systems in dynamic cloud environments and integrating them into DevSecOps processes.


Published

2026-06-25

How to Cite

Mazepa, A., & Bilodid, V. (2026). DEVELOPMENT OF AN ACCESS CONTROLLER MODEL FOR KUBERNETES SECURITY WITH PROVABLE PAC GUARANTEES BASED ON ENTROPY. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(33), 791–804. https://doi.org/10.28925/2663-4023.2026.33.1271