Architecture of Remote Verification of Kubernetes Containerized Applications for Edge Devices Based on Raspberry Pi
DOI: https://doi.org/10.32515/2664-262X.2026.13(44).73-82

Keywords: verification process, edge devices, TPM module, Raspberry Pi, Integrity Measurement Architecture (IMA)

Abstract
This study addresses the security gap in edge computing environments by proposing a specialized architecture for the remote verification of Kubernetes pods. While traditional frameworks like Keylime focus on node-level integrity, they fail to provide the granularity required for microservice-oriented infrastructures where multiple isolated workloads (pods) run on a single node.
The proposed architecture natively integrates into the Kubernetes ecosystem using standard extensibility mechanisms, specifically Custom Resource Definitions (CRDs) and custom controllers, allowing verification logic to operate as a seamless part of the cluster’s control plane without requiring changes to the core Kubernetes code. The system is specifically optimized for resource-constrained edge devices, such as the Raspberry Pi 3 Model B, utilizing the Infineon OPTIGA SLB 9670 hardware TPM 2.0 module as a hardware root of trust.
To achieve granular pod-level attestation, the architecture leverages the Linux Integrity Measurement Architecture (IMA). The key technical innovation is a kernel modification that adds a cgroup-path attribute to the IMA measurement template, so that each cryptographic measurement can be uniquely associated with the Kubernetes pod that produced it. The architecture consists of several core components: a Registrar module for key management, a Verifier that evaluates evidence against trusted whitelists, and a Node Agent that generates cryptographic quotes and delivers them via gRPC.
Experimental results obtained from a deployed cluster show that the proposed solution completes a full verification cycle in 4.2 seconds for a single pod, significantly outperforming the 7.3 seconds required by the Keylime framework for a similar process. Furthermore, unlike traditional tools, this architecture enables precise remediation, such as terminating only the compromised pod without the need to reboot or isolate the entire worker node, thus preserving the availability of other edge services.
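As an added illustration that is not code from the paper, the sketch below shows how a verifier can attribute IMA measurements to individual pods once the measurement template carries a cgroup-path field, and then flag only the pod whose measurement leaves the whitelist. The field order, the sample log, the whitelist and the shortened digests are all constructed assumptions; the pod-slice naming follows the kubelet's systemd cgroup driver.

```python
import re
from collections import defaultdict

# Constructed IMA log (not real output): the five ima-ng fields followed by an
# assumed sixth field, cgroup-path, in the spirit of this paper's extended
# template. Digests are shortened placeholders, not real SHA-256 values.
SAMPLE_LOG = """\
10 t1 ima-ng sha256:1111 /usr/bin/nginx /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podA1B2.slice/cri-containerd-c1.scope
10 t2 ima-ng sha256:2222 /usr/bin/redis-server /kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-podC3D4.slice/cri-containerd-c2.scope
10 t3 ima-ng sha256:9999 /usr/bin/nginx /kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podA1B2.slice/cri-containerd-c1.scope
10 t4 ima-ng sha256:3333 /usr/bin/kubelet /system.slice/kubelet.service
"""

# Constructed whitelist: file path -> set of trusted digests.
WHITELIST = {"/usr/bin/nginx": {"1111"}, "/usr/bin/redis-server": {"2222"},
             "/usr/bin/kubelet": {"3333"}}

# systemd cgroup driver: pod slices are kubepods-<qos>-pod<uid>.slice, with the
# pod UID's dashes written as underscores.
POD_SLICE_RE = re.compile(r"kubepods-[a-z]+-pod([0-9A-Za-z_]+)\.slice")

def parse_entry(line):
    """Split one measurement line; the assumed cgroup-path is the sixth field."""
    pcr, template_hash, template, digest, path, cgroup = line.split(" ", 5)
    algo, value = digest.split(":", 1)
    return {"pcr": int(pcr), "template": template, "algo": algo,
            "digest": value, "path": path, "cgroup": cgroup}

def pod_uid(cgroup):
    """Pod UID encoded in the cgroup path, or None for node-level entries."""
    m = POD_SLICE_RE.search(cgroup)
    return m.group(1).replace("_", "-") if m else None

def verify(log_text, whitelist):
    """Check each entry against the whitelist; verdicts keyed by pod UID or "node"."""
    verdicts = defaultdict(lambda: {"status": "trusted", "violations": []})
    for line in log_text.splitlines():
        entry = parse_entry(line)
        verdict = verdicts[pod_uid(entry["cgroup"]) or "node"]
        if entry["digest"] not in whitelist.get(entry["path"], set()):
            verdict["status"] = "untrusted"
            verdict["violations"].append((entry["path"], entry["digest"]))
    return dict(verdicts)

def remediation_targets(verdicts):
    """Pods to terminate: only untrusted ones; the node and other pods keep running."""
    return sorted(u for u, v in verdicts.items() if u != "node" and v["status"] == "untrusted")
```

Without the cgroup-path field the third entry would only say that some nginx binary on the node changed; with it, the verdict lands on pod A1B2 alone.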
References
1. Mo, W., Wang, T., Zhang, S., Zhang, J. (2020). An active and verifiable trust evaluation approach for edge computing. J. Cloud Comput., 9, 51. doi: 10.1186/s13677-020-00202-w
2. Rostampour, S., Bagheri, N., Bendavid, Y., Safkhani, M., Kumari, S., Rodrigues, J. J. (2022). An authentication protocol for next generation of constrained IoT systems. IEEE Internet of Things Journal, 9, 21493–21504. doi: 10.1109/JIOT.2022.3184293
3. Chen, B., Wan, J., Celesti, A., Li, D., Abbas, H., Zhang, Q. (2018). Edge Computing in IoT-Based Manufacturing. IEEE Commun. Mag., 56, 103–109.
4. Rupanetti, D., Kaabouch, N. (2024). Combining Edge Computing-Assisted Internet of Things Security with Artificial Intelligence: Applications, Challenges, and Opportunities. Applied Sciences, 14, 7104.
5. Keylime: remote boot attestation and runtime integrity management solution. Cloud Native Computing Foundation (CNCF). https://keylime.dev/ (accessed 10 February 2026)
6. Zaritto, F. (2024). Kubernetes Pods Remote Attestation. PhD Thesis, Politecnico di Torino, 102 p.
7. Zaritto, F., Bravi, E., Sisinni, S., Lioy, A. (2026). Extending Kubernetes for Pods Integrity Verification. Journal of Network and Systems Management, 34, 14.
8. Scopelliti, G., Amir-Mohammadian, S., Csallner, C. (2024). Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers. arXiv preprint, arxiv.org/abs/2405.10131.
9. Goethals, T., De Turck, F., Volckaert, B. (2020). Extending Kubernetes Clusters to Low-Resource Edge Devices Using Virtual Kubelets. IEEE Transactions on Cloud Computing, 10(4), 2623–2636.
10. Fernandez, G. P., Brito, A. (2019). Secure container orchestration in the cloud: policies and implementation. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing. New York, NY: ACM, 138–145.
11. Kosarevskyi, B. V., Tetskyi, A. H. (2025). Suchasni pidkhody do rozghortannia infrastruktury mobilnykh intelektualnykh system [Modern approaches to deploying the infrastructure of mobile intelligent systems]. Suchasnyi stan naukovykh doslidzhen ta tekhnolohii v promyslovosti, 2(32), 33–48. (in Ukrainian)
12. Kovalenko, O. Ye. (2024). Intelektualizatsiia hranychnykh obchyslen Internetu rechei [Intellectualization of edge computing in the Internet of Things]. Matematychni mashyny i systemy, 3–4, 50–68. (in Ukrainian)
Copyright (c) 2026 Andrii Nicheporuk, Vadym Hurskyi

This work is licensed under a Creative Commons Attribution 4.0 International License.