Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Described are techniques for secure workload configuration including a method comprising receiving a workload definition file at a worker node and from a master node, where the workload definition file comprises an encrypted immutable definition, a partially immutable definition with a predefined range of values and a first value modified by the master node, and a variable definition with a second value modified by the master node. The method further comprises decrypting, by the worker node, the encrypted immutable definition to generate a decrypted immutable definition. The method further comprises verifying, by the worker node, that the first value satisfies the predefined range of values. The method further comprises, in response to decrypting the encrypted immutable definition and verifying that the first value satisfies the predefined range of values, executing a workload based on the workload definition file in a virtual computing environment.

Abstract: Method, apparatus, and computer program product are provided for dynamically changing containerized workload isolation in response to detection of a triggering factor. In some embodiments, workload is containerized using a default container runtime (e.g., runC) that spawns one or more cgroup-based containers on a compute node using resource limiting capabilities of the compute node's host kernel including cgroups and namespaces. In some embodiments, in response to a triggering factor, such as a host kernel vulnerability, at least some of the containerized workload is migrated from running in the one or more cgroup-based containers to one or more virtual machines (VMs) launched by a standby container runtime (e.g., runV). In some embodiments, the cgroups and namespaces of the one or more cgroup-based containers are live migrated, without service interruption, to one or more VM runtimes on the one or more VMs using CRIU—checkpoint/restore in userspace.

Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Described are techniques for secure workload configuration including a method comprising receiving a workload definition file at a worker node and from a master node, where the workload definition file comprises an encrypted immutable definition, a partially immutable definition with a predefined range of values and a first value modified by the master node, and a variable definition with a second value modified by the master node. The method further comprises decrypting, by the worker node, the encrypted immutable definition to generate a decrypted immutable definition. The method further comprises verifying, by the worker node, that the first value satisfies the predefined range of values. The method further comprises, in response to decrypting the encrypted immutable definition and verifying that the first value satisfies the predefined range of values, executing a workload based on the workload definition file in a virtual computing environment.

Abstract: Method, apparatus, and computer program product are provided for dynamically changing containerized workload isolation in response to detection of a triggering factor. In some embodiments, workload is containerized using a default container runtime (e.g., runC) that spawns one or more cgroup-based containers on a compute node using resource limiting capabilities of the compute node's host kernel including cgroups and namespaces. In some embodiments, in response to a triggering factor, such as a host kernel vulnerability, at least some of the containerized workload is migrated from running in the one or more cgroup-based containers to one or more virtual machines (VMs) launched by a standby container runtime (e.g., runV). In some embodiments, the cgroups and namespaces of the one or more cgroup-based containers are live migrated, without service interruption, to one or more VM runtimes on the one or more VMs using CRIU—checkpoint/restore in userspace.

Abstract: Methods, systems, and computer-readable mediums containing programmed instructions are disclosed for detecting an intrusion in a communications network. Data packets processed by a transport layer of a network protocol associated with the communications network are scanned using signatures from a repository of the signatures. A determination is made if the scanned data packets are malicious. One or more actions are taken if any data packets are determined to be malicious. Methods, systems, and computer-readable mediums containing programmed instructions are also disclosed for preventing an intrusion in a communications network.

Abstract: Methods, systems, and computer-readable mediums containing programmed instructions are disclosed for detecting an intrusion in a communications network. Data packets processed by a transport layer of a network protocol associated with the communications network are scanned using signatures from a repository of the signatures. A determination is made if the scanned data packets are malicious. One or more actions are taken if any data packets are determined to be malicious. Methods, systems, and computer-readable mediums containing programmed instructions are also disclosed for preventing an intrusion in a communications network.