Patents by Inventor Qi Feng Huo
Qi Feng Huo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12250184
Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.
Type: Grant
Filed: August 30, 2023
Date of Patent: March 11, 2025
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Dong Jun Zong, Da Li Liu, Qi Feng Huo, Yue Wang, Jing Xing, Jian Fang Zhang
-
Patent number: 12242879
Abstract: An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include flattening the root file systems of one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file systems. The approach may include encrypting each of the generated container base images with the flattened root file system.
Type: Grant
Filed: July 6, 2022
Date of Patent: March 4, 2025
Assignee: International Business Machines Corporation
Inventors: Wen Yi Gao, Qi Feng Huo, Si Bo Niu, Sen Wang, Dan Li
-
Publication number: 20240427908
Abstract: An approach is provided for securing a secret for usage by an application utilizing a client to retrieve secrets. A request is sent from a client in a workload container within a trusted execution environment (TEE) to retrieve an encrypted secret from an application programming interface (API) server outside the TEE. The request is hooked and sent to the API server by a proxy or a secret proxy plugin within the TEE. The secret is received from the API server by the proxy or secret proxy plugin. An agent within the TEE is called to request a private key. The agent obtains the private key. The secret is decrypted by using the private key. The decrypted secret is returned to the client by the proxy or secret proxy plugin, which ensures that a plain text version of sensitive information in the decrypted secret is not accessible outside the TEE.
Type: Application
Filed: June 22, 2023
Publication date: December 26, 2024
Inventors: Qi Feng Huo, Da Li Liu, YUAN YUAN WANG, Lei Li, Yan Song Liu
-
Patent number: 12118380
Abstract: Embodiments are directed to a container storage system in remote pods. A worker node virtual machine determines that a volume is available for attachment to the worker node virtual machine. An intermediary software of the worker node virtual machine causes a pod container storage interface to attach the volume to a pod virtual machine. In response to attaching the volume to the pod virtual machine, the intermediary software of the worker node virtual machine causes the pod container storage interface to mount the volume to the pod virtual machine such that the volume is available for use by the pod virtual machine.
Type: Grant
Filed: September 7, 2021
Date of Patent: October 15, 2024
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Qi Feng Huo, Da Li Liu, Yuan Yuan Wang, Lei Li, Yan Song Liu
-
Patent number: 12099863
Abstract: Aspects include providing isolation between a plurality of containers in a pod that are each executing on a different virtual machine (VM) on a host computer. Providing the isolation includes converting a data packet into a serial format for communicating with the host computer. The converted data packet is sent to a router executing on the host computer. The router determines a destination container in the plurality of containers based at least in part on content of the converted data packet and routes the converted data packet to the destination container.
Type: Grant
Filed: June 21, 2021
Date of Patent: September 24, 2024
Assignee: International Business Machines Corporation
Inventors: Qi Feng Huo, Wen Yi Gao, Si Bo Niu, Sen Wang
-
Publication number: 20240311172
Abstract: Managing execution of eBPF program capabilities is provided. A comparison of a currently in use helper-id list with an allowable helper-id list of an eBPF program is performed. It is determined whether a set of unallowable helper-ids exists that is included in the currently in use helper-id list but not in the allowable helper-id list based on the comparison. A blocked helper-id list of the eBPF program that includes the set of unallowable helper-ids and a corresponding unallowable capability of each respective unallowable helper-id is generated in response to determining that the set of unallowable helper-ids does exist. The set of unallowable helper-ids and the corresponding unallowable capability of each respective unallowable helper-id is removed from bytecode of the eBPF program in order to have only allowable helper-ids remain in the bytecode along with corresponding allowable capabilities of the eBPF program.
Type: Application
Filed: March 17, 2023
Publication date: September 19, 2024
Inventors: Xiaojing Liu, Qi Feng Huo, Qi Li, Yong Quan Tian, Xiao Ling Chen
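The helper-id comparison in the abstract above can be carried out directly on the program's instruction stream, because every eBPF helper invocation is a `call` instruction whose immediate field holds the helper id. The following Python is an added illustration, not the applicant's implementation: it parses raw 8-byte instructions, builds the in-use helper-id list, diffs it against an allowlist, produces the blocked list with the capability each blocked helper would grant, and neutralises the disallowed calls. The capability labels and the sample program are constructed for the example, and overwriting each blocked call with a same-size `ja +0` (so that later jump offsets stay valid) rather than deleting it is an assumption of this example, not something the abstract specifies.

```python
"""Helper-id allowlisting over raw eBPF bytecode (added illustration)."""
import struct

BPF_CALL = 0x85      # BPF_JMP | BPF_CALL: helper call, helper id in imm
BPF_JA = 0x05        # BPF_JMP | BPF_JA: unconditional jump; off=0 is a no-op
BPF_EXIT = 0x95      # BPF_JMP | BPF_EXIT
BPF_MOV64_K = 0xb7   # BPF_ALU64 | BPF_MOV | BPF_K
INSN = struct.Struct("<BBhi")  # struct bpf_insn: code, dst|src<<4, off, imm

# Helper ids from enum bpf_func_id (include/uapi/linux/bpf.h); the capability
# text attached to each id is constructed for this example.
HELPER_CAPABILITY = {
    1: "bpf_map_lookup_elem: read BPF map",
    4: "bpf_probe_read: read arbitrary kernel memory",
    6: "bpf_trace_printk: write to the trace pipe",
    14: "bpf_get_current_pid_tgid: read current pid/tgid",
    36: "bpf_probe_write_user: write user-space memory",
}

def insn(code, dst=0, src=0, off=0, imm=0):
    return INSN.pack(code, dst | (src << 4), off, imm)

def helper_call(helper_id):
    return insn(BPF_CALL, imm=helper_id)

def helper_ids_in_use(bytecode):
    """Currently-in-use helper-id list: every helper the program calls."""
    ids = set()
    for pos in range(0, len(bytecode), INSN.size):
        code, _, _, imm = INSN.unpack_from(bytecode, pos)
        if code == BPF_CALL:
            ids.add(imm)
    return ids

def blocked_helper_list(bytecode, allowed_ids):
    """Helper ids in use but not allowed, with the capability each would grant."""
    unallowed = helper_ids_in_use(bytecode) - set(allowed_ids)
    return {h: HELPER_CAPABILITY.get(h, "unknown helper") for h in sorted(unallowed)}

def strip_unallowed_helpers(bytecode, allowed_ids):
    """Return (rewritten bytecode, blocked list).

    Assumption of this example: a blocked call is overwritten in place with a
    same-size `ja +0` rather than deleted, so jump offsets elsewhere stay valid.
    Whether the program still verifies afterwards (e.g. a later read of r0
    that the removed call used to set) is left to the kernel verifier.
    """
    blocked = blocked_helper_list(bytecode, allowed_ids)
    out = bytearray(bytecode)
    for pos in range(0, len(out), INSN.size):
        code, _, _, imm = INSN.unpack_from(out, pos)
        if code == BPF_CALL and imm in blocked:
            out[pos:pos + INSN.size] = insn(BPF_JA, off=0)
    return bytes(out), blocked

# Constructed sample program: three helper calls, one of which writes user memory.
SAMPLE_PROG = b"".join([
    insn(BPF_MOV64_K, dst=1, imm=0),
    helper_call(14),   # bpf_get_current_pid_tgid
    helper_call(36),   # bpf_probe_write_user
    helper_call(6),    # bpf_trace_printk
    insn(BPF_EXIT),
])
ALLOWED_HELPERS = [1, 6, 14]

if __name__ == "__main__":
    rewritten, blocked = strip_unallowed_helpers(SAMPLE_PROG, ALLOWED_HELPERS)
    print("blocked helper ids:", blocked)
    print("helpers still in use:", sorted(helper_ids_in_use(rewritten)))
```

Running the block reports helper 36 as blocked with its capability and leaves helpers 6 and 14 in use; the rewritten program is the same length as the original. A production version would also walk subprogram calls (`call` with `src_reg == BPF_PSEUDO_CALL`) rather than treating every `call` immediate as a helper id.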
-
Patent number: 12001859
Abstract: Described are techniques for modifying existing driver plugin behavior using a plugin wrapper to enable driver compatibility with an unsupported container deployment model. The techniques include intercepting, by a plugin wrapper operating as part of a container orchestration system, an allocation request intended for a driver plugin, where the allocation request is for allocating a computing resource to a containerized application deployed using a container deployment model not supported by the driver plugin. The techniques further include modifying, by the plugin wrapper, the allocation request to correspond to specifications of the container deployment model, thereby forming a modified request to allocate the computing resource to the containerized application.
Type: Grant
Filed: November 10, 2022
Date of Patent: June 4, 2024
Assignee: International Business Machines Corporation
Inventors: Yohei Ueda, Da Li Liu, Qi Feng Huo, Lei Li
-
Patent number: 11995197
Abstract: In a method for encryption of sensitive data, an encrypted user private key is received in a Trusted Execution Environment (TEE) in a worker node in a container management system, the encrypted user private key being an encrypted version of a user private key for decrypting a message from a user in the container management system. The user private key is obtained in the TEE by decrypting the encrypted user private key with a provider private key that is received from an encryption manager for managing the container management system. With these embodiments, the user private key may be transmitted to the worker node safely, such that the worker node may use the user private key to decrypt messages from the user. Therefore, the security level of the container management system may be increased.
Type: Grant
Filed: July 27, 2021
Date of Patent: May 28, 2024
Assignee: International Business Machines Corporation
Inventors: Qi Feng Huo, Yan Song Liu, Da Li Liu, Lei Li, Yuan Yuan Wang
-
Patent number: 11989282
Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations that include generating a key pair and encrypting a data credential with a public key to make a data credential secret. The operations may further include storing the data credential secret in a cluster on a host and deploying a workload on the cluster. The operations may also include establishing an empty bundle in the host and generating a pod trusted execution environment.
Type: Grant
Filed: September 10, 2021
Date of Patent: May 21, 2024
Assignee: International Business Machines Corporation
Inventors: Da Li Liu, Qi Feng Huo, Yuan Yuan Wang, Lei Li, Yan Song Liu
-
Publication number: 20240160453
Abstract: Described are techniques for modifying existing driver plugin behavior using a plugin wrapper to enable driver compatibility with an unsupported container deployment model. The techniques include intercepting, by a plugin wrapper operating as part of a container orchestration system, an allocation request intended for a driver plugin, where the allocation request is for allocating a computing resource to a containerized application deployed using a container deployment model not supported by the driver plugin. The techniques further include modifying, by the plugin wrapper, the allocation request to correspond to specifications of the container deployment model, thereby forming a modified request to allocate the computing resource to the containerized application.
Type: Application
Filed: November 10, 2022
Publication date: May 16, 2024
Inventors: Yohei Ueda, Da Li Liu, Qi Feng Huo, Lei Li
-
Publication number: 20240143373
Abstract: Virtual machine management is provided. A virtual machine is started automatically based on a custom resource definition of the virtual machine in response to receiving the custom resource definition of the virtual machine. A container is generated to run an application workload in the virtual machine based on a container configuration file in response to the virtual machine starting. The application workload is deployed on the container automatically based on a container image corresponding to the container. The application workload is run on the container automatically in accordance with a definition of the application workload.
Type: Application
Filed: November 2, 2022
Publication date: May 2, 2024
Inventors: Yuan Yuan Wang, Qi Feng Huo, Da Li Liu, Lei Li, Yan Song Liu
-
Publication number: 20240143847
Abstract: A method, system, and computer program product are disclosed for securely orchestrating containers in a container orchestration environment. The containers comprise confidential containers running in a trusted execution environment (TEE) and standard containers running in the container orchestration environment. The containers are securely orchestrated without modifying the containers, container runtimes, and platforms, protecting sensitive data and code of the containers by restricting access to containers.
Type: Application
Filed: November 1, 2022
Publication date: May 2, 2024
Inventors: Tatsushi INAGAKI, Yohei UEDA, Moriyoshi OHARA, Petr NOVOTNY, James Robert MAGOWAN, Martin William John COCKS, Qi Feng HUO
-
Patent number: 11928503
Abstract: Embodiments are directed to deploying a workload on the best/highest performance node. Nodes configured to accommodate a request for a workload are selected. Information is collected on each of the selected nodes and the workload. Predicted response times expected for the workload running on each of the selected nodes are determined. The workload is deployed on a node of the selected nodes, the node having a corresponding predicted response time for the workload, the workload being deployed on the node based at least in part on the corresponding predicted response time.
Type: Grant
Filed: June 22, 2021
Date of Patent: March 12, 2024
Assignee: International Business Machines Corporation
Inventors: Qi Feng Huo, Yuan Yuan Wang, Da Li Liu, Lei Li, Yan Song Liu
-
Publication number: 20240072997
Abstract: User data security is provided. Encrypted user data is identified in a virtual machine. A private key of a public/private cryptographic key pair corresponding to a user is retrieved. The encrypted user data is decrypted within the virtual machine utilizing the private key corresponding to the user to form decrypted user data. The encrypted user data is replaced in the virtual machine with the decrypted user data. The decrypted user data is processed in the virtual machine to perform a service in a cloud environment.
Type: Application
Filed: August 29, 2022
Publication date: February 29, 2024
Inventors: Qi Feng Huo, Yuan Yuan Wang, Da Li Liu, Yan Song Liu, Lei Li
-
Patent number: 11893257
Abstract: A system may include a memory and a processor in communication with the memory configured to perform operations. The operations may include obtaining transaction logs in blocks from nodes of a data storage system. The operations may include, for each transaction log, splitting the transaction log into log entries, grouping log entries into groups associated with a same data source, and writing the log entries of the groups to empty blocks such that log entries from different groups do not share a same block. The operations may include identifying a same sequence of log entries from the written transaction logs and uploading first blocks of a first transaction log, including the same sequence of log entries, to an object-based storage without uploading second blocks of a second transaction log including the same sequence of log entries to the object-based storage.
Type: Grant
Filed: June 15, 2022
Date of Patent: February 6, 2024
Assignee: International Business Machines Corporation
Inventors: Peng Hui Jiang, FengLi Wang, Qi Feng Huo, Jun Su, Hong Qing Zhou, Yan Lin Ren, Li Zhang, Ling Ling Sh Hu
-
Publication number: 20240012666
Abstract: An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include flattening the root file systems of one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file systems. The approach may include encrypting each of the generated container base images with the flattened root file system.
Type: Application
Filed: July 6, 2022
Publication date: January 11, 2024
Inventors: Wen Yi Gao, Qi Feng Huo, Si Bo Niu, Sen Wang, Dan Li
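The flatten-then-encrypt approach described in this publication and in patent 12242879 above turns a stack of image layers into a single root file system and then encrypts that whole layer, so the host only ever sees ciphertext. The Python below is an added example, not the applicant's code: it flattens OCI-style layers (later layers override earlier ones, `.wh.<name>` whiteouts delete lower entries, `.wh..wh..opq` hides a directory's lower-layer contents), packs the result as one tar layer, and wraps it with authenticated encryption. Because the standard library has no AES-GCM, the encryption is an encrypt-then-MAC construction built from HMAC-SHA256 (a keystream in counter mode plus a tag over nonce and ciphertext); that choice, the three sample layers and the key are constructed for the example, and a real build would use AES-GCM or an OCI encryption tooling equivalent.

```python
"""Flatten OCI-style layers into one root filesystem and encrypt it (added example)."""
import hashlib
import hmac
import io
import os
import posixpath
import tarfile

OPAQUE = ".wh..wh..opq"   # OCI opaque-whiteout marker
WHITEOUT = ".wh."         # OCI whiteout prefix

def flatten_layers(layers):
    """Apply image layers bottom-up into one root filesystem dict {path: bytes}."""
    rootfs = {}
    for layer in layers:
        # Opaque markers hide everything a lower layer put under that directory.
        for path in layer:
            if posixpath.basename(path) == OPAQUE:
                prefix = posixpath.dirname(path) + "/"
                for existing in [p for p in rootfs if p.startswith(prefix)]:
                    del rootfs[existing]
        for path, data in layer.items():
            name = posixpath.basename(path)
            if name == OPAQUE:
                continue
            if name.startswith(WHITEOUT):   # delete the lower-layer file or tree
                target = posixpath.join(posixpath.dirname(path), name[len(WHITEOUT):])
                for existing in [p for p in rootfs if p == target or p.startswith(target + "/")]:
                    del rootfs[existing]
                continue
            rootfs[path] = data             # upper layer wins
    return rootfs

def pack_rootfs(rootfs):
    """Serialise the flattened tree as a single tar layer in deterministic order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(rootfs):
            info = tarfile.TarInfo(path)
            info.size = len(rootfs[path])
            tar.addfile(info, io.BytesIO(rootfs[path]))
    return buf.getvalue()

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_base_image(plaintext, key):
    """Encrypt-then-MAC with HMAC-SHA256: toy stand-in for AES-GCM (assumption)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def verify_tag(blob, key):
    _, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag)

def decrypt_base_image(blob, key):
    if not verify_tag(blob, key):   # check the tag before touching the ciphertext
        raise ValueError("authentication tag mismatch: image tampered or wrong key")
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:16], blob[16:-32]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed three-layer image: layer 2 makes var/cache opaque, layer 3 whites out usr/bin/app.
LAYERS = [
    {"etc/app.conf": b"debug=true\n", "usr/bin/app": b"v1", "var/cache/old.db": b"old"},
    {"etc/app.conf": b"debug=false\n", "var/cache/.wh..wh..opq": b"", "var/cache/new.db": b"new"},
    {"usr/bin/.wh.app": b"", "usr/bin/app-v2": b"v2"},
]
IMAGE_KEY = hashlib.sha256(b"example image key").digest()   # constructed, not a real key

if __name__ == "__main__":
    root = flatten_layers(LAYERS)
    blob = encrypt_base_image(pack_rootfs(root), IMAGE_KEY)
    print(sorted(root), len(blob), "bytes of ciphertext")
```

Flattening before encrypting is what makes the scheme work: with per-layer encryption the host could still observe which layers an image shares with others, whereas a single encrypted layer leaks only its total size. Note that the flatten step also drops the whiteout markers themselves, so they do not end up as literal files in the encrypted image.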
-
Publication number: 20230409224
Abstract: A system may include a memory and a processor in communication with the memory configured to perform operations. The operations may include obtaining transaction logs in blocks from nodes of a data storage system. The operations may include, for each transaction log, splitting the transaction log into log entries, grouping log entries into groups associated with a same data source, and writing the log entries of the groups to empty blocks such that log entries from different groups do not share a same block. The operations may include identifying a same sequence of log entries from the written transaction logs and uploading first blocks of a first transaction log, including the same sequence of log entries, to an object-based storage without uploading second blocks of a second transaction log including the same sequence of log entries to the object-based storage.
Type: Application
Filed: June 15, 2022
Publication date: December 21, 2023
Inventors: Peng Hui Jiang, FengLi Wang, Qi Feng Huo, Jun Su, Hong Qing Zhou, Yan Lin Ren, Li Zhang, Ling Ling SH Hu
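The block-level dedup described in this publication and in patent 11893257 above works because regrouping entries by data source before writing them to blocks makes two replicas' logs produce byte-identical blocks even when the replicas interleaved the sources differently. The Python below is an added illustration, not the applicant's implementation: it splits each node's log into entries, groups them by source, fills blocks that never mix sources, identifies a repeated sequence by hashing the block, and uploads a block only once. The entry format (`<source> <seq> <payload>`), the two-entry block size and the two replica logs are constructed for the example.

```python
"""Source-grouped block dedup of transaction logs before object-storage upload (added example)."""
import hashlib
from collections import defaultdict

ENTRIES_PER_BLOCK = 2   # constructed for the example; real systems size blocks in bytes

def split_entries(log_text):
    """Split one node's transaction log into individual entries (one per line)."""
    return [line for line in log_text.splitlines() if line.strip()]

def source_of(entry):
    # Constructed entry format: "<data-source> <seq> <payload>"
    return entry.split(" ", 1)[0]

def group_by_source(entries):
    groups = defaultdict(list)
    for entry in entries:
        groups[source_of(entry)].append(entry)
    return groups

def write_blocks(groups):
    """Fill empty blocks so that entries from different sources never share one."""
    blocks = []
    for source in sorted(groups):
        entries = groups[source]
        for i in range(0, len(entries), ENTRIES_PER_BLOCK):
            blocks.append(tuple(entries[i:i + ENTRIES_PER_BLOCK]))
    return blocks

def block_digest(block):
    """Identical entry sequences give identical blocks and therefore identical ids."""
    return hashlib.sha256("\n".join(block).encode()).hexdigest()

class ObjectStore:
    """In-memory stand-in for object-based storage, keyed by block digest."""
    def __init__(self):
        self.objects = {}

    def upload_logs(self, logs):
        """logs: {node: log_text}. Returns (uploaded, skipped) lists of (node, digest)."""
        uploaded, skipped = [], []
        for node, text in logs.items():
            for block in write_blocks(group_by_source(split_entries(text))):
                digest = block_digest(block)
                if digest in self.objects:      # same sequence already uploaded
                    skipped.append((node, digest))
                else:
                    self.objects[digest] = block
                    uploaded.append((node, digest))
        return uploaded, skipped

# Constructed logs from two replicas that interleave the same source streams differently;
# node-b has also received one more "users" entry than node-a.
NODE_LOGS = {
    "node-a": "\n".join([
        "orders 1 insert id=7 total=42.00",
        "users 1 update id=3 email=changed",
        "orders 2 update id=7 status=paid",
        "orders 3 insert id=8 total=9.99",
        "users 2 insert id=4",
        "orders 4 delete id=8",
    ]),
    "node-b": "\n".join([
        "users 1 update id=3 email=changed",
        "orders 1 insert id=7 total=42.00",
        "orders 2 update id=7 status=paid",
        "users 2 insert id=4",
        "orders 3 insert id=8 total=9.99",
        "orders 4 delete id=8",
        "users 3 delete id=4",
    ]),
}

if __name__ == "__main__":
    store = ObjectStore()
    uploaded, skipped = store.upload_logs(NODE_LOGS)
    print("uploaded:", len(uploaded), "skipped:", len(skipped), "objects:", len(store.objects))
```

With the sample logs, node-a contributes three blocks and node-b only the one block holding its extra entry; the three blocks whose sequences it shares with node-a are skipped. Had the entries been written to blocks in arrival order, no block would have matched between the two nodes.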
-
Publication number: 20230412537
Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.
Type: Application
Filed: August 30, 2023
Publication date: December 21, 2023
Inventors: Dong Jun Zong, Da Li Liu, Qi Feng Huo, Yue Wang, Jing Xing, Jian Fang Zhang
-
Patent number: 11784948
Abstract: Cognitive determination of whether a message is suitable for sending over a data communications network can include extracting tokens from the message prior to transmitting the message. One or more intended recipients of the message can be determined from the tokens. A machine learning classification model corresponding to the one or more recipients of the message can be selected. The machine learning classification model can be constructed based on tokens extracted from prior messages, which are combined to create a plurality of documents for training the machine learning classification model. The one or more tokens extracted from the message can be classified using the machine learning classification model. An alert message can be generated in response to determining based on the classifying that the message is unsuited for sending.
Type: Grant
Filed: January 29, 2020
Date of Patent: October 10, 2023
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Dong Jun Zong, Da Li Liu, Qi Feng Huo, Yue Wang, Jing Xing, Jian Fang Zhang
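The per-recipient classification described in this patent, and in publication 20230412537 and patent 12250184 above, comes down to four steps: tokenise the outgoing message, read the intended recipients out of those tokens, pick the model trained on prior messages to that recipient, and raise an alert if the model labels the message unsuited. The Python below is an added example, not the applicant's model: it uses a multinomial naive Bayes classifier per recipient, with prior messages merged per label into one token document, so that the same wording is accepted for an internal colleague and flagged for an external vendor. The message history, the address-bearing `to:` tokens and the rule that a recipient with no history is treated as unsuited are assumptions of this example.

```python
"""Per-recipient message-suitability check with naive Bayes over tokens (added example)."""
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9@.'-]+")

def extract_tokens(message):
    return [t.strip(".") for t in TOKEN_RE.findall(message.lower())]

def recipients_from_tokens(tokens):
    """Intended recipients are read from the message's own tokens (the addresses)."""
    return [t for t in tokens if "@" in t]

class RecipientModel:
    """Multinomial naive Bayes over tokens; one instance per recipient.

    Prior messages to the recipient are merged, per label, into one token
    document; those documents are the training corpus.
    """
    def __init__(self):
        self.docs = defaultdict(Counter)   # label -> merged token counts
        self.messages = Counter()          # label -> number of prior messages
        self.vocab = set()

    def train(self, tokens, label):
        self.docs[label].update(tokens)
        self.messages[label] += 1
        self.vocab.update(tokens)

    def log_score(self, tokens, label):
        score = math.log(self.messages[label] / sum(self.messages.values()))
        doc_len, vocab = sum(self.docs[label].values()), len(self.vocab)
        for t in tokens:   # Laplace-smoothed token likelihoods
            score += math.log((self.docs[label][t] + 1) / (doc_len + vocab))
        return score

    def classify(self, tokens):
        return max(self.messages, key=lambda label: self.log_score(tokens, label))

def build_models(history):
    """history: iterable of (prior message, label) with label 'ok' or 'unsuited'."""
    models = defaultdict(RecipientModel)
    for message, label in history:
        tokens = extract_tokens(message)
        for rcpt in recipients_from_tokens(tokens):
            models[rcpt].train(tokens, label)
    return models

def check_message(models, message):
    """Classify an outgoing message with the model of each intended recipient."""
    tokens = extract_tokens(message)
    rcpts = recipients_from_tokens(tokens)
    verdicts = {}
    for rcpt in rcpts:
        # Assumption: a recipient with no prior messages has no model and is treated as unsuited.
        verdicts[rcpt] = models[rcpt].classify(tokens) if rcpt in models else "unsuited"
    flagged = [r for r, v in verdicts.items() if v == "unsuited"]
    alert = f"message unsuited for sending to: {', '.join(flagged)}" if flagged else None
    return {"recipients": rcpts, "verdicts": verdicts, "alert": alert}

# Constructed history: the same internal material is fine for a colleague, not for a vendor.
HISTORY = [
    ("to: bob@corp.example please review the internal roadmap and budget figures", "ok"),
    ("to: bob@corp.example attached the staging credentials you asked for", "ok"),
    ("to: bob@corp.example lunch tomorrow?", "ok"),
    ("to: vendor@partner.example here is the public api documentation link", "ok"),
    ("to: vendor@partner.example thanks for the invoice, payment is scheduled", "ok"),
    ("to: vendor@partner.example attached the internal roadmap and staging credentials", "unsuited"),
    ("to: vendor@partner.example do not share: internal budget figures and password", "unsuited"),
]

if __name__ == "__main__":
    models = build_models(HISTORY)
    for draft in ("to: vendor@partner.example sending the internal roadmap and credentials",
                  "to: bob@corp.example sending the internal roadmap and credentials"):
        print(check_message(models, draft))
```

The two drafts in the `__main__` block differ only in their recipient: the vendor's model flags the message and produces an alert, while the colleague's model, trained only on acceptable messages, lets it through. That recipient-keyed model selection, rather than a single global classifier, is the point the abstract makes.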
-
Publication number: 20230297719
Abstract: A computer-implemented method to limit access to sensitive information by filtering log files. The method includes deploying a first pod on a node of a cloud computing system, where the first pod includes a first container configured to run an application. The method also includes generating a first log file for the first container, where the first log file includes a set of actions performed by the application for a period of time. The method further includes filtering, by a filter, the first log file wherein the filter is configured to remove a type of sensitive data from the first log file. The method includes exporting, in response to the filtering, the first log file to the node. Advantageously, this can prevent various parties from accessing sensitive data that is contained in log files.
Type: Application
Filed: March 21, 2022
Publication date: September 21, 2023
Inventors: Da Li Liu, Qi Feng Huo, Lei Li, YUAN YUAN WANG, Yan Song Liu
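The filter in the abstract above sits between the container and the node, removing a chosen type of sensitive data before the log file is exported, so whoever can read logs on the node (or in whatever the node ships them to) never sees the raw values. The Python below is an added illustration, not the applicant's filter: it applies typed redactors to each log line, reports how many values of each type were removed, and lets the caller select which types to strip. The three types (bearer tokens, e-mail addresses and payment card numbers), the Luhn check that keeps ordinary long numeric ids from being redacted as card numbers, and the sample log lines are constructed for the example.

```python
"""Typed redaction of container log lines before export to the node (added example)."""
import re
from collections import Counter

def luhn_ok(digits):
    """Luhn checksum, used so long numeric ids are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_pan(match):
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[REDACTED:PAN]" if luhn_ok(digits) else match.group(0)

# (type name, pattern, replacement) in the order they are applied; the
# replacement is either a template or a callable that may decline to redact.
FILTERS = [
    ("bearer_token", re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._\-]+"), r"\1[REDACTED:TOKEN]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED:EMAIL]"),
    ("pan", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), redact_pan),
]

def filter_line(line, types=None):
    """Return (filtered line, Counter of redactions by type); `types` limits which filters run."""
    counts = Counter()
    for name, pattern, repl in FILTERS:
        if types is not None and name not in types:
            continue
        def substitute(m, name=name, repl=repl):
            new = repl(m) if callable(repl) else m.expand(repl)
            if new != m.group(0):
                counts[name] += 1
            return new
        line = pattern.sub(substitute, line)
    return line, counts

def filter_log(lines, types=None):
    """Filter a whole log before export; the totals double as an audit record."""
    filtered, totals = [], Counter()
    for line in lines:
        out, counts = filter_line(line, types)
        filtered.append(out)
        totals.update(counts)
    return filtered, totals

# Constructed container log: a token and an address, a test card number, and a
# 13-digit order id that must survive untouched.
SAMPLE_LOG = [
    "2024-03-21T10:00:01Z INFO  GET /api/orders Authorization: Bearer eyJhbGciOi.abc.def user=alice@example.com",
    "2024-03-21T10:00:02Z DEBUG charge card=4111 1111 1111 1111 amount=42.00",
    "2024-03-21T10:00:03Z DEBUG order_id=1234567890123 status=ok",
]

if __name__ == "__main__":
    exported, totals = filter_log(SAMPLE_LOG)
    print("\n".join(exported))
    print("redacted:", dict(totals))
```

Running the block redacts the token, the address and the card number while leaving the order id alone (its Luhn check fails), and the totals show one redaction of each type. Passing `types={"pan"}` restricts the filter to card numbers, which is the "a type of sensitive data" selection the abstract describes; in a real deployment the filter would run as a sidecar or logging-driver hook on the pod rather than on an in-memory list.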