DevSecOps Platform for Kubernetes: eBPF Enforcement, Zero Trust, GitOps, and Quality Gates
Project description
Framed with William Newman’s Design Challenge model, the project sets out to design a DevSecOps platform combining IaC, GitOps, eBPF-based security, and automated CI/CD scanning, so that DevOps engineers, developers, and security teams working in a cloud-native Kubernetes environment can securely build, scan, deploy, enforce, and observe containerized applications, protected by CI quality gates, kernel-level runtime threat blocking, zero-trust identity enforcement, and maintainable quality control standards.
The main research question is: How can eBPF-based security, GitOps automation, zero-trust identity management, and automated quality control be combined into a DevSecOps platform on AWS EKS that is secure, observable, and scales with the organisation? It breaks down into three core sub-questions and one optional exploration:
SQ1 - CI/CD Quality Gates: How should CI quality gates be configured to block critical vulnerabilities while managing accepted risks through policy exceptions?
SQ2 - eBPF Security & Zero Trust: How can kernel-level enforcement (Cilium/Tetragon) and identity-aware access control (Keycloak OIDC) be combined to enforce zero-trust in a Kubernetes cluster?
SQ3 - GitOps & Observability: How can ArgoCD ensure a reproducible Kubernetes environment with drift correction and integrated Prometheus observability?
SQ4 (Nice to Have) - AI-Assisted Development: Can AI tooling improve development quality and troubleshooting speed?
Context
Modern applications are no longer single programs but dozens of small services, each in its own container, orchestrated by Kubernetes. That shift has outpaced the tools meant to secure it: traditional firewalls cannot see traffic between services, hand-written security policies drift out of date, and a growing share of code is produced by AI assistants whose output rarely receives a security review.
Bureau Veritas Cybersecurity (formerly Secura) sits in the middle of that transition. Most departments run their workloads on virtual machines, and the Product Development and AI departments are planning a migration to Kubernetes, building on earlier exploratory PoCs. The migration brings exactly the gaps above with it: no visibility into east-west cluster traffic, no automated quality gates in the deployment pipeline, and manual configuration that leads to policy drift and unreproducible environments.
This graduation project is a focused Proof of Concept that closes those gaps using open-source tooling from the Cloud Native Computing Foundation.
Results
A developer pushing a change to GitLab triggers a pipeline of quality gates: linters, SonarQube code analysis, Gitleaks secret scans, and Trivy image and IaC checks. ArgoCD then syncs the change into the cluster, eBPF probes in the kernel enforce policy on every running container, Keycloak handles identity and SSO, and live dashboards confirm what happened. The same gates apply to human and AI-generated code alike.
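The quality-gate stage above, and SQ1's requirement that critical findings block the pipeline while accepted risks pass through policy exceptions, can be shown with a small gate evaluator. This is an added example, not code from the project: it reads the JSON report shape Trivy emits, and the exception-file format (owner, reason, expiry) is an assumed design, not one the project documents. Sample data is constructed and the CVE ids are placeholders.

```python
"""Quality-gate evaluator for Trivy JSON output (added example, not project code)."""
import json
from datetime import date

# Constructed sample in the shape of `trivy image --format json` output.
# CVE ids are placeholders, not real identifiers.
TRIVY_REPORT = json.loads("""
{"Results": [{"Target": "app:1.0 (alpine)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "HIGH"}]}]}
""")

# Hypothetical policy-exception file (assumed format): every accepted risk
# carries an owner, a justification and an expiry so it cannot live forever.
EXCEPTIONS = [
    {"id": "CVE-0000-0001", "owner": "team-platform",
     "reason": "vulnerable function not reachable", "expires": "2099-01-01"},
    {"id": "CVE-0000-0002", "owner": "team-platform",
     "reason": "vendor fix pending", "expires": "2000-01-01"},  # already expired
]

BLOCKING_SEVERITIES = {"CRITICAL"}


def active_exceptions(exceptions, today):
    """Ids of exceptions still in date; expired ones are deliberately ignored."""
    return {e["id"] for e in exceptions if date.fromisoformat(e["expires"]) >= today}


def evaluate_gate(report, exceptions, today, blocking=BLOCKING_SEVERITIES):
    """Return (passed, blocking_ids, accepted_ids) for one Trivy report."""
    accepted_ids = active_exceptions(exceptions, today)
    blocked, accepted = [], []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in blocking:
                continue
            vid = vuln["VulnerabilityID"]
            (accepted if vid in accepted_ids else blocked).append(vid)
    return (not blocked, blocked, accepted)


if __name__ == "__main__":
    passed, blocked, accepted = evaluate_gate(TRIVY_REPORT, EXCEPTIONS, date.today())
    print("accepted under policy:", accepted)
    print("blocking the pipeline:", blocked)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI job
```

Run inside the CI job after the Trivy scan; the non-zero exit is what turns the check into a gate, and the expired exception shows why exceptions need an end date.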
The project used AI assistants across development and troubleshooting, spanning local and proprietary models, wrappers, and agentic workflows, as part of the research.
To prove the platform holds up, the intentionally vulnerable DVWA and Google's Hipster Shop microservices demo were attacked with scripted exploits, Nuclei template scans and fuzzing, and k6 load tests. Cilium blocked unauthorised service traffic at lower overhead than iptables, Tetragon killed disallowed processes the moment they ran, and the application kept serving users at normal speed. The threat model is grounded in NIST guidance on container security, CI/CD pipelines, and zero-trust architecture, covering six MITRE ATT&CK tactics including Execution, Privilege Escalation, and Exfiltration.
The same packaged stack runs identically on a developer’s laptop and on AWS, showing that secure, reproducible, vendor-neutral delivery is achievable on open foundations alone, no proprietary security suite required.
About the project group
Individual graduation internship