Deploying Testbed Docker-Based Application For Encryption As A Service in Kubernetes

The scalability of today’s networking infrastructures, such as Kubernetes, has increased the demand for everything-as-a-service concepts, including encryption services. This paper details deploying an Encryption as a Service (EaaS) framework on Kubernetes. In our current implementation, a web platform is dedicated to the subscription processes and managing the requested services.


Deploying Testbed Docker-based Application for Encryption as a Service in Kubernetes

Amir Javadpour, Forough Ja'fari, Tarik Taleb, Chafika Benzaïd, Luis Rosa, Pedro Tomás and Luis Cordeiro

Corresponding author: Amir Javadpour ([email protected]). Amir Javadpour is with ICTFICIAL Oy, Espoo, Finland. He was with the Faculty of Information Technology and Electrical Engineering, University of Oulu (e-mail: [email protected]). Forough Ja'fari is with the Department of Computer Engineering, Sharif University of Technology, Iran. Tarik Taleb is with the Faculty of Electrical Engineering and Information Technology, Ruhr University Bochum, Bochum, Germany (e-mail: [email protected]). Chafika Benzaïd is with the Faculty of Information Technology and Electrical Engineering, University of Oulu (e-mail: [email protected]). Luis Rosa, Pedro Tomás and Luis Cordeiro are with OneSource, Coimbra, Portugal.

Abstract—The scalability of today's networking infrastructures, such as Kubernetes, has increased the demand for everything-as-a-service concepts, including encryption services. This paper details deploying an Encryption as a Service (EaaS) framework on Kubernetes. In our current implementation, a web platform is dedicated to the subscription processes and managing the requested services. Service providers subscribe to receive encryption and decryption services for their clients, and a token is assigned to them. The clients, or more precisely the devices covered by that service provider, use the encryption/decryption services by presenting that token. As our implemented web platform is written in Django, in this paper we discuss the deployment of Django applications on Kubernetes and the role of two other services (i.e., a database and Nginx) in making it available. The services are executed in Docker containers and deployed on Kubernetes pods. We also explain the steps to build the Docker containers, including the details of the Dockerfiles. We have deployed this framework on both local and remote Kubernetes environments. The former deployment was performed by setting up a local Minikube cluster, while the latter assumes a remote Kubernetes cluster to which we connect through a VPN. We have tested the availability and accuracy of the encryption/decryption services and checked the logs to ensure that these services work correctly. We aim to present this article to assist researchers wishing to conduct effective testing or a testbed in the real world.

Index Terms—Encryption as a Service (EaaS), Kubernetes, Internet of Things (IoT), NGINX, Deploying Docker-based, Testbed.

I. INTRODUCTION

Encryption as a Service (EaaS) is the process of providing all cryptographic services to the end users, and it overcomes the resource limitation issues of the end devices. With EaaS, organizations can outsource the complex and time-consuming tasks of encryption and key management to third-party providers who specialize in these processes. This allows them to focus on their core business operations while maintaining the security and integrity of their sensitive data. EaaS offers numerous benefits, including easy implementation and scalability, reduced costs of ownership and maintenance, and enhanced security measures [1, 2, 3].

One of the main consumers of EaaS solutions is Internet of Things (IoT) devices. They have limited resources, and due to their large scale and the popularity of such networks in modern digital societies, a scalable EaaS framework is needed. However, managing and maintaining an EaaS platform for this demand is challenging [4, 5, 6]. An EaaS framework deployed on Kubernetes environments improves data security across the other services provided by this environment. It focuses on real-time encryption, easy integration, and improved access controls [2, 7].

To communicate with the world outside the Kubernetes cluster, clients first connect to Nginx, which acts as an entry point and then routes requests to the appropriate internal services, such as the Django/Gunicorn service. NGINX offers high performance, scalability, and reliability. NGINX is flexible and can be used for various applications, from serving static content to load balancing and caching dynamic web applications. NGINX Ingress Controller is a popular and powerful tool for managing external access to Kubernetes services. NGINX works with third-party modules for load balancing, caching, security, and monitoring, allowing users to extend the capabilities of their web servers while maintaining reliability. NGINX Service Mesh provides a trusted environment with strict control over allowed connections.

Minikube is a platform that allows running a single-node Kubernetes cluster in a local environment, such as a laptop or PC. This tool allows developers and DevOps engineers to install Kubernetes quickly for testing, development, or learning. Minikube includes all the core components of Kubernetes, including Deployments, Services, and ConfigMaps, and is compatible with common tools such as kubectl. In Kubernetes, a cluster may contain one or more nodes. Each node can host multiple pods, and each pod can host one or more containers. Each node has its own resources, such as CPU, memory, and storage. When pods are deployed in the cluster, Kubernetes automatically determines which nodes are best suited to run the pods. To check that the nodes have sufficient resources, commands such as kubectl describe nodes and kubectl get pods -o wide are used to monitor the cluster and check how the pods are distributed.

We also have another concept called microservices, which can solve problems related to the growth of projects. They are often used with container management tools and services and deployed on Kubernetes-managed cloud platforms. Deploying microservices requires considering API versions and integration testing across multiple domains, and automated
monitoring is critical to ensure that each component is working well. As mentioned, NGINX is a powerful load-balancing solution trusted by some of the world's most popular websites, including Dropbox, Netflix, and Zynga. By providing dynamic reconfiguration for simple service management and easy integration with popular microservices management tools like Kubernetes, NGINX makes it easy for leading companies like Netflix to use NGINX at the core of microservices deployments. NGINX Controller provides application delivery management for NGINX microservices solutions and makes it easy to manage and monitor microservices architectures at scale. NGINX Service Mesh provides management solutions for our containerized microservices and provides solutions for bridging heterogeneous microservice environments. To deploy EaaS on Kubernetes, we need to partition the environment into different parts on different nodes. We also need to consider the hardware requirements for each node to achieve the optimal performance and scalability of the EaaS deployment (Figure 1). As seen in Figure 1 (Part A), an EaaS deployment in a Kubernetes environment should have different partitions on different nodes, according to hardware requirements, to optimize performance and scalability. The details of each item for EaaS deployment in organizing Kubernetes containers based on the NGINX service are shown in Figure 1 (Part B).

This paper focuses on implementing an EaaS framework on Kubernetes and its details. Figure 2 shows the implementation architecture, containing three main services: Django, Gunicorn, and Nginx. Django is a popular high-level web development framework in the Python programming language. This framework has attracted the attention of many web developers due to its Model-View-Controller (MVC) architecture, powerful tools for database management, and a fast and efficient development environment. The end devices connect to the web platform (Django) through Nginx, acting as a proxy. Nginx forwards traffic from the end devices to the Django service, and vice versa, and the Django service is exposed by the Gunicorn service. It is worth noting that a PostgreSQL database service [8] is also provided to store the data related to the EaaS framework. Each service is encapsulated in a Docker container, defined by a Dockerfile, and orchestrated using Docker Compose with environment configurations managed through .env files. The deployment process on Kubernetes involves creating deployments for each service, ensuring communication between them, and managing pods efficiently. This setup exemplifies a robust infrastructure for a scalable EaaS framework.

The remainder of this paper is as follows. Section II provides the details of dockerizing the main services and the required configurations. Section III presents the steps of deploying the created Docker containers on the Kubernetes environment. The performance of the deployed EaaS framework is then evaluated in Section IV. Finally, Section V gives this paper's summary and conclusion.

II. DOCKERIZING THE SERVICES

This section describes how to dockerize the main services to provide the EaaS framework. Three services need to be executed on Kubernetes from their Docker containers: a PostgreSQL service for the database, a Django service for the web platform, and an Nginx service for the proxy.

The steps to build the Docker containers are reviewed in the following. This includes creating a Dockerfile for each service. For the web service, the Dockerfile includes installing dependencies, copying project files, and setting up Gunicorn. For the Nginx service, the Dockerfile consists of copying the Nginx config file and setting the executable command. We also explain how to build a Docker image using the docker build command and test it with docker run. Docker Compose is a tool that allows us to manage different Docker services with a single YAML file. We look at how to define services in Docker Compose and map ports. Dependencies between services and settings related to networking and storage are also explained. To configure Nginx, we look at creating an upstream to direct traffic to the web service. We also discuss the settings for Nginx listening on port 80 and how to configure the paths for static and media files.

A Dockerfile is a file that defines a set of commands to build a Docker container. This file should specify which image will be used as a base, how dependencies will be installed, and how the project will run. Table I shows the Dockerfile that we have used for the Django service. This file specifies the required dependencies to be installed and the related commands to be executed before the container is deployed. To serve static and media files, specific paths are provided to access CSS, JavaScript, images, and other static resources.

TABLE I
THE DOCKERFILE USED FOR DOCKERIZING THE DJANGO WEB SERVICE.

# Stage 1: build wheels for the project's Python dependencies
FROM python:3.8.10-slim-buster as builder
WORKDIR /usr/src/ICT
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
RUN apt-get update && apt-get install -y --no-install-recommends gcc
RUN pip install --upgrade pip
RUN pip install flake8==6.0.0
COPY . /usr/src/ICT/
COPY ./requirements.txt .
RUN pip wheel --wheel-dir /usr/src/ICT/wheels -r requirements.txt
# Stage 2: runtime image; gcc and the build artefacts are not carried over
FROM python:3.8.10-slim-buster
RUN mkdir -p /home/ICT
# Unprivileged user and group that will own and run the application
RUN addgroup --system ict && adduser --system --group ict
ENV HOME=/home/ICT
ENV APP_HOME=/home/ICT/web
RUN mkdir $APP_HOME
RUN mkdir $APP_HOME/staticfiles
WORKDIR $APP_HOME
RUN apt-get update
RUN apt-get install -y --no-install-recommends netcat
# Install the wheels pre-built in the builder stage
COPY --from=builder /usr/src/ICT/wheels /wheels
COPY --from=builder /usr/src/ICT/requirements.txt .
RUN pip install --upgrade pip
RUN pip install --no-cache /wheels/*
COPY . $APP_HOME
RUN chown -R ict:ict $APP_HOME
# Drop root for the remaining layers and at runtime
USER ict

To run Nginx as a standalone service in Docker, we must create a dedicated Dockerfile for Nginx. Also, to properly configure Nginx, we need to include the appropriate settings in the Nginx config file. These settings include the upstream to direct traffic to the web service and the ports Nginx uses to
listen for incoming requests. First, a Dockerfile for Nginx must be created in a separate path. This file contains the necessary commands to configure and run Nginx. In this Dockerfile, we need to copy the Nginx config file into the container, which will then start Nginx. The Nginx config file contains the upstream and routing settings. In this file, we must define how Nginx will route incoming traffic to the web service and the ports Nginx will listen on. These settings allow Nginx to connect to the web service and handle incoming traffic properly.

Fig. 1. The details of deploying EaaS and presenting different parts on different nodes in Kubernetes containers based on the NGINX service. A) The details of deploying EaaS on orchestrating Kubernetes containers based on the NGINX service. B) The EaaS deployment in a Kubernetes environment should have different parts on different nodes, with consideration given to the hardware requirements to optimize performance and scalability.

After that, the Dockerfiles are generated, and a docker-compose.yml file is used to define them as services. It is worth noting that for the database service, a default image is provided by Docker Hub, and we can easily run it on Kubernetes by specifying the version and the path to its default container. Hence, only dockerizing the Django platform and the Nginx proxy is discussed here.

The docker-compose.yml file shown in Figure 3 presents the configurations for dockerizing web (i.e., the Django service) and nginx (i.e., the Nginx proxy). The database URL is also specified to tell the web service where to communicate for storage processes. Moreover, a Gunicorn command is defined to make the Django service accessible. Gunicorn is used as a WSGI server to handle requests. It is worth noting that we have passed the environment variables directly in the docker-compose.yml file in this configuration. Another common way to manage environment variables is to create a .env file that contains important information such as database URLs, API keys, and other sensitive settings. This file should be placed in the main project folder and must not be uploaded to version control systems.

The configurations for the Nginx service should be added, and the necessary configurations should be done in the docker-compose.yml file.

III. DEPLOYING ON KUBERNETES

This section provides details on pods and services for the Kubernetes deployment. The database service, web, and Nginx are defined as the project's main components in this configuration. Docker images are used for each service, and the required settings are provided by using environment variables. The
Kubernetes infrastructure to deploy these services is shown in Figure 1. When the Docker containers are ready, we can deploy them on the Kubernetes pods. Figure 3 shows how the three containers related to our three main services are deployed. The Nginx service is a reverse proxy, and Gunicorn handles incoming requests through port 8000.

Fig. 2. The implementation architecture used for deploying the EaaS framework on Kubernetes.

To bring up a local Kubernetes cluster, we have used Minikube, and kubectl allows us to connect to the cluster, create new resources, and monitor the status of the cluster and pods. kubectl is the primary tool for Kubernetes cluster management.

We can use containers such as PostgreSQL to create and deploy an SQL database. For example, if we want PostgreSQL version 15, we can pull the image tagged with this version from Docker Hub. YAML files are commonly used to create and run a database in Kubernetes. These files contain Kubernetes resource definitions for developing and managing pods, deployments, and services. The command "kubectl apply -f db-deployment.yaml -f db-service.yaml" applies the YAML files and creates the required deployment and service. This way, we deploy one replica of PostgreSQL and a service listening on the port specified in the db.yaml part of Figure 3.

Data monitoring and services are critical for maintaining operational integrity and security when deploying Encryption-as-a-Service on Kubernetes. Each service is carefully monitored using tools to track health, performance, and resource usage. Logs from each container are collected and analyzed to detect anomalies and troubleshoot problems. Kubernetes' native monitoring capabilities are enhanced with tools like Prometheus and Grafana for metrics collection and visualization. Additionally, Kubernetes' logging capabilities play a vital role in auditing access and identifying potential security breaches. PostgreSQL is used as the database service, configured through Dockerfiles, and managed using Kubernetes Secrets and ConfigMaps for sensitive information. Data replication, backup, and recovery strategies are implemented to safeguard against data loss and ensure high availability.

IV. EVALUATION RESULTS

The deployment process involved setting up Kubernetes services to facilitate communication between the web service, database, and Nginx. Environment configurations were managed through .env files, ensuring sensitive information was securely handled. Testing with Minikube in a local environment confirmed that the deployment works as intended, with services communicating correctly and efficiently handling HTTP/HTTPS traffic. Using kubectl to manage resources and check logs has been instrumental in verifying the deployment's stability and performance. Initial results are promising, with the deployed system showing robust performance and scalability. Also, in our current implementation, we have implemented the EaaS and the subscription part to prepare tokens for new clients. We also discussed various topics related to deploying and configuring Django projects on Kubernetes and Docker. First, we discussed the deployment of Django on Kubernetes and the role of the three primary services (web, database, and Nginx). The database service was defined with PostgreSQL, the web service with Django/Gunicorn, and the Nginx service to handle HTTP traffic. To build Docker containers, we explained the steps to create a Dockerfile and the methods of creating a Docker image. The Dockerfile included steps to install dependencies, copy project files, and run the app with Gunicorn. Also, we examined how to configure the Django project using environment files (.env) and methods of managing environment variables. Next, the structure of the Docker Compose file, how to define different services, map ports, and the settings required to connect services were discussed. Nginx configurations and upstream settings, ports, and traffic routing to the web service were also explained. We also covered setting up Minikube and how to test Kubernetes deployments in a local environment. We ran the Kubernetes files, tested the services with curl, and checked the logs to ensure the services worked correctly.

We started by building Docker containers to package our custom services. This involved setting up Dockerfiles to create container images that included everything needed for the services. Once the containers were built, we deployed them to Kubernetes, where they were run as pods, the basic building blocks in Kubernetes. This made our services accessible and ready for users. Then, we tested the Encryption as a Service platform. This involved checking that the different parts could connect, looking at logs to spot errors, and ensuring the services were fast and responsive. This final step aimed to ensure the platform was ready for production and that users would have a smooth experience. We need to ensure that users connected to the EaaS platform have access. Various platforms are available in the EaaS sector, such as a Django-type web service. This web service provides a page to the customer and subscription encryption services. Upon joining and requesting a service, the user receives a token (for example, 15a4d),
Fig. 3. Deploying a Django project on Kubernetes using Docker.

which he or his devices can use to access EaaS. When a user registers, his information is stored in the database along with the token. The EaaS platform has several components, including the request handler (RH), Decryptor, Encryptor, key manager (KM), and key generator (KG). In Figure 4, we can see an Internet of Things (IoT) device sending a request to RH, wanting to encrypt the word "Hello" using RSA encryption. The device also has a token. When RH receives a request, it first searches the database for the token and user information to verify whether the service can be provided. If allowed, RH communicates with KM to obtain the key generated by KG for the encryption process. Then, RH sends
the encrypted content back to the IoT client. The encryption request is issued as follows:

curl -X POST -H "Content-Type: application/json" -H 'Authorization: Bearer aaaa' -d '{"id": "1", "text": "hello", "algo": "rsa"}' http://10.1.0.100:30303/encrypt/

For decryption, a request containing the ID and the encrypted text is sent to RH; assuming that the cipher is "bbbb", the following command is used to decrypt it:

curl -X POST -H "Content-Type: application/json" -H 'Authorization: Bearer aaaa' -d '{"id": "1", "cipher": "bbbb", "algo": "rsa"}' http://10.1.0.100:30303/decrypt/

Fig. 4. Make an HTTP POST request and include the authorization token received from the site.

V. CONCLUSION AND FUTURE WORK

In this paper, we have implemented an Encryption as a Service framework on Kubernetes. The current testbed has been deployed on OneSource (OneSource, Consultoria Informática, Lda.) company assets as part of the RIGOUROUS "secuRe desIGn and deplOyment of trUstwoRthy cOntinUum computing 6G Services" project. We have covered deploying Django on Kubernetes, building Docker containers, configuring Django projects using environment files, setting up Minikube, and testing Kubernetes deployments in a local environment. Further integration with advanced monitoring and logging tools will be pursued to enhance the system's observability. This includes implementing more granular logging and real-time alerts to identify and resolve issues proactively. Enhancing security measures should be considered for future work, such as incorporating advanced authentication mechanisms and ensuring compliance with emerging data protection regulations. In our future projects, we plan to increase the security of our Docker-based application deployed on Kubernetes by integrating a network honeypot. It acts as a decoy to lure and analyze potential attackers, significantly enhancing our security measures [9, 6, 10, 11, 12]. Administrators can detect and monitor unauthorized access attempts by deploying a honeypot and collecting real-time data on emerging threats.

ACKNOWLEDGMENT

This research work is partially supported by the European Union's Horizon Europe research and innovation program HORIZON-JU-SNS-2022 under the RIGOUROUS project (Grant No. 101095933).

REFERENCES

[1] A. Alqarni, "Enhancing cloud security and privacy with zero-knowledge encryption and vulnerability assessment in Kubernetes deployments," Ph.D. dissertation, Middle Tennessee State University, 2023.
[2] A. Javadpour, F. Ja'fari, T. Taleb, Y. Zhao, Y. Bin, and C. Benzaïd, "Encryption as a service for IoT: Opportunities, challenges and solutions," IEEE Internet of Things Journal, 2023.
[3] M. Zhang, J. Cao, Y. Sahni, Q. Chen, S. Jiang, and T. Wu, "EaaS: A service-oriented edge computing framework towards distributed intelligence," in 2022 IEEE International Conference on Service-Oriented System Engineering (SOSE), 2022, pp. 165–175.
[4] D. Unal, A. Al-Ali, F. O. Catak, and M. Hammoudeh, "A secure and efficient internet of things cloud encryption scheme with forensics investigation compatibility based on identity-based encryption," Future Generation Computer Systems, vol. 125, pp. 433–445, 2021.
[5] C. Carrión, "Kubernetes scheduling: Taxonomy, ongoing issues and challenges," ACM Computing Surveys, vol. 55, no. 7, pp. 1–37, 2022.
[6] A. Javadpour, F. Ja'fari, T. Taleb, M. Shojafar, and C. Benzaïd, "A comprehensive survey on cyber deception techniques to improve honeypot performance," Computers & Security, p. 103792, 2024.
[7] A. Javadpour, F. Ja'fari, and T. Taleb, "Encryption as a service: A review of architectures and taxonomies," in Distributed Applications and Interoperable Systems, R. Martins and M. Selimi, Eds. Cham: Springer Nature Switzerland, 2024, pp. 36–44.
[8] H. Schönig, Mastering PostgreSQL 15: Advanced techniques to build and manage scalable, reliable, and fault-tolerant database applications. Packt Publishing, 2023. [Online]. Available: https://books.google.nl/books?id=ZBOrEAAAQBAJ
[9] A. Javadpour, F. Ja'fari, T. Taleb, and C. Benzaïd, "A mathematical model for analyzing honeynets and their cyber deception techniques," in 2023 27th International Conference on Engineering of Complex Computer Systems (ICECCS), 2023, pp. 81–88.
[10] G. Kokolakis, G. Ntousakis, I. Karatsoris, S. Antonatos, M. Athanatos, and S. Ioannidis, "Honeychart: Automated honeypot management over Kubernetes," in European Symposium on Research in Computer Security. Springer, 2022, pp. 321–328.
[11] C. Gupta, "Honeykube: Designing a honeypot using microservices-based architecture," Master's thesis, University of Twente, 2021.
[12] A. Ayala Gil, "Honeypot in a box: A distributed cluster network for honeypot deployment," Ph.D. dissertation, Politecnico di Torino, 2024.
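The token-checked encrypt/decrypt exchange of Section IV, as an added example that is not the paper's code: a request handler (RH) that resolves the "Authorization: Bearer" token against a constructed in-memory subscriber table standing in for the PostgreSQL database (assuming only token digests are stored), checks the requested algo and id, and dispatches to a textbook-RSA stand-in for the Encryptor/Decryptor with a demo-sized key from a KM stand-in.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed subscriber table standing in for the PostgreSQL database.
# Assumption (not the paper's schema): only a SHA-256 digest of each issued
# token is stored, so a database leak does not leak usable tokens.
SUBSCRIBERS = {
    hashlib.sha256(b"aaaa").hexdigest(): {"id": "1", "owner": "provider-A"},
}

# Key manager (KM) stand-in: one key per subscriber id. p=61, q=53 gives a
# textbook, demo-sized RSA key; a real KM would hand out keys produced by KG.
KEYS = {"1": {"n": 3233, "e": 17, "d": 2753}}

SUPPORTED_ALGOS = {"rsa"}


def rsa_encrypt(text: str, key: dict) -> str:
    # Textbook RSA applied byte by byte: demo only, not semantically secure.
    return ",".join(str(pow(b, key["e"], key["n"])) for b in text.encode())


def rsa_decrypt(cipher: str, key: dict) -> str:
    # Raises ValueError/UnicodeDecodeError on a malformed ciphertext.
    return bytes(pow(int(c), key["d"], key["n"]) for c in cipher.split(",")).decode()


def lookup_subscriber(headers: dict) -> Optional[dict]:
    """Resolve 'Authorization: Bearer <token>' to a subscriber record, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, record in SUBSCRIBERS.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return record
    return None


def handle(path: str, headers: dict, body: str) -> Tuple[int, dict]:
    """RH entry point for /encrypt/ and /decrypt/: (HTTP status, JSON response)."""
    subscriber = lookup_subscriber(headers)
    if subscriber is None:
        return 401, {"error": "invalid or missing token"}
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(req, dict) or req.get("algo") not in SUPPORTED_ALGOS:
        return 400, {"error": "unsupported or missing algo"}
    if req.get("id") != subscriber["id"]:
        # A valid token may only act on the id it was issued for.
        return 403, {"error": "token does not cover this id"}
    key = KEYS[subscriber["id"]]
    if path == "/encrypt/" and isinstance(req.get("text"), str):
        return 200, {"id": subscriber["id"], "cipher": rsa_encrypt(req["text"], key)}
    if path == "/decrypt/" and isinstance(req.get("cipher"), str):
        try:
            return 200, {"id": subscriber["id"], "text": rsa_decrypt(req["cipher"], key)}
        except (ValueError, UnicodeDecodeError):
            return 400, {"error": "malformed cipher"}
    return 404, {"error": "unknown endpoint or missing field"}
```

The two curl commands from Section IV map onto handle("/encrypt/", ...) and handle("/decrypt/", ...) with the same header and JSON body; a wrong token, an unsupported algo, an id the token does not cover, and a malformed cipher each get a distinct error status.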
