Score
A package manager for Kubernetes that packages applications into charts with templated manifests and configurable values; using Helm involves authoring charts, managing releases with helm install/upgrade/rollback, templating values.yaml, and hosting chart repositories for repeatable deployments.
In cloud-native systems, Kubernetes’ declarative configurations (YAML/Helm) impede architectural understanding, hindering developer and operator productivity. This paper introduces the first user-study-driven visualization framework that automatically and semantically faithfully maps raw Kubernetes resource specifications to interpretable architecture diagrams. Methodologically, it integrates a custom domain-specific language (DSL), the Kubernetes client API, and a graph-based encoding strategy to enable zero-intrusion integration and low-friction embedding into DevOps pipelines. Evaluated on three real-world systems, the tool accelerates architectural comprehension by 42% on average and improves modeling accuracy—reducing modeling errors by 68%. It has been adopted by the CNCF ecosystem as a recommended visualization tool. The core contributions are: (1) the first visualization generation paradigm explicitly designed for Kubernetes semantics; and (2) a solution that jointly ensures precision, scalability, and engineering practicality.
Kubernetes configuration defects frequently cause severe runtime failures, yet existing static analysis tools exhibit limited detection capability. This paper presents an empirical study of 2,260 open-source Kubernetes configuration scripts, systematically identifying and classifying 15 common defect categories. Through combined qualitative analysis and static analysis, we uncover two critical defect patterns previously undetected by existing tools. Leveraging these insights, we design and implement a novel lightweight linter capable of precisely detecting all identified defect types. Evaluated on real-world projects, the tool discovers 26 previously unknown, manually verified defects—19 of which have since been fixed. Our contributions include: (1) a comprehensive, publicly available dataset of annotated configurations; (2) an open-source implementation of the linter; and (3) a reusable taxonomy and methodology for improving Kubernetes configuration reliability. All artifacts are openly released to support reproducible research and practical adoption.
To address the challenges of difficult development and debugging, complex integration testing environments, and high pedagogical barriers in the GlideinWMS distributed system, this paper proposes the “Workspace Container” methodology—a unified, lightweight, containerized environment for development and education. Built upon a multi-container architecture—including Factory, Frontend, compute nodes, and batch systems—it integrates Docker and VS Code to enable one-click local deployment, offline debugging, and seamless IDE collaboration. The key contribution lies in abstracting development, testing, and teaching workflows into reusable, composable, standardized container units, thereby substantially reducing onboarding overhead for new users. Empirical validation across multiple workshops confirms that the full system runs efficiently on commodity laptops, accelerates development and debugging cycles, and significantly improves instructional interactivity and experimental reproducibility.
This study addresses the significant inconsistencies among current Kubernetes security hardening guidelines and configuration scanning tools in terms of recommendation coverage and risk scoring, which hinder effective security configuration decisions. The authors systematically analyze eight widely adopted hardening guides to derive a unified benchmark of 79 configuration recommendations and conduct a structured empirical evaluation of ten static scanning tools. For the first time, they establish a standardized framework for assessing Kubernetes configuration security. Their findings reveal substantial discrepancies in both coverage and risk assessment across existing guidelines and tools, underscoring the urgent need for a transparent and consistent security evaluation methodology. This work provides the community with a reproducible benchmark and actionable criteria for tool selection and policy alignment.
Despite growing adoption of Software Bill of Materials (SBOM), empirical comparisons across major SBOM standards—particularly SPDX and CycloneDX—remain scarce, hindering evidence-based standardization and tooling decisions. Method: This study conducts the first cross-format, multidimensional empirical evaluation of the SPDX and CycloneDX ecosystems, analyzing 170 tools, 36,990 open-source issue reports, and 250 health metrics from top-tier projects. It integrates open-source ecosystem measurement, issue-report mining, and health modeling—including contribution frequency, maintenance responsiveness, and integration coverage. Contribution/Results: CycloneDX exhibits 23% higher developer activity, whereas SPDX offers 1.8× more tools and significantly greater industrial adoption. Both formats suffer from shared limitations in automated SBOM generation, compliance validation, and cross-format interoperability. The study proposes a complementary evolutionary roadmap to guide SBOM standardization and practical engineering deployment, grounded in rigorous empirical evidence.
In HPC environments, binary package managers suffer from inflexible configuration due to strict ABI constraints, while source-based builds incur inefficiency from redundant compilation (e.g., when switching MPI implementations). Although Spack supports hybrid source/binary deployment, its lack of a formal binary compatibility model prevents safe reuse of binaries built across heterogeneous environments. This work introduces *splicing*, a novel Spack extension that establishes the first fine-grained ABI compatibility model. It integrates metadata annotation, enhanced dependency resolution, and runtime compatibility checking to enable secure cross-environment binary reuse. The approach seamlessly unifies the configurability of source builds with the efficiency of binary installation—reducing redundant compilations significantly, achieving near-binary installation speed, and incurring negligible overhead. As a result, splicing enhances both flexibility and scalability of HPC software distribution.
This work addresses the challenges in edge and embedded application development—namely, heterogeneous software stacks, multi-language runtimes, and difficult debugging—which lead to rigid deployment workflows and complex fault diagnosis. To overcome these limitations, the paper proposes a novel architecture enabling unified end-edge-cloud development. Its core components include a single programming language, a retargetable runtime system, a local recording and replay mechanism for distributed events, and a cross-platform deployment framework. This design breaks down traditional debugging barriers in edge–cloud collaborative development, facilitating seamless scalability, consistent testing, and flexible deployment across heterogeneous environments. Evaluation of the prototype system demonstrates that the proposed approach significantly simplifies deployment procedures and enhances fault diagnosis efficiency.
In cross-organizational, cross-domain, and offline distributed entity collaboration, existing API- and message-broker-based approaches struggle to simultaneously ensure auditability, loose coupling, and participant autonomy. Method: This paper proposes a GitOps-based coordination model that uses Git as a shared state repository, leverages Kubernetes-style Custom Resource Definitions (CRDs) with declarative spec/status fields to represent desired and observed states, and integrates cryptographic commit signing, fine-grained access control, and Operator-driven automated synchronization. Contribution/Results: The model extends GitOps beyond intra-cluster operations to inter-organizational coordination, natively supporting version traceability, operational auditing, and state reproducibility. Experiments demonstrate significant improvements over RESTful APIs and message middleware in transparency, auditability, offline fault tolerance, and operational observability—while preserving participant autonomy and system decoupling.
Overly permissive Kubernetes configurations—such as excessively broad RBAC permissions and overly open network policies—facilitate privilege escalation and lateral movement, yet existing approaches rely predominantly on static analysis, failing to capture dynamic runtime requirements. This paper introduces KubeGuard, the first runtime log-driven, LLM-augmented framework for minimal-privilege configuration optimization. KubeGuard employs a modular prompt chain to jointly analyze YAML manifests and cluster runtime logs, translating observed operational behavior into actionable, security-compliant configuration recommendations. It automatically generates and refines RBAC roles, network policies, and deployment resource constraints. Experimental evaluation demonstrates that KubeGuard significantly outperforms baseline methods in precision, recall, and F1-score, while supporting both proprietary and open-source LLMs. By grounding configuration hardening in actual runtime behavior, KubeGuard effectively bridges the gap between declarative security policies and operational reality.
This work addresses the inefficiency and error-proneness of manually aggregating change descriptions and impact scopes in cloud-native CI/CD pipelines during multi-task, multi-author collaborative releases. To tackle this challenge, the authors propose a novel approach that integrates semantic commit filtering, large language model (LLM)-driven structured summarization, and static task dependency analysis—marking the first integration of LLMs with pipeline dependency analysis to automatically generate stakeholder-oriented, categorized change reports. The system has been implemented within GitHub Actions and Tekton and deployed in a production environment comprising over 20 pipelines and 60 tasks. Empirical results demonstrate significant improvements in the accuracy and timeliness of release communication, outperforming existing tools such as SmartNote and VerLog.