An Intrusion Detection System in a Kubernetes Cluster
2025 (English) Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Background: Intrusion Detection Systems (IDS) are essential for monitoring and analyzing network or system activity to detect malicious actions or policy violations. Applying traditional IDS solutions to the dynamic, distributed architecture of microservices, and in particular to a Kubernetes cluster, runs into numerous shortcomings: these systems often struggle to keep up with the rapid deployment and fluid nature of a cluster in which every pod is a potential attack vector.
Objectives: The objectives of this thesis are threefold:
- To perform a literature review on intrusion detection systems in Kubernetes/microservices cloud-native environments.
- To develop an intrusion detection system that is implemented at the pod level in a Kubernetes cluster.
- To evaluate the intrusion detection system in a Kubernetes cluster.
Methods: A literature review is conducted to examine the current landscape of Kubernetes-compatible IDS solutions. This is followed by a formal experiment involving the development and deployment of a hybrid IDS that combines rule-based (Snort), supervised (KNN), and unsupervised (Isolation Forest) models. Network traffic is captured at the pod level using Ksniff and processed into flow data using CICFlowMeter. Model evaluation is performed on the improved CICIDS dataset.
Results: The system demonstrates successful detection of known attacks using the KNN model, with reasonable precision and recall scores. Isolation Forest effectively flagged novel or anomalous activity, though with some false positives. While the architecture proves viable as a concept, real-time implementation is hindered by significant inference latency introduced in the data pipeline. Additionally, the CICIDS dataset was the most applicable among publicly available sources, although gaps remain in modeling Kubernetes-native behaviors.
Conclusions: This thesis validates the feasibility of hybrid IDS deployment at the pod level in Kubernetes. The layered approach enhances detection coverage, especially in environments with encrypted service mesh traffic. However, current limitations in dataset realism, system latency, and access requirements highlight the need for further optimizations. Future work should focus on reducing latency, expanding model diversity, and developing datasets that better reflect modern Kubernetes threat landscapes.
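To make the layered scoring described in the Methods and Results paragraphs concrete, here is an added stand-alone example; it is not code from the thesis or from its pipeline. The three layers (a signature-style rule standing in for Snort, a KNN classifier over labelled flows, and an Isolation Forest fitted only on one pod's benign flows) each score a flow record and the verdicts are merged into one alert decision. The flow records, the feature names (loosely modelled on CICFlowMeter columns), the rule and the threshold are all constructed assumptions for this example; nothing is taken from CICIDS.

```python
"""Layered flow scoring, stdlib only: rule layer (stand-in for Snort), supervised
KNN on labelled flows (known attacks), Isolation Forest on benign flows (novelty).
Feature names loosely follow CICFlowMeter columns; all flows are constructed."""
import math
import random

FEATURES = ["flow_duration", "tot_fwd_pkts", "tot_bwd_pkts", "fwd_bytes", "bwd_bytes"]


# Layer 1: signature-style rule (hypothetical stand-in, not a real Snort rule).
def rule_layer(flow):
    scan_like = flow["tot_fwd_pkts"] == 1 and flow["tot_bwd_pkts"] == 0 and flow["syn_only"]
    return ["single unanswered SYN (scan-like)"] if scan_like else []


# Layer 2: KNN on min-max scaled features; it can only name classes it was trained on.
def fit_scaler(rows):
    lo = [min(r[i] for r in rows) for i in range(len(FEATURES))]
    hi = [max(r[i] for r in rows) for i in range(len(FEATURES))]
    return lo, [h - l if h > l else 1.0 for l, h in zip(lo, hi)]

def scale(x, scaler):
    return [(v - l) / s for v, l, s in zip(x, scaler[0], scaler[1])]

def knn_predict(train, scaler, x, k=3):
    sx = scale(x, scaler)
    nearest = sorted((math.dist(sx, scale(r, scaler)), lab) for r, lab in train)[:k]
    votes = {}
    for _, lab in nearest:
        votes[lab] = votes.get(lab, 0) + 1
    return max(votes, key=votes.get)


# Layer 3: Isolation Forest (Liu et al., 2008) fitted on benign flows only.
def _c(n):  # average path length of an unsuccessful BST search, normalises scores
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _grow(rows, depth, max_depth, rng):
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    f = rng.randrange(len(FEATURES))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)  # random feature, random cut: outliers isolate early
    return {"f": f, "split": split,
            "l": _grow([r for r in rows if r[f] < split], depth + 1, max_depth, rng),
            "r": _grow([r for r in rows if r[f] >= split], depth + 1, max_depth, rng)}

def _path(tree, x):
    depth = 0
    while "f" in tree:
        tree = tree["l"] if x[tree["f"]] < tree["split"] else tree["r"]
        depth += 1
    return depth + _c(tree["size"])

def iforest_fit(rows, n_trees=200, seed=7):
    rng, n = random.Random(seed), len(rows)  # tiny baseline: each tree sees all rows, shuffled
    trees = [_grow(rng.sample(rows, n), 0, math.ceil(math.log2(n)), rng) for _ in range(n_trees)]
    return {"n": n, "trees": trees}

def iforest_score(forest, x):
    """Score in (0, 1]: isolated in few splits -> close to 1 -> anomalous."""
    avg = sum(_path(t, x) for t in forest["trees"]) / len(forest["trees"])
    return 2 ** (-avg / _c(forest["n"]))


class HybridIDS:
    def __init__(self, baseline_rows, labelled_rows):
        self.train = [(r, "benign") for r in baseline_rows] + labelled_rows
        self.scaler = fit_scaler([r for r, _ in self.train])
        self.forest = iforest_fit(baseline_rows)
        # Contamination assumed 0: "novel" means scoring above every benign baseline flow.
        self.threshold = max(iforest_score(self.forest, r) for r in baseline_rows)

    def inspect(self, flow):
        x = [float(flow[f]) for f in FEATURES]  # dst_port/syn_only feed only the rule layer
        score = iforest_score(self.forest, x)
        v = {"rule_hits": rule_layer(flow), "knn_label": knn_predict(self.train, self.scaler, x),
             "if_score": round(score, 3), "novel": score > self.threshold}
        v["alert"] = bool(v["rule_hits"]) or v["knn_label"] != "benign" or v["novel"]
        return v


def constructed_baseline(n=40, seed=1):
    """Constructed HTTP-like flows standing in for one pod's benign baseline."""
    rng, rows = random.Random(seed), []
    for _ in range(n):
        fwd, bwd = rng.randint(10, 25), rng.randint(8, 22)
        rows.append([rng.uniform(800, 1500), fwd, bwd,
                     fwd * rng.uniform(150, 250), bwd * rng.uniform(1400, 2600)])
    return rows

# Constructed labelled attack flows for the KNN layer, same feature order as FEATURES.
ATTACK_FLOWS = [([5, 1, 0, 0, 0], "portscan"), ([4, 1, 0, 0, 0], "portscan"),
                ([6, 1, 0, 0, 0], "portscan"), ([60000, 3000, 2, 120000, 80], "dos"),
                ([58000, 2800, 1, 110000, 60], "dos"), ([61000, 3100, 2, 125000, 90], "dos")]

def flow(dst_port, syn_only, *features):
    return {"dst_port": dst_port, "syn_only": syn_only, **dict(zip(FEATURES, features))}

def demo():
    ids = HybridIDS(constructed_baseline(), ATTACK_FLOWS)
    flows = {"benign_http": flow(8080, False, 1150, 17, 15, 3400, 30000),  # constructed
             "scan_probe": flow(22, True, 4, 1, 0, 0, 0),
             # one-way bulk flow: no labelled class fits, only the forest can call it novel
             "exfil_like": flow(4444, False, 9000, 400, 0, 5_000_000, 0)}
    return {name: ids.inspect(f) for name, f in flows.items()}
```

Calling demo() scores the three constructed flows. The scan probe is caught by both the rule layer and the KNN; the one-way bulk flow matches no labelled class (the KNN still has to pick one, since it can only return labels it was trained on) and is flagged only because its Isolation Forest score exceeds everything in the benign baseline, which is the role the Results paragraph assigns to the unsupervised model. The threshold here is calibrated on the baseline itself with contamination assumed to be zero; in practice a quantile of the baseline scores is used to trade recall against the false positives the Results paragraph mentions.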
Place, publisher, year, edition, pages
2025, p. 65
Keywords [en]
Kubernetes, Intrusion Detection System, Machine Learning, Network Flow, Anomaly Detection
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-28432
OAI: oai:DiVA.org:bth-28432
DiVA, id: diva2:1986733
External cooperation
Ericsson AB
Subject / course
DV2572 Master's Thesis in Computer Science
Educational program
DVADA Master Qualification Plan in Computer Science
Available from: 2025-08-07 Created: 2025-08-03 Last updated: 2025-09-30 Bibliographically approved