This article presents a systematic analysis of methodological approaches to applying machine learning for network security monitoring in Kubernetes environments, where the dynamic nature of containerized workloads, microservice architectures, and distributed observability significantly complicate attack detection and interpretation. The study is conducted as a review-and-analytical synthesis of peer-reviewed publications, summarizing architectural models, telemetry types, algorithmic approaches, and operational constraints without quantitative aggregation of results, owing to the methodological heterogeneity of the sources. Particular attention is paid to the impact of the Kubernetes network infrastructure on the properties of the observed data, the role of non-identical and imbalanced distributions in distributed environments, and the limitations of classical centralized training schemes. The analysis shows that the prevailing practice of using ML-based intrusion detection systems is oriented toward isolated event detection and does not account for the systemic telemetry distortions introduced by container network interfaces and the control plane. It is established that the greatest practical robustness is demonstrated by architectures based on hybrid data sources and federated learning algorithms, as well as by two-tier schemes that separate anomaly detection from semantic interpretation. It is shown that the effectiveness of ML monitoring in Kubernetes is determined not so much by model complexity as by the degree of architectural integration into a managed security control loop encompassing observation, analysis, interpretation, and controlled response. The article will be useful to cybersecurity researchers, cloud platform architects, container security engineers, and specialists in operating distributed systems.