CN109413065A - A kind of cluster safety management method based on container - Google Patents

A kind of cluster safety management method based on container

Info

Publication number
CN109413065A
Authority
CN
China
Prior art keywords
cluster
pod
service account
strategy
namespace
Legal status
Pending
Application number
CN201811252387.4A
Other languages
Chinese (zh)
Inventor
石光银
潘峰
王文岗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Inspur Cloud Information Technology Co Ltd
Original Assignee
Shandong Inspur Cloud Information Technology Co Ltd
Priority date
2018-10-25
Filing date
2018-10-25
Publication date
2019-03-01

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a container-based cluster security management method. Specifically, the method uses the cluster role management function of RBAC to control users' operating permissions on cluster resources; isolates tenants on the network by configuring network isolation policies, preventing arbitrary access between tenants' applications; and restricts the cluster's super privileges through pod security policies, preventing container groups from maliciously damaging the host. Compared with the prior art, the container-based cluster security management method of the invention improves the security level of the cluster and enhances its high availability.

Description

A kind of cluster safety management method based on container
Technical field
The present invention relates to the technical field of containers, and specifically to a container-based cluster security management method.
Background technique
Kubernetes is a new distributed architecture based on container technology. Building on Docker, it provides a complete set of functions for containerized applications, such as deployment and operation, resource scheduling, service discovery and dynamic scaling, which improves the convenience and high availability of large-scale container cluster management.
Kubernetes cluster security covers the security of the cluster nodes, of the tenant applications in the cluster, and of the cluster resources. If cluster security is not managed in a unified way, the security level of the cluster is very low: a user can easily control cluster node resources and carry out destructive actions, which may ultimately destroy the cluster and make it unavailable. How to manage cluster security is therefore an urgent problem to be solved.
An existing method and system for implementing multi-tenant network isolation in a Kubernetes cluster (application number 201711070531.8) works as follows. The Kubernetes front-end interface receives the tenant creation configuration, using the Namespace name as a label; after the back end receives the parameters, it automatically creates a Namespace that refuses communication with any Pod, then creates a NetworkPolicy that allows communication with the Pods of that Namespace, completing the network isolation setup of the Namespace corresponding to the tenant. When the user creates an application or service, the label is automatically passed on as the Pod's label, marking the Pod to use the NetworkPolicy of that Namespace; when the user deletes the Pod of an application or service, the Kubernetes cluster also automatically cleans up the related NetworkPolicy without affecting the access of other Pods in the existing environment. Configuring multi-tenant network isolation with the Calico network plug-in together with NetworkPolicy makes up for the lack of network isolation between different Namespaces in Kubernetes, helps users use their tenant's Kubernetes cluster network more safely, and helps operations staff manage the multi-tenant Kubernetes cluster network. Its drawback is that it improves cluster security only from the angle of network isolation and does not provide a unified improvement of cluster availability.
Summary of the invention
The technical task of the invention is to address the above deficiency by providing a container-based cluster security management method, a corresponding system, and a server for container-based cluster security management.
The technical solution adopted by the invention to solve the technical problem is a container-based cluster security management method, which is as follows:
Through the cluster role management function of RBAC, control users' operating permissions on cluster resources;
Isolate tenants on the network by configuring network isolation policies, to prevent arbitrary access between tenants' applications;
Restrict the cluster's super privileges through pod security policies, to prevent container groups from maliciously damaging the host.
Further, in a preferred method, managing access permissions to cluster resources through RBAC includes:
When a Pod specifies a service account, the pod's operating permissions on cluster resources are determined by the role bindings of that service account;
When the service account is associated with a rolebinding, the service account, user and user group operate the resources under one specific namespace;
When the service account is associated with a clusterrolebinding, the service account, user and user group operate the resources of the entire cluster;
When the Pod does not specify a service account, the default service account of the namespace is mounted.
Further, in a preferred method, restricting the cluster's super privileges through pod security policies includes:
Through cluster role management, the container group security policy is bound by a rolebinding to the service account of a specific namespace; whether a pod obtains the super privilege to operate the host is then determined by its service account.
Further, in a preferred method, isolating tenants on the network by configuring network isolation policies specifically includes:
Creating a network isolation policy for the namespace that blocks access from other namespaces; this network isolation policy is the deny-other-ns policy.
Further, in a preferred method, isolating tenants on the network by configuring network isolation policies also includes:
Within a namespace, configuring a network isolation policy for a pod so that only the designated pods may access it; this network isolation policy is the allow-ns-pod policy.
Further, in a preferred method,
RBAC is implemented such that service accounts and users access cluster resources through the apiserver;
After a service account is created, a corresponding secret is generated that stores the token, the authentication certificate file and the namespace information. After a pod references the service account, the token, authentication certificate file and namespace are used inside that pod to interact with the apiserver.
Further, in a preferred method, restricting the cluster's super privileges through pod security policies specifically includes:
Setting up two classes of cluster-level resources, Cluster-psp and Default-psp;
Cluster-psp is applied through cluster-cr and cluster-rb-ns to the service accounts of specific namespaces, where cluster-rb-ns is the role binding corresponding to the cluster-level container group security policy; it manages cluster resources;
Default-psp is applied through default-cr and default-rb-ns to the service accounts of specific namespaces, where default-rb-ns is the role binding corresponding to the ordinary-level container group security policy; it is used for particular users and cannot manage cluster resources.
A container-based cluster security management system comprises a cluster role management module, a network isolation module and a pod security policy module;
The cluster role management module manages cluster resources through the apiserver by means of the cluster role management function of RBAC;
The network isolation module isolates tenants on the network by configuring network isolation;
The pod security policy module restricts the cluster's super privileges through pod security policies.
Further, in a preferred structure,
The cluster role management module includes a specified-service-account association unit and a default-service-account association unit. The specified-service-account association unit determines a pod's operating permissions on cluster resources according to the role bindings of its service account: when the service account is associated with a rolebinding, the service account, user and user group operate the resources under one specific namespace; when the service account is associated with a clusterrolebinding, the service account, user and user group operate the resources of the entire cluster. The default-service-account association unit mounts the default service account of the namespace when the Pod does not specify a service account;
The network isolation module includes a namespace network isolation unit and a pod network isolation unit. The namespace network isolation unit creates a network isolation policy for the namespace using the deny-other-ns policy, blocking access from other namespaces; the pod network isolation unit configures a network isolation policy for a pod using the allow-ns-pod policy, so that only the designated pods may access it;
The pod security policy module binds the container group security policy, through cluster role management, by a rolebinding to the service account of a specific namespace; whether a pod obtains the super privilege to operate the host is determined by its service account.
A server for container-based cluster security management comprises:
One or more processors;
A storage device for storing one or more programs;
When the one or more programs are executed by the one or more processors, the one or more processors implement the method of any one of claims 1-7.
Compared with the prior art, the container-based cluster security management method of the invention has the following beneficial effects:
1. By managing cluster security, protective measures are added for cluster nodes, tenants and programs, which effectively prevents destructive actions against the cluster and guarantees its stable operation;
2. The access permissions to cluster resources can be managed through RBAC, effectively protecting cluster resources from malicious damage;
3. Tenants can be isolated on the network through network policies, effectively preventing arbitrary access between tenants' applications and protecting a particular tenant's applications from malicious attack;
4. The cluster's super privileges can be restricted through pod security policies, preventing pods from maliciously damaging host resources.
Detailed description of the invention
The invention is further described below with reference to the drawings.
Figure 1 is a functional block diagram of the container-based cluster security management method.
Figure 2 is the RBAC functional block diagram of the container-based cluster security management method.
Figure 3 is the network isolation functional block diagram of the container-based cluster security management method.
Figure 4 is the pod security policy functional block diagram of the container-based cluster security management method.
Specific embodiment
The invention is further explained below with reference to the drawings and specific examples.
The terms used are as follows:
    • Kubernetes: container orchestration and scheduling service
    • RBAC (Role-Based Access Control): role-based access control
    • Token: the token used in computer identity authentication
    • Namespace: namespace
    • Ca: authentication certificate
    • Ca.crt: authentication certificate file
    • Serviceaccount: service account
    • User: user
    • Group: user group
    • Rolebinding: role binding resource
    • Clusterrolebinding: cluster role binding
    • Role: role
    • Clusterrole: cluster role
    • Apiserver: the API service of the container service
    • Pod: container group
    • Networkpolicy: network security policy
    • Deny-other-ns-networkpolicy: the network policy that isolates a namespace
    • allow-ns-pod-networkpolicy: the network policy that allows container groups under the same namespace to access each other
    • PodSecurityPolicy: container group security policy
    • Cluster-psp: the cluster-level container group security policy
    • Cluster-cr: the role corresponding to the cluster-level container group security policy
    • Cluster-rb-ns: the role binding corresponding to the cluster-level container group security policy
    • Default-psp: the ordinary-level container group security policy
    • Default-cr: the role corresponding to the ordinary-level container group security policy
    • Default-rb-ns: the role binding corresponding to the ordinary-level container group security policy
    • Secret: secret (key)
The invention is a container-based cluster security management method: RBAC controls users' permissions to operate cluster resources; network policies isolate tenant applications; and pod security policies prevent super privileges from being used to damage host resources.
Embodiment 1:
As shown in Fig. 1, in a K8S cluster the security policies are of two kinds: Networkpolicy (network security policy) and PodSecurityPolicy (container group security policy);
A network security policy isolates the network of a namespace, and can also isolate the networks of container groups within a namespace;
A container group security policy defines whether the containers in a container group may access host resources. To guarantee the security of the cluster nodes, container groups in namespaces other than the K8S system-level namespaces are not allowed to access host information such as the host network and system configuration.
The container group security policy (PSP) is a system resource. Through cluster role management it is bound by a role binding to the service account of a specific namespace, and whether a container group obtains the highest host permission is determined by its service account.
One, RBAC:
As shown in Fig. 2, RBAC (role-based access control) implements the access of service accounts and users to K8S cluster resources through the API service of the container service; a user group is a collective identifier for service accounts (serviceaccount) and users.
A service account implements the interaction of a container group (pod) process with the API service of the container service (apiserver). After a service account is created, a corresponding secret is generated that holds the token, the authentication certificate file (sa.crt) and the namespace information. Once a container group references a service account, the token, authentication certificate file and namespace can be used inside that container group to interact with the apiserver.
When a container group does not specify a service account, the default ordinary-level service account is mounted; every namespace has one default service account.
A role (Role) manages the resources under one namespace. A role binding (rolebinding) associates it with service accounts, users and user groups, so that the service account, user (user) or user group (group) can operate the resources under that specific namespace.
A cluster role (clusterrole) manages the resources of the entire cluster. A clusterrolebinding associates it with service accounts, users and user groups, so that the service account, user (user) or user group (group) can operate the resources of the entire cluster.
A K8S cluster has some default roles. For example, cluster-admin can manage all resources of the entire cluster and is a super-administrator role; other default roles can operate specific resources.
RBAC is an effective method of operating cluster resources and suits the scenario of managing cluster resources through the apiserver.
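The role and binding relationships described above, as an added example that is not part of the patent: a tenant service account bound to a namespace-scoped Role, the pod that names it, and, for contrast, a ClusterRoleBinding whose reach is the whole cluster. The namespace tenant-a, the service account names and the image are assumptions.

```yaml
# Added example, not the patent's own configuration.
# Assumed names: namespace tenant-a, service account app-sa, role app-reader.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: tenant-a
---
# A Role is namespace-scoped: these verbs apply only inside tenant-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: tenant-a
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps"]
  verbs: ["get", "list", "watch"]
---
# The RoleBinding ties the Role to the service account; a user or group
# could be listed as further subjects. With this binding the pod's token
# can read pods and configmaps in tenant-a and nothing anywhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
  namespace: tenant-a
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: tenant-a
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
---
# The pod must name the service account explicitly; otherwise the
# namespace's "default" service account and its token are mounted.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: tenant-a
spec:
  serviceAccountName: app-sa
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
---
# Contrast: a ClusterRoleBinding to the built-in cluster-admin ClusterRole
# gives its subject control of the entire cluster. Reserve such bindings for
# platform components in system namespaces, never tenant service accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admin-binding
subjects:
- kind: ServiceAccount
  name: platform-sa          # assumed platform service account
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

The effective permissions of a service account can be checked with `kubectl auth can-i list pods -n tenant-a --as=system:serviceaccount:tenant-a:app-sa`; pods that never call the apiserver should additionally set `automountServiceAccountToken: false` so no token is mounted at all.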
Two, NetWorkPolicy network security policy
A network security policy (networkpolicy) can isolate namespaces (namespace) and container groups (pod);
When a namespace creates a deny-other-ns-networkpolicy (the deny-other-ns policy, the network policy that isolates a namespace), other namespaces can no longer access the resources of the namespace where that network security policy exists.
If the resources of a namespace need to be accessed by other namespaces, the deny-other-ns policy cannot be set.
Within each namespace, an allow-ns-pod policy (allow-ns-pod-networkpolicy, the network policy that allows container groups under the same namespace to access each other) can be configured for a container group; after configuration, that container group only allows access from the designated container groups and not from any other container group.
In practice, according to the API of the network security policy, multiple network isolation policies can be configured; we preferentially use the two kinds deny-other-ns and allow-ns-pod.
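The two policy shapes just described, as an added example that is not part of the patent. The namespace tenant-a, the labels app=api, app=db and netpol=pod-level, and the port are assumptions; NetworkPolicy is only enforced when the CNI plug-in supports it (the prior art above uses Calico).

```yaml
# Added example, not the patent's own configuration.
#
# deny-other-ns: selects every pod in tenant-a except those marked
# netpol=pod-level, and allows ingress only from pods of the same
# namespace. A "from" entry that carries only a podSelector matches pods
# of the policy's own namespace, so traffic from other namespaces is
# dropped. Only ingress is restricted; egress stays open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-other-ns
  namespace: tenant-a
spec:
  podSelector:
    matchExpressions:
    - key: netpol
      operator: NotIn
      values: ["pod-level"]
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector: {}
---
# allow-ns-pod: the db pod (app=db, netpol=pod-level) accepts ingress only
# from app=api pods in tenant-a on TCP 5432. Policies are additive: a pod
# may receive whatever any policy selecting it allows. That is why the db
# pod is excluded from deny-other-ns above; if both policies selected it,
# the same-namespace allow rule would still admit every pod in tenant-a
# and this narrower allow-list would have no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ns-pod
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      app: db
      netpol: pod-level
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

A pod selected by no policy at all remains reachable from every namespace, so the deny-other-ns selector should cover everything that does not have its own pod-level policy.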
Three .PodSecurityPolicy container group security strategies
PodSecurityPolicy is a cluster-level resource that does not distinguish namespaces. We set up two classes of PSP: one manages the cluster and has larger permissions, the other is the default and has smaller permissions. The two classes are, respectively, Cluster-psp, the cluster-level container group security policy, and default-psp, the ordinary-level container group security policy;
Cluster-psp, the cluster-level container group security policy, is applied through cluster-cr (the role corresponding to the cluster-level container group security policy) and cluster-rb-ns (the role binding corresponding to the cluster-level container group security policy) to the service accounts of specific namespaces. The namespaces that users work in cannot be given such large permissions and cannot operate key host resources such as the host's ports and network;
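The two PSP classes and the role and binding chain that grants their use, as an added example that is not part of the patent. The resource names follow the text (cluster-psp, default-psp, cluster-cr, cluster-rb-ns, default-cr, default-rb-ns); binding to the whole service-account group of a namespace rather than to one named account, and the namespaces kube-system and tenant-a, are assumptions. This requires the PodSecurityPolicy admission plugin; PSP was removed in Kubernetes 1.25 and replaced by Pod Security Admission, so on current clusters the same split is expressed with the privileged and restricted Pod Security Standards.

```yaml
# Added example, not the patent's own configuration.
# Cluster level: may use the host network, PID and IPC namespaces and
# run privileged. Only the system namespace should be able to use it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: cluster-psp
spec:
  privileged: true
  allowPrivilegeEscalation: true
  hostNetwork: true
  hostPID: true
  hostIPC: true
  volumes: ["*"]
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# Ordinary level: no host access, no privilege escalation, non-root only.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes: ["configMap", "secret", "emptyDir", "persistentVolumeClaim"]
  runAsUser: {rule: MustRunAsNonRoot}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1, max: 65535}]}
---
# cluster-cr / default-cr: ClusterRoles whose only verb is "use" on the
# named PSP. Admission lets a pod through only if its service account (or
# the requesting user) can "use" a PSP that its spec satisfies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-cr
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["cluster-psp"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: default-cr
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["default-psp"]
  verbs: ["use"]
---
# cluster-rb-ns: a RoleBinding in the system namespace, so only service
# accounts there can run host-level pods (assumed: the whole namespace's
# service-account group rather than one account).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-rb-ns
  namespace: kube-system
subjects:
- kind: Group
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-cr
  apiGroup: rbac.authorization.k8s.io
---
# default-rb-ns: a RoleBinding in a tenant namespace. Its service accounts
# may only use default-psp, so a tenant pod that asks for hostNetwork or
# privileged mode is rejected at admission.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-rb-ns
  namespace: tenant-a
subjects:
- kind: Group
  name: system:serviceaccounts:tenant-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: default-cr
  apiGroup: rbac.authorization.k8s.io
```

Pods created through a Deployment are submitted by the controller manager, so the binding on the pod's own service account is what decides which PSP applies; a "use" permission granted only to the human user who applied the Deployment does not carry over.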
Through the container-based cluster security management method of the invention, the corresponding system and the server that runs it, RBAC controls users' permissions to operate cluster resources and effectively protects cluster resources from malicious damage; network policies isolate tenant applications, effectively preventing arbitrary access between tenants' applications and protecting a particular tenant's applications from malicious attack; and pod security policies prevent super privileges from being used to damage host resources.
Technical personnel in this field can readily implement the present invention from the above specific embodiments. It should be understood, however, that the invention is not limited to the several specific embodiments above; on the basis of the disclosed embodiments, those skilled in the art can freely combine different technical features to obtain different technical solutions.

Claims (10)

1. A container-based cluster security management method, characterized in that the method is as follows:
Through the cluster role management function of RBAC, control users' operating permissions on cluster resources;
Isolate tenants on the network by configuring network isolation policies, to prevent arbitrary access between tenants' applications;
Restrict the cluster's super privileges through pod security policies, to prevent container groups from maliciously damaging the host.
2. The container-based cluster security management method according to claim 1, characterized in that managing access permissions to cluster resources through RBAC includes:
When a Pod specifies a service account, the pod's operating permissions on cluster resources are determined by the role bindings of that service account;
When the service account is associated with a rolebinding, the service account, user and user group operate the resources under one specific namespace;
When the service account is associated with a clusterrolebinding, the service account, user and user group operate the resources of the entire cluster;
When the Pod does not specify a service account, the default service account of the namespace is mounted.
3. The container-based cluster security management method according to claim 1, characterized in that restricting the cluster's super privileges through pod security policies includes:
Through cluster role management, the container group security policy is bound by a rolebinding to the service account of a specific namespace; whether a pod obtains the super privilege to operate the host is then determined by its service account.
4. The container-based cluster security management method according to claim 2 or 3, characterized in that isolating tenants on the network by configuring network isolation policies specifically includes:
Creating a network isolation policy for the namespace that blocks access from other namespaces; this network isolation policy is the deny-other-ns policy.
5. The container-based cluster security management method according to claim 4, characterized in that isolating tenants on the network by configuring network isolation policies also includes:
Within a namespace, configuring a network isolation policy for a pod so that only the designated pods may access it; this network isolation policy is the allow-ns-pod policy.
6. The container-based cluster security management method according to claim 2, characterized in that
RBAC is implemented such that service accounts and users access cluster resources through the apiserver;
After a service account is created, a corresponding secret is generated that stores the token, the authentication certificate file and the namespace information. After a pod references the service account, the token, authentication certificate file and namespace are used inside that pod to interact with the apiserver.
7. The container-based cluster security management method according to claim 3, characterized in that restricting the cluster's super privileges through pod security policies specifically includes:
Setting up two classes of cluster-level resources, Cluster-psp and Default-psp;
Cluster-psp is applied through cluster-cr and cluster-rb-ns to the service accounts of specific namespaces, where cluster-rb-ns is the role binding corresponding to the cluster-level container group security policy; it manages cluster resources;
Default-psp is applied through default-cr and default-rb-ns to the service accounts of specific namespaces, where default-rb-ns is the role binding corresponding to the ordinary-level container group security policy; it is used for particular users and cannot manage cluster resources.
8. A container-based cluster security management system, characterized in that it comprises a cluster role management module, a network isolation module and a pod security policy module;
The cluster role management module manages cluster resources through the apiserver by means of the cluster role management function of RBAC;
The network isolation module isolates tenants on the network by configuring network isolation;
The pod security policy module restricts the cluster's super privileges through pod security policies.
9. The container-based cluster security management system according to claim 8, characterized in that the cluster role management module includes a specified-service-account association unit and a default-service-account association unit. The specified-service-account association unit determines a pod's operating permissions on cluster resources according to the role bindings of its service account: when the service account is associated with a rolebinding, the service account, user and user group operate the resources under one specific namespace; when the service account is associated with a clusterrolebinding, the service account, user and user group operate the resources of the entire cluster. The default-service-account association unit mounts the default service account of the namespace when the Pod does not specify a service account;
The network isolation module includes a namespace network isolation unit and a pod network isolation unit. The namespace network isolation unit creates a network isolation policy for the namespace using the deny-other-ns policy, blocking access from other namespaces; the pod network isolation unit configures a network isolation policy for a pod using the allow-ns-pod policy, so that only the designated pods may access it;
The pod security policy module binds the container group security policy, through cluster role management, by a rolebinding to the service account of a specific namespace; whether a pod obtains the super privilege to operate the host is determined by its service account.
10. A server for container-based cluster security management, characterized in that it comprises:
One or more processors;
A storage device for storing one or more programs;
When the one or more programs are executed by the one or more processors, the one or more processors implement the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811252387.4A CN109413065A (en) 2018-10-25 2018-10-25 A kind of cluster safety management method based on container


Publications (1)

Publication Number Publication Date
CN109413065A true CN109413065A (en) 2019-03-01

Family

ID=65469928


Country Status (1)

Country Link
CN (1) CN109413065A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120233668A1 (en) * 2011-03-08 2012-09-13 Rackspace Us, Inc. Pluggable Allocation in a Cloud Computing System
CN105354076A (en) * 2015-10-23 2016-02-24 深圳前海达闼云端智能科技有限公司 Application deployment method and device
CN107864131A (en) * 2017-11-03 2018-03-30 郑州云海信息技术有限公司 A kind of method and system for realizing Kubernetes cluster multi-tenant Network Isolations


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
K8S技术圈: "Kubernetes RBAC explained in detail", HTTPS://WWW.JIANSHU.COM/P/F77D5D0DF58B *
SHIRDRN: "Pod security policy", HTTP://DOCS.KUBERNETES.ORG.CN/690.HTML *
翻江倒海一条鱼: "Kubernetes Network Policies: restricting pods of other namespaces from accessing the pods of this namespace", HTTPS://WWW.JIANSHU.COM/P/E4625024FA64 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175077A (en) * 2019-05-27 2019-08-27 浪潮云信息技术有限公司 A kind of method and system based on order management container resource
CN110336758A (en) * 2019-05-28 2019-10-15 厦门网宿有限公司 Data distributing method and virtual router in a kind of virtual router
CN110336758B (en) * 2019-05-28 2022-10-28 厦门网宿有限公司 Data distribution method in virtual router and virtual router
CN110266679A (en) * 2019-06-14 2019-09-20 腾讯科技(成都)有限公司 Capacitor network partition method and device
CN110266679B (en) * 2019-06-14 2023-02-28 腾讯科技(成都)有限公司 Container network isolation method and device
CN110519361B (en) * 2019-08-22 2022-07-29 北京宝兰德软件股份有限公司 Container cloud platform multi-tenant construction method and device based on kubernets
CN110519361A (en) * 2019-08-22 2019-11-29 北京宝兰德软件股份有限公司 Container cloud platform multi-tenant construction method and device based on kubernetes
CN110990150A (en) * 2019-11-15 2020-04-10 北京浪潮数据技术有限公司 Tenant management method and system of container cloud platform, electronic device and storage medium
CN111162941A (en) * 2019-12-26 2020-05-15 浪潮云信息技术有限公司 Method for automatically managing virtual IP (Internet protocol) in Kubernetes environment
CN111162941B (en) * 2019-12-26 2023-04-07 浪潮云信息技术股份公司 Method for automatically managing virtual IP (Internet protocol) in Kubernetes environment
CN111399980A (en) * 2020-03-16 2020-07-10 中国联合网络通信集团有限公司 Safety authentication method, device and system for container organizer
CN111625349A (en) * 2020-04-14 2020-09-04 金蝶软件(中国)有限公司 Pod isolation method, device, equipment and storage medium in container scheduling platform
CN111935110A (en) * 2020-07-24 2020-11-13 北京金山云网络技术有限公司 Method and device for controlling permission of tenant to access container instance
CN111935110B (en) * 2020-07-24 2022-05-06 北京金山云网络技术有限公司 Method and device for controlling permission of tenant to access container instance
US11700274B1 (en) 2021-02-04 2023-07-11 Cisco Technology, Inc. Systems and methods for protecting pod deployment
US11704413B2 (en) 2021-04-22 2023-07-18 International Business Machines Corporation Assessing latent security risks in Kubernetes cluster
US11947660B2 (en) 2021-08-31 2024-04-02 International Business Machines Corporation Securing pods in a container orchestration environment
CN114650170A (en) * 2022-02-24 2022-06-21 京东科技信息技术有限公司 Cross-cluster resource management method, device, equipment and storage medium
CN114650170B (en) * 2022-02-24 2024-02-02 京东科技信息技术有限公司 Cross-cluster resource management method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN109413065A (en) A kind of cluster safety management method based on container
CN109219949B (en) Method and apparatus for configuring security domains in a network function virtualization infrastructure
CN101986599B (en) Network security control method based on cloud service and cloud security gateway
CN103870749B (en) A kind of safety monitoring system and method for realizing dummy machine system
CN101594360B (en) Local area network system and method for maintaining safety thereof
CN109413080B (en) Cross-domain dynamic authority control method and system
WO2002008870A2 (en) Distributive access controller
CN107426152B (en) Multitask security isolation system and method under cloud platform actual situation Interconnection Environment
CN107026825A (en) A kind of method and system for accessing big data system
CN111447222A (en) Distributed system authority authentication system and method based on micro-service architecture
CN103763369B (en) A kind of multiple authority distributing method based on SAN storage system
CN106845183A (en) A kind of application container engine management method and system
CN110719298A (en) Method and device for supporting user-defined change of privileged account password
CN106341369A (en) Security control method and device
CN107707573A (en) Data access method and its device and computer installation and its readable storage medium storing program for executing
CN103778379B (en) Application in management equipment performs and data access
CN111818059A (en) Automatic construction system and method for access control strategy of high-level information system
CN114978697A (en) Network information system endogenous security defense method, device, equipment and medium
CN114244568B (en) Security access control method, device and equipment based on terminal access behavior
CN111083088B (en) Cloud platform hierarchical management method and device based on multiple security domains
CN109977644A (en) Right management method is classified under a kind of Android platform
CN110474916A (en) Web oriented application provides the method and device of franchise account
CN106790219A (en) The access control method and system of a kind of SDN controllers
Ahmed et al. A generalized threat taxonomy for cloud computing
CN107465688B (en) Method for identifying network application permission of state monitoring and evaluating system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190301