CN111510515B - Method and device for distinguishing containers of mixed application environment - Google Patents

Info

Publication number: CN111510515B
Application number: CN202010266073.0A
Authority: CN (China)
Prior art keywords: address translation, network address, cluster, container, central network
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111510515A (en)
Inventors: 李宗恺, 冯逸航
Current Assignee: China Construction Bank Corp
Original Assignee: China Construction Bank Corp, CCB Finetech Co Ltd

Events
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd
Priority to CN202010266073.0A
Publication of CN111510515A
Application granted
Publication of CN111510515B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2532 Clique of NAT servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances


Abstract

The invention provides a method and a device for distinguishing containers of a mixed application environment. The method comprises the following steps: screening a central network address translation node from a Kubernetes cluster and deploying a keepalived container on that node; converging the request traffic that containers in the Kubernetes cluster send when actively accessing the outside of the cluster onto the central network address translation node; and controlling the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node, using the eIP of that node and a network address translation method. The method at least solves the prior-art problem that, because many containers in a K8S cluster share one IP, the outside of the K8S cluster cannot clearly determine from a single IP which container the access traffic from inside the cluster comes from.

Description

Method and device for distinguishing containers of mixed application environment
Technical Field
The present application belongs to the technical field of container networks, and in particular, to a method and an apparatus for distinguishing containers of a hybrid application environment.
Background
Kubernetes (hereinafter K8S) uses the Container Network Interface (hereinafter CNI) as the de facto standard for container networks. As a standard, CNI imposes three basic constraints on every implementation of a Kubernetes container network plug-in: the IP a container sees for itself is the same IP the outside world sees for it; network communication between containers does not require network address translation (NAT); and network communication between a container and the cluster node hosting it does not require NAT. These three rules mainly describe container network communication within a K8S cluster and constrain Kubernetes container network plug-ins; they apply to containers within a K8S cluster and to nodes within the cluster, whose IPs lie inside the K8S cluster.
Communication with the outside of the cluster requires NAT. NAT is the common solution because IP addresses are managed resources in conventional data centers and in typical public cloud environments, and elastic resources such as containers, with their flexible demand for IPs, pose a challenge to IP management. Since the containers of a K8S cluster are typically assigned IPs from private virtual networks that are not directly reachable from outside the cluster, NAT is also performed on the nodes of the K8S cluster. When a container in the K8S cluster actively accesses a node outside the cluster, the container generally initiates the communication through NAT on its host node, using the IP of that compute node. For access from outside the K8S cluster to containers inside it, K8S provides hostNetwork and NodePort, among others, for layer-four access, and Ingress for layer-seven access. Both NodePort and Ingress involve NAT; hostNetwork does not need NAT because the container occupies the node's port directly, but it correspondingly introduces port limitations.
For layer-four communication between the container cluster and the outside, whether a container accesses the outside of the cluster or the outside accesses the inside of the cluster through NodePort, the NAT involved necessarily introduces a problem: the K8S cluster uses a small number of heavily reused IPs to perform address translation for containers from different namespaces. This means that, from outside the cluster, it is difficult to determine from a single IP which namespace and which tenant traffic originating inside the cluster comes from, which poses a challenge to network security. Therefore, for containers within a container cluster communicating with the outside over a layer-four network in scenarios with high security requirements (for example, when blacklist- or whitelist-style restrictions are applied to the IPs accessing the outside of the cluster), the K8S cluster or the container network interface needs to provide a mechanism by which the container's IP can be distinguished, so that container traffic from different namespaces can be told apart.
Disclosure of Invention
The application provides a method and a device for distinguishing containers of a hybrid application environment, so as to at least solve the prior-art problem that, because many containers in a K8S cluster share one IP, the outside of the K8S cluster cannot clearly determine from a single IP which container the access traffic from inside the cluster comes from.
According to an aspect of the present application, there is provided a method of distinguishing containers of a hybrid application environment, including:
screening a central network address translation node from a Kubernetes cluster, and deploying a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node;
converging the request traffic that a container in the Kubernetes cluster sends when actively accessing the outside of the cluster onto the central network address translation node;
using the eIP of the central network address translation node and a network address translation method to control the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node.
In an embodiment, the method of differentiating containers of a hybrid application environment further comprises:
when the eIP of the central network address translation node drifts, obtaining the information of the current central network address translation node through the keepalived container, and updating the annotations of the service with that information so that components on each node in the Kubernetes cluster can obtain it by watching the service.
In one embodiment, the method for converging request traffic issued by a container inside a cluster for actively accessing the outside of the cluster to a central network address translation node comprises the following steps:
when Kubernetes uses a container network interface implementation based on OpenvSwitch, redirecting the request traffic to an OpenvSwitch bridge port on the central network address translation node by modifying the OpenvSwitch flow table rules;
and modifying the destination Ethernet address of the request traffic to the Ethernet address of the OpenvSwitch bridge port.
In one embodiment, the method for converging request traffic issued by a container inside the cluster for actively accessing outside the cluster to the central network address translation node further comprises:
when Kubernetes uses a routing-based container network interface implementation, modifying the routes of the containers inside the cluster that belong to the service configured with eIP so that they point to the central network address translation node, by configuring policy routing.
According to another aspect of the present application, there is also provided an apparatus for distinguishing a container of a hybrid application environment, including:
a selection and deployment unit, used for screening the central network address translation node from the Kubernetes cluster and deploying a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node;
the convergence unit is used for converging request flow which is sent by a container in the Kubernetes cluster and is generated by actively accessing the outside of the cluster to the central network address translation node;
and the external access unit is used for controlling the container inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node by utilizing eIP of the central network address translation node and a network address translation method.
In one embodiment, the apparatus for differentiating containers of a hybrid application environment further comprises:
a drift processing unit, used, when the eIP of the central network address translation node drifts, for acquiring the information of the current central network address translation node through the keepalived container and updating the annotations of the service according to that information, so that the components on each node in the Kubernetes cluster can obtain it by watching the service.
In one embodiment, the convergence unit includes:
a first modification module, configured to redirect request traffic to an OpenvSwitch bridge port on the central network address translation node by modifying the OpenvSwitch flow table rules when Kubernetes uses an OpenvSwitch-based container network interface implementation;
and an Ethernet address modification module, used for modifying the destination Ethernet address of the request traffic to the Ethernet address of the OpenvSwitch bridge port.
In one embodiment, the convergence unit includes:
a policy routing configuration module, used for modifying the routes of the containers inside the cluster that belong to the service configured with eIP so that they point to the central network address translation node, by configuring policy routing, when Kubernetes uses a routing-based container network interface implementation.
The method provided by the application enables an administrator to allocate IPs that are recognizable and accessible outside the cluster as the externalIPs (eIP) of different services when containers in the K8S cluster communicate with the outside of the cluster at network layer four. By means of the eIP, whether a container of the K8S cluster is accessed from outside the cluster or actively accesses the outside of the cluster, the outside of the cluster can tell apart the containers behind different services by their eIP, so as to achieve the corresponding security purpose.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for distinguishing containers of a hybrid application environment provided by the present application.
Fig. 2 is a flowchart of a method for converging request traffic to a central network address translation node according to an embodiment of the present disclosure.
Fig. 3 is a block diagram illustrating an apparatus for distinguishing containers in a hybrid application environment according to the present application.
Fig. 4 is a block diagram of a convergence unit according to an embodiment of the present disclosure.
Fig. 5 is a block diagram of another convergence unit according to an embodiment of the present application.
Fig. 6 is a specific implementation of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Based on the problems of the prior art mentioned in the background, the present application provides a method for distinguishing containers of a hybrid application environment, as shown in fig. 1, comprising:
S101: screening the central network address translation node from the Kubernetes cluster, and deploying keepalived containers on the central network address translation node, wherein the keepalived containers are used for managing the eIP of the central network address translation node.
A K8S Service itself has an attribute named externalIPs. Traffic that reaches cluster nodes with a destination IP listed in externalIPs (such an IP is hereinafter referred to as eIP) is turned into service traffic through NAT, and an eIP is generally an IP that is recognizable and directly accessible outside the cluster. This attribute may be used to resolve different services within the cluster to different IPs outside the cluster, but eIP requires an administrator to configure the IPs onto the cluster nodes by manual addition, and the high availability of the IPs also becomes the administrator's responsibility.
In one embodiment, a set of keepalived containers may be deployed as a DaemonSet onto a set of K8S compute nodes selected with label selectors. These containers are responsible only for managing the eIP, while NAT and load-balanced forwarding from the eIP to the Pods behind the service continue to be provided by K8S itself. A set of keepalived containers causes the eIP to be bound and switched only on the K8S nodes where they are deployed; in other words, the eIP is provided only by these compute nodes, which may be called Centralized NAT (CNAT, central network address translation) nodes. Only one of the CNAT nodes is in the working state at any time (that is, provides the eIP to the outside), so request traffic from outside the cluster can enter the cluster via the eIP only through NAT processing on this working node (that is, the request source IP received by a Pod behind the service is some IP on the CNAT node).
S102: converging the request traffic that a container in the Kubernetes cluster sends when actively accessing the outside of the cluster onto the central network address translation node.
In a specific embodiment, in order to track which container outgoing access request traffic from inside the cluster comes from, when a service inside the K8S cluster actively accesses the outside of the cluster, the outgoing request traffic should also be forwarded to the CNAT node first, and then leave the cluster through NAT processing using the eIP.
S103: using the eIP of the central network address translation node and a network address translation method to control the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node.
In an embodiment, the method of differentiating containers of a hybrid application environment further comprises:
when the eIP of the central network address translation node drifts, the information of the current central network address translation node is obtained through the keepalived container and is broadcast to each node in the Kubernetes cluster.
In a specific embodiment, since the keepalived container provides high availability for the eIP, the eIP may drift and the CNAT node in the working state may change, which affects the redirection to the CNAT node. Because the CNAT node is not a fixed node, all configuration information about it changes on a switch-over, whether it is the Ethernet address of the OVS port in the OVS (OpenvSwitch) flow table or the next hop of the default route in Calico policy routing, so a mechanism is needed to propagate the change. This requires some extra work from the keepalived container: when the eIP drifts, the keepalived container in the Master state acquires the information of the current CNAT node and writes it into the annotations of the service bound to the eIP through the K8S API. The kube-proxy on each node is then responsible for updating the corresponding OVS flow table or policy routing according to the change in the service's annotations.
In practice, the CNI plug-in implementing the above technique needs to replace the one used by K8S. An administrator groups several compute nodes as CNAT nodes and deploys a separate group of keepalived containers for each group of CNAT nodes; the keepalived containers are responsible for mounting the eIP. Then, the administrator or the K8S service provider allocates an eIP to the tenant that needs one, provided there is no conflict in eIP allocation, and the tenant adds the eIP to the externalIPs attribute of the desired service.
In an embodiment, converging request traffic issued by a container inside a cluster for actively accessing outside the cluster to a central network address translation node, as shown in fig. 2, includes:
S201: when Kubernetes uses an OpenvSwitch-based implementation of the container network interface standard, redirecting the request traffic to the OpenvSwitch bridge port on the central network address translation node by modifying the OpenvSwitch flow table rules.
In a particular embodiment, when Kubernetes uses a CNI implemented on Openvswitch (OVS), request traffic from a container inside the cluster to the outside of the cluster may be redirected to the port of the OVS bridge that leads to the CNAT node by modifying the OVS flow table rules.
S202: and modifying the destination Ethernet address of the request traffic into the Ethernet address of the OpenvSwitch bridge port.
In a specific embodiment, since the request traffic is redirected, the destination ethernet address of the packet needs to be modified to the ethernet address of the destination OVS bridge port.
In one embodiment, the method for converging request traffic issued by a container inside a cluster and used for actively accessing the outside of the cluster to a central network address translation node further comprises the following steps:
when Kubernetes uses a routing-based container network interface implementation, the routes of the containers inside the cluster that belong to the service configured with eIP are modified to point to the central network address translation node by configuring policy routing.
In a specific embodiment, for a routing-based CNI such as Calico, the default route of the containers behind the service configured with eIP may be modified to point to the CNAT node by configuring policy routing, so that request traffic from the containers to the outside of the cluster is redirected to the CNAT node.
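A model of the CNAT scheme described in S101 to S103, the eIP drift handling, and the OVS and Calico redirection embodiments above, added here as an illustration and not code from the patent. The annotation key, node and pod addresses, OVS port numbers and MAC addresses are constructed, and the ovs-ofctl and ip commands that kube-proxy would apply are produced as strings rather than executed.

```python
"""Constructed model of eIP-based egress attribution: one keepalived-managed CNAT
node holds a service's eIP, pod egress behind that service is steered to it and
SNATed to the eIP, so an observer outside the cluster can map the source IP back
to a service and tenant. Not the patent's own code."""
from dataclasses import dataclass, field
import ipaddress

CLUSTER_CIDR = ipaddress.ip_network("10.244.0.0/16")   # constructed pod network
CNAT_ANNOTATION = "cnat.example/current-node"          # assumed annotation key


@dataclass
class Node:
    name: str
    node_ip: str      # IP used for ordinary (shared) SNAT on this node
    ovs_port: int     # OVS bridge port that leads to this node (OVS mode)
    port_mac: str     # Ethernet address of that bridge port


@dataclass
class Service:
    name: str
    namespace: str           # stands in for the tenant
    external_ips: list       # the service's externalIPs, i.e. its eIP(s)
    pod_ips: list
    annotations: dict = field(default_factory=dict)


def keepalived_on_drift(service, master: Node):
    """Master-state keepalived container: after the eIP moves, record the current
    CNAT node on the service (via the K8S API in practice; a dict here)."""
    service.annotations[CNAT_ANNOTATION] = master.name


def ovs_flows(service, nodes):
    """kube-proxy, OVS-based CNI: flow rules that steer pod egress to the CNAT
    node's bridge port and rewrite the destination MAC (ovs-ofctl syntax)."""
    cnat = nodes[service.annotations[CNAT_ANNOTATION]]
    # Higher priority: traffic staying inside the cluster is switched normally.
    flows = [f"priority=200,ip,nw_dst={CLUSTER_CIDR},actions=NORMAL"]
    for pod_ip in service.pod_ips:
        flows.append(f"priority=100,ip,nw_src={pod_ip},"
                     f"actions=mod_dl_dst:{cnat.port_mac},output:{cnat.ovs_port}")
    return flows


def policy_routes(service, nodes, table=100):
    """kube-proxy, route-based CNI (Calico): policy routing that sends the pods'
    default route to the CNAT node while keeping cluster-internal routes."""
    cnat = nodes[service.annotations[CNAT_ANNOTATION]]
    cmds = []
    for pod_ip in service.pod_ips:
        cmds.append(f"ip rule add from {pod_ip} to {CLUSTER_CIDR} lookup main pref 99")
        cmds.append(f"ip rule add from {pod_ip} lookup {table} pref 100")
    cmds.append(f"ip route replace default via {cnat.node_ip} table {table}")
    return cmds


def egress_source(pod_ip, host: Node, services):
    """Source IP seen outside the cluster. Pods behind an eIP service leave via
    the CNAT node and are SNATed to the eIP; everything else shares the host IP."""
    for svc in services:
        if pod_ip in svc.pod_ips and svc.external_ips:
            return svc.external_ips[0]
    return host.node_ip


def attribute(src_ip, services):
    """Outside the cluster (e.g. a firewall log): map an observed source IP back
    to (namespace, service); None when it is only a shared node IP."""
    for svc in services:
        if src_ip in svc.external_ips:
            return (svc.namespace, svc.name)
    return None


# Constructed topology: two CNAT candidates, one eIP service per tenant, plus a
# service without an eIP that still egresses under the shared node IP.
NODES = {
    "node-a": Node("node-a", "192.0.2.10", 3, "02:00:00:00:00:0a"),
    "node-b": Node("node-b", "192.0.2.11", 4, "02:00:00:00:00:0b"),
}
PAY = Service("payments", "tenant-1", ["198.51.100.5"], ["10.244.1.5", "10.244.2.7"])
RISK = Service("risk", "tenant-2", ["198.51.100.6"], ["10.244.3.9"])
PLAIN = Service("batch", "tenant-3", [], ["10.244.4.2"])
SERVICES = [PAY, RISK, PLAIN]
keepalived_on_drift(PAY, NODES["node-a"])    # node-a currently holds both eIPs
keepalived_on_drift(RISK, NODES["node-a"])

if __name__ == "__main__":
    for f in ovs_flows(PAY, NODES):
        print("ovs-ofctl add-flow br0", f)
    print(attribute(egress_source("10.244.1.5", NODES["node-b"], SERVICES), SERVICES))
    print(attribute(egress_source("10.244.4.2", NODES["node-b"], SERVICES), SERVICES))
```

The last call returns None: a pod behind a service without an eIP still leaves under the shared node IP, which is exactly the attribution gap the background section describes.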
Based on the same inventive concept, the embodiments of the present application further provide a device for distinguishing containers in a hybrid application environment, which can be used to implement the method described in the above embodiments, as described in the following embodiments. Since the principle of solution of the device for distinguishing the container of the mixed application environment is similar to that of the method for distinguishing the container of the mixed application environment, the implementation of the device for distinguishing the container of the mixed application environment can be referred to the implementation of the method for distinguishing the container of the mixed application environment, and repeated details are omitted. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
As shown in fig. 3, the present application provides an apparatus for distinguishing a container of a hybrid application environment, comprising:
a selection and deployment unit 301, configured to screen a central network address translation node from a Kubernetes cluster and deploy a keepalived container on the central network address translation node, where the keepalived container is used to manage the eIP of the central network address translation node;
a convergence unit 302, configured to converge the request traffic that a container inside the Kubernetes cluster sends when actively accessing the outside of the cluster onto the central network address translation node;
an external access unit 303, configured to control the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node by using the eIP of the central network address translation node and a network address translation method.
In one embodiment, the apparatus for differentiating containers of a hybrid application environment further comprises:
a drift processing unit, used, when the eIP of the central network address translation node drifts, for acquiring the information of the current central network address translation node through the keepalived container and broadcasting it to each node in the Kubernetes cluster.
In one embodiment, as shown in fig. 4, the convergence unit 302 includes:
a first modification module 401, configured to redirect request traffic to an OpenvSwitch bridge port on the central network address translation node by modifying the OpenvSwitch flow table rules when Kubernetes uses an OpenvSwitch-based implementation of the container network interface standard;
an Ethernet address modification module 402, configured to modify the destination Ethernet address of the request traffic to the Ethernet address of the OpenvSwitch bridge port.
In one embodiment, as shown in fig. 5, the convergence unit 302 includes:
a policy routing configuration module 501, configured to modify the routes of the containers inside the cluster that belong to the service configured with eIP so that they point to the central network address translation node, by configuring policy routing, when Kubernetes uses a routing-based container network interface implementation.
By the method and the device, when containers in the K8S cluster communicate with the outside of the cluster at network layer four, an administrator can allocate IPs that are recognizable and accessible outside the cluster to different services as the services' externalIPs. By means of the eIP, whether a container of the K8S cluster is accessed from outside the cluster or actively accesses the outside of the cluster, the outside of the cluster can tell apart the containers behind different services by their eIP, so as to achieve the corresponding security purpose.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
An embodiment of the present application further provides a specific implementation manner of an electronic device, which is capable of implementing all steps in the method in the foregoing embodiment, and referring to fig. 6, the electronic device specifically includes the following contents:
a processor 601, a memory 602, a communication interface 603, a bus 604, and a non-volatile memory 605;
the processor 601, the memory 602, and the communication interface 603 communicate with one another through the bus 604;
the processor 601 is configured to call the computer programs in the memory 602 and the non-volatile memory 605, and when the processor executes the computer programs it implements all the steps of the method in the foregoing embodiments, for example the following steps:
S101: screening the central network address translation node from the Kubernetes cluster, and deploying a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node.
S102: converging, to the central network address translation node, the request traffic that is sent by a container inside the Kubernetes cluster and generated by actively accessing the outside of the cluster.
S103: controlling the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node by using the eIP of the central network address translation node and a network address translation method.
Embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps of the method in the above embodiments. The computer-readable storage medium stores a computer program which, when executed by a processor, implements all the steps of the method in the above embodiments; for example, the processor implements the following steps when executing the computer program:
S101: screening the central network address translation node from the Kubernetes cluster, and deploying a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node.
S102: converging, to the central network address translation node, the request traffic that is sent by a container inside the Kubernetes cluster and generated by actively accessing the outside of the cluster.
S103: controlling the containers inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node by using the eIP of the central network address translation node and a network address translation method.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the hardware + program class embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the partial description of the method embodiment. Although the embodiments herein provide method operation steps as described in the embodiments or flowcharts, more or fewer operation steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual apparatus or end product executes, it may execute sequentially or in parallel (e.g., parallel processors or multi-threaded environments, or even distributed data processing environments) according to the method shown in the embodiment or the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded. For convenience of description, the above devices are described as being divided into various modules by functions, which are described separately. 
Of course, when implementing the embodiments of the present specification, the functions of each module may be implemented in one or more pieces of software and/or hardware, or a module that implements the same function may be implemented by a combination of multiple sub-modules or sub-units, or the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein. All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction. The above description is only an example of the embodiments of the present disclosure, and is not intended to limit the embodiments of the present disclosure. Various modifications and variations to the embodiments described herein will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the embodiments of the present invention should be included in the scope of the claims of the embodiments of the present invention.

Claims (8)

1. A method of differentiating containers of a hybrid application environment, comprising:
screening a central network address translation node from a Kubernetes cluster, and deploying a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node;
converging, to the central network address translation node, request traffic that is sent by a container inside the Kubernetes cluster and generated by actively accessing the outside of the Kubernetes cluster;
controlling a container inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node by utilizing the eIP of the central network address translation node and a network address translation method;
the method for distinguishing the containers of the mixed application environment further comprises the following step:
when the eIP of the central network address translation node drifts, obtaining the information of the current central network address translation node through the keepalived container, and, by updating the annotation of the Service with the information of the current central network address translation node, enabling the components on each node in the Kubernetes cluster to obtain that information by way of watch.
2. The method for distinguishing containers of a hybrid application environment according to claim 1, wherein said converging, to said central network address translation node, request traffic that is sent by a container inside said Kubernetes cluster and generated by actively accessing the outside of said cluster comprises:
when Kubernetes uses a container network interface standard implemented based on OpenvSwitch, redirecting the request traffic to an OpenvSwitch bridge port on the central network address translation node by modifying the flow table rules of OpenvSwitch;
and modifying the destination Ethernet address of the request traffic into the Ethernet address of the OpenvSwitch bridge port.
3. The method for distinguishing containers of a hybrid application environment according to claim 1, wherein said converging, to said central network address translation node, request traffic that is sent by a container inside said Kubernetes cluster and generated by actively accessing the outside of said cluster further comprises:
when Kubernetes uses a container network interface standard implemented based on routing, modifying, by configuring policy routing, the routing of the containers inside the cluster that belong to the Service configured with the eIP so that it points to the central network address translation node.
4. An apparatus for differentiating containers of a hybrid application environment, comprising:
a selection and deployment unit, configured to screen a central network address translation node from a Kubernetes cluster and deploy a keepalived container on the central network address translation node, wherein the keepalived container is used for managing the eIP of the central network address translation node;
a converging unit, configured to converge, to the central network address translation node, request traffic that is sent by a container inside the Kubernetes cluster and generated by actively accessing the outside of the cluster;
an external access unit, configured to control, by using the eIP of the central network address translation node and a network address translation method, a container inside the Kubernetes cluster to access the outside of the cluster through the central network address translation node;
the apparatus for distinguishing containers of a hybrid application environment further comprises:
a drift processing unit, configured to, when the eIP of the central network address translation node drifts, acquire the information of the current central network address translation node through the keepalived container and, by updating the annotation of the Service with the information of the current central network address translation node, enable the components on each node in the Kubernetes cluster to acquire that information by way of watch.
5. The apparatus for distinguishing containers of a hybrid application environment according to claim 4, wherein the converging unit comprises:
a first modification module, configured to redirect the request traffic to an OpenvSwitch bridge port on the central network address translation node by modifying the flow table rules of OpenvSwitch when Kubernetes uses a container network interface standard implemented based on OpenvSwitch;
an Ethernet address modification module, configured to modify the destination Ethernet address of the request traffic into the Ethernet address of the OpenvSwitch bridge port.
6. The apparatus for distinguishing containers of a hybrid application environment according to claim 4, wherein the converging unit comprises:
a policy routing configuration module, configured to modify, by configuring policy routing, the routing of the containers inside the cluster that belong to the Service configured with the eIP so that it points to the central network address translation node, when Kubernetes uses a container network interface standard implemented based on routing.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of distinguishing containers of a hybrid application environment according to any one of claims 1 to 3 when executing the program.
8. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of distinguishing containers of a hybrid application environment according to any one of claims 1 to 3.
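The central-NAT egress scheme of steps S101-S103 and claims 1-3, modelled as an added example that is not code from the patent or its assignee. It is a self-contained Python model: node selection (S101), the two data-plane branches of claims 2 and 3 rendered as illustrative commands, SNAT to the Service's eIP (S103), the eIP-drift handling of claim 1, and the security point of the whole scheme, namely that an allowlist outside the cluster can now tell Services apart by source eIP. The node names, pod CIDRs, eIPs, the placeholder bridge MAC and port number, the "ready/external" screening criteria and the exact rule formats are all assumptions of this example, not values taken from the patent.

```python
# Per-Service egress through a central NAT node, modelled on steps S101-S103 and claims 1-3.
# Constructed example: names, CIDRs, eIPs, the placeholder MAC/port and the rule formats are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

OVS_BRIDGE_MAC = "02:00:00:00:00:01"   # placeholder MAC of the OVS bridge port (assumed)
OVS_BRIDGE_PORT = 1                    # placeholder OpenFlow port number (assumed)

@dataclass
class Node:
    name: str
    ip: str
    external: bool        # can reach outside the cluster: assumed screening criterion
    ready: bool = True

@dataclass
class Service:
    name: str
    pod_cidr: str         # pods belonging to this Service
    eip: str              # eIP that keepalived holds on the central NAT node

@dataclass
class Cluster:
    cni: str              # "ovs" (claim 2) or "routing" (claim 3)
    nodes: dict[str, Node]
    services: list[Service]
    annotations: dict[str, str] = field(default_factory=dict)  # Service -> central node, watched by nodes

def select_central_nat_node(cluster: Cluster) -> str:
    """S101: screen for a ready, externally reachable node; lowest name wins for determinism."""
    eligible = sorted(n.name for n in cluster.nodes.values() if n.external and n.ready)
    if not eligible:
        raise RuntimeError("no node eligible to be the central NAT node")
    return eligible[0]

def publish_central_node(cluster: Cluster, node_name: str) -> None:
    """What keepalived does once it holds the eIP: write the current central node into each
    Service's annotation, which the agent on every node learns through watch."""
    for svc in cluster.services:
        cluster.annotations[svc.name] = node_name

def dataplane_rules(cluster: Cluster) -> list[str]:
    """S102/S103 as commands a node agent would apply (formats illustrative, not the patent's)."""
    rules = []
    for idx, svc in enumerate(cluster.services):
        central = cluster.nodes[cluster.annotations[svc.name]]
        if cluster.cni == "ovs":
            # claim 2: flow-table redirect, rewriting the destination MAC to the bridge port's MAC
            rules.append(f"ovs-ofctl add-flow br-int 'priority=200,ip,nw_src={svc.pod_cidr},"
                         f"actions=mod_dl_dst:{OVS_BRIDGE_MAC},output:{OVS_BRIDGE_PORT}'")
        else:
            # claim 3: policy routing sends this Service's pod CIDR to the central node
            rules.append(f"ip rule add from {svc.pod_cidr} lookup {100 + idx}")
            rules.append(f"ip route add default via {central.ip} table {100 + idx}")
        # S103: SNAT on the central node, so the outside sees the Service's eIP
        rules.append(f"iptables -t nat -A POSTROUTING -s {svc.pod_cidr} -j SNAT --to-source {svc.eip}")
    return rules

def egress(cluster: Cluster, src_pod_ip: str) -> tuple[Optional[str], Optional[str]]:
    """Simulate a pod's outbound packet: (forwarding node, source IP seen outside); (None, None) if unattributable."""
    for svc in cluster.services:
        if ipaddress.ip_address(src_pod_ip) in ipaddress.ip_network(svc.pod_cidr):
            return cluster.annotations[svc.name], svc.eip
    return None, None

def handle_eip_drift(cluster: Cluster, failed_node: str) -> str:
    """eIP drift: keepalived moves the eIP to another eligible node and republishes it,
    so every node's watcher re-resolves the central node."""
    cluster.nodes[failed_node].ready = False
    new_node = select_central_nat_node(cluster)
    publish_central_node(cluster, new_node)
    return new_node

def external_acl_allows(acl: dict[str, set[str]], src_ip: Optional[str], resource: str) -> bool:
    """Outside the cluster, an allowlist keyed on eIP can now tell Services apart."""
    return src_ip is not None and src_ip in acl.get(resource, set())

def build_cluster(cni: str) -> Cluster:
    """Constructed sample: two external-capable nodes, one internal-only node, two Services."""
    return Cluster(cni=cni,
                   nodes={"node-a": Node("node-a", "10.0.0.11", external=True),
                          "node-b": Node("node-b", "10.0.0.12", external=True),
                          "node-c": Node("node-c", "10.0.0.13", external=False)},
                   services=[Service("payments", "10.244.1.0/24", "203.0.113.10"),
                             Service("reports", "10.244.2.0/24", "203.0.113.20")])

def demo() -> dict:
    """Walk through selection, egress, eIP drift and the per-eIP ACL decision outside."""
    cluster = build_cluster("routing")
    first = select_central_nat_node(cluster)
    publish_central_node(cluster, first)
    node_before, seen_before = egress(cluster, "10.244.1.7")
    after = handle_eip_drift(cluster, first)
    node_after, seen_after = egress(cluster, "10.244.1.7")
    acl = {"core-db": {"203.0.113.10"}}          # only the payments eIP may reach core-db
    return {"first": first, "after": after, "node_before": node_before, "node_after": node_after,
            "seen_before": seen_before, "seen_after": seen_after,
            "payments_allowed": external_acl_allows(acl, seen_before, "core-db"),
            "reports_allowed": external_acl_allows(acl, egress(cluster, "10.244.2.9")[1], "core-db")}
```

Running `demo()` shows the property the patent is after: the forwarding node changes on eIP drift, but the source address the outside observes stays the Service's eIP, so an external allowlist keyed on that eIP keeps working across failover while still rejecting the other Service. A pod that is not part of any eIP-configured Service egresses without a distinguishing source address, which is why `egress` returns `(None, None)` and the ACL denies it.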
CN202010266073.0A 2020-04-07 2020-04-07 Method and device for distinguishing containers of mixed application environment Active CN111510515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010266073.0A CN111510515B (en) 2020-04-07 2020-04-07 Method and device for distinguishing containers of mixed application environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010266073.0A CN111510515B (en) 2020-04-07 2020-04-07 Method and device for distinguishing containers of mixed application environment

Publications (2)

Publication Number Publication Date
CN111510515A CN111510515A (en) 2020-08-07
CN111510515B true CN111510515B (en) 2022-09-09

Family

ID=71864062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010266073.0A Active CN111510515B (en) 2020-04-07 2020-04-07 Method and device for distinguishing containers of mixed application environment

Country Status (1)

Country Link
CN (1) CN111510515B (en)


Also Published As

Publication number Publication date
CN111510515A (en) 2020-08-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220907

Address after: 25 Financial Street, Xicheng District, Beijing 100033

Patentee after: CHINA CONSTRUCTION BANK Corp.

Address before: 25 Financial Street, Xicheng District, Beijing 100033

Patentee before: CHINA CONSTRUCTION BANK Corp.

Patentee before: Jianxin Financial Science and Technology Co.,Ltd.