CN112543108A - Network isolation policy management method and network isolation policy management system - Google Patents

Network isolation policy management method and network isolation policy management system

Info

Publication number: CN112543108A
Authority: CN (China)
Prior art keywords: network, policy, container, network isolation, bin
Legal status: Pending
Application number: CN201910851744.7A
Other languages: Chinese (zh)
Inventors: 杨帆, 张军
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201910851744.7A
Priority to PCT/CN2020/099021 (WO2021042846A1)
Publication of CN112543108A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
                • H04L41/0894 Policy-based network configuration management
                • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols

Abstract

The present disclosure provides a network isolation policy management method, including: in response to a container bin creation request sent by a user side, binding a corresponding label, and writing the creation location information of a first container bin to be created into a virtual switch configuration library so as to create an associated network bridge on a virtual switch; and sending a network port creation and policy issuing request to a software-defined network controller, so that the software-defined network controller, in response to the network port creation and policy issuing request, creates a virtual network port for the first container bin and, when network isolation policy information matching the label of the first container bin is stored in the software-defined network controller, sends the network isolation policy information to the virtual switch where the first container bin is located. The embodiment of the disclosure also provides a network isolation policy management system.

Description

Network isolation policy management method and network isolation policy management system
Technical Field
The present disclosure relates to the field of virtual network technologies, and in particular, to a network isolation policy management method, a container cluster management system, a software defined network controller, and a network isolation policy management system.
Background
Kubernetes is an open-source container cluster management system that can conveniently run, operate, maintain and scale applications, and can conveniently manage containerized applications running across hosts. However, Kubernetes is not fully capable of managing and isolating container networks: an important feature of Kubernetes is to connect container bins (Pods) on different virtual switch (Virtual Switch) nodes regardless of physical node limitations. In some application environments, such as public clouds, the Pods of different tenants should not interwork, and network isolation is required. Therefore, how to manage the network isolation policy becomes an urgent technical problem to be solved.
Disclosure of Invention
The present disclosure is directed to solving at least one of the technical problems in the prior art, and provides a network isolation policy management method, a container cluster management system, a software-defined network controller, and a network isolation policy management system.
In a first aspect, an embodiment of the present disclosure provides a network isolation policy management method, including:
in response to a container bin creation request sent by a user side, binding a corresponding label, and writing the creation location information of a first container bin to be created into a virtual switch configuration library so as to create an associated network bridge on a virtual switch;
and sending a network port creation and policy issuing request to a software-defined network controller, so that the software-defined network controller, in response to the network port creation and policy issuing request, creates a virtual network port for the first container bin and, when network isolation policy information matching the label of the first container bin is stored in the software-defined network controller, sends the network isolation policy information to the virtual switch where the first container bin is located.
In some embodiments, the network isolation policy management method further includes:
in response to a network isolation policy scheme configuration request sent by the user side, forwarding the received network isolation policy scheme to the software-defined network controller, where the network isolation policy scheme includes: network isolation policy information and a label selector that defines the labels of the container bins to which the network isolation policy information applies.
In some embodiments, the network isolation policy management method further includes:
in response to a container bin deletion request sent by the user side, forwarding the container bin deletion request to a container bin deletion system so that the container bin deletion system deletes the corresponding second container bin, where the container bin deletion request includes: the bin name of the second container bin to be deleted;
and determining the IP address of the virtual network port of the second container bin according to the bin name of the second container bin, and sending a first deletion control request to the software-defined network controller, so that the software-defined network controller, in response to the first deletion control request, sends a policy deletion instruction to the virtual switch where the second container bin is located when network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in a correspondence table stored in advance in the software-defined network controller.
In some embodiments, the network isolation policy management method further includes:
in response to a network isolation policy scheme deletion request sent by the user side, sending a second deletion control request to the software-defined network controller, so that the software-defined network controller, in response to the second deletion control request, deletes the network isolation policy information corresponding to the policy name of the target network isolation policy scheme when it stores such information;
the second deletion control request includes: the policy name of the target network isolation policy scheme.
In a second aspect, an embodiment of the present disclosure further provides a network isolation policy management method, including:
in response to a network port creation and policy issuing request sent by a container cluster management system, creating a virtual network port for a first container bin and allocating an IP address to the virtual network port, where the network port creation and policy issuing request includes: the bin name and label of the first container bin;
querying, according to the label of the first container bin, whether network isolation policy information matching the label of the first container bin is stored in the software-defined network controller itself;
and when the query finds that network isolation policy information matching the label of the first container bin is stored, sending the queried network isolation policy information to the virtual switch where the first container bin is located through the IP address.
In some embodiments, the network isolation policy management method further includes:
receiving a network isolation policy scheme sent by the container cluster management system, and storing the received network isolation policy scheme in a policy storage module, where the network isolation policy scheme includes: network isolation policy information and a label selector that defines the labels of the container bins to which the network isolation policy information applies.
In some embodiments, the step of storing the received network isolation policy scheme in the policy storage module includes:
creating a security container in the policy storage module, and encapsulating the network isolation policy information of the network isolation policy scheme in the security container in the form of security group rules;
and establishing a correspondence between the security container and the label selector of the network isolation policy scheme.
In some embodiments, when the query finds that network isolation policy information matching the label of the container bin is stored, the method further includes:
establishing a correspondence between the IP address and the queried network isolation policy information, and storing the correspondence in a predefined correspondence table.
In some embodiments, the network isolation policy management method further includes:
in response to a first deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in a correspondence table stored in advance; where the first deletion control request includes: the IP address of the virtual network port of the second container bin, and the correspondence table records the IP addresses of the virtual network ports of different container bins together with the network isolation policy information corresponding to each;
and when network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in the correspondence table, sending a policy deletion instruction to the virtual switch where the second container bin is located according to the queried network isolation policy information, so that this virtual switch deletes the network isolation policy information it stores that applies to the second container bin.
In some embodiments, the network isolation policy management method further includes:
in response to a second deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the policy name of the target network isolation policy scheme is stored in the software-defined network controller itself; where the second deletion control request includes: the policy name of the target network isolation policy scheme;
and when the query finds network isolation policy information corresponding to the policy name of the target network isolation policy scheme, deleting that stored network isolation policy information.
In some embodiments, the step of sending the queried network isolation policy information to the virtual switch where the first container bin is located through the IP address includes:
mapping the queried network isolation policy information into an access control list;
and sending the mapped access control list to the corresponding virtual switch in the form of a flow table using the OpenFlow protocol through the IP address.
In a third aspect, an embodiment of the present disclosure further provides a container cluster management system, including:
one or more first processors;
a first storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more first processors, cause the one or more first processors to implement the method provided by the first aspect described above.
In a fourth aspect, an embodiment of the present disclosure further provides a software-defined network controller, including:
one or more second processors;
a second storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more second processors, cause the one or more second processors to implement the method provided by the second aspect described above.
In a fifth aspect, an embodiment of the present disclosure further provides a network isolation policy management system, including: a container cluster management system as described above and a software defined network controller as described above.
The embodiments of the disclosure provide a network isolation policy management method, a container cluster management system, a software-defined network controller and a network isolation policy management system, which use the strong network orchestration capability of an SDN controller together with the feature that Network Policy supports label-level network isolation policy orchestration, so as to flexibly customize and manage effective isolation of the container network in various application scenarios.
Drawings
Fig. 1 is a flowchart of a network isolation policy management method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 3 is a signaling diagram of a container cluster management system and a software-defined network controller implementing a network policy landing procedure in an embodiment of the present disclosure;
Fig. 4 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 5 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 6 is a signaling diagram of a container cluster management system and a software-defined network controller implementing a network policy storage procedure in an embodiment of the present disclosure;
Fig. 7 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 8 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 9 is a signaling diagram of a container cluster management system and a software-defined network controller implementing a container bin deletion process in an embodiment of the present disclosure;
Fig. 10 is a flowchart of a further network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 11 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure;
Fig. 12 is a signaling diagram of a container cluster management system and a software-defined network controller implementing a network isolation policy scheme deletion process in an embodiment of the present disclosure.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present disclosure, a detailed description is given below of the network isolation policy management method and system provided by the present disclosure, with reference to the accompanying drawings.
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but which may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements/instructions/requests, these elements/instructions/requests should not be limited by these terms. These terms are only used to distinguish one element/instruction/request from another element/instruction/request.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The disclosure provides a network isolation policy management method based on a container cluster management system and a Software Defined Network (SDN) controller, where Kubernetes is preferably adopted as the container cluster management system.
The technical scheme disclosed by the invention uses the strong network orchestration capability of the SDN controller together with the feature that Network Policy supports label-level network isolation policy orchestration, so that effective isolation of the container network in various application scenarios can be flexibly customized and managed.
Fig. 1 is a flowchart of a network isolation policy management method provided by an embodiment of the present disclosure. As shown in Fig. 1, the execution subject of the method is the container cluster management system, and the method includes:
Step S1: in response to the container bin creation request sent by the user side, binding the corresponding label, and writing the creation location information of the first container bin to be created into the virtual switch configuration library, so as to create an associated bridge on the virtual switch.
The user side submits a container bin creation request to the container cluster management system. The container cluster management system responds to the request, binds a corresponding label to the Pod to be created (called the first Pod), and issues the label and the creation location information of the first Pod to an external container bin creation system (which holds the virtual switch configuration library). After receiving the label, the container bin creation system creates a bridge on the selected virtual switch according to the label and the creation location information and associates the first Pod with it; the first Pod can then provide applications or services for the tenant to use.
It should be noted that the specific process by which the container bin creation system creates a Pod based on the label is conventional in the art and is not described in detail here. At this point the created first Pod has a bin name (Pod name), which may be specified manually by the user side or assigned automatically by the container cluster management system.
Step S2: sending a network port creation and policy issuing request to the software-defined network controller.
After the container cluster management system issues the label to the container bin creation system, it also sends a network port creation and policy issuing request to the SDN controller, so that the SDN controller responds to the request by creating a virtual network port for the first Pod and, when the SDN controller stores network isolation policy information matching the label of the first container bin, sends the queried network isolation policy information to the virtual switch where the first Pod is located.
The network port creation and policy issuing request includes the bin name and label of the first Pod, and may also include related information such as the location of the virtual switch where the first Pod resides.
Fig. 2 is a flowchart of another network isolation policy management method provided in an embodiment of the present disclosure. As shown in Fig. 2, the execution subject of the method is the SDN controller, and the method includes:
Step S3: in response to the network port creation and policy issuing request sent by the container cluster management system, creating a virtual network port for the container bin and allocating an IP address to the virtual network port.
The SDN controller responds to the network port creation request sent by the container cluster management system, creates a virtual network port according to the bin name of the first Pod, and allocates an IP address to the virtual network port.
As an alternative, after the SDN controller creates the virtual network port for the first Pod, when the virtual network port goes online (accesses the network), the virtual switch where the first Pod is located sends an asynchronous message to the SDN controller notifying it that the virtual network port is online; the asynchronous message includes the device number and port number of the virtual network port. After receiving the online notification, the SDN controller calls the Open Virtual Switch Database (OVSDB) background service of the virtual switch to query the identity number (a 32-bit character string) corresponding to the device number and port number of the virtual network port, that is, the identity number of the virtual network port, and then derives an IP address from this identity number to serve as the IP address allocated to the virtual network port.
Step S4: querying, according to the label of the first container bin, whether the controller's own policy storage module holds network isolation policy information matching the label of the first container bin.
The SDN controller is provided with a policy storage module in which different network isolation policy information and the corresponding label selectors are stored. The network isolation policy information records the network isolation policy configured by the user side; the label selector defines the labels of the Pods to which the corresponding network isolation policy information applies, that is, it determines which labeled Pods the corresponding network isolation policy is applied to.
The process and manner in which the policy storage module stores the network isolation policy information and the corresponding label selector are described in detail below.
In step S4, the SDN controller queries the policy storage module, according to the label of the first Pod, for network isolation policy information matching the label of the first Pod.
Specifically, the SDN controller matches the label of the first Pod against each label selector. If the label of the first Pod is a label defined by at least one label selector, the query finds that the policy storage module holds network isolation policy information matching the label of the first Pod, that information is retrieved, and step S5 is executed. If the label of the first Pod is not defined by any label selector, the query finds no matching network isolation policy information in the policy storage module, that is, there is no network isolation policy that the first Pod needs to apply.
It should be noted that in step S4 the label of the Pod may match multiple label selectors (i.e., multiple pieces of network isolation policy information), in which case the Pod needs to apply multiple network isolation policies.
Step S5: sending the queried network isolation policy information to the virtual switch where the first container bin is located through the IP address of the virtual network port of the first container bin.
The SDN controller sends the network isolation policy information queried in step S4 to the corresponding virtual switch through the IP address of the virtual network port of the first Pod; at this point the landing of the network policy (its taking effect on the switch) is complete.
In some embodiments, the SDN controller maps the queried network isolation policy information into an Access Control List (ACL), and then sends all the ACL entries mapped from the network isolation policy information to the corresponding virtual switch in the form of a flow table using the OpenFlow protocol.
According to this technical scheme, the container bin creation request serves as the trigger mechanism: when the virtual network port of the created Pod goes online, the network isolation policy corresponding to the Pod can be sent to the corresponding virtual switch, so that the landing of the network policy is realized.
Fig. 3 is a signaling diagram of the process in which the container cluster management system and the software-defined network controller implement the network policy landing procedure in the embodiment of the present disclosure. As shown in Fig. 3, the landing procedure for a network policy in this embodiment includes steps S1 to S5 above; for the specific description of each step, reference may be made to the foregoing, which is not repeated here.
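As an added illustration (Python, written for this page; not code from the patent or from ZTE), the controller side of steps S3 to S5 together with the correspondence-table bookkeeping and the first deletion control request described in the Disclosure section above. The data structures, the counter-based IP allocation (the patent derives the address from the OVSDB identity number) and the ACL field names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IsolationPolicy:
    """Network isolation policy information together with its label selector."""
    name: str
    selector: Dict[str, str]                   # labels a Pod must carry for the policy to apply
    rules: Tuple[Tuple[str, str, str], ...]    # (direction, remote CIDR, action) entries


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """A Pod's label set matches when it carries every label the selector defines."""
    return all(labels.get(key) == value for key, value in selector.items())


class PolicyStore:
    """The controller's policy storage module plus the IP correspondence table."""

    def __init__(self) -> None:
        self.policies: Dict[str, IsolationPolicy] = {}
        # correspondence table: virtual-port IP -> names of the policies applied to that port
        self.ip_table: Dict[str, List[str]] = {}

    def store(self, policy: IsolationPolicy) -> None:
        self.policies[policy.name] = policy

    def query(self, labels: Dict[str, str]) -> List[IsolationPolicy]:
        """Step S4: every stored policy whose selector matches the labels (may be several)."""
        return [p for p in self.policies.values() if selector_matches(p.selector, labels)]


def to_flow_entries(pod_ip: str, policy: IsolationPolicy) -> List[Dict[str, str]]:
    """Step S5: map one policy into ACL-style flow entries for the Pod's virtual switch.

    For ingress rules the Pod IP is the destination; for egress rules it is the source.
    (Field names are this example's assumption, not the patent's mapping.)
    """
    entries = []
    for direction, cidr, action in policy.rules:
        entry = {"policy": policy.name, "direction": direction, "action": action}
        if direction == "ingress":
            entry.update(nw_src=cidr, nw_dst=pod_ip)
        else:
            entry.update(nw_src=pod_ip, nw_dst=cidr)
        entries.append(entry)
    return entries


class SdnController:
    def __init__(self) -> None:
        self.store = PolicyStore()
        self._next_host = 10   # constructed: addresses are handed out from 172.17.0.10 upward
        self.port_ip: Dict[str, str] = {}                          # bin name -> virtual-port IP
        self.switch_flows: Dict[str, List[Dict[str, str]]] = {}   # virtual switch -> flows

    def create_port_and_issue(self, pod_name: str, labels: Dict[str, str],
                              switch: str = "vswitch-1") -> Tuple[str, List[Dict[str, str]]]:
        """Steps S3 to S5 for one network port creation and policy issuing request."""
        pod_ip = f"172.17.0.{self._next_host}"          # S3: allocate the virtual port's IP
        self._next_host += 1
        self.port_ip[pod_name] = pod_ip
        matched = self.store.query(labels)               # S4: label-selector lookup
        if not matched:
            return pod_ip, []                            # no policy applies; nothing recorded
        flows = [e for p in matched for e in to_flow_entries(pod_ip, p)]
        self.switch_flows.setdefault(switch, []).extend(flows)    # S5: push to the switch
        self.store.ip_table[pod_ip] = [p.name for p in matched]   # correspondence table entry
        return pod_ip, flows

    def handle_first_deletion_request(self, pod_ip: str, switch: str = "vswitch-1") -> List[str]:
        """First deletion control request: when the IP is in the correspondence table, tell the
        switch to drop the flows applied to that Pod. Returns the names of the policies removed."""
        names = self.store.ip_table.pop(pod_ip, [])
        if names:
            self.switch_flows[switch] = [f for f in self.switch_flows.get(switch, [])
                                         if pod_ip not in (f["nw_src"], f["nw_dst"])]
        return names


if __name__ == "__main__":
    ctrl = SdnController()
    ctrl.store.store(IsolationPolicy("np-ingress", {"app": "label1"},
                                     (("ingress", "172.17.0.0/16", "permit"),)))
    ip, flows = ctrl.create_port_and_issue("pod-1", {"app": "label1"})
    print(ip, flows)
    print(ctrl.handle_first_deletion_request(ip))
```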
Fig. 4 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure. As shown in Fig. 4, the execution subject of the method is the container cluster management system, and the method includes steps S1 to S2 and further includes step S6; only step S6 is described in detail below.
Step S6: in response to the network isolation policy scheme configuration request sent by the user side, forwarding the received network isolation policy scheme to the software-defined network controller.
In the embodiment of the disclosure, the container cluster management system is provided with a visual policy configuration interface. Through this interface the user side can complete the configuration of a network isolation policy scheme and submit it to the container cluster management system, which forwards the received network isolation policy scheme to the SDN controller so that the SDN controller stores it in its policy storage module. The network isolation policy scheme includes: network isolation policy information and a label selector that defines the labels of the container bins to which the network isolation policy information applies.
In some scenarios, the user side may create a yaml file for a Kubernetes object of type Network Policy and then send the yaml file to the container cluster management system.
As an example, an excerpt of the configuration content of the yaml file is as follows:
[yaml configuration excerpt: provided as an image in the original and not reproduced here]
In the above example, the content carried by podSelector serves as the label selector, which defines: all inbound and outbound traffic of Pods labeled label1 is subject to the constraints of this network policy. The content carried by ingress, as the network isolation policy information, defines: all IP addresses in the 172.17.0.0/16 segment, except those in the 172.17.1.0/24 segment, can access the Pods labeled label1 (with the IP address of the virtual network port of a Pod labeled label1 as the destination IP address).
In practical application, when the container cluster management system receives a network isolation policy scheme configured with a yaml file, it may convert and translate the yaml file into a file type that the SDN controller can recognize, and then send the converted network isolation policy scheme to the SDN controller through a RESTCONF interface. It should be noted that the network isolation policy information is not changed during the conversion and translation of the yaml file.
Network Policy has a standard policy model, and the user side can formulate the required network policy for selected Pods based on this policy model. Configuring a network policy with Network Policy is conventional in the field, and the specific configuration process is not described in detail here.
It should be noted that the present disclosure does not limit the execution sequence of step S6 and step S1 to step S2, that is, step S6 may be executed before step S1 to step S2, after step S1 to step S2, or in synchronization with step S1 to step S2, and fig. 4 only illustrates the case where step S6 is executed after step S1 to step S2.
Fig. 5 is a flowchart of another network isolation policy management method provided in an embodiment of the present disclosure. As shown in fig. 5, the execution subject of the method is the SDN controller, and the method includes steps S3 to S5 and further includes step S7; only step S7 is described in detail below.
Step S7, receiving the network isolation policy scheme sent by the container cluster management system, and storing the received network isolation policy scheme in the policy storage module.
In some embodiments, step S7 specifically includes: the SDN controller creates a security container in the policy storage module and encapsulates the network isolation policy information of the network isolation policy scheme in the security container in the form of security group rules; and it establishes a correspondence between the security container and the label selector of the network isolation policy scheme.
In this disclosure, a NetworkPolicy may be mapped to security group rules of the SDN controller to facilitate storage by the SDN controller. Both NetworkPolicy and the security group rules of the SDN controller have standard formats; the field mapping policy for mapping a NetworkPolicy to SDN controller security group rules is shown in Table 1 below:
TABLE 1 Field mapping policy between NetworkPolicy and SDN controller security groups
[Table 1 is present on the page only as an image; its field-by-field content is not recoverable from the text]
After conversion based on the mapping policy, the network isolation policy information in the yaml file is converted into the following two security group rules:
1) source IP segment 172.17.0.0/16, direction ingress, action type permit;
2) source IP segment 172.17.1.0/24, direction ingress, action type drop.
It should be noted that when the network isolation policy information stored in the SDN controller in the form of security group rules needs to be sent to the corresponding virtual switch in step S5 above, the security group rules may be mapped into access control list entries and then sent to that virtual switch in the form of a flow table through the OpenFlow protocol.
As an example, the two security group rules above may be mapped to the following two access control list entries:
1) dst_ip=ip1, src_ip=172.17.0.0/16, priority=100, actions=go_to_next_table;
2) dst_ip=ip1, src_ip=172.17.1.0/24, priority=130, actions=drop;
where dst_ip is the destination IP address, src_ip is the source IP address, and ip1 is the IP address of the virtual network port of the Pod labeled label1. Because an OpenFlow switch applies the highest-priority matching entry, the drop entry (priority 130) takes precedence over the permit entry (priority 100) for sources in 172.17.1.0/24, which is how the excepted segment is enforced.
In some embodiments, the network isolation policy information of a network isolation policy scheme exists in the container cluster management system in the form of a yaml file fragment of type NetworkPolicy, exists in the SDN controller in the form of security group rules encapsulated in a security container, and exists in the virtual switch in the form of access control list entries.
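The two-stage translation described above (NetworkPolicy yaml fragment to security group rules, then security group rules to prioritized access control list entries for one Pod's virtual port) is carried out below as an added example; it is not code from the patent or from ZTE. The NetworkPolicy object is a constructed reconstruction of the yaml fragment the page describes (the label key "app", the policy name "policy1" and the Pod address 10.244.1.7 are assumptions). The priorities 100 and 130 are the values the page lists; the lowest-priority default-deny entry is an assumption added here, because a Pod selected by a NetworkPolicy with an ingress section accepts only the traffic the policy allows.

```python
"""NetworkPolicy -> security group rules -> OpenFlow-style ACL entries.

Added example (not the patent's or ZTE's code). The policy object below is a
constructed sample reconstructing the yaml fragment described on the page.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample: JSON form of the described NetworkPolicy. The label key
# "app" and the policy name are assumptions; the page only says "label1".
SAMPLE_NETWORK_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "policy1"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "label1"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                   "except": ["172.17.1.0/24"]}}]}
        ],
    },
}

PERMIT_PRIORITY = 100      # value listed on the page for the permit entry
DROP_PRIORITY = 130        # value listed on the page for the drop entry
DEFAULT_DENY_PRIORITY = 0  # assumption: selected Pod drops everything not permitted

# A security group rule as the text describes it: (source segment, direction, action).
SecurityGroupRule = Tuple[str, str, str]


def to_security_group_rules(policy: dict) -> List[SecurityGroupRule]:
    """Stage 1: ingress ipBlock peers -> security group rules.

    Each cidr becomes a permit rule and each entry of its except list becomes
    a drop rule. Only ipBlock peers are handled here; podSelector and
    namespaceSelector peers would need the controller's Pod inventory.
    """
    spec = policy["spec"]
    # Kubernetes default: Ingress is always in effect; Egress only if egress rules exist.
    policy_types = spec.get("policyTypes") or (
        ["Ingress"] + (["Egress"] if spec.get("egress") else []))
    if "Ingress" not in policy_types:
        return []
    rules: List[SecurityGroupRule] = []
    for ingress in spec.get("ingress", []):
        for peer in ingress.get("from", []):
            block = peer.get("ipBlock")
            if block is None:
                continue
            rules.append((block["cidr"], "ingress", "permit"))
            for excepted in block.get("except", []):
                rules.append((excepted, "ingress", "drop"))
    return rules


def to_acl(rules: List[SecurityGroupRule], pod_ip: str) -> List[Dict]:
    """Stage 2: security group rules -> ACL entries for one Pod's virtual port.

    dst_ip is the Pod's port address. Drop entries get the higher priority so
    that an excepted segment wins over the enclosing permitted segment.
    """
    acl: List[Dict] = []
    for src, direction, action in rules:
        if direction != "ingress":
            continue
        if action == "permit":
            acl.append({"dst_ip": pod_ip, "src_ip": src,
                        "priority": PERMIT_PRIORITY, "actions": "go_to_next_table"})
        else:
            acl.append({"dst_ip": pod_ip, "src_ip": src,
                        "priority": DROP_PRIORITY, "actions": "drop"})
    # Assumed default-deny entry, matched only when nothing above matches.
    acl.append({"dst_ip": pod_ip, "src_ip": "0.0.0.0/0",
                "priority": DEFAULT_DENY_PRIORITY, "actions": "drop"})
    return acl


def lookup(acl: List[Dict], src_ip: str, dst_ip: str) -> str:
    """Emulate the switch: the highest-priority matching entry decides."""
    src = ip_address(src_ip)
    matches = [e for e in acl
               if e["dst_ip"] == dst_ip and src in ip_network(e["src_ip"])]
    if not matches:
        return "no_match"
    return max(matches, key=lambda e: e["priority"])["actions"]


if __name__ == "__main__":
    sg = to_security_group_rules(SAMPLE_NETWORK_POLICY)
    table = to_acl(sg, "10.244.1.7")
    for entry in table:
        print(entry)
    for probe in ("172.17.2.9", "172.17.1.9", "192.168.0.1"):
        print(probe, "->", lookup(table, probe, "10.244.1.7"))
```

Running the block prints the three entries and shows 172.17.2.9 reaching the Pod, 172.17.1.9 being dropped by the higher-priority entry, and an address outside the permitted segment being dropped by the assumed default-deny entry. Without that last entry the two page-listed entries alone would not isolate the Pod from sources outside 172.17.0.0/16, so a deployment must confirm how its virtual switch treats traffic that matches no entry in the policy table.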
It should be noted that, in the technical solution of the present disclosure, the execution sequence of step S7 and step S3 to step S5 is not limited, that is, step S7 may be executed before step S3 to step S5, or after step S3 to step S5, or may be executed in synchronization with step S3 to step S5, and fig. 5 only illustrates the case where step S7 is executed after step S3 to step S5.
Fig. 6 is a signaling diagram of a process of implementing network policy storage by a container cluster management system and a software-defined network controller in the embodiment of the present disclosure, and as shown in fig. 6, the process of implementing network policy storage in the embodiment of the present disclosure includes the above step S6 to step S7, and for specific description of each step, reference may be made to the foregoing contents, which are not described herein again.
Fig. 7 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure. As shown in fig. 7, the execution subject of the method is the container cluster management system, and the method includes steps S1 to S2 and further includes steps S8 to S9; only steps S8 to S9 are described in detail below.
Step S8, in response to a container bin deletion request sent by the user side, forwarding the container bin deletion request to the container bin deletion system.
The client submits the container bin deletion request to the container cluster management system, which forwards it to the external container bin deletion system so that the latter deletes the relevant configuration data of the second Pod. The container bin deletion request contains the bin name of the second Pod to be deleted.
Step S9, determining the IP address of the virtual network port of the second container bin according to the bin name of the second container bin, and sending a first deletion control request to the software-defined network controller.
The container cluster management system queries the IP address of the virtual network port of the second Pod from its own database according to the name of the second Pod (after the SDN controller allocates a virtual network port IP address to a Pod, the Pod reports the allocated address to the container cluster management system for management purposes). It then sends a first deletion control request, which contains that IP address, to the software-defined network controller. In response, when network isolation policy information corresponding to that IP address exists in the correspondence table stored in advance by the SDN controller, the SDN controller sends a policy deletion instruction to the virtual switch where the second Pod is located, so that this virtual switch deletes the network isolation policy information it holds for the second Pod.
It should be noted that the present disclosure does not limit the execution sequence of steps S8 to S9 and steps S1 to S2, that is, steps S8 to S9 may be executed before steps S1 to S2, after steps S1 to S2, or in synchronization with steps S1 to S2, and fig. 7 only illustrates the case where steps S8 to S9 are executed after steps S1 to S2.
Fig. 8 is a flowchart of another network isolation policy management method provided in an embodiment of the present disclosure. As shown in fig. 8, the execution subject of the method is the SDN controller, and the method includes steps S3 to S5 and further includes step S5a and steps S10 to S12; only step S5a and steps S10 to S12 are described in detail below.
Step S5a, establishing a correspondence between the IP address of the virtual network port of the first Pod and the queried network isolation policy information, and storing the correspondence in a predefined correspondence table.
In step S4, when the SDN controller queries that network isolation policy information matching the label of the container bin exists in its policy storage module, step S5a may be executed while step S5 is executed.
The SDN controller establishes a correspondence between the IP address allocated to the first Pod in step S3 and the network isolation policy information queried in step S4, and stores the correspondence in a predefined correspondence table.
When the network isolation policy information in the SDN controller is encapsulated in the security container in the form of the security group rule, the correspondence between the IP address and the network isolation policy information is established, which is substantially the correspondence between the IP address and the security container.
Step S10, in response to the first deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in the pre-stored correspondence table.
After receiving the first deletion control request, the SDN controller queries whether network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in the correspondence table stored in advance. The correspondence table records different IP addresses and the network isolation policy information corresponding to each, and its entries may be generated in step S5a.
When network isolation policy information corresponding to the IP address of the virtual network port of the second Pod exists in the correspondence table, the virtual switch where the second Pod is located holds a network isolation policy for the second Pod, and steps S11 and S12 are executed; when no such entry exists, the virtual switch where the second Pod is located holds no network isolation policy for the second Pod, and no deletion processing is required.
And step S11, sending a policy deletion instruction to the virtual switch where the second container bin is located according to the inquired network isolation policy information.
And the SDN controller sends a policy deletion instruction to the virtual switch where the second Pod is located according to the inquired network isolation policy information, so that the virtual switch where the second Pod is located deletes the network isolation policy information which is stored in the virtual switch and is applied to the second Pod.
It should be noted that when the SDN controller issued the network isolation policy information to the corresponding virtual switch in the form of access control list entries in step S5, the information is stored in the virtual switch in that form. In this case, before sending the policy deletion instruction to the virtual switch where the second Pod is located, the SDN controller maps the queried network isolation policy information into the same access control list entries and encapsulates them in the policy deletion instruction, so that the matching entries in the virtual switch can be deleted through the OpenFlow protocol.
Step S12, deleting the correspondence between the IP address of the virtual network port of the second container bin and the network isolation policy information recorded in the correspondence table.
The SDN controller sends a policy deletion instruction to the virtual switch where the second Pod is located, and simultaneously deletes the corresponding relation between the IP address of the virtual network port of the second Pod and the network isolation policy information recorded in the corresponding relation table of the SDN controller, so that the storage space of the SDN controller is saved.
It should be noted that the present disclosure does not limit the execution sequence of steps S10 to S12 and steps S3 to S5, that is, steps S10 to S12 may be executed before steps S3 to S5, after steps S3 to S5, or in synchronization with steps S3 to S5, and fig. 8 only illustrates the case where steps S10 to S12 are executed after steps S3 to S5.
Fig. 9 is a signaling diagram of the container bin deletion process implemented by the container cluster management system and the software-defined network controller in the embodiment of the present disclosure. As shown in fig. 9, the container bin deletion process in the embodiment includes the above steps S8 to S12; for the specific description of each step, reference may be made to the foregoing contents, which are not repeated here.
Fig. 10 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure. As shown in fig. 10, the execution subject of the method is the container cluster management system, and the method includes steps S1 to S2 and further includes step S13; only step S13 is described in detail below.
Step S13, in response to a network isolation policy scheme deletion request sent by the user side, sending a second deletion control request to the software-defined network controller.
The client submits a network isolation policy scheme deletion request to the container cluster management system; the request contains the policy name of the target network isolation policy scheme to be deleted.
After receiving the network isolation policy scheme deletion request, the container cluster management system sends a second deletion control request, which contains the policy name of the target network isolation policy scheme, to the SDN controller. In response, the SDN controller queries whether network isolation policy information corresponding to that policy name exists in its policy storage module and, if it does, deletes that network isolation policy information from the policy storage module.
It should be noted that the present disclosure does not limit the execution sequence of step S13 and step S1 to step S2, that is, step S13 may be executed before step S1 to step S2, after step S1 to step S2, or in synchronization with step S1 to step S2, and fig. 10 only illustrates the case where step S13 is executed after step S1 to step S2.
Fig. 11 is a flowchart of another network isolation policy management method provided in an embodiment of the present disclosure. As shown in fig. 11, the execution subject of the method is the SDN controller, and the method includes steps S3 to S5 and further includes steps S14 to S15; only steps S14 to S15 are described in detail below.
Step S14, in response to the second delete control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the policy name of the target network isolation policy scheme exists in the policy storage module.
It should be noted that, when the SDN controller stores the network isolation policy information based on the network isolation policy scheme, the policy storage module not only stores the correspondence between the network isolation policy information and the tag selector, but also synchronously stores the correspondence between the network isolation policy information and the policy name of the network isolation policy scheme. Namely, the policy name of the network isolation policy scheme, the network isolation policy information contained in the network isolation policy scheme, and the tag selector contained in the network isolation policy scheme have a one-to-one correspondence relationship.
When the network isolation policy information corresponding to the policy name of the target network isolation policy scheme exists in the queried policy storage module, executing step S15; when the network isolation strategy information corresponding to the strategy name of the target network isolation strategy scheme does not exist in the strategy storage module, subsequent deletion processing is not needed.
Step S15, deleting the network isolation policy information corresponding to the policy name of the target network isolation policy scheme from the policy storage module.
The SDN controller deletes the network isolation policy information and the label selector corresponding to the policy name of the target network isolation policy scheme from the policy storage module, so as to save storage space of the SDN controller.
It should be noted that, in some embodiments, when network isolation policy information corresponding to the policy name of the target network isolation policy scheme is found in the policy storage module, the SDN controller then queries, based on that network isolation policy information, whether any IP address corresponding to it exists in the correspondence table (that is, it looks up which virtual switches the policy has been landed on), and if so sends a policy deletion instruction to each corresponding virtual switch according to the IP addresses found, so that those virtual switches delete the corresponding network isolation policy information.
The present disclosure does not limit the execution sequence of steps S14 to S15 and S3 to S5, that is, steps S14 to S15 may be executed before steps S3 to S5, or after steps S3 to S5, or may be executed in synchronization with steps S3 to S5, and fig. 11 only illustrates the case where steps S14 to S15 are executed after steps S3 to S5.
Fig. 12 is a signaling diagram of the network isolation policy scheme deletion process implemented by the container cluster management system and the software-defined network controller in the embodiment of the present disclosure. As shown in fig. 12, the network isolation policy scheme deletion process in the embodiment includes the above steps S13 to S15; for the specific description of each step, reference may be made to the foregoing contents, which are not repeated here.
It should be noted that, in the present disclosure, different steps of the above embodiments may be combined with each other to obtain a new technical solution, and such a combined solution also belongs to the protection scope of the present disclosure. As one combination, the network isolation policy management method includes the above steps S1 to S15, that is, network policy landing, network policy storage, container bin deletion, and network isolation policy scheme deletion are all implemented.
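The controller-side bookkeeping that steps S5a and S10 to S12 (Pod deletion) and steps S14 to S15 with the reverse lookup just described (policy scheme deletion) rely on is modelled below as an added example; it is not code from the patent or from ZTE. The data model is an assumption: a security container is stored under its policy name with its label selector and security group rules, the correspondence table maps a Pod's virtual-port IP address to the policy name landed on its switch, and a virtual switch is modelled as a set of flow keys so that flow installation and deletion can be checked without an OpenFlow connection. The Pod addresses and labels are constructed sample data.

```python
"""Controller state for policy landing, Pod deletion and policy deletion.

Added example (not the patent's or ZTE's code). The security container,
correspondence table and switch representations are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SecurityGroupRule = Tuple[str, str, str]  # (source segment, direction, action)
FlowKey = Tuple[str, str, str]            # (dst_ip, source segment, action)


@dataclass
class SecurityContainer:
    policy_name: str
    label_selector: Dict[str, str]   # labels a Pod must carry to match
    rules: List[SecurityGroupRule]


@dataclass
class VirtualSwitch:
    """One per host; holds the ACL-derived flows installed for its Pods."""
    flows: Set[FlowKey] = field(default_factory=set)


@dataclass
class SdnController:
    # policy storage module: policy name -> security container (S7)
    policy_store: Dict[str, SecurityContainer] = field(default_factory=dict)
    # correspondence table (S5a): Pod virtual-port IP -> policy name landed
    correspondence: Dict[str, str] = field(default_factory=dict)
    # which switch hosts each Pod port, needed to reach it on deletion
    port_switch: Dict[str, VirtualSwitch] = field(default_factory=dict)

    def store_policy(self, container: SecurityContainer) -> None:
        """S7: store the security container keyed by policy name."""
        self.policy_store[container.policy_name] = container

    def _match(self, labels: Dict[str, str]) -> Optional[SecurityContainer]:
        """S4: first container whose label selector is satisfied by the Pod labels."""
        for container in self.policy_store.values():
            if all(labels.get(k) == v for k, v in container.label_selector.items()):
                return container
        return None

    def on_port_create(self, pod_ip: str, labels: Dict[str, str],
                       switch: VirtualSwitch) -> bool:
        """S3 to S5a: land matching rules on the Pod's switch and record the IP."""
        self.port_switch[pod_ip] = switch
        container = self._match(labels)
        if container is None:
            return False                      # nothing to land, no table entry
        for src, _direction, action in container.rules:
            switch.flows.add((pod_ip, src, action))
        self.correspondence[pod_ip] = container.policy_name
        return True

    def on_pod_delete(self, pod_ip: str) -> bool:
        """S10 to S12: remove the Pod's flows, then its correspondence entry."""
        switch = self.port_switch.pop(pod_ip, None)
        policy_name = self.correspondence.get(pod_ip)
        if policy_name is None:
            return False                      # S10: no entry, nothing to delete
        self._remove_flows(pod_ip, switch, self.policy_store.get(policy_name))
        del self.correspondence[pod_ip]       # S12: entry gone before IP can be reused
        return True

    def on_policy_delete(self, policy_name: str) -> int:
        """S14 to S15 plus reverse lookup: clear the policy from every switch it landed on."""
        container = self.policy_store.pop(policy_name, None)
        if container is None:
            return 0
        landed = [ip for ip, name in self.correspondence.items() if name == policy_name]
        for pod_ip in landed:
            self._remove_flows(pod_ip, self.port_switch.get(pod_ip), container)
            del self.correspondence[pod_ip]
        return len(landed)

    @staticmethod
    def _remove_flows(pod_ip: str, switch: Optional[VirtualSwitch],
                      container: Optional[SecurityContainer]) -> None:
        """Delete the same flow keys that were installed for this Pod (S11)."""
        if switch is None or container is None:
            return
        for src, _direction, action in container.rules:
            switch.flows.discard((pod_ip, src, action))
```

The reverse lookup in on_policy_delete is what keeps a deleted scheme from lingering on switches: the policy storage module alone does not know which Pods the rules were landed on, so the correspondence table is scanned by policy name. Deleting the correspondence entry in on_pod_delete before the address can be allocated again matters for the same reason, since the table is keyed by IP address rather than by Pod identity.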
An embodiment of the present disclosure further provides a container cluster management system, including: one or more first processors and a first storage device; wherein the first storage device has one or more programs stored thereon; the one or more programs, when executed by the one or more first processors, cause the one or more first processors to implement the network quarantine policy management method as provided by the foregoing embodiments.
An embodiment of the present disclosure further provides a software-defined network controller, including: one or more second processors and a second storage device; wherein the second storage device has one or more programs stored thereon; the one or more programs, when executed by the one or more second processors, cause the one or more second processors to implement the network isolation policy management method provided by the foregoing embodiments.
The embodiment of the present disclosure further provides a network isolation policy management system, including: the foregoing embodiments provide a container cluster management system and a software defined network controller.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods disclosed above, and the functional modules/units in the apparatus, may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and should be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, features, characteristics and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics and/or elements described in connection with other embodiments, unless expressly stated otherwise, as would be apparent to one skilled in the art. Accordingly, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the disclosure as set forth in the appended claims.

Claims (15)

1. A network isolation policy management method, comprising:
responding to a container bin establishing request sent by a user side, binding a corresponding label, and writing establishing position information of a first container bin to be established into a virtual switch configuration library so as to establish a related network bridge on a virtual switch;
and sending a network port establishment and policy issuing request to a software-defined network controller, so that the software-defined network controller, in response to the network port establishment and policy issuing request, establishes a virtual network port for the first container bin and, when it stores network isolation policy information matching the label of the first container bin, sends that network isolation policy information to the virtual switch where the first container bin is located.
2. The network quarantine policy management method according to claim 1, further comprising:
in response to a network isolation policy scheme configuration request sent by a user side, forwarding a received network isolation policy scheme to the software defined network controller, where the network isolation policy scheme includes: network quarantine policy information and a tag selector that defines a tag for a container bin to which the network quarantine policy information applies.
3. The network quarantine policy management method according to claim 1, further comprising:
responding to a container bin deleting request sent by a user side, forwarding the container bin deleting request to a container bin deleting system so that the container bin deleting system deletes a corresponding second container bin, wherein the container bin deleting request comprises: the bin name of the second container bin to be deleted;
and determining the IP address of the virtual network port of the second container bin according to the bin name of the second container bin, and sending a first deletion control request to the software-defined network controller, so that the software-defined network controller sends a policy deletion instruction to the virtual switch where the second container bin is located when network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in a corresponding relation table stored in advance in the software-defined network controller in response to the first deletion control request.
4. The network quarantine policy management method according to claim 1, further comprising:
in response to a network isolation policy scheme deletion request sent by a user side, sending a second deletion control request to the software-defined network controller, so that the software-defined network controller, in response to the second deletion control request, deletes the network isolation policy information corresponding to the policy name of a target network isolation policy scheme when it stores network isolation policy information corresponding to that policy name;
the second deletion control request includes: the policy name of the target network isolation policy scheme.
5. A network isolation policy management method, comprising:
responding to a network port establishing and strategy issuing request sent by a container cluster management system, establishing a virtual network port for a first container bin, and allocating an IP address for the virtual network port, wherein the network port establishing and strategy issuing request comprises the following steps: a bin name and a label for the first bin of containers;
querying, according to the label of the first container bin, whether network isolation policy information matching the label of the first container bin is stored in the software-defined network controller itself;
and when network isolation policy information matching the label of the first container bin is found, sending the queried network isolation policy information to the virtual switch where the first container bin is located through the IP address.
6. The network quarantine policy management method according to claim 5, further comprising:
receiving a network isolation policy scheme sent by a container cluster management system, and storing the received network isolation policy scheme to a policy storage module, wherein the network isolation policy scheme comprises: network quarantine policy information and a tag selector that defines a tag for a container bin to which the network quarantine policy information applies.
7. The method according to claim 6, wherein the step of storing the received network quarantine policy scheme in a policy storage module comprises:
creating a security container in the policy storage module, and encapsulating network isolation policy information in the network isolation policy scheme in the security container in the form of security group rules;
and establishing a corresponding relation between the security container and a label selector in the network isolation strategy scheme.
8. The method according to claim 5, wherein, when it is found that network isolation policy information matching the label of the first container bin is stored in the software-defined network controller itself, the method further comprises:
and establishing a corresponding relation between the IP address and the inquired network isolation strategy information, and storing the corresponding relation into a predefined corresponding relation table.
9. The network quarantine policy management method according to claim 5, further comprising:
responding to a first deletion control request sent by the container cluster management system, and inquiring whether network isolation strategy information corresponding to the IP address of the virtual network port of the second container bin exists in a corresponding relation table stored in advance; wherein the first deletion control request includes: the IP addresses of the virtual network ports of the second container bin and the corresponding relation table are recorded with the IP addresses of the virtual network ports of different container bins and the corresponding network isolation strategy information;
when the network isolation policy information corresponding to the IP address of the virtual network port of the second container bin exists in the corresponding relation table, sending a policy deleting instruction to the virtual switch where the second container bin is located according to the inquired network isolation policy information, so that the virtual switch where the second container bin is located deletes the network isolation policy information which is stored in the virtual switch and is applied to the second container bin.
10. The method according to claim 9, wherein when it is found out that the network isolation policy information corresponding to the IP address of the virtual portal of the second container bay exists in the correspondence table, the method further comprises:
and deleting the corresponding relation between the IP address of the virtual network port of the second container bin recorded in the corresponding relation table and the network isolation strategy information.
11. The network quarantine policy management method according to claim 5, further comprising:
in response to a second deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the policy name of a target network isolation policy scheme is stored in the software-defined network controller itself; wherein the second deletion control request includes: the policy name of the target network isolation policy scheme;
and when network isolation policy information corresponding to the policy name of the target network isolation policy scheme is found, deleting the stored network isolation policy information corresponding to that policy name.
12. The method according to claim 5, wherein the step of sending the queried network isolation policy information to the virtual switch where the first container bin is located via the IP address comprises:
mapping the inquired network isolation strategy information into an access control list;
and sending the mapped access control list to the corresponding virtual switch in a flow table form by adopting an openflow protocol through the IP address.
13. A container cluster management system, comprising:
one or more first processors;
a first storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more first processors, cause the one or more first processors to implement the method of any of claims 1-4.
14. A software defined network controller, comprising:
one or more second processors;
a second storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more second processors, cause the one or more second processors to implement the method of any of claims 5-12.
15. A network isolation policy management system, comprising: the container cluster management system as claimed in claim 13 and the software defined network controller as claimed in claim 14.
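Claims 9-12 describe the controller-side bookkeeping: a correspondence table keyed by the virtual network port IP of a container bin, deletion of an entry when a bin is removed (claim 10), deletion of stored policy information by policy name (claim 11), and the mapping of policy information to an access control list that is pushed to the virtual switch as OpenFlow flow entries (claim 12). The following is an added example in Python, not code from the patent or from ZTE; the policy fields, the two-table layout, the priority values and the ovs-ofctl-style flow text are assumptions chosen to make the procedure concrete. It also drops port bindings that reference a deleted policy, a caveat the claims do not spell out, so a stale correspondence cannot cause a deleted policy to be re-pushed.

```python
"""Added example (not the patent's code): controller-side state of claims 9-12.
Field names, table layout and the ovs-ofctl-style flow text are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One permitted ingress source for a container bin (assumed policy shape)."""
    src_cidr: str   # who may reach the bin
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port on the bin


@dataclass
class Policy:
    """Network isolation policy information, identified by its policy name."""
    name: str
    allow: list[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    src_cidr: str
    dst_ip: str
    proto: str | None    # None means any IP protocol
    dst_port: int | None


class PolicyStore:
    """policy name -> policy, plus the correspondence table port IP -> policy name."""

    def __init__(self) -> None:
        self.by_name: dict[str, Policy] = {}
        self.port_table: dict[str, str] = {}

    def add_policy(self, policy: Policy) -> None:
        for r in policy.allow:   # reject malformed rules before they become flows
            if r.proto not in ("tcp", "udp") or not 0 < r.dst_port < 65536:
                raise ValueError(f"bad rule in {policy.name}: {r}")
            ip_network(r.src_cidr)   # strict: host bits set is an error
        self.by_name[policy.name] = policy

    def bind_port(self, port_ip: str, policy_name: str) -> None:
        """Record the correspondence for a container bin's virtual port IP."""
        if policy_name not in self.by_name:
            raise KeyError(policy_name)
        self.port_table[str(ip_address(port_ip))] = policy_name

    def delete_port_binding(self, port_ip: str) -> bool:
        """Claim 10: remove the IP -> policy correspondence if one is recorded."""
        return self.port_table.pop(port_ip, None) is not None

    def delete_policy(self, policy_name: str) -> bool:
        """Claim 11: delete stored policy information by name.  Bindings that
        point at it are dropped too, so a later lookup cannot re-push it."""
        if policy_name not in self.by_name:
            return False
        del self.by_name[policy_name]
        self.port_table = {ip: n for ip, n in self.port_table.items() if n != policy_name}
        return True

    def lookup(self, port_ip: str) -> Policy | None:
        name = self.port_table.get(port_ip)
        return self.by_name.get(name) if name else None


def policy_to_acl(policy: Policy, dst_ip: str) -> list[AclEntry]:
    """Claim 12, step 1: one permit per rule, then a catch-all deny for the bin."""
    acl = [AclEntry("permit", str(ip_network(r.src_cidr)), dst_ip, r.proto, r.dst_port)
           for r in policy.allow]
    acl.append(AclEntry("deny", "0.0.0.0/0", dst_ip, None, None))
    return acl


def acl_to_flows(acl: list[AclEntry], table: int = 0) -> list[str]:
    """Claim 12, step 2: render the ACL as flow entries; permits outrank the drop."""
    flows = []
    for e in acl:
        fields = [f"table={table}", f"priority={200 if e.action == 'permit' else 100}",
                  e.proto or "ip", f"nw_src={e.src_cidr}", f"nw_dst={e.dst_ip}"]
        if e.dst_port is not None:
            fields.append(f"tp_dst={e.dst_port}")
        fields.append("actions=normal" if e.action == "permit" else "actions=drop")
        flows.append(",".join(fields))
    return flows


def flows_for_port(store: PolicyStore, port_ip: str) -> list[str]:
    """Flows to push to the virtual switch hosting port_ip; empty if no policy is recorded."""
    policy = store.lookup(port_ip)
    return [] if policy is None else acl_to_flows(policy_to_acl(policy, port_ip))


if __name__ == "__main__":
    store = PolicyStore()   # constructed sample data, not taken from the patent
    store.add_policy(Policy("web-allow", [Rule("10.244.1.0/24", "tcp", 8080),
                                          Rule("10.244.3.7/32", "udp", 53)]))
    store.bind_port("10.244.2.5", "web-allow")
    print("\n".join(flows_for_port(store, "10.244.2.5")))
    print("binding deleted:", store.delete_port_binding("10.244.2.5"))
```

The default-deny entry is what makes the ACL an isolation policy rather than a list of allowances; without it, a policy with no rules would leave the bin fully reachable. A real controller would carry the same match fields in OpenFlow FlowMod messages rather than in ovs-ofctl text.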
CN201910851744.7A 2019-09-04 2019-09-04 Network isolation policy management method and network isolation policy management system Pending CN112543108A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910851744.7A CN112543108A (en) 2019-09-04 2019-09-04 Network isolation policy management method and network isolation policy management system
PCT/CN2020/099021 WO2021042846A1 (en) 2019-09-04 2020-06-29 Network isolation policy management method and network isolation policy management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910851744.7A CN112543108A (en) 2019-09-04 2019-09-04 Network isolation policy management method and network isolation policy management system

Publications (1)

Publication Number Publication Date
CN112543108A true CN112543108A (en) 2021-03-23

Family

ID=74852057

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910851744.7A Pending CN112543108A (en) 2019-09-04 2019-09-04 Network isolation policy management method and network isolation policy management system

Country Status (2)

Country Link
CN (1) CN112543108A (en)
WO (1) WO2021042846A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113608824A (en) * 2021-06-28 2021-11-05 济南浪潮数据技术有限公司 Cluster external service access control method, system, device and readable storage medium
CN114640678A (en) * 2022-03-14 2022-06-17 明阳产业技术研究院(沈阳)有限公司 Pod management method, device and medium based on SR-IOV

Families Citing this family (2)

Publication number Priority date Publication date Assignee Title
CN113965376B (en) * 2021-10-21 2023-09-19 合肥城市云数据中心股份有限公司 Cloud host remote data communication method based on data isolation platform
CN114389886B (en) * 2022-01-14 2024-03-08 平安科技(深圳)有限公司 Access method, device, equipment and storage medium of virtual private cloud service

Citations (7)

Publication number Priority date Publication date Assignee Title
CN104081733A (en) * 2012-01-31 2014-10-01 国际商业机器公司 Interconnecting data centers for migration of virtual machines
CN104104572A (en) * 2014-07-15 2014-10-15 杭州华三通信技术有限公司 Automatic deploying method and device for switch in SDN network
US20160378518A1 (en) * 2015-06-29 2016-12-29 Vmware, Inc. Policy based provisioning of containers
US20170093923A1 (en) * 2015-09-29 2017-03-30 NeuVector, Inc. Creating Additional Security Containers For Transparent Network Security For Application Containers Based On Conditions
CN107222353A (en) * 2017-07-11 2017-09-29 中国科学技术大学 The unrelated software defined network virtual management platform of supported protocol
CN107864131A (en) * 2017-11-03 2018-03-30 郑州云海信息技术有限公司 A kind of method and system for realizing Kubernetes cluster multi-tenant Network Isolations
CN109542630A (en) * 2019-01-29 2019-03-29 中国人民解放军火箭军工程大学 A kind of mobile communication net network function virtual platform based on container cloud

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN107947961B (en) * 2017-10-17 2021-07-30 上海数讯信息技术有限公司 SDN-based Kubernetes network management system and method
CN110198231B (en) * 2018-05-08 2022-02-25 腾讯科技(深圳)有限公司 Container network management method and system for multiple tenants and middleware
CN109947452A (en) * 2019-03-26 2019-06-28 南京联创信息科技有限公司 A kind of Kubernetes container platform application update method

Non-Patent Citations (2)

Title
RAFAEL TOLOSANA-CALASANZ: "Characterising resource management performance in Kubernetes", 《COMPUTERS & ELECTRICAL ENGINEERING》, 31 May 2018 (2018-05-31) *
马征;缪凯;张广温;: "浅析Kubernetes容器虚拟化技术", 金融电子化, no. 06, 15 June 2018 (2018-06-15) *

Also Published As

Publication number Publication date
WO2021042846A1 (en) 2021-03-11

Similar Documents

Publication Publication Date Title
US9602307B2 (en) Tagging virtual overlay packets in a virtual networking system
US11863625B2 (en) Routing messages between cloud service providers
US11962501B2 (en) Extensible control plane for network management in a virtual infrastructure environment
US11086653B2 (en) Forwarding policy configuration
US11005752B2 (en) Packet transmission
CN112543108A (en) Network isolation policy management method and network isolation policy management system
US10063470B2 (en) Data center network system based on software-defined network and packet forwarding method, address resolution method, routing controller thereof
US20150188802A1 (en) System for supporting multi-tenant based on private ip address in virtual private cloud networks and operating method thereof
US20140310393A1 (en) Virtual Network and Management Method of Virtual Network
EP2905930A1 (en) Processing method, apparatus and system for multicast
CN105323136A (en) Information processing method and device
US20220006758A1 (en) Multisite interconnect and policy with switching fabrics
JP2004038922A (en) Technique for enabling a plurality of virtual filers on single filer to participate in a plurality of address spaces with overlapping network addresses
CN111010329B (en) Message transmission method and device
US9641611B2 (en) Logical interface encoding
CN104734930B (en) Method and device for realizing access of Virtual Local Area Network (VLAN) to Variable Frequency (VF) network and Fiber Channel Frequency (FCF)
CN111404797B (en) Control method, SDN controller, SDN access point, SDN gateway and CE
CN112583655B (en) Data transmission method and device, electronic equipment and readable storage medium
WO2016101515A1 (en) Method and apparatus for determining information technology (it) device port
CN110519147A (en) Data frame transmission method, device, equipment and computer readable storage medium
CN105591890A (en) Method and device for updating mapping buffering of ingress router
CN110535829B (en) Data interaction method and video networking system
CN109088767B (en) Route updating method and device
CN113973045B (en) Message transmission method and device
CN105763669A (en) Method and device for supporting host name mapping of edge device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination