CN113779618A - Information security protection method and system for secret resource in k8s

Info

Publication number: CN113779618A
Application number: CN202110914777.9A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 刘鹏
Assignee (current and original): Jinan Inspur Data Technology Co Ltd
Legal status: Withdrawn
Prior art keywords: secret, resource, secret resource, access request, information

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/44 Program or device authentication
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention discloses an information security protection method and system for secret resources in k8s. The information security protection method for secret resources in k8s comprises the following steps: intercepting the created secret resource when a creation action on a secret resource in k8s is monitored; encrypting the information of the intercepted secret resource according to a preset encryption algorithm; and storing the encrypted secret resource in the distributed key-value database of k8s. The technical scheme of the invention can solve the problem that, in the prior art, secret resources have few information security protection measures and their information is therefore unsafe.

Description

Information security protection method and system for secret resource in k8s
Technical Field
The invention relates to the technical field of information storage, in particular to an information security protection method and system for secret resources in k8s.
Background
K8s, short for Kubernetes, is an open source container orchestration engine that supports functions such as automatic deployment, large-scale scalability and application containerization management. k8s allows multiple containers to be created, each running an application instance inside, and then management, discovery and access for each set of application instances is achieved through built-in load balancing policies.
k8s contains secret resources: a secret resource is used to store sensitive information such as a user name, a password, a digital certificate, a private key, a token or an SSH key, so that each application instance can be supported through the secret resource.
In the cloud computing era k8s is widely used, and especially in microservice scenarios it brings great convenience and feasibility, so sensitive information is often handled when k8s is used. When such sensitive information is used, a k8s resource object such as a secret is often employed. However, at present k8s only base64-encodes secret resources once; the sensitive information is not really encrypted, which is unsafe for the sensitive information, and an attacker can recover the original data with a simple base64 decoding tool.
Disclosure of Invention
The invention provides an information security protection method and system for secret resources in k8s, and aims to solve the problem that in the prior art secret resources have few information security protection measures, so that the information of secret resources is unsafe.
According to a first aspect of the present invention, the present invention provides an information security protection method for secret resources in k8s, including:
intercepting the created secret resource when the creating action of the secret resource in k8s is monitored;
carrying out information encryption on the intercepted secret resource according to a preset encryption algorithm;
and storing the encrypted secret resource in the distributed key value database of k8s.
Preferably, the information security protection method further includes:
when monitoring an access request of the secret resource, extracting the secret resource from the distributed key value database according to the access request;
decrypting the information of the secret resource by using a key corresponding to a preset encryption algorithm;
and feeding back the decrypted secret resource according to the access request.
Preferably, the information security protection method further includes:
performing access authority authentication on the monitored access request;
when the access authority authentication is successful, a step of extracting secret resources from the distributed key value database according to the access request is executed;
and when the access authority authentication fails, feeding back the access request with a pseudo secret resource prestored in the distributed key value database, and sending alarm information to the superior network.
Preferably, the step of intercepting the created secret resource when monitoring the creation action of the secret resource in k8s includes:
monitoring the creating action of the secret resource through an Application Programming Interface (API);
intercepting the secret resource by using a network interception tool when the creating action of the secret resource is monitored;
and transmitting the intercepted secret resource to a user-defined resource for information encryption by using a network interception tool.
Preferably, the step of encrypting the intercepted secret resource according to a preset encryption algorithm includes:
receiving and analyzing sensitive information contained in the secret resource by using a user-defined resource;
and the user-defined resource encrypts the sensitive information by using the key stored in the distributed key value database according to a preset encryption algorithm.
Preferably, before the step of encrypting the intercepted secret resource according to a preset encryption algorithm, the method further comprises:
acquiring an access right corresponding to the secret resource;
generating a key of the preset encryption algorithm according to the access authority corresponding to the secret resource;
storing the key in the distributed key-value database.
Preferably, the information security protection method further includes:
matching a corresponding key from the distributed key value database by using the access authority of the access request when the access authority of the monitored access request is successfully authenticated;
the secret resource is decrypted using the key.
According to a second aspect of the present invention, the present invention further provides an information security protection system for secret resources in k8s, including:
the intercepting module is used for intercepting the created secret resource when the creating action of the secret resource in the k8s is monitored;
the encryption module is used for encrypting the intercepted secret resource according to a preset encryption algorithm;
and the storage module is used for storing the encrypted secret resource in the distributed key value database of k8s.
Preferably, the information security protection system further includes:
the extraction module is used for extracting the secret resource from the distributed key value database according to the access request when the access request of the secret resource is monitored;
the decryption module is used for decrypting the information of the secret resource by using a key corresponding to a preset encryption algorithm;
and the sending module is used for feeding back the decrypted secret resource according to the access request.
Preferably, the information security protection system further includes:
the authentication module is used for carrying out access authority authentication on the monitored access request, and when the access authority authentication is successful, the extraction module is executed;
and the sending module is also used for feeding back the access request by using the pseudo secret resource prestored in the distributed key value database and sending alarm information to the superior network when the authentication module fails to authenticate the access authority.
Preferably, the intercepting module includes:
the action monitoring submodule is used for monitoring the creating action of the secret resource through an Application Programming Interface (API);
the resource interception submodule is used for intercepting the secret resource by using a network interception tool;
and the resource transmission submodule is used for transmitting the intercepted secret resources to user-defined resources by using a network interception tool for information encryption.
Preferably, the encryption module includes:
the information analysis submodule is used for receiving and analyzing the sensitive information contained in the secret resource by using the user-defined resource;
and the information encryption submodule is used for encrypting the sensitive information by using the key stored in the distributed key value database according to a preset encryption algorithm.
According to the information security protection scheme for secret resources in k8s, a uniform monitoring entry is set for monitoring secret resources in k8s; the created secret resource is intercepted when the creation action of a secret resource in k8s is monitored; the intercepted secret resource is then encrypted according to a preset encryption algorithm; and finally the encrypted secret resource is stored in the distributed key value database of k8s. According to the embodiment of the application, the intercepted secret resources are encrypted by the preset encryption algorithm before being stored in the distributed key value database, so that the sensitive information in the secret resources is protected and the risk of the traditional approach, in which the original k8s cannot encrypt the secret resources, is avoided.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from the structures shown in these drawings without creative effort.
Fig. 1 is a schematic flowchart of a first information security protection method for secret resources in k8s according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the method for intercepting a secret resource provided in the embodiment shown in Fig. 1;
Fig. 3 is a schematic flowchart of the method for encrypting a secret resource provided in the embodiment shown in Fig. 1;
Fig. 4 is a schematic flowchart of a second information security protection method for secret resources in k8s according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a third information security protection method for secret resources in k8s according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a fourth information security protection method for secret resources in k8s according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of a fifth information security protection method for secret resources in k8s according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an information security protection system for secret resources in k8s according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an information security protection system for secret resources in k8s according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of the intercepting module provided in the embodiment shown in Fig. 8;
Fig. 11 is a schematic structural diagram of the encryption module provided in the embodiment shown in Fig. 8.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main technical problems of the embodiment of the invention are as follows:
k8s contains secret resources: a secret resource is used to store sensitive information such as a user name, a password, a digital certificate, a private key, a token or an SSH key, so that each application instance can be supported through the secret resource. However, at present k8s only base64-encodes secret resources once; the sensitive information is not really encrypted, which is unsafe for the sensitive information, and an attacker can recover the original data with a simple base64 decoding tool.
In order to solve the above problem, referring to fig. 1 in particular, fig. 1 is a schematic flow chart of an information security protection method for secret resources in k8s according to an embodiment of the present invention, as shown in fig. 1, the information security protection method includes:
S110: intercepting the created secret resource when the creation action of a secret resource in k8s is monitored. In this scheme, a uniform monitoring entry is set up through the CRD resource and used to monitor the creation action of the secret resource, so that the secret resource is accurately intercepted.
As a preferred embodiment, as shown in fig. 2, the step of intercepting the created secret resource specifically includes:
S111: monitoring the creation action of the secret resource through an Application Programming Interface (API). In general, a user performs the creation action of a secret resource (including the modification action of a secret resource) through the API, and in the embodiment of the present application the uniform listening entry provided by the user-defined resource (CRD) listens on the API interface in order to listen for the creation action of the secret resource.
S112: intercepting the secret resource using a network interception tool when the creation action of the secret resource is monitored. In the embodiment of the application, the webhook plug-in, a network interception tool, is used to intercept the creation request of the secret resource and then forward the creation request to the corresponding CRD controller.
S113: and transmitting the intercepted secret resource to a user-defined resource for information encryption by using a network interception tool.
In the technical scheme provided by the embodiment of the application, when the creating action of the secret resource is monitored, the secret resource is intercepted by using a webhook tool of a network interception tool, and then the intercepted secret resource is transmitted to the user-defined resource for information encryption, so that the secret resource can be encrypted before being stored in the distributed key value database, and the security of sensitive information in the secret resource is improved. In addition, since the secret resource needs to be transmitted through the distributed network in k8s, the secret resource can be accurately intercepted by using the webhook tool.
As shown in Fig. 1, the method for protecting the information security of secret resources in k8s according to the embodiment of the present application further includes, after step S110, the following steps:
S120: encrypting the intercepted secret resource according to a preset encryption algorithm. The preset encryption algorithm can be defined by the user or stored in the distributed key value database in advance. When the network interception tool transmits the secret resource to the user-defined resource for information encryption, the intercepted secret resource is encrypted by the user-defined resource according to the preset encryption algorithm, so that the data security of the sensitive information in the secret resource is ensured.
Specifically, as a preferred embodiment, as shown in fig. 3, the step of encrypting the intercepted secret resource according to a preset encryption algorithm provided in the embodiment of the present application specifically includes:
S121: receiving and analyzing the sensitive information contained in the secret resource using the user-defined resource. The user-defined resource (CRD) can receive the secret resource forwarded by the webhook in a user-defined manner, parse the secret resource and obtain the sensitive information it contains, which enables the security protection of the secret resource.
S122: the user-defined resource encrypts the sensitive information according to the preset encryption algorithm using the key stored in the distributed key value database. In the user-defined resource (CRD), the encryption algorithm can be customized by the user according to the preset encryption algorithm, the corresponding key is prestored in the distributed key value database, and the sensitive information is encrypted with the key stored in the distributed key value database, so that the sensitive information in the secret resource is protected and its leakage is avoided.
According to the technical scheme provided by the embodiment of the application, the sensitive information contained in the secret resource is received and analyzed using the user-defined resource (CRD), and the CRD then encrypts the sensitive information according to the preset encryption algorithm using the key stored in the distributed key value database, so that the sensitive information in the secret resource is protected and its leakage is avoided.
S130: storing the encrypted secret resource in the distributed key value database of k8s. Typically the secret resource is stored in the distributed key-value database of k8s, which persists the data in the secret resource. In the embodiment of the application, the secret resource is intercepted and encrypted before it is stored in the distributed key value database, so that the leakage of sensitive information in the secret resource is avoided and the safety of the secret resource in the distributed key value database is ensured.
In summary, in the information security protection method for secret resources in k8s provided in the embodiment of the present application, a uniform listening entry is set for listening to secret resources in k8s; the created secret resource is intercepted when the creation action of a secret resource in k8s is monitored; the intercepted secret resource is then encrypted according to a preset encryption algorithm; and finally the encrypted secret resource is stored in the distributed key value database of k8s. According to the embodiment of the application, the intercepted secret resources are encrypted by the preset encryption algorithm before being stored in the distributed key value database, so that the sensitive information in the secret resources is protected and the risk of the traditional approach, in which the original k8s cannot encrypt the secret resources, is avoided. In addition, according to the technical scheme provided by the embodiment of the application, if the webhook intercepts a request to delete a secret resource, the browser in the CRD resource is called to delete the related secret resource.
After the encrypted secret resource is stored in the distributed key value database, the secret resource can be called at any time, and in order to ensure reliable transmission of the secret resource, the encrypted secret resource needs to be decrypted. Specifically, as a preferred embodiment, as shown in Fig. 4, the information security protection method provided in the embodiment of the present application further includes the following steps in addition to the above steps:
S210: monitoring an access request for a secret resource. In the embodiment of the application, a user generally creates an access request for the secret resource through the API, and the webhook intercepts the access request for the secret resource, so that the access request can be parsed, verified and otherwise processed before the secret resource is called.
S220: when an access request for the secret resource is monitored, extracting the secret resource from the distributed key value database according to the access request. In the embodiment of the application, the controller in the CRD resource extracts the secret resource.
S230: decrypting the secret resource using the key corresponding to the preset encryption algorithm. After the access request for the secret resource is received, the secret resource is decrypted with the key corresponding to the preset encryption algorithm, so that the user can access the data in the secured secret resource.
S240: and feeding back the decrypted secret resource according to the access request.
According to the technical scheme provided by the embodiment of the application, after an access request for the secret resource is monitored, the secret resource is extracted from the distributed key value database according to the access request and securely decrypted using the key corresponding to the preset encryption algorithm. If the secret resource can be decrypted with the corresponding key, the sensitive data in the secret resource has not been tampered with and the data is safe and reliable; the decrypted secret resource is then transmitted and fed back to the corresponding user, so that the sensitive data is fed back securely.
Since the access request may not be an access request of an authenticated user, if the sensitive data in the secret resource is fed back to the user corresponding to the access request, the information of the secret resource may be leaked, thereby reducing the security of the system. In order to solve this problem, as a preferred embodiment, as shown in fig. 5, the information security protection method provided in the embodiment of the present application further includes, in addition to the above steps:
S310: performing access authority authentication on the monitored access request, and when the access authority authentication succeeds, executing the step of extracting the secret resource from the distributed key value database according to the access request. The embodiment of the application performs access authority authentication on the monitored access request, for example authentication of the accessing client, of the access certificate and of the accessing user name. When the access authority authentication succeeds, it is determined that the user corresponding to the access request has the access authority; the secret resource is then extracted from the distributed key value database according to the above steps and fed back to the corresponding user side. When the authentication of the access request fails and it is determined that the user does not have the access right, the following step S320 is performed.
S320: when the access authority authentication fails, feeding back the access request with a pseudo secret resource prestored in the distributed key value database, and sending alarm information to the superior network.
According to the technical scheme provided by the embodiment of the application, when the access authority authentication fails, the pseudo secret resource stored in the distributed key value database is fed back to the user corresponding to the access request, so that the real secret resource is protected, and alarm information is sent to the superior network in time so that the responsible administrator knows that the secret resource is at risk of theft. The alarm information includes the authority authentication result of the access request, the accessing user name, the accessing client and other information.
In order to secure the secret resource, it is necessary to stipulate that only a user authorized with the access right of a secret resource can access that secret resource. Therefore, to ensure the security of the secret resource, as a preferred embodiment, as shown in Fig. 6, before the step of encrypting the intercepted secret resource according to the preset encryption algorithm, the method further includes the following steps:
S410: acquiring the access right corresponding to the secret resource. The access right corresponding to the secret resource can be obtained by monitoring the corresponding creating user when the secret resource is created; or it can be looked up in the distributed key value database according to the type of the secret resource, or generated from the type of the secret resource according to a certain rule.
S420: generating the key of the preset encryption algorithm according to the access authority corresponding to the secret resource. Because the key of the preset encryption algorithm is generated from the access right corresponding to the secret resource, the key can be used only after the system has successfully verified the authorized user, which ensures the security of the secret resource.
S430: storing the key in the distributed key-value database.
According to the technical scheme provided by the embodiment of the application, the key of the preset encryption algorithm is generated according to the access authority corresponding to the secret resource, and then the key is stored in the distributed key value database, so that the secret resource can be encrypted according to the access authority, and therefore only an authorized user can view the secret resource.
As a preferred embodiment, as shown in fig. 7, the information security protection method further includes the following steps:
S510: when the access authority of the monitored access request is successfully authenticated, matching the corresponding key from the distributed key value database using the access authority of the access request;
S520: decrypting the secret resource using the key.
In the technical scheme provided by the embodiment of the application, because the key is generated according to the access authority, only an authorized user can perform access operation on the secret resource, and therefore, when the access authority of the monitored access request is successfully authenticated, the access authority of the access request is used for matching the corresponding key in the distributed key value database, so that the secret resource can be decrypted, and the data security of the secret resource is further ensured.
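The creation path (S110-S130 with the authority-bound key of S410-S430) and the access path (S210-S320, S510-S520) described above, as an added example that is not part of the patent and not the applicant's code. It reduces the webhook and CRD to two functions over an in-memory stand-in for etcd; the preset algorithm is assumed to be AES-256-GCM, the per-authority key is assumed to be derived from a constructed master key with SHA-256, and the credential map standing in for the S310 client/certificate/user-name checks is an assumption as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Store is a hypothetical in-memory stand-in for the distributed key-value
// database (etcd) holding the encrypted Secret data (S130) and the pseudo secret
// (S320); creds stands in for the client/certificate/user-name checks of S310.
type Store struct {
	master  []byte                       // constructed master key; per-authority keys derive from it
	secrets map[string]map[string][]byte // secret name -> field -> AES-GCM ciphertext
	creds   map[string]string            // client credential -> access authority it proves
	Pseudo  map[string]string            // decoy data returned on failed authentication
	Alarms  []string                     // alarm messages "sent to the superior network"
}

func NewStore(master []byte, creds map[string]string) *Store {
	return &Store{master: master, creds: creds, secrets: map[string]map[string][]byte{},
		Pseudo: map[string]string{"password": "decoy"}}
}

// keyFor generates the key of the preset algorithm from the access authority (S420);
// a deployment would persist it (S430), here it is re-derived: one authority, one key.
func (s *Store) keyFor(authority string) []byte {
	k := sha256.Sum256(append(append([]byte{}, s.master...), authority...))
	return k[:]
}

func seal(key, plain []byte) []byte {
	blk, _ := aes.NewCipher(key) // 32-byte SHA-256 output: NewCipher/NewGCM cannot fail
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}

func open(key, sealed []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	n := gcm.NonceSize() // sealed always comes from seal, so it is at least nonce-sized
	return gcm.Open(nil, sealed[:n], sealed[n:], nil) // wrong key or tampering -> error
}

// InterceptCreate plays the webhook + CRD side of S110-S130: data is the Secret's
// data map as received (base64 values); the result is what the webhook patches back.
func (s *Store) InterceptCreate(name string, data map[string]string, authority string) (map[string]string, error) {
	key, stored, out := s.keyFor(authority), map[string][]byte{}, map[string]string{}
	for field, b64 := range data {
		plain, err := base64.StdEncoding.DecodeString(b64) // k8s only base64-encodes (S121)
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", field, err)
		}
		stored[field] = seal(key, plain)
		out[field] = base64.StdEncoding.EncodeToString(stored[field])
	}
	s.secrets[name] = stored
	return out, nil
}

// Access plays S310-S320 and S510-S520: authenticate, match the key by the request's
// authority and decrypt; failed authentication gets the decoy plus an alarm, not an error.
func (s *Store) Access(name, credential, client string) (map[string]string, bool, error) {
	authority, ok := s.creds[credential]
	if !ok {
		s.Alarms = append(s.Alarms, fmt.Sprintf("auth failed: client=%s secret=%s", client, name))
		return s.Pseudo, false, nil
	}
	ct, ok := s.secrets[name]
	if !ok {
		return nil, true, errors.New("no such secret")
	}
	key, out := s.keyFor(authority), map[string]string{}
	for field, c := range ct {
		plain, err := open(key, c)
		if err != nil {
			return nil, true, fmt.Errorf("field %s: %w", field, err)
		}
		out[field] = string(plain)
	}
	return out, true, nil
}

func main() {
	st := NewStore([]byte("constructed-master-key"), map[string]string{"tok-a": "ns/app:role/db"})
	enc, _ := st.InterceptCreate("db-creds", map[string]string{"password": "aHVudGVyMg=="}, "ns/app:role/db")
	fmt.Println(enc) // base64 ciphertext the webhook writes back in place of the base64 plaintext
	fmt.Println(st.Access("db-creds", "tok-a", "pod/app-1"))
	decoy, _, _ := st.Access("db-creds", "stolen", "pod/evil")
	fmt.Println(decoy, st.Alarms)
}
```

Because the key is bound to the authority and GCM authenticates the ciphertext, a request authenticated under a different authority, or a modified record in the store, fails to decrypt, which is the check the patent relies on when it says a decryptable secret has not been tampered with.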
In order to implement the method, the following embodiments of the present application further provide an information security protection system for secret resources in k8s. The functions of the method can be implemented by this system, and since the specific operation steps of the method have already been described, they are not repeated here.
Referring to fig. 8, fig. 8 is a schematic structural diagram of an information security protection system for secret resources in k8s according to an embodiment of the present invention. As shown in fig. 8, the information security protection system for secret resources in k8s includes:
the intercepting module 110 is configured to intercept the created secret resource when the creating action of the secret resource in k8s is monitored;
the encryption module 120 is configured to encrypt information of the intercepted secret resource according to a preset encryption algorithm;
and the storage module 130 is configured to store the encrypted secret resource in the distributed key value database of k8s.
To sum up, in the information security protection system for secret resources in k8s provided in the embodiment of the present application, a uniform listening entry is set for listening to secret resources in k8s; when the creation action of a secret resource in k8s is monitored, the intercepting module 110 intercepts the created secret resource; the encryption module 120 then encrypts the intercepted secret resource according to a preset encryption algorithm; and finally the storage module 130 stores the encrypted secret resource in the distributed key value database of k8s. According to the embodiment of the application, the intercepted secret resources are encrypted by the preset encryption algorithm before being stored in the distributed key value database, so that the sensitive information in the secret resources is protected and the risk of the traditional approach, in which the original k8s cannot encrypt the secret resources, is avoided. In addition, according to the technical scheme provided by the embodiment of the application, if the webhook intercepts a request to delete a secret resource, the browser in the CRD resource is called to delete the related secret resource.
As a preferred embodiment, as shown in fig. 9, the information security protection system provided in the embodiment of the present application further includes, in addition to the above modules:
the extracting module 210 is configured to, when an access request of the secret resource is monitored, extract the secret resource from the distributed key value database according to the access request;
the decryption module 220 is configured to decrypt the information of the secret resource by using a key corresponding to a preset encryption algorithm;
and the sending module 230 is configured to feed back the decrypted secret resource according to the access request.
As a preferred embodiment, as shown in fig. 9, the information security protection system provided in the embodiment of the present application further includes, in addition to the above modules:
the authentication module 310 is configured to perform access right authentication on the monitored access request, and to trigger the extraction module 210 when the access right authentication is successful;
the sending module 230 is further configured to, when the authentication module 310 fails to authenticate the access right, use a pseudo secret resource pre-stored in the distributed key value database to feed back the access request, and send alarm information to the upper-level network.
As a preferred embodiment, as shown in fig. 10, the intercepting module 110 includes:
the action monitoring submodule 111 is used for monitoring the creating action of the secret resource through an application programming interface (API);
a resource interception submodule 112 for intercepting the secret resource using a network interception tool;
and the resource transmission submodule 113 is configured to transmit the intercepted secret resource to the user-defined resource for information encryption by using a network interception tool.
As a preferred embodiment, as shown in fig. 11, an encryption module 120 provided in an embodiment of the present application includes:
the information analysis submodule 121 is configured to receive and analyze sensitive information included in the secret resource by using a user-defined resource;
and the information encryption sub-module 122 is configured to encrypt the sensitive information by using the key stored in the distributed key value database according to a preset encryption algorithm.
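The create path (modules 110 to 130) and the access path (modules 210 to 310) described above, as an added Go example that is not part of the patent. It assumes AES-256-GCM as the preset encryption algorithm, a map[string][]byte for the secret resource's data (the form a Kubernetes Secret's data takes in Go), and that the caller supplies the key from the key-value store, the pre-stored decoy secret and the result of access-right authentication; the function names are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewSecretAEAD builds the "preset encryption algorithm" (AES-256-GCM here) from the
// key that the patent keeps in the distributed key-value database (claims 5 to 7).
func NewSecretAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSecretData is the create path: every value of the Secret's data map is
// replaced by nonce||ciphertext before the object is written to the store.
func EncryptSecretData(aead cipher.AEAD, data map[string][]byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	for k, v := range data {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out[k] = aead.Seal(nonce, nonce, v, nil)
	}
	return out, nil
}

// ServeSecret is the access path: an authenticated request gets the decrypted
// data; a failed one gets the pre-stored decoy and alarm=true for the upper-level network.
func ServeSecret(aead cipher.AEAD, stored, decoy map[string][]byte, authenticated bool) (map[string][]byte, bool, error) {
	if !authenticated {
		return decoy, true, nil
	}
	out := make(map[string][]byte, len(stored))
	n := aead.NonceSize()
	for k, v := range stored {
		if len(v) < n {
			return nil, false, errors.New("stored value shorter than nonce: " + k)
		}
		pt, err := aead.Open(nil, v[:n], v[n:], nil) // fails on a wrong key or a tampered value
		if err != nil {
			return nil, false, err
		}
		out[k] = pt
	}
	return out, false, nil
}
```

The GCM tag check is what makes a modified ciphertext in the store fail on read instead of silently decrypting to garbage.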
In summary, in the information security protection scheme for secret resources in k8s provided in the embodiment of the present application, a uniform listening entry is set for listening to secret resources in k8s; the created secret resource is intercepted when the creating action of the secret resource in k8s is monitored; then the intercepted secret resource is encrypted according to a preset encryption algorithm; and finally the encrypted secret resource is stored in the distributed key value database of k8s. According to the embodiment of the application, the intercepted secret resources are encrypted by the preset encryption algorithm before being stored in the distributed key value database, so that the sensitive information in the secret resources is protected, and the risk arising from native k8s storing secret resources unencrypted in the conventional approach is avoided. In addition, according to the technical scheme provided by the embodiment of the application, if the webhook intercepts a request for deleting the secret resource, the browser in the CRD resource is called to delete the related secret resource.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. An information security protection method for secret resources in k8s is characterized by comprising the following steps:
intercepting the created secret resource when the creating action of the secret resource in k8s is monitored;
carrying out information encryption on the intercepted secret resource according to a preset encryption algorithm;
storing the encrypted secret resource into the distributed key value database of the k8s.
2. The information security protection method according to claim 1, further comprising:
when an access request of a secret resource is monitored, extracting the secret resource from the distributed key value database according to the access request;
decrypting the secret resource by using a key corresponding to the preset encryption algorithm;
and feeding back the decrypted secret resource according to the access request.
3. The information security protection method according to claim 2, further comprising:
performing access authority authentication on the monitored access request;
when the access authority authentication is successful, executing a step of extracting the secret resource from the distributed key value database according to the access request;
and when the access authority authentication fails, feeding back the access request by using a pseudo secret resource prestored in the distributed key value database, and sending alarm information to an upper-level network.
4. The information security protection method according to claim 1, wherein the step of intercepting the created secret resource when the creating action of the secret resource in k8s is monitored includes:
monitoring the creating action of the secret resource through an Application Programming Interface (API);
intercepting the secret resource by using a network interception tool when the creating action of the secret resource is monitored;
and transmitting the intercepted secret resource to a user-defined resource for information encryption by using the network interception tool.
5. The information security protection method according to claim 4, wherein the step of encrypting the intercepted secret resource according to a preset encryption algorithm includes:
receiving and analyzing sensitive information contained in the secret resource by using a user-defined resource;
and the user-defined resource encrypts the sensitive information by using the key stored in the distributed key value database according to a preset encryption algorithm.
6. The information security protection method according to claim 1, wherein before the step of encrypting the intercepted secret resource according to a preset encryption algorithm, the method further comprises:
acquiring an access right corresponding to the secret resource;
generating a key of the preset encryption algorithm according to the access authority corresponding to the secret resource;
storing the key in the distributed key-value database.
7. The information security protection method according to claim 6, further comprising:
matching a corresponding key from the distributed key value database by using the access authority of the access request when the access authority of the monitored access request is successfully authenticated;
and decrypting the secret resource by using the key.
8. An information security protection system for secret resources in k8s, comprising:
the intercepting module is used for intercepting the created secret resource when the creating action of the secret resource in the k8s is monitored;
the encryption module is used for encrypting the intercepted secret resource according to a preset encryption algorithm;
and the storage module is used for storing the encrypted secret resource into the distributed key value database of the k8s.
9. The information security protection system according to claim 8, further comprising:
the extraction module is used for extracting the secret resource from the distributed key value database according to the access request when the access request of the secret resource is monitored;
the decryption module is used for decrypting the information of the secret resource by using a key corresponding to the preset encryption algorithm;
and the sending module is used for feeding back the decrypted secret resource according to the access request.
10. The information security protection system according to claim 9, further comprising:
the authentication module is used for carrying out access authority authentication on the monitored access request, and when the access authority authentication is successful, the extraction module is executed;
and the sending module is further configured to, when the authentication module fails to authenticate the access right, use a pseudo secret resource pre-stored in the distributed key value database to feed back the access request, and send alarm information to an upper-level network.
CN202110914777.9A 2021-08-10 2021-08-10 Information security protection method and system for secret resource in k8s Withdrawn CN113779618A (en)
Publications (1)

Publication Number Publication Date
CN113779618A true CN113779618A (en) 2021-12-10
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication