CN113867919A - Kubernetes cluster scheduling method, system, equipment and medium - Google Patents


Info

Publication number
CN113867919A
Authority
CN
China
Prior art keywords
node
security configuration
configuration information
score
security
Prior art date
Legal status
Granted
Application number
CN202111170771.1A
Other languages
Chinese (zh)
Other versions
CN113867919B (en)
Inventor
丁攀
徐雷
张小梅
刘安
郭新海
蓝鑫冲
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111170771.1A
Publication of CN113867919A
Application granted
Publication of CN113867919B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
        • G06F9/46 Multiprogramming arrangements > G06F9/48 Program initiating; Program switching, e.g. by interrupt > G06F9/4806 Task transfer initiation or dispatching > G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system > G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
        • G06F9/44 Arrangements for executing specific programs > G06F9/445 Program loading or initiating > G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
        • G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects
        • G06F9/46 Multiprogramming arrangements > G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU] > G06F9/5005 Allocation of resources to service a request > G06F9/5027 Allocation of resources to service a request, the resource being a machine, e.g. CPUs, servers, terminals > G06F9/505 Allocation of resources to service a request, the resource being a machine, considering the load

Abstract

The present disclosure provides a Kubernetes cluster scheduling method, system, terminal device and computer-readable storage medium. The method includes: acquiring the security configuration information of each node in a Kubernetes cluster; calculating the security score of each node from its security configuration information to obtain the security score result of each node; selecting a call-in node for the Pod to be scheduled from among the nodes based on the security score result; and scheduling the Pod to be scheduled to the call-in node. The embodiments of the disclosure take the security configuration of the nodes into account during Kubernetes cluster scheduling and then select a suitable node according to its security score, so that at least the security and reliability problems arising in the current Kubernetes cluster scheduling process can be solved.

Description

Kubernetes cluster scheduling method, system, equipment and medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to a Kubernetes cluster scheduling method, a Kubernetes cluster scheduling system, a terminal device and a computer-readable storage medium.
Background
Kubernetes is an open-source cluster system for managing containerized applications across multiple hosts in a cloud platform. It is mainly used for automatically deploying, scaling and managing container applications, and provides a whole set of functions such as resource scheduling, deployment management, service discovery, scaling up and down, and monitoring.
The smallest unit of creation, scheduling and management in Kubernetes is the Pod; a Pod may contain one or more containers that run on the same node and share that node's resources. A Node is the unit of operation in Kubernetes and is what a Pod is bound to: the Pod ultimately runs on the Node, so the Node can be regarded as the Pod's host. In a Kubernetes cluster, scheduling means placing a Pod on a suitable Node so that the kubelet component on that Node can run it. Current Pod scheduling usually considers only the resource usage of the Node, but as network security becomes more and more important, considering only resource usage may mean that the security and reliability of the service cannot be guaranteed.
Disclosure of Invention
The disclosure provides a Kubernetes cluster scheduling method, a Kubernetes cluster scheduling system, a terminal device and a computer-readable storage medium, which at least solve the problem that the security and reliability of the scheduling nodes cannot be guaranteed in the current Kubernetes cluster scheduling process.
According to one aspect of the present disclosure, a Kubernetes cluster scheduling method is provided, including:
acquiring the security configuration information of each node in a Kubernetes cluster;
calculating the security score of each node based on its security configuration information to obtain the security score result of each node;
selecting a call-in node for the Pod to be scheduled from among the nodes based on the security score result; and scheduling the Pod to be scheduled to the call-in node.
In one embodiment, the security configuration information includes one or any combination of the following: operating system security configuration information, container security configuration information and Kubernetes component security configuration information.
In one embodiment, the security configuration information includes operating system security configuration information, container security configuration information and Kubernetes component security configuration information, and calculating the security score of each node based on the security configuration information includes:
calculating the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node based on that node's operating system, container and Kubernetes component security configuration information respectively; and
calculating the security score of each node based on its operating system security configuration score, container security configuration score and Kubernetes component security configuration score.
In one embodiment, selecting the call-in node for the Pod to be scheduled from among the nodes based on the security score result includes:
selecting, based on the security score result, all nodes whose security score reaches a security threshold as a plurality of preselected nodes;
acquiring the first resource configuration information of each preselected node;
calculating the first resource configuration score of each preselected node based on its first resource configuration information to obtain a first resource configuration score result; and
selecting, based on the first resource configuration score result, the preselected node with the highest resource configuration score as the call-in node for the Pod to be scheduled.
In one embodiment, selecting the call-in node for the Pod to be scheduled from among the nodes based on the security score result includes:
acquiring the second resource configuration information of each node;
calculating the second resource configuration score of each node based on its second resource configuration information to obtain a second resource configuration score result;
calculating a comprehensive score for each node according to a preset rule, based on the security score result and the second resource configuration score result, to obtain a comprehensive score result; and
selecting, based on the comprehensive score result, the node with the highest comprehensive score as the call-in node for the Pod to be scheduled.
According to another aspect of the present disclosure, a Kubernetes cluster scheduling system is provided, including:
an acquisition module configured to acquire the security configuration information of each node in the Kubernetes cluster;
a scoring module configured to calculate the security score of each node based on its security configuration information to obtain the security score result of each node;
a selection module configured to select a call-in node for the Pod to be scheduled from among the nodes based on the security score result; and
a scheduling module configured to schedule the Pod to be scheduled to the call-in node.
In one embodiment, the security configuration information includes one or any combination of the following: operating system security configuration information, container security configuration information and Kubernetes component security configuration information.
In one embodiment, the security configuration information includes operating system security configuration information, container security configuration information and Kubernetes component security configuration information, and the scoring module includes:
a first calculation unit configured to calculate the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node based on that node's operating system, container and Kubernetes component security configuration information respectively; and
a second calculation unit configured to calculate the security score of each node based on its operating system security configuration score, container security configuration score and Kubernetes component security configuration score.
According to yet another aspect of the present disclosure, a terminal device is provided, comprising a memory and a processor, wherein the memory stores a computer program and the processor performs the Kubernetes cluster scheduling method when it runs the computer program stored in the memory.
According to yet another aspect of the present disclosure, a computer-readable storage medium is provided, having a computer program stored thereon which, when executed by a processor, causes the processor to perform the Kubernetes cluster scheduling method.
According to the Kubernetes cluster scheduling method, Kubernetes cluster scheduling system, terminal device and computer-readable storage medium described above, the security configuration information of each node in the Kubernetes cluster is acquired; the security score of each node is calculated based on its security configuration information to obtain the security score result of each node; a call-in node for the Pod to be scheduled is selected from among the nodes based on the security score result; and the Pod to be scheduled is scheduled to the call-in node. Because the security configuration of each node is considered during Kubernetes cluster scheduling and a suitable node is then selected according to its security score, at least the problem that the security and reliability of the scheduling node cannot be guaranteed in the current Kubernetes cluster scheduling process can be solved.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification; they illustrate embodiments of the disclosure and, together with the description, serve to explain the principles of the disclosure and not to limit it.
Fig. 1 is a flow chart of Kubernetes cluster scheduling in the related art;
Fig. 2 is a schematic flow chart of a Kubernetes cluster scheduling method according to an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart of another Kubernetes cluster scheduling method according to an embodiment of the present disclosure;
Fig. 4 is a schematic flow chart of another Kubernetes cluster scheduling method according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a Kubernetes cluster scheduling system according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, specific embodiments of the present disclosure are described below in detail with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of explanation of the present disclosure, and have no specific meaning in themselves. Thus, "module", "component" or "unit" may be used mixedly.
For understanding, Kubernetes cluster scheduling is usually performed by the Kubernetes Scheduler, which binds a Pod to be scheduled to an appropriate Node in the cluster according to a certain scheduling algorithm and policy and writes the binding information into etcd (etcd being a distributed, consistent key-value storage system used for shared configuration and service discovery). The kubelet service on the target Node then learns of the Pod binding event generated by the Scheduler through the API Server, obtains the Pod information, and downloads the image and starts the container. Three important objects are involved in selecting a suitable Node: the PodQueue (the list of Pods to be scheduled), the NodeList (the list of available Nodes) and the scheduling algorithm/scheduling policy. The PodQueue is the set of Pods created by the user that are waiting to be scheduled, and the NodeList is the set of all available Nodes in the cluster. The scheduling algorithm/scheduling policy is the selection policy that picks the most suitable Node from the NodeList for each Pod in the PodQueue. The scheduling process is shown in Fig. 1.
In the related art, the default scheduling process provided by the Kubernetes Scheduler consists of two steps: 1) first, all target nodes are traversed and the candidate nodes that meet the requirements are screened out, for which Kubernetes has a number of built-in predicate (preselection) policies for the user to choose from; 2) then the optimal Node is determined: on the basis of the first step, the score of each candidate Node is calculated using the priority (preferred) policies, and the Node with the highest score is the optimal Node.
The candidate nodes are mainly screened by the following policies. PodFitsHostPorts: checks whether the HostPort required by the Pod is already occupied by another container or service on the node; if it is, the Pod is not scheduled to that node. PodFitsHost: checks whether the NodeName specified by the Pod matches the current node. PodFitsResources: checks whether the node has enough free resources (e.g. CPU and memory) to meet the Pod's requirements. PodMatchNodeSelector: checks whether the Pod's node selector matches the node's labels. NoVolumeZoneConflict: for a given zone, checks whether the volumes of Pods deployed on the nodes of that zone conflict. NoDiskConflict: evaluates whether the Pod fits the node based on the volumes it requests and the volumes already mounted on the node. MaxCSIVolumeCount: determines how many CSI (Container Storage Interface) volumes would be attached and whether that exceeds the configured limit. CheckNodeMemoryPressure: if the node reports memory pressure and no exception is configured, the Pod is not scheduled there. CheckNodePIDPressure: if the node reports that process IDs are scarce and no exception is configured, the Pod is not scheduled there. CheckNodeDiskPressure: if the node reports storage pressure (file system full or nearly full) and no exception is configured, the Pod is not scheduled there. CheckNodeCondition: a node may report that its file system is fully intact but its network is unavailable, or that its kubelet is not ready to run Pods; if such a condition is set on a node and no exception is configured, the Pod is not scheduled there.
After the predicate policies have selected the candidate nodes (candidates are chosen by a single-vote rule: a node passes only if every policy is satisfied), and if several nodes meet the conditions, the process continues to determine the optimal node and finally orders the nodes by priority. The priority policies include the following. SelectorSpreadPriority: for Pods belonging to the same Service, StatefulSet or ReplicaSet, spreads the Pods across different hosts as far as possible. InterPodAffinityPriority: this policy has two configuration modes, podAffinity and podAntiAffinity; in brief, scheduling is matched against the labels of the Pods already running on the node using the operators In, NotIn, Exists and DoesNotExist, which allows Pods to be scheduled more flexibly. LeastRequestedPriority: favours nodes with fewer requested resources; in other words, the more Pods are placed on a node and the more resources those Pods use, the lower the rank this policy gives it. MostRequestedPriority: favours the node with the most requested resources; this policy packs the scheduled Pods onto the minimum number of nodes needed for the whole workload set. RequestedToCapacityRatioPriority: creates a requestedToCapacity-based resource allocation priority using a default resource scoring function shape. BalancedResourceAllocation: favours nodes with balanced resource usage. NodePreferAvoidPodsPriority: prioritises nodes according to a node annotation; it can be used to indicate that two different Pods should not run on the same node. NodeAffinityPriority: orders nodes according to the node affinity scheduling preference expressed in preferredDuringSchedulingIgnoredDuringExecution (which emphasises that a specified rule should preferably be satisfied). ImageLocalityPriority: favours nodes that already have the Pod's image in their local cache. ServiceSpreadingPriority: intended to ensure that, for a given Service, the Service's Pods run on different nodes; the overall effect is that the Service becomes more resilient to single-node failures. EqualPriority: gives every node the same weight of 1. EvenPodsSpreadPriority: implements the preferred Pod topology spread constraints.
Finally, the system calculates each node's score through the enabled priority policies; if several priority policies are enabled, the scores from the different policies are summed. The system then binds the Pod to the node selected in the priority step; if several nodes tie, one node is chosen at random.
From the scheduling policies used in the Kubernetes scheduling process described above, it can be seen that the policies are mainly based on resource dimensions, with some policies considering custom label dimensions (for example the PodFitsHost policy). The resource dimensions include computing resources (CPU, memory, GPU, etc.), storage resources (disk space, disk IO, solid-state disks (SSD), etc.), network resources (network bandwidth, IP addresses, ports, etc.) and image resources (images in the node's local cache, etc.).
In the related art, Pod scheduling based on the resource (and custom label) dimensions guarantees service availability and effective use of resources, but in a context where network security is becoming more and more important, the final scheduling result may struggle to provide a secure and reliable service because the security of the nodes is not considered. To solve this problem, an embodiment of the present disclosure provides a Kubernetes cluster scheduling policy based on security specifications: each node is given a security score when Kubernetes cluster scheduling is performed, and a suitable node is then selected according to the security scores to complete scheduling, so that Kubernetes cluster scheduling can at least be effectively guaranteed to meet the security and reliability requirements of the service.
Referring to Fig. 2, which is a schematic flow chart of a Kubernetes cluster scheduling method according to an embodiment of the present disclosure, the method includes steps S201 to S204.
In step S201, the security configuration information of each node in the Kubernetes cluster is acquired.
Specifically, the security configuration information may include one or any combination of the following: operating system security configuration information, container security configuration information and Kubernetes component security configuration information.
It is understood that, since the operating system, the container runtime and the Kubernetes components are installed on the corresponding nodes, their security configuration information reflects the security status of the node; in some embodiments the node's security configuration information may also take into account the node's security vulnerability information.
In step S202, the security score of each node is calculated based on the security configuration information, and a security score result of each node is obtained.
In this embodiment, the security configuration information includes operating system security configuration information, container security configuration information and Kubernetes component security configuration information, and calculating the security score of each node based on the security configuration information (step S202) specifically means:
calculating the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node based on that node's operating system, container and Kubernetes component security configuration information respectively; and
calculating the security score of each node based on its operating system security configuration score, container security configuration score and Kubernetes component security configuration score.
Specifically, the security configuration specification (that is, the scoring specification for each piece of security configuration information) may adopt the CIS Benchmarks standard (Center for Internet Security benchmarks): a series of check items is defined for the inspected object based on the CIS Benchmarks; if a configuration conforms to the CIS Benchmark standard the score for that item is obtained, and if it does not, the score for that item is not obtained. For example, in the standard established by CIS Docker Benchmark v1.2.0 there are 89 scored items, so the total score is 89. In some embodiments the open-source tool docker-bench-security-master can also be used to scan and check all scoring items; if the check of the relevant Docker container configuration meets the specification the score is obtained, otherwise it is not. The security priority policy (that is, the security score of each node) is calculated as follows, by way of example:
The security priority policy is calculated with the following formula:
Figure BDA0003293026620000081
where SystemSecurity is the node's operating system security configuration score, ContainerSecurity is the security configuration score of the container runtime installed on the node, KubernetesSecurity is the security configuration score of the Kubernetes components installed on the node, int() is the integer function, and SecurityPriority is the final score of the security priority policy, namely the security score of the node.
Further, the operating system security configuration score is calculated using the CIS Operating Systems Benchmark, with the following formula:
Figure BDA0003293026620000091
where SystemSecurityScore is the node's operating system security configuration score obtained by the checking script based on the CIS Operating Systems Benchmark, SystemSecurityTotalScore is the total score of the CIS Operating Systems Benchmark security configuration for the node's operating system, and SystemSecurity is the calculated operating system security configuration score of the node.
Further, the container security configuration score is calculated using the CIS Docker Benchmark, with the following formula:
Figure BDA0003293026620000092
where ContainerSecurityScore is the Docker security configuration score obtained by the checking script based on the CIS Docker Benchmark, ContainerSecurityTotalScore is the total score of the Docker security configuration, and ContainerSecurity is the calculated container security configuration score of the node.
Further, the Kubernetes component security configuration score is calculated using the CIS Kubernetes Benchmark, with the following formula:
Figure BDA0003293026620000093
where KubernetesSecurityScore is the Kubernetes security configuration score obtained by the checking script based on the CIS Kubernetes Benchmark, KubernetesSecurityTotalScore is the total score of the Kubernetes security configuration, and KubernetesSecurity is the calculated Kubernetes component security score of the node.
Taking actual data as an example, and using the container security configuration score for a simple illustration: the result of the docker-bench-security-master checking tool shows that, of all the scored check items, 70 items meet the requirements of the specification and the remaining 19 do not, so the container security configuration score is:
Figure BDA0003293026620000101
In some embodiments, to improve the accuracy of the security score, further security evaluation factors may be added alongside the operating system, container and Kubernetes component security configuration information. For example, for the security information on a node's system vulnerabilities, a system vulnerability security score of the node is additionally calculated. For different security evaluation factors, a reference calculation method for the node's security score is:
Figure BDA0003293026620000102
where α_i is a proportionality coefficient set by the user according to the importance of the different security factors, and SecurityFactor_i is the measured score of each security factor that needs to be taken into account.
In step S203, the call-in node for the Pod to be scheduled is selected from among the nodes based on the security score result.
It can be understood that a Pod to be scheduled is a Pod that needs to be called out of a certain node, for example a Pod that needs to be called into another node because the resources of the current node are insufficient.
In step S204, the Pod to be scheduled is scheduled to the call-in node.
In this embodiment, by calculating SystemSecurity, ContainerSecurity and KubernetesSecurity for each node, the SecurityPriority of all nodes is finally obtained. During scheduling, Kubernetes selects the call-in node based on the node's SecurityPriority score (together with the node's resource configuration information) to complete Pod scheduling. For example, in the initial node selection stage only nodes whose SecurityPriority reaches a certain value enter the candidate set, and a suitable node is then selected further according to the nodes' resource configuration; alternatively, the node with the highest SecurityPriority score is preferentially selected as the Pod's call-in node, and if several nodes have the same score, the node is further selected based on information such as its resource configuration.
Referring to fig. 3, fig. 3 is a schematic flow chart of another Kubernetes cluster scheduling method provided in an embodiment of the present disclosure. Building on the previous embodiment, this embodiment uses the security configuration score of a node as the basis and the resource configuration information of the node as the preferred condition, and selects a suitable node as the call-in node so as to provide a service that is secure and reliable while making effective use of resources. Compared with the previous embodiment, step S203 is further divided into the following steps S301 to S304.
In step S301, all nodes whose security score reaches a security threshold are selected from the nodes as a plurality of preselected nodes, based on the security score result.
In this embodiment, the Kubernetes cluster scheduling preselects nodes according to their security scores, which ensures that the selected nodes at least meet the security and reliability requirements of the service.
It is understood that a skilled person can adaptively set the security threshold, which represents the lowest score that ensures the security and reliability of the service, in combination with the prior art and practical application.
In step S302, first resource configuration information of the plurality of preselected nodes is obtained respectively.
In step S303, first resource configuration scores of the plurality of preselected nodes are calculated respectively based on the first resource configuration information, obtaining a first resource configuration score result; and
in step S304, the preselected node with the highest resource configuration score is selected as the call-in node of the Pod to be scheduled, based on the first resource configuration score result.
Specifically, the preselected nodes that do not meet the resource requirement of the Pod to be called in (or whose custom tag does not match the Pod) can first be screened out according to that resource requirement to obtain a preselected node set, and the node with the highest resource configuration score is then selected from that set as the call-in node. In practical application, it may happen that none of the preselected nodes satisfies the resource requirement, that is, even the preselected node with the highest resource configuration score does not satisfy it. To handle such cases, the system does not directly call the Pod into the selected node; it may prompt the user to re-allocate resources on each node and then perform steps S301 to S304 again, or wait for a certain duration and then perform steps S301 to S304 again to recalculate the resource condition of each node, until an optimal node that satisfies the resource requirement is selected as the call-in node of the Pod to be scheduled.
Compared with the prior art, this embodiment does not need to acquire the resource configuration information of all nodes; it only acquires the resource configuration information of the preselected nodes that passed the security score screening, scores their resource configuration, and selects the optimal node from them, so that resources are used effectively while the security and reliability of the service are ensured.
It should be noted that, in this embodiment, the first resource configuration information and the second resource configuration information described later include two dimensions, namely the node's resources and a custom tag, where the custom tag indicates that the node can accept Pod scheduling.
Referring to fig. 4, fig. 4 is a schematic flow chart of another Kubernetes cluster scheduling method provided in an embodiment of the present disclosure. Unlike the previous embodiment, this embodiment calculates a composite score according to a preset rule from the security configuration score and the resource configuration score, and then selects a suitable node based on the composite score, so that the finally selected node strikes an effective balance between service security and resource availability. Specifically, step S203 is further divided into steps S401 to S404.
In step S401, second resource configuration information of each node is obtained respectively;
in step S402, a second resource configuration score of each node is calculated respectively based on the second resource configuration information, obtaining a second resource configuration score result;
in step S403, a composite score of each node is calculated according to a preset rule based on the security score result and the second resource configuration score result, obtaining a composite score result;
in step S404, the node with the highest composite score is selected as the call-in node of the Pod to be scheduled, based on the composite score result.
Accordingly, in this embodiment, nodes that do not satisfy the minimum security condition or the minimum resource condition (a person skilled in the art may adaptively set both in combination with the actual application) may first be screened out according to the security score result and the resource configuration score result to obtain a node set, and steps S401 to S404 are then performed on the nodes in that set. Considering that in practical application even the node with the highest composite score may still fail to meet the conditions, the Pod may temporarily not be scheduled; the current state is maintained and node selection is repeated according to the above steps after a period of time, until the selected node meets the conditions.
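The weighted security score described above and the two selection strategies of steps S301 to S304 and S401 to S404, written out as an added example in Go (this is illustration code, not code from the patent). It assumes that each benchmark's configuration score is the fraction of scored checks that passed, that the composite rule is a weighted mean of security and resource scores, and all node data are constructed; the names SecurityPriority, SelectByThreshold and SelectByComposite are the example's own.

```go
package main

import "fmt"

// BenchResult is the outcome of one CIS-style benchmark run on a node:
// how many scored checks passed and how many failed.
type BenchResult struct{ Passed, Failed int }

// Ratio is the configuration score used here: the fraction of scored checks
// that passed (assumption; the page shows its formula only as an image).
func (b BenchResult) Ratio() float64 {
	if b.Passed+b.Failed == 0 {
		return 0 // no scored checks: no evidence the node is configured securely
	}
	return float64(b.Passed) / float64(b.Passed+b.Failed)
}

// Node carries the three benchmark results, a resource configuration score
// and the custom tag the page uses as a precondition for Pod scheduling.
type Node struct {
	Name                   string
	System, Container, K8s BenchResult
	Resource               float64 // resource configuration score in [0,1] (constructed)
	Schedulable            bool    // custom tag: node may receive the Pod
}

// Weights are the user-set proportionality coefficients alpha_i.
type Weights struct{ System, Container, K8s float64 }

// SecurityPriority is the weighted sum of the per-factor security scores.
func SecurityPriority(n Node, w Weights) float64 {
	return w.System*n.System.Ratio() + w.Container*n.Container.Ratio() + w.K8s*n.K8s.Ratio()
}

// pickMax returns the name of the node with the largest key among those that
// keep accepts; ok is false when no node qualifies (the page's wait-and-retry case).
func pickMax(nodes []Node, keep func(Node) bool, key func(Node) float64) (name string, ok bool) {
	best := -1.0
	for _, n := range nodes {
		if !keep(n) {
			continue
		}
		if k := key(n); k > best {
			best, name, ok = k, n.Name, true
		}
	}
	return name, ok
}

// SelectByThreshold follows steps S301-S304: keep nodes whose security score
// reaches the threshold and whose tag allows scheduling, then take the one
// with the highest resource configuration score.
func SelectByThreshold(nodes []Node, w Weights, threshold float64) (string, bool) {
	return pickMax(nodes,
		func(n Node) bool { return n.Schedulable && SecurityPriority(n, w) >= threshold },
		func(n Node) float64 { return n.Resource })
}

// SelectByComposite follows steps S401-S404. The preset rule is an assumption:
// composite = secWeight*security + (1-secWeight)*resource, computed only for
// nodes that meet the minimum security and minimum resource conditions.
func SelectByComposite(nodes []Node, w Weights, secWeight, minSec, minRes float64) (string, bool) {
	return pickMax(nodes,
		func(n Node) bool { return n.Schedulable && SecurityPriority(n, w) >= minSec && n.Resource >= minRes },
		func(n Node) float64 { return secWeight*SecurityPriority(n, w) + (1-secWeight)*n.Resource })
}

// SampleNodes is constructed data; node-a's container result (70 passed,
// 19 failed) is the docker-bench-security example from the page.
func SampleNodes() []Node {
	return []Node{
		{"node-a", BenchResult{50, 10}, BenchResult{70, 19}, BenchResult{40, 10}, 0.90, true},
		{"node-b", BenchResult{58, 2}, BenchResult{85, 4}, BenchResult{48, 2}, 0.50, true},
		{"node-c", BenchResult{30, 30}, BenchResult{45, 44}, BenchResult{25, 25}, 0.95, true},
		{"node-d", BenchResult{60, 0}, BenchResult{89, 0}, BenchResult{50, 0}, 0.99, false},
	}
}

func main() {
	w := Weights{0.3, 0.4, 0.3} // alpha_i chosen by the operator; constructed here
	nodes := SampleNodes()
	fmt.Printf("node-a SecurityPriority=%.3f\n", SecurityPriority(nodes[0], w))
	a, _ := SelectByThreshold(nodes, w, 0.75)   // security gate, then best resources
	b, _ := SelectByComposite(nodes, w, 0.9, 0.4, 0.4) // security-heavy composite
	fmt.Println("threshold strategy:", a, " composite strategy:", b)
}
```

With these weights node-a scores about 0.805 and node-b about 0.960; the threshold strategy at 0.75 picks node-a for its resources, while a security-heavy composite picks node-b, and the unschedulable node-d is never chosen despite a perfect security score.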
Based on the same technical concept, an embodiment of the present disclosure correspondingly provides a Kubernetes cluster scheduling system. As shown in fig. 5, the system includes an obtaining module 51, a scoring module 52, a selecting module 53 and a scheduling module 54, where:
the obtaining module 51 is configured to obtain security configuration information of each node in the Kubernetes cluster, respectively;
the scoring module 52 is configured to calculate a security score of each node based on the security configuration information, obtaining a security score result for each node;
the selecting module 53 is configured to select a call-in node for the Pod to be scheduled from the nodes based on the security score result; and
the scheduling module 54 is configured to schedule the Pod to be scheduled onto the call-in node.
In one embodiment, the security configuration information includes one or any combination of the following: operating system security configuration information, container security configuration information, and Kubernetes component security configuration information.
In one embodiment, the security configuration information includes operating system security configuration information, container security configuration information, and Kubernetes component security configuration information, and the scoring module includes:
a first calculation unit configured to calculate an operating system security configuration score, a container security configuration score and a Kubernetes component security configuration score of each node, respectively, based on the operating system security configuration information, the container security configuration information and the Kubernetes component security configuration information of each node; and
a second calculation unit configured to calculate the security score of each node, respectively, based on the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node.
In one embodiment, the selecting module 53 includes:
a preselection unit configured to select all nodes whose security score reaches a security threshold from the nodes as a plurality of preselected nodes, based on the security score result;
a first obtaining unit configured to obtain first resource configuration information of the plurality of preselected nodes, respectively;
a third calculation unit configured to calculate first resource configuration scores of the plurality of preselected nodes, respectively, based on the first resource configuration information, obtaining a first resource configuration score result; and
a first selection unit configured to select the preselected node with the highest resource configuration score as the call-in node of the Pod to be scheduled, based on the first resource configuration score result.
In one embodiment, the selecting module 53 includes:
a second obtaining unit configured to obtain second resource configuration information of each node, respectively;
a fourth calculation unit configured to calculate a second resource configuration score of each node, respectively, based on the second resource configuration information, obtaining a second resource configuration score result;
a fifth calculation unit configured to calculate a composite score of each node according to a preset rule based on the security score result and the second resource configuration score result, obtaining a composite score result; and
a second selection unit configured to select the node with the highest composite score as the call-in node of the Pod to be scheduled, based on the composite score result.
Based on the same technical concept, an embodiment of the present disclosure correspondingly provides a terminal device. As shown in fig. 6, the terminal device includes a memory 61 and a processor 62; the memory 61 stores a computer program, and when the processor 62 runs the computer program stored in the memory 61, the processor 62 executes the Kubernetes cluster scheduling method.
Based on the same technical concept, an embodiment of the present disclosure correspondingly provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the processor executes the Kubernetes cluster scheduling method.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present disclosure, and not for limiting the same; while the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A Kubernetes cluster scheduling method, characterized by comprising the following steps:
respectively acquiring security configuration information of each node in a Kubernetes cluster;
respectively calculating the security score of each node based on the security configuration information to obtain the security score result of each node;
selecting a call-in node for the Pod to be scheduled from the nodes based on the security score result; and scheduling the Pod to be scheduled onto the call-in node.
2. The method of claim 1, wherein the security configuration information comprises one or any combination of the following: operating system security configuration information, container security configuration information, and Kubernetes component security configuration information.
3. The method of claim 2, wherein the security configuration information includes operating system security configuration information, container security configuration information, and Kubernetes component security configuration information, and wherein calculating the security score of each node based on the security configuration information includes:
respectively calculating the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node based on the operating system security configuration information, the container security configuration information and the Kubernetes component security configuration information of each node; and
respectively calculating the security score of each node based on the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node.
4. The method of claim 1, wherein selecting a call-in node for the Pod to be scheduled from the nodes based on the security score result comprises:
selecting all nodes whose security score reaches a security threshold from the nodes as a plurality of preselected nodes, based on the security score result;
respectively acquiring first resource configuration information of the plurality of preselected nodes;
respectively calculating first resource configuration scores of the plurality of preselected nodes based on the first resource configuration information to obtain a first resource configuration score result; and
selecting the preselected node with the highest resource configuration score as the call-in node of the Pod to be scheduled, based on the first resource configuration score result.
5. The method of claim 1, wherein selecting a call-in node for the Pod to be scheduled from the nodes based on the security score result comprises:
respectively acquiring second resource configuration information of each node;
respectively calculating a second resource configuration score of each node based on the second resource configuration information to obtain a second resource configuration score result;
calculating a composite score of each node according to a preset rule based on the security score result and the second resource configuration score result to obtain a composite score result; and
selecting the node with the highest composite score as the call-in node of the Pod to be scheduled, based on the composite score result.
6. A Kubernetes cluster scheduling system, comprising:
an obtaining module configured to respectively acquire the security configuration information of each node in a Kubernetes cluster;
a scoring module configured to respectively calculate the security score of each node based on the security configuration information to obtain the security score result of each node;
a selecting module configured to select a call-in node for the Pod to be scheduled from the nodes based on the security score result; and
a scheduling module configured to schedule the Pod to be scheduled onto the call-in node.
7. The system of claim 6, wherein the security configuration information comprises one or any combination of the following: operating system security configuration information, container security configuration information, and Kubernetes component security configuration information.
8. The system of claim 7, wherein the security configuration information includes operating system security configuration information, container security configuration information, and Kubernetes component security configuration information, and wherein the scoring module comprises:
a first calculation unit configured to calculate an operating system security configuration score, a container security configuration score and a Kubernetes component security configuration score of each node, respectively, based on the operating system security configuration information, the container security configuration information and the Kubernetes component security configuration information of each node; and
a second calculation unit configured to calculate the security score of each node, respectively, based on the operating system security configuration score, the container security configuration score and the Kubernetes component security configuration score of each node.
9. A terminal device comprising a memory and a processor, the memory having stored therein a computer program, wherein the processor performs the Kubernetes cluster scheduling method according to any one of claims 1 to 5 when the processor runs the computer program stored in the memory.
10. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the Kubernetes cluster scheduling method according to any one of claims 1 to 5.
CN202111170771.1A 2021-10-08 2021-10-08 Kubernetes cluster scheduling method, system, equipment and medium Active CN113867919B (en)

Publications (2)

Publication Number Publication Date
CN113867919A true CN113867919A (en) 2021-12-31
CN113867919B CN113867919B (en) 2024-05-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant