CN114253654A - Container cloud policy scheduling method and device - Google Patents

Container cloud policy scheduling method and device

Info

Publication number: CN114253654A
Authority: CN (China)
Prior art keywords: security, node, container, policy, label value
Legal status: Granted
Application number: CN202011003168.XA
Other languages: Chinese (zh)
Other versions: CN114253654B (en)
Inventors: 吴国威, 何明, 沈军, 樊宁, 潘家铭, 李柯, 张蔚茵, 汪来富, 金华敏
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd

Application filed by China Telecom Corp Ltd
Priority to CN202011003168.XA
Publication of CN114253654A
Application granted
Publication of CN114253654B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing (under G06F9/45558)
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, servers, terminals

Abstract

The invention discloses a container cloud policy scheduling method and device, and relates to the field of network security. The method comprises the following steps: analyzing the security log data of each node and container in the container cloud to obtain the security level of each node; setting a security label value for each node according to its security level; and selecting the matching security label value according to the deployment requirement of the container application, and deploying the container application to the node corresponding to the matching security label value. Based on the security log data of the nodes and containers that have already run in the container cloud, the method and device analyze the security level of each node and dynamically select the most secure node resources for the container application, which reduces the potential security risks a container application faces when it is deployed in the container cloud and achieves secure deployment.

Description

Container cloud policy scheduling method and device
Technical Field
The present disclosure relates to the field of network security, and in particular, to a container cloud policy scheduling method and apparatus.
Background
The container cloud has developed rapidly thanks to its advantages of light weight, elastic resource scaling, continuous integration/delivery and the like. A container cloud based on the micro-service architecture realizes lightweight and elastic scaling of container resources through a scheduling policy, and is one of the important implementation technologies of a 5G MEC (Multi-access Edge Computing) cloud native platform. The K8S scheduler serves as the brain of the container cluster and is responsible for the resource utilization of the cluster, so that stable operation of the services in the cluster is guaranteed. At present, resource allocation for K8S container cloud nodes applies a scheduling policy based only on resource availability and the health state of the node, and deploys a container application to a node conforming to that scheduling policy. When a container already running on a node itself presents a security threat, a new container application deployed on such an unsecured node may be exposed to a potential attack.
Disclosure of Invention
The technical problem to be solved by the present disclosure is to provide a container cloud policy scheduling method and apparatus that can reduce the potential security risks a container application faces when it is deployed in the container cloud.
According to an aspect of the disclosure, a container cloud policy scheduling method is provided, including: analyzing the security log data of each node and container in the container cloud to obtain the security level of each node; setting a security label value for each node according to the security level of each node; and selecting the matched security label value according to the deployment requirement of the container application, and deploying the container application to the corresponding node of the matched security label value.
In some embodiments, selecting the matching security label value according to the container application deployment requirement comprises: formulating and filling a security policy template according to the container application deployment requirement; and matching the filled security policy template with the security label values of the nodes to obtain the security label value matched by the security policy template.
In some embodiments, the security policy template comprises: node identification, node location, node security label value, and logical relationship.
In some embodiments, it is determined whether there are available nodes; if it is determined that there are available nodes, the matching security label value is selected.
In some embodiments, a request sent by a client to create a container application is received; the information of the container application to be created is stored in a database; and after the information of the container application has been stored in the database, the security log data of each node and each container are collected.
In some embodiments, the security log data includes at least one of CPU data, memory data, network data, and security alarm data.
According to another aspect of the present disclosure, a container cloud policy scheduling apparatus is further provided, including: the node security analysis unit is configured to analyze the security log data of each node and container in the container cloud to obtain the security level of each node; a security label setting module configured to set a security label value for each node according to a security level of each node; and the container application deployment module is configured to select the matched security label value according to the container application deployment requirement, and deploy the container application to the node corresponding to the matched security label value.
In some embodiments, the security label setting module is configured to formulate a security policy template according to the container application deployment requirement and fill the security policy template; and the container application deployment module is configured to match the filled security policy template with the security label values of the nodes according to the container application deployment requirement, to obtain the security label value matched by the security policy template.
According to another aspect of the present disclosure, a container cloud policy scheduling apparatus is further provided, including: a memory; and a processor coupled to the memory, the processor configured to perform the container cloud policy scheduling method as described above based on the instructions stored in the memory.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is also presented, on which computer program instructions are stored, which instructions, when executed by a processor, implement the above-mentioned container cloud policy scheduling method.
In the embodiments of the disclosure, the security level of each node is analyzed based on the security log data of the nodes and containers that have already run in the container cloud, the most secure node resources are dynamically selected for the container application, the potential security risk faced by the container application when it is deployed in the container cloud is reduced, and secure deployment is realized.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be understood more clearly and in accordance with the following detailed description, taken with reference to the accompanying drawings,
wherein:
fig. 1 is a flow diagram of some embodiments of a container cloud policy scheduling method of the present disclosure.
Fig. 2 is a schematic flow diagram of another embodiment of a container cloud policy scheduling method according to the present disclosure.
Fig. 3 is a schematic flow chart diagram illustrating further embodiments of a container cloud policy scheduling method according to the present disclosure.
Fig. 4 is a schematic structural diagram of some embodiments of a container cloud policy scheduling apparatus according to the present disclosure.
Fig. 5 is a schematic structural diagram of another embodiment of a container cloud policy scheduling apparatus according to the present disclosure.
Fig. 6 is a schematic structural diagram of another embodiment of a container cloud policy scheduling apparatus according to the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
Fig. 1 is a flow diagram of some embodiments of a container cloud policy scheduling method of the present disclosure.
In step 110, the security log data of each node and container in the container cloud is analyzed to obtain the security level of each node.
In some embodiments, CPU data, memory data, network data, security alarm data, and the like of the node and the container are respectively collected, the security analyzer stores the CPU data, the memory data, the network data, the security alarm data, and the like of the node and the container, and analyzes and counts the CPU data, the memory data, the network data, the security alarm data, and the like of the node and the container to determine the security level of the node.
At step 120, a security label value is set for each node according to the security level of each node.
In some embodiments, the security analyzer notifies the policy scheduler to set the security label value of the node.
In step 130, according to the deployment requirement of the container application, the matched security label value is selected, and the container application is deployed to the node corresponding to the matched security label value.
In some embodiments, the policy scheduler makes a security policy template according to the container application deployment requirement, and fills the security policy template; and matching the filled security policy template with the security label value of the node to obtain the security label value matched with the security policy template.
In the above embodiment, the security level of each node is analyzed based on the security log data of the nodes and containers that have already run in the container cloud, the most secure node resources are dynamically selected for the container application, the potential security risk faced by the container application when it is deployed in the container cloud is reduced, and secure deployment is achieved.
Fig. 2 is a schematic flow diagram of another embodiment of a container cloud policy scheduling method according to the present disclosure.
In step 210, the collection tool is used to collect the CPU data, memory data, network data and security alarm data of the nodes and containers.
In some embodiments, CPU data, memory data, network data, and security alarm data for the nodes and containers of K8S are collected using an integrated collection tool such as cAdvisor and Heapster of K8S.
In step 220, the security analyzer stores the CPU data, memory data, network data, security alarm data, etc. of the nodes and containers.
Because the collection tool only collects real-time data within a preset time window and does not store it, while the security level of a node can only be judged by performing security analysis on security data gathered over a period of time, the collected data needs to be stored.
In step 230, the security analyzer performs risk analysis and statistics on the CPU data, memory data, network data, and security alarm data of the nodes and containers to determine the security level of each node.
In some embodiments, the node security level is defined according to the frequency of external or internal network connections of the node: for example, if the connection frequency exceeds 100 times in 1 minute, the node is set as a high-risk node; if the connection frequency is 50-100 times in 1 minute, the node is set as a medium-risk node; and if the connection frequency is 0-50 times in 1 minute, the node is set as a low-risk node.
It will be appreciated by those skilled in the art that the security level of a node may also be determined from collected security events of the node, etc., and may be determined in other ways.
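The following is an added example (not code from the patent) of the security analyzer's classification step: it parses constructed node/container log lines, applies the connection-frequency rule above (over 100 connections in one minute is high risk, 50-100 medium, 0-50 low) together with the alarm-count rule given for step 360 in the fig. 3 embodiment (more than 3 high-risk alarm logs marks the node high risk), and takes the worse of the two results. The log line format, node names, the treatment of exactly 50 connections as medium, and the worst-of-both combination are assumptions.

```python
"""Node security level analysis from collected node/container log data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH, MEDIUM, LOW = "High", "Medium", "Low"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}
WINDOW = timedelta(minutes=1)
HIGH_ALARM_LIMIT = 3  # more than 3 high-risk alarm logs -> node is high risk (step 360)


def parse_line(line):
    """Parse one constructed log line '<ISO ts> <node> <CONN|ALARM> <detail>'."""
    ts, node, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), node, kind, detail


def max_connections_per_minute(timestamps):
    """Largest number of connections that fall inside any one-minute window."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] < WINDOW:
            j += 1
        best = max(best, j - i)
    return best


def level_from_connections(per_minute):
    """Connection-frequency rule of step 230; 50 itself counted as medium (assumption)."""
    if per_minute > 100:
        return HIGH
    if per_minute >= 50:
        return MEDIUM
    return LOW


def level_from_alarms(high_alarm_count):
    """Alarm-count rule of step 360 (fig. 3 embodiment)."""
    return HIGH if high_alarm_count > HIGH_ALARM_LIMIT else LOW


def analyze(log_lines):
    """Return {node: security level}, the worse of the two rules per node."""
    conns = defaultdict(list)
    high_alarms = defaultdict(int)
    nodes = set()
    for line in log_lines:
        ts, node, kind, detail = parse_line(line)
        nodes.add(node)
        if kind == "CONN":
            conns[node].append(ts)
        elif kind == "ALARM" and detail.startswith("high"):
            high_alarms[node] += 1
    levels = {}
    for node in sorted(nodes):
        by_conn = level_from_connections(max_connections_per_minute(conns[node]))
        by_alarm = level_from_alarms(high_alarms[node])
        levels[node] = max(by_conn, by_alarm, key=RANK.__getitem__)
    return levels


def build_sample_logs():
    """Constructed sample log lines, not captured from any real cluster."""
    base = datetime(2020, 9, 22, 10, 0, 0)
    stamp = lambda delta: (base + delta).isoformat()
    lines = []
    # node1: 120 connections inside one minute -> high risk by frequency.
    lines += [f"{stamp(timedelta(milliseconds=400 * i))} node1 CONN 10.0.0.5:443" for i in range(120)]
    # node2: quiet network, but 4 high-risk alarms -> high risk by alarm count.
    lines += [f"{stamp(timedelta(seconds=3 * i))} node2 CONN 10.0.0.6:80" for i in range(20)]
    lines += [f"{stamp(timedelta(seconds=10 * i))} node2 ALARM high privilege-escalation" for i in range(4)]
    # node3: 60 connections in one minute and a single high alarm -> medium risk.
    lines += [f"{stamp(timedelta(milliseconds=900 * i))} node3 CONN 10.0.0.7:443" for i in range(60)]
    lines.append(f"{stamp(timedelta())} node3 ALARM high suspicious-process")
    # node4: 10 connections spread over five minutes -> low risk.
    lines += [f"{stamp(timedelta(seconds=30 * i))} node4 CONN 10.0.0.8:53" for i in range(10)]
    return lines


if __name__ == "__main__":
    for node, level in analyze(build_sample_logs()).items():
        print(f"{node}: nodeSecurityLevel={level}")
```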
At step 240, the policy scheduler sets the security label value of the node according to the security level of the node.
In step 250, the policy dispatcher formulates a security policy template according to the container application deployment requirements and populates the security policy template.
In some embodiments, the policy scheduler formulates a security policy template comprising node identification, node location, node security label value, and logical relationship according to the security level requirements of the container application. And filling the security policy template according to the security policy selection applied by the user container.
In some embodiments, a k8s container application may be deployed by writing a file in yaml format. The yaml file defines the deployment resources and security requirements of the container application as key-value pairs. For example, an nginx container application deployed in k8s has high security requirements and is expected to be deployed on nodes with a low security risk level; the following yaml file can be prepared:
[Figure: yaml file of the nginx container application deployment (not reproduced in the text)]
A nodeSecurityLevel (node security level) label and an operator label, i.e. the logical relationship, together with the node identifier, node location and so on, are defined in the security policy template.
In some embodiments, a node tag selector of a container cloud identifies nodes by way of key-value pairs. The node identifier is created for the purpose of effectively managing node resources, and is beneficial for a policy scheduler to specify the node identifier of container application deployment in a security policy template.
The node position corresponds to the node identification, and the node identification can also reflect the node position information.
The node security label value can be regarded as a type of setting a corresponding node label in combination with the node security log analysis.
The logical relationship, the operator field in the security policy template, provides the following operators:
In: the value of the label is in a given list;
NotIn: the value of the label is not in a given list;
Gt: the value of the label is greater than a given value;
Lt: the value of the label is less than a given value;
Exists: the label is present;
DoesNotExist: the label is not present.
In some embodiments, the security policy template is dynamically adjusted for different types of container clouds according to the actual situation.
At step 260, it is determined whether there are nodes available.
In step 270, if it is determined that there is an available node, the filled security policy template is matched with the security label values of the nodes to obtain the security label value matched by the security policy template.
At step 280, the container application is deployed onto the node corresponding to the matching security label value.
In the above embodiment, the security log data of the operated nodes and containers of the container cloud are analyzed to obtain the security levels of the nodes, the security policy template is formulated according to the deployment requirement of the container application, the security policy template is filled, the security levels of the nodes are matched with the container application request, so that the new container application is deployed at the safer nodes, and the problem of security deployment of the new container application in the container cloud is solved.
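The following added example (not code from the patent or from Kubernetes) carries steps 250 to 280 through in code: it formulates and fills a security policy template with the node identifier, node location, nodeSecurityLevel and operator fields, evaluates the six operators listed above against node labels (with the same semantics as Kubernetes nodeAffinity matchExpressions), checks node availability first, and only then matches the template. The node list, the free-CPU tie-break and the use of the well-known kubernetes.io/hostname and topology.kubernetes.io/zone labels for identifier and location are assumptions.

```python
"""Security policy template matching against node security labels (added example)."""


def label_matches(labels, key, operator, values=()):
    """Evaluate one matchExpression against a node's label dictionary."""
    present = key in labels
    value = labels.get(key)
    if operator == "In":
        return present and value in values
    if operator == "NotIn":
        return (not present) or value not in values   # absent label also satisfies NotIn
    if operator == "Gt":
        return present and int(value) > int(values[0])  # Gt/Lt compare integer strings
    if operator == "Lt":
        return present and int(value) < int(values[0])
    if operator == "Exists":
        return present
    if operator == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {operator!r}")


def template_matches(template, node):
    """All expressions of a filled template must hold (the logical relationship is AND)."""
    return all(label_matches(node["labels"], e["key"], e["operator"], e.get("values", ()))
               for e in template["matchExpressions"])


def fill_template(app_name, required_level, node_ids=None, location=None):
    """Step 250: formulate the security policy template and fill it for one application."""
    exprs = [{"key": "nodeSecurityLevel", "operator": "In", "values": [required_level]}]
    if node_ids:   # node identification (assumed label key)
        exprs.append({"key": "kubernetes.io/hostname", "operator": "In", "values": list(node_ids)})
    if location:   # node location (assumed label key)
        exprs.append({"key": "topology.kubernetes.io/zone", "operator": "In", "values": [location]})
    return {"app": app_name, "matchExpressions": exprs}


def to_node_affinity(template):
    """Render the filled template as the nodeAffinity fragment of a pod spec."""
    return {"affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
        "nodeSelectorTerms": [{"matchExpressions": template["matchExpressions"]}]}}}}


def schedule(template, nodes):
    """Steps 260-280: availability check, then security match, then choose the node."""
    available = [n for n in nodes if n["ready"] and n["free_cpu"] > 0]
    if not available:
        return None
    candidates = [n for n in available if template_matches(template, n)]
    if not candidates:
        return None
    # Assumed tie-break among matching nodes: most free CPU first.
    return max(candidates, key=lambda n: n["free_cpu"])["name"]


# Constructed node inventory: Node1 labelled High and Node2 Low as in the fig. 3 text,
# plus an unavailable node and one never analyzed (no security label at all).
SAMPLE_NODES = [
    {"name": "node1", "ready": True, "free_cpu": 4, "labels": {
        "kubernetes.io/hostname": "node1", "topology.kubernetes.io/zone": "edge-a", "nodeSecurityLevel": "High"}},
    {"name": "node2", "ready": True, "free_cpu": 2, "labels": {
        "kubernetes.io/hostname": "node2", "topology.kubernetes.io/zone": "edge-a", "nodeSecurityLevel": "Low"}},
    {"name": "node3", "ready": False, "free_cpu": 8, "labels": {
        "kubernetes.io/hostname": "node3", "topology.kubernetes.io/zone": "edge-b", "nodeSecurityLevel": "Low"}},
    {"name": "node4", "ready": True, "free_cpu": 1, "labels": {
        "kubernetes.io/hostname": "node4", "topology.kubernetes.io/zone": "edge-b"}},
]

if __name__ == "__main__":
    nginx = fill_template("nginx", "Low")
    print(to_node_affinity(nginx))
    print("nginx scheduled to:", schedule(nginx, SAMPLE_NODES))
```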
Fig. 3 is a schematic flow chart diagram illustrating further embodiments of a container cloud policy scheduling method according to the present disclosure. In this embodiment, Kubernetes (K8S for short) container cloud is taken as an example for description.
At step 310, a user submits a file for creating a container application through a K8S client, initiating a resource request to the K8S system.
In some embodiments, the yaml file for the nginx container application is created and submitted through the K8S client kubectl.
At step 320, the user sends a request to create a container application in a node of a low-risk security level to the API server through the command line tool.
In some embodiments, after the resource request has been submitted to the K8S system, the user sends a "POST" request, i.e. a request to create an nginx container in a node of low-risk security level, to the K8S cluster, i.e. the API server, through the command line tool kubectl.
At step 330, the API server, upon receiving the request, stores the information for creating the container application in a database.
In some embodiments, the API server creates nginx container application information for storage in the etcd database, where the policy scheduler periodically monitors the API server.
The etcd database, API server and policy scheduler components are all on the master node of k8s, while the kubelet component is on the worker node of k8s. The API server is the central component of k8s; the etcd database, the policy scheduler, the kubelet and the other components cannot interact with one another directly, and all of them obtain the information they need by watching and calling the API server.
At step 340, the policy scheduler determines that the database has stored container application information, informing the API server.
In some embodiments, the information to create the nginx container application is obtained through the API server, and the policy dispatcher employs a watch mechanism to notify the API server immediately upon success of the etcd database storing the nginx container application information.
At step 350, the security log data for the nodes and containers is collected using a collection tool.
In some embodiments, the metrics data and event data of the K8S cluster and nodes are collected using an integrated collection tool such as cAdvisor or Heapster of K8S, which collects data from a single node, collects only real-time data, and does not store it.
In step 360, the collected data is stored in the storage module of the security analyzer, the analysis module performs statistical analysis on the node log information to determine the security level of each node, and the study and judgment module notifies the policy scheduler to set the security label value for the node.
In some embodiments, the storage module may be implemented using an open source data storage facility such as InfluxDB, Elasticsearch, or the like. The analysis module of the security analyzer performs statistical analysis on the node log information; for example, the high-risk/medium-risk/low-risk alarm logs generated by each node are counted, and if the number of high-risk alarm logs exceeds 3, the node's security state is at high risk. At this time, the judging module notifies the policy scheduler of k8s, which marks a security label on the node through the node selector component. Assuming two nodes, Node1 is labelled nodeSecurityLevel: High and Node2 is labelled nodeSecurityLevel: Low.
At step 370, the API server notifies the policy dispatcher of the message created by the container application, and the policy dispatcher generates and populates the security policy template.
In some embodiments, the API server immediately notifies the policy scheduler of the nginx container application creation message, and the policy scheduler of k8s formulates a scheduler security policy template according to the nginx container application deployment requirement, where the scheduler security policy template includes a node identifier, a node location, a node security label, a logical relationship, and the like. Since, according to the requirement, the nginx container needs to be deployed in a node at the Low risk level, the security policy template is filled with the value of the node security label nodeSecurityLevel set to Low. When the security policy template is completely filled, the API server is notified to trigger the scheduling process.
In step 380, the API server first determines whether there is an available node according to the resource availability and the health status of the node, and then determines whether the scheduling policy matches the selected container application deployment location after determining that there is an available node resource, thereby deploying the container application at the appropriate node.
Continuous collection of node information and security analysis dynamically evaluate and adjust the security level of each node, which further improves the accuracy of the node security level. In this embodiment, the API server would select Node1 with nodeSecurityLevel of Low as the location where the nginx container resource starts.
Fig. 4 is a schematic structural diagram of some embodiments of a container cloud policy scheduling apparatus according to the present disclosure. The apparatus includes a node security analysis unit 410, a security label setting module 420, and a container application deployment module 430.
The node security analysis unit 410 is configured to analyze the security log data of each node and container in the container cloud, and obtain the security level of each node.
In some embodiments, the security log data includes CPU data, memory data, network data, security alarm data, and the like.
In some embodiments, as shown in fig. 5, the security log data of the nodes and containers may be collected by a collection tool 510.
In some embodiments, the node security analysis unit 410, i.e. the security analyzer 520 shown in fig. 5, may specifically include a storage module 521, an analysis module 522, and a judging module 523. The storage module 521 is configured to store the collected security log data of each node and container, the analysis module 522 is configured to analyze and count the security log data, and the judging module 523 is configured to determine the security level of a node and notify the policy scheduler 530 to set the node label.
The security label setting module 420 is configured to set a security label value for each node according to the security log data.
In some embodiments, the security label setting module 420, i.e. the policy scheduler 530, marks a security label value on each node.
The container application deployment module 430 is configured to select a matching security label value according to a container application deployment requirement, and deploy the container application to a node corresponding to the matching security label value.
In some embodiments, the security label setting module 420 is configured to formulate and fill a security policy template according to the container application deployment requirement; the container application deployment module 430 is configured to match the filled security policy template with the security label values of the nodes according to the container application deployment requirement, so as to obtain the security label value matched by the security policy template.
In some embodiments, the security policy template comprises: node identification, node location, node security label value, and logical relationship.
In some embodiments, the container application deployment module 430 is the API server 540 in fig. 5. The API server 540 also determines whether there are nodes available; if it is determined that there are available nodes, a matching security label value is selected.
The API server 540 receives a request sent by the client 550 to create a container application, stores the information of the container application to be created in a database, and after the information of the container application has been stored in the database, the collection tool collects the security log data of each node and container.
The collection tool 510 and the client 550 are located on the worker node, and the security analyzer 520, policy scheduler 530, and API server 540 are located on the master node.
In the above embodiment, the security level of each node is analyzed based on the security log data of the nodes and containers that have already run in the container cloud, the most secure node resources are dynamically selected for the container application, the potential security risk faced by the container application when it is deployed in the container cloud is reduced, and secure deployment is achieved.
Fig. 6 is a schematic structural diagram of another embodiment of a container cloud policy scheduling apparatus according to the present disclosure. The apparatus includes a memory 610 and a processor 620. Wherein: the memory 610 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used to store instructions in the embodiments corresponding to fig. 1-3. Processor 620 is coupled to memory 610 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 620 is configured to execute instructions stored in the memory.
In some embodiments, the processor 620 is coupled to the memory 610 through a bus 630. The apparatus 600 may also be coupled to an external storage system 650 via a storage interface 640 for retrieving external data, and may also be coupled to a network or another computer system (not shown) via a network interface 660. These are not described in detail herein.
In this embodiment, the data instructions are stored in the memory and processed by the processor, so that the potential security risks faced by the container application when it is deployed in the container cloud are reduced.
In other embodiments, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the embodiments corresponding to fig. 1-3. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (10)

1. A container cloud policy scheduling method, comprising:
analyzing the security log data of each node and container in the container cloud to obtain the security level of each node;
setting a security label value for each node according to the security level of each node;
and selecting the matching security label value according to the deployment requirement of the container application, and deploying the container application to the node corresponding to the matching security label value.
2. The container cloud policy scheduling method of claim 1, wherein selecting a matching security label value according to container application deployment requirements comprises:
formulating a security policy template according to the container application deployment requirement, and filling in the security policy template;
and matching the filled security policy template with the security label values of the nodes to obtain the security label value that matches the security policy template.
3. The container cloud policy scheduling method of claim 2, wherein the security policy template comprises:
node identification, node location, node security label value, and logical relationship.
4. The container cloud policy scheduling method of claim 1, further comprising:
determining whether an available node exists;
and if it is determined that an available node exists, selecting the matching security label value.
5. The container cloud policy scheduling method according to any one of claims 1 to 4, further comprising:
receiving a request for creating a container application sent by a client;
storing information of the container application to be created in a database;
and after the information of the container application is stored in the database, collecting the security log data of each node and each container.
6. The container cloud policy scheduling method according to any one of claims 1 to 4, wherein the security log data includes at least one of CPU data, memory data, network data and security alarm data.
7. A container cloud policy scheduling apparatus, comprising:
the node security analysis unit is configured to analyze the security log data of each node and container in the container cloud to obtain the security level of each node;
a security label setting module configured to set a security label value for each of the nodes according to a security level of each of the nodes;
and the container application deployment module is configured to select the matched security label value according to the container application deployment requirement, and deploy the container application to the node corresponding to the matched security label value.
8. The container cloud policy scheduling apparatus of claim 7, wherein,
the security label setting module is configured to formulate a security policy template according to a container application deployment requirement, and fill the security policy template;
the container application deployment module is configured to match the filled security policy template with the security label values of the nodes according to the container application deployment requirement, so as to obtain the security label value that matches the security policy template.
9. A container cloud policy scheduling apparatus, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the container cloud policy scheduling method of any of claims 1 to 6 based on instructions stored in the memory.
10. A non-transitory computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the container cloud policy scheduling method of any one of claims 1 to 6.
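The claims above describe one procedure: derive a security level per node from its security log data (claim 6), set a security label value per node (claim 1), fill a security policy template of node identification, node location, node security label value and logical relationship (claim 3), check that an available node exists (claim 4), and deploy to a node whose label matches. The following is an added worked example of that procedure written for this page; it is not code from the patent or from China Telecom. The log fields, scoring thresholds, label format and template fields are all assumptions, and the per-node log records are constructed sample data.

```python
"""Security-label-based container scheduling, added illustration of claims 1-6.
Thresholds, label format and template fields are assumptions, not the patent's."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample security log data per node (claim 6 names CPU, memory,
# network and security alarm data; the field names here are assumed).
SAMPLE_LOGS: Dict[str, dict] = {
    "node-a": {"cpu": 0.35, "mem": 0.40, "net_anomalies": 0, "alarms": []},
    "node-b": {"cpu": 0.92, "mem": 0.75, "net_anomalies": 3, "alarms": ["port-scan"]},
    "node-c": {"cpu": 0.55, "mem": 0.60, "net_anomalies": 1, "alarms": []},
    "node-d": {"cpu": 0.20, "mem": 0.30, "net_anomalies": 12,
               "alarms": ["privileged-container", "crypto-miner"]},
}
# Constructed node locations (claim 3: node location is a template field).
NODE_LOCATIONS: Dict[str, str] = {
    "node-a": "zone-1", "node-b": "zone-1", "node-c": "zone-2", "node-d": "zone-2",
}


def security_level(log: dict) -> int:
    """Map one node's log summary to a level 1..3 (3 = most secure).

    Scoring: resource exhaustion, network anomalies and open alarms each add a
    penalty; the penalty bands are assumed for the example."""
    penalty = 0
    if log["cpu"] > 0.9 or log["mem"] > 0.9:
        penalty += 1                      # starved node: availability risk
    if log["net_anomalies"] > 5:
        penalty += 2
    elif log["net_anomalies"] > 0:
        penalty += 1
    penalty += 2 * len(log["alarms"])     # every open alarm weighs heavily
    if penalty == 0:
        return 3
    return 2 if penalty <= 2 else 1


def label_nodes(logs: Dict[str, dict]) -> Dict[str, str]:
    """Claim 1: set a security label value on every node from its level."""
    return {node: f"sec-level-{security_level(log)}" for node, log in logs.items()}


def level_from_label(label: str) -> int:
    """Parse the numeric level back out of a label such as 'sec-level-2'."""
    return int(label.rsplit("-", 1)[1])


@dataclass
class PolicyTemplate:
    """Claim 3: node identification, node location, node security label
    value and the logical relationship combining the filled fields."""
    node_id: Optional[str] = None
    location: Optional[str] = None
    min_security_level: int = 1
    relation: str = "and"                 # "and" = all filled fields, "or" = any


def node_matches(template: PolicyTemplate, node: str, location: str, label: str) -> bool:
    """Claim 2: match the filled template against one node's label and metadata."""
    conditions: List[bool] = []
    if template.node_id is not None:
        conditions.append(node == template.node_id)
    if template.location is not None:
        conditions.append(location == template.location)
    conditions.append(level_from_label(label) >= template.min_security_level)
    return all(conditions) if template.relation == "and" else any(conditions)


def schedule(template: PolicyTemplate, labels: Dict[str, str],
             locations: Dict[str, str], available: List[str]) -> Optional[str]:
    """Claim 4 then claims 1-2: refuse when no node is available, otherwise
    return the matching available node with the highest security label."""
    if not available:
        return None
    candidates = [n for n in available
                  if node_matches(template, n, locations[n], labels[n])]
    if not candidates:
        return None
    # Prefer the most secure node; break ties by name for determinism.
    return sorted(candidates, key=lambda n: (-level_from_label(labels[n]), n))[0]


if __name__ == "__main__":
    labels = label_nodes(SAMPLE_LOGS)
    print(labels)
    demand = PolicyTemplate(location="zone-2", min_security_level=2)
    print("deploy to:", schedule(demand, labels, NODE_LOCATIONS, list(SAMPLE_LOGS)))
```

With the constructed logs, node-a gets the top label, node-c a middle one, and node-b and node-d (active alarms) the lowest, so a template demanding zone-2 and at least level 2 lands on node-c, while the same template with level 3 finds nothing under "and" and falls back to node-a under "or". Two practical points this makes visible: the label is only as trustworthy as the log pipeline that feeds `security_level`, so nodes should not be the sole source of their own security log data, and a scheduler should re-derive labels from fresh logs rather than trusting a label that was written once and never revisited.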
CN202011003168.XA 2020-09-22 2020-09-22 Container cloud policy scheduling method and device Active CN114253654B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011003168.XA CN114253654B (en) 2020-09-22 2020-09-22 Container cloud policy scheduling method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011003168.XA CN114253654B (en) 2020-09-22 2020-09-22 Container cloud policy scheduling method and device

Publications (2)

Publication Number Publication Date
CN114253654A true CN114253654A (en) 2022-03-29
CN114253654B CN114253654B (en) 2023-12-22

Family

ID=80788435

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011003168.XA Active CN114253654B (en) 2020-09-22 2020-09-22 Container cloud policy scheduling method and device

Country Status (1)

Country Link
CN (1) CN114253654B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9800517B1 (en) * 2013-10-31 2017-10-24 Neil Anderson Secure distributed computing using containers
CN108376100A (en) * 2017-01-31 2018-08-07 慧与发展有限责任合伙企业 Container scheduling based on safety
CN110287163A (en) * 2019-06-25 2019-09-27 浙江乾冠信息安全研究院有限公司 Security log collection and analysis method, device, equipment and medium
CN110851241A (en) * 2019-11-20 2020-02-28 杭州安恒信息技术股份有限公司 Security protection method, device and system for a Docker container environment

Also Published As

Publication number Publication date
CN114253654B (en) 2023-12-22

Similar Documents

Publication Publication Date Title
CN106802826B (en) Service processing method and device based on thread pool
CN108776934B (en) Distributed data calculation method and device, computer equipment and readable storage medium
WO2020024442A1 (en) Resource allocation method and apparatus, computer device and computer-readable storage medium
EP2411927B1 (en) Monitoring of distributed applications
CN112162865A (en) Server scheduling method and device and server
CN109726004B (en) Data processing method and device
CN107645483B (en) Risk identification method, risk identification device, cloud risk identification device and system
CN111459641B (en) Method and device for task scheduling and task processing across machine room
CN111538563A (en) Event analysis method and device for Kubernetes
CN113051019A (en) Flow task execution control method, device and equipment
CN106713396A (en) Server scheduling method and system
CN106878389B (en) Method and device for resource scheduling in cloud system
CN108960641B (en) E-commerce platform operation scheduling method and system
CN113422808B (en) Internet of things platform HTTP information pushing method, system, device and medium
CN113568759B (en) Cloud computing-based big data processing method and system
CN113672500B (en) Deep learning algorithm testing method and device, electronic device and storage medium
CN106664259B (en) Method and device for expanding virtual network function
CN114253654B (en) Container cloud policy scheduling method and device
CN111082964B (en) Distribution method and device of configuration information
CN109670932B (en) Credit data accounting method, apparatus, system and computer storage medium
CN107885593B (en) User authentication method and device
CN115509714A (en) Task processing method and device, electronic equipment and storage medium
CN113900811A (en) Event-driven task scheduling method and device
CN113259878B (en) Call bill settlement method, system, electronic device and computer readable storage medium
EP2209282A1 (en) A method, device and computer program product for service balancing in an electronic communications system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant