CN116257841B - Function processing method and device based on Kubernetes - Google Patents


Info

Publication number: CN116257841B
Application number: CN202310149690.6A
Authority: CN (China)
Other versions: CN116257841A
Other languages: Chinese (zh)
Prior art keywords: objective function, function, network connection, kubernetes, instruction
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Inventors: 杜威, 杨景杰, 陈毓端, 唐伽佳
Current assignee: Beijing Future Zhian Technology Co ltd
Original assignee: Beijing Future Zhian Technology Co ltd
Events: application filed by Beijing Future Zhian Technology Co ltd; priority to CN202310149690.6A; publication of CN116257841A; application granted; publication of CN116257841B

Classifications

    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by adding security routines or objects to programs (under G06F21/00 Security arrangements for protecting computers, programs or data against unauthorised activity; G06F21/50; G06F21/52)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation; G06F9/45533 Hypervisors; virtual machine monitors)
    • G06F2009/45587 Isolation or security of virtual machine instances
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a Kubernetes-based function processing method and device. The method comprises the following steps: mounting a hook function on an objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel; reading the context of the objective function through the instruction channel and the hook function; and judging whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel. The invention can continuously protect the security of the Kubernetes system after the container Pod is created, thereby achieving complete, real-time protection of the Kubernetes system.

Description

Function processing method and device based on Kubernetes
Technical Field
The application belongs to the technical field of computer operating systems, in particular to Linux kernel containers, and specifically relates to a Kubernetes-based function processing method and device.
Background
Kubernetes is an open source system for automatically deploying, scaling and managing containerized applications. Its goal is to make deploying a containerized application simple and efficient.
The traditional way to deploy an application is to install it through a plug-in or script. The disadvantage is that the running, configuration, management and whole lifecycle of the application are bound to the current operating system, which hinders upgrade, update and rollback of the application. Kubernetes itself provides some security mechanisms, such as limiting the capabilities of the container and setting the container's SELinux labels. These security mechanisms are parameters configured before the container Pod is created and cannot be modified once the Pod has been created, so system security cannot be protected in real time.
Disclosure of Invention
The Kubernetes-based function processing method and device can continuously protect the security of the Kubernetes system after the container Pod is created, thereby achieving complete, real-time protection of the Kubernetes system.
In a first aspect, the present invention provides a Kubernetes-based function processing method, which includes:
mounting a hook function on an objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel;
reading the context of the objective function through the instruction channel and the hook function;
judging whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel.
In one embodiment, mounting the hook function on the objective function through the probe preset on the container node includes:
loading a kernel file through the probe to generate a loading result;
parsing the objective function according to the loading result to generate a parsing result;
mounting the hook function on the objective function according to the parsing result and a rule preset by the system.
In one embodiment, the parsing result includes the objective function name, the instruction channel, the control channel and the data channel.
In one embodiment, the context of the objective function includes the read-write file name, the process name, the network connection address and the network connection port of the objective function.
In one embodiment, judging whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel includes:
matching the read-write file name, the process name, the network connection address and the network connection port of the objective function against the filtering rule to judge whether the objective function is legal.
In one embodiment, matching the file name, the process name, the network connection address and the network connection port of the objective function against the filtering rule includes:
converting the filtering rule into parameters readable by the eBPF instruction code and issuing the parameters to the instruction channel;
generating an execution result of the filtering rule according to the eBPF instruction code and the parameters read from the instruction channel;
matching the file name, the process name, the network connection address and the network connection port of the objective function against the execution result.
In one embodiment, the probe on the container node runs as a DaemonSet.
In a second aspect, the present invention provides a Kubernetes-based function processing apparatus, comprising:
a hook function mounting module, configured to mount the hook function on the objective function through a probe preset on the container node and to issue a filtering rule to a preset instruction channel;
a context reading module, configured to read the context of the objective function through the instruction channel and the hook function;
an objective function judging module, configured to judge whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel.
In one embodiment, the hook function mounting module includes:
a loading result generating unit, configured to load the kernel file through the probe to generate a loading result;
a parsing result generating unit, configured to parse the objective function according to the loading result to generate a parsing result;
a hook function mounting unit, configured to mount the hook function on the objective function according to the parsing result and a rule preset by the system.
In one embodiment, the parsing result includes the objective function name, the instruction channel, the control channel and the data channel.
In one embodiment, the context of the objective function includes the read-write file name, the process name, the network connection address and the network connection port of the objective function.
In one embodiment, the objective function judging module includes:
an objective function judging unit, configured to match the read-write file name, the process name, the network connection address and the network connection port of the objective function against the filtering rule to judge whether the objective function is legal.
In one embodiment, the objective function judging unit includes:
a rule conversion unit, configured to convert the filtering rule into parameters readable by the eBPF instruction code and to issue the parameters to the instruction channel;
an execution result generating unit, configured to generate an execution result of the filtering rule according to the eBPF instruction code and the parameters read from the instruction channel;
an execution result matching unit, configured to match the file name, the process name, the network connection address and the network connection port of the objective function against the execution result.
In one embodiment, the probe on the container node runs as a DaemonSet.
In a third aspect, the present invention provides a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of a spatio-temporal distribution prediction method adapted to shale hydrocarbon reservoirs.
In a fourth aspect, the present invention provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of a Kubernetes-based function processing method when the program is executed by the processor.
In a fifth aspect, the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a Kubernetes-based function processing method.
As can be seen from the above description, the embodiment of the present invention provides a Kubernetes-based function processing method and apparatus: first, a hook function is mounted on an objective function through a probe preset on a container node, and a filtering rule is issued to a pre-established instruction channel; then the context of the objective function is read through the instruction channel and the hook function; finally, whether the objective function is legal is judged according to the context of the objective function and the filtering rule in the instruction channel. The invention can continuously protect the security of the Kubernetes system after the container Pod is created, thereby achieving complete, real-time protection of the Kubernetes system.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly described below. The drawings in the following description show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a Kubernetes-based function processing method in an embodiment of the invention;
FIG. 2 is a flowchart of step 100 of a Kubernetes-based function processing method in an embodiment of the invention;
FIG. 3 is a flowchart of step 300 of a Kubernetes-based function processing method in an embodiment of the invention;
FIG. 4 is a flowchart of step 301 of a Kubernetes-based function processing method in an embodiment of the invention;
FIG. 5 is a conceptual diagram of a Kubernetes-based function processing method in an embodiment of the invention;
FIG. 6 is a conceptual diagram of a Kubernetes-based function processing method on the kernel layer side of the Linux system in an embodiment of the invention;
FIG. 7 is a schematic flowchart of a Kubernetes-based function processing method on the kernel layer side of the Linux system in an embodiment of the invention;
FIG. 8 is a conceptual diagram of a Kubernetes-based function processing method on the Kubernetes side of the application layer in an embodiment of the invention;
FIG. 9 is a schematic flowchart of a Kubernetes-based function processing method on the application layer side in a specific embodiment of the invention;
FIG. 10 is a conceptual diagram of a Kubernetes-based function processing method on the security platform side in an embodiment of the invention;
FIG. 11 is a schematic flowchart of a Kubernetes-based function processing method on the security platform side in an embodiment of the invention;
FIG. 12 is a schematic structural diagram of a Kubernetes-based function processing device in an embodiment of the invention;
FIG. 13 is a schematic diagram of a configuration file modification module 10 in an embodiment of the invention;
FIG. 14 is a schematic structural diagram of an objective function determining module 30 in an embodiment of the invention;
FIG. 15 is a schematic structural diagram of an objective function judging unit 301 in an embodiment of the invention;
FIG. 16 is a schematic structural diagram of an electronic device in an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present application and in the foregoing figures, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus. Embodiments and features of embodiments in this application may be combined with each other without conflict. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In this technical scheme, the acquisition, storage, use and processing of data all comply with the relevant laws and regulations.
Based on the technical pain points of the prior art, the embodiment of the invention provides a specific implementation of a Kubernetes-based function processing method. Referring to FIG. 1, the method comprises the following steps:
step 100: mounting a hook function on an objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel;
step 200: reading the context of the objective function through the instruction channel and the hook function;
step 300: judging whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel.
As can be seen from the foregoing description, the embodiment of the present invention provides a Kubernetes-based function processing method: first, a hook function is mounted on an objective function through a probe preset on a container node, and a filtering rule is issued to a pre-established instruction channel; then the context of the objective function is read through the instruction channel and the hook function; finally, whether the objective function is legal is judged according to the context of the objective function and the filtering rule in the instruction channel. The invention can continuously protect the security of the Kubernetes system after the container Pod is created, thereby achieving complete, real-time protection of the Kubernetes system.
In one embodiment, referring to FIG. 2, "mounting the hook function on the objective function through the probe preset on the container node" in step 100 includes:
step 101: loading a kernel file through the probe to generate a loading result;
The Linux kernel provides the kprobe/tracepoint debugging technology, which exposes a series of hook functions for observing the working state of each functional module, such as the memory subsystem, the network subsystem and the file subsystem, to help developers inspect and analyze problems.
step 102: parsing the objective function according to the loading result to generate a parsing result;
The parsing result includes the objective function name, the instruction channel, the control channel and the data channel.
step 103: mounting the hook function on the objective function according to the parsing result and a rule preset by the system.
In one embodiment, the context of the objective function includes the read-write file name, the process name, the network connection address and the network connection port of the objective function. Further, referring to FIG. 3, step 300 includes:
step 301: matching the read-write file name, the process name, the network connection address and the network connection port of the objective function against the filtering rule to judge whether the objective function is legal.
In one embodiment, referring to FIG. 4, step 301 includes:
step 3011: converting the filtering rule into parameters readable by the eBPF instruction code and issuing the parameters to the instruction channel;
step 3012: generating an execution result of the filtering rule according to the eBPF instruction code and the parameters read from the instruction channel;
The data channel, the control channel and the instruction channel are Map data structures provided by the eBPF virtual machine for interaction and data transfer between the application layer and the kernel layer. The data channel stores the execution result of the flow-matching rule executed by the function, and the Node reads it by polling. The control channel stores the rule-matching result, which is read and forwarded to the Master node. The instruction channel stores the rule instruction code issued by the security platform and is used to filter the function execution flow.
step 3013: matching the file name, the process name, the network connection address and the network connection port of the objective function against the execution result.
In steps 3011 to 3013, when the hook function of the Linux kernel is executed, the eBPF virtual machine executes the eBPF instruction code to perform rule matching: it reads the rule parameters from the instruction channel and filters the context to judge whether the execution flow of the objective function is legal.
If the flow is illegal, the execution result is written to the control channel (described under step 3012) and the corresponding container (Pod) is processed. If the flow is legal, the event of the execution flow is written to the data channel and the data is reported to the security platform.
In one embodiment, the probe on the container node runs as a DaemonSet.
A DaemonSet is a daemon controller with the following functions: it ensures that every node in the cluster runs one copy of the same Pod; it ensures that a newly added node automatically creates the corresponding Pod according to the node's state; when a node is removed, the corresponding Pod is deleted; and it tracks the state of each Pod, so that when a Pod crashes it is recovered in time.
In a specific embodiment, referring to FIG. 5, the present invention further provides a specific embodiment of a Kubernetes-based function processing method, which includes the following.
First, the embodiment of the invention provides a Kubernetes-based function processing system for implementing the Kubernetes-based function processing method. It consists of the Linux system kernel layer, the application layer Kubernetes, and the security platform, as follows.
Linux system kernel layer: when the system starts, the probe on the container node mounts the hook function on a given objective function according to a preset rule and issues the rule to the instruction channel. When execution reaches the objective function, the hook function runs, the eBPF virtual machine reads the function's context information (the read-write file name, the process name, the network connection address and the network connection port of the objective function), and the characteristics of the objective function are matched against the filtering rule in the instruction channel, which finally determines whether the execution flow of the function is legal.
In FIG. 5, when the hook function of the Linux kernel is executed, control enters the eBPF virtual machine, which executes the eBPF instruction code (for rule matching). The rule matching module reads rule parameters from the instruction channel to filter the context and judges whether the execution flow of the function is legal. If it is illegal, the execution result is written to the control channel and the rule processing module processes the corresponding Pod. If it is legal, the event of the execution flow is written to the data channel and the data reporting module reports the data to the security platform.
Application layer Kubernetes: the management platform of the server cluster, which manages the network, storage, CPU and memory resources of the cluster. A Pod is the basic unit of Kubernetes cluster management and the entity that executes tasks; it is analogous to a process in a Linux system.
The probe running on the container node of a Node node is the security software of that host node. It is responsible for reading the data channel and the control channel and for issuing the compiled rules to the instruction channel. When the polling module reads the data channel, the rule-matching result is sent to the data reporting module and then to the security platform. When the polling module reads the control channel, it obtains a rule-matching result and sends it to the rule processing module, which then communicates with the Kubernetes API server component to request that the corresponding Pod be deleted or stopped. The rule parsing module receives rules, converts them into eBPF instruction code, and transmits the eBPF instruction code to the instruction channel.
The probe running on the Master node is responsible for reporting data, executing rule results, and receiving rules issued by the security platform. When its data reporting module receives data reported by a Node agent, it forwards that data to the security platform. Its rule processing module communicates with the API Server by calling the REST API interface, and deletes or stops the corresponding Pod according to the rule execution result. In addition, the probes running on the container nodes of the Node nodes run as a DaemonSet and scale with the number of cluster nodes.
The security platform is mainly responsible for data analysis, alarm rule matching, issuing processing results, and issuing filtering rules. The behavior module performs finer-grained data correlation on the reported data and matches rules to find potential security threats. The alarm module issues the rule execution result to the execution module, which communicates with the probe on the container node of the Master node; that probe's rule processing module then deletes or stops the corresponding Pod according to the result issued by the security platform.
The rule configuration module is a custom rule interface provided by the security platform for security operation and maintenance personnel. It issues rules to the rule receiving module of the Pod-master-agent, which issues them to the probes on the corresponding Node container nodes; the Node nodes parse the rules, compile them into eBPF instruction code, and issue the instruction code to the instruction channels to update the rules matched by the eBPF virtual machines.
From the above description, the invention can continue to protect the Kubernetes system after the container Pod is created, thereby achieving complete, real-time protection of the Kubernetes system. Specifically, the invention has the following beneficial effects:
(1) The method mounts the hook function on the objective function using eBPF technology to obtain its behavior information, and does not need to modify the Linux kernel, which ensures the stability of the system and keeps the method non-invasive.
(2) The method and device achieve hot update of the filtering rules without restarting the system: by modifying the filtering rules, whether a process behavior is legal can be judged in real time, and the reported log can be filtered.
(3) The method and device read the behavior information of the objective function and match it against the filtering rule; illegal behavior is reported to the probe, and Kubernetes executes the response operation in time, which achieves a quick response to security events and ensures the security of the system.
Based on the Kubernetes-based function processing system described above, specific application examples of the Kubernetes-based function processing method provided by the invention include the following.
Referring to FIG. 6 and FIG. 7, the Kubernetes-based function processing method on the kernel layer side of the Linux system includes the following steps:
S1: the probes on the container nodes establish the data transmission channels.
Specifically, the probes on the container nodes load the kernel file, parse the defined MAP variables, and build the MAP data structures through the `__NR_bpf` system call. To improve transmission efficiency, the MAP type used is BPF_MAP_TYPE_PERF_EVENT_ARRAY.
S2: the probes on the container nodes mount the hook functions.
The probe on the container node loads the kernel file, parses the defined function, and mounts the hook function on the corresponding kernel function according to the rule issued by the security platform.
S3: reading the filtering function of the matching rule.
The rule matching module is the executing component of the hook function and is mainly written in C and compiled into eBPF instruction code. It matches the context information of the executing function against the filtering parameters read from the instruction channel and confirms whether the execution process is legal. Here the context information of the objective function refers to parameters such as the process pid and the files the process has open.
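The rule conversion and matching that steps 3011 to 3013 and step S3 describe, as an added userspace C model written for this page (it is not the patent's eBPF code and not a loadable BPF program): the text rule format, the fixed-size rule struct, the channel arrays, the rule values and the sample contexts are constructed assumptions; the real system keeps the channels in BPF maps and runs the matcher inside the eBPF virtual machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   64
#define MAX_RULES  16
#define MAX_EVENTS 16

enum verdict { VERDICT_LEGAL = 0, VERDICT_ILLEGAL = 1 };

/* Hypothetical fixed-size rule as the rule parsing module would push it into
 * the instruction channel: fixed-width fields so the kernel-side matcher
 * compares bytes instead of parsing text. Empty string / 0 means "any". */
struct filter_rule {
    char     file_name[NAME_LEN];
    char     comm[NAME_LEN];
    uint32_t addr;   /* IPv4, host byte order */
    uint16_t port;
    uint8_t  deny;   /* 1: a matching flow is illegal */
};

/* Context the hook function reads for the objective function. */
struct func_ctx {
    uint32_t pid;
    char     file_name[NAME_LEN];
    char     comm[NAME_LEN];
    uint32_t addr;
    uint16_t port;
};

/* Constructed stand-ins for the three channels (real ones are BPF maps). */
struct channel { struct func_ctx ev[MAX_EVENTS]; int n; };
static struct filter_rule instruction_channel[MAX_RULES];
static int rule_count;
static struct channel control_channel;  /* illegal flows, polled by the Node probe */
static struct channel data_channel;     /* legal flows, reported to the platform */

/* Step 3011: convert a text rule such as "file=/etc/shadow,action=deny" into
 * the fixed-size struct. Returns 0 on success, -1 on a malformed rule, which
 * is then never loaded (a half-parsed rule must not widen or narrow matching). */
static int parse_rule(const char *text, struct filter_rule *r) {
    char buf[256];
    unsigned a, b, c, d;
    memset(r, 0, sizeof *r);
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *val = strchr(tok, '=');
        if (!val) return -1;
        *val++ = '\0';
        if (strcmp(tok, "file") == 0) {
            strncpy(r->file_name, val, NAME_LEN - 1);
        } else if (strcmp(tok, "comm") == 0) {
            strncpy(r->comm, val, NAME_LEN - 1);
        } else if (strcmp(tok, "addr") == 0) {
            if (sscanf(val, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
                a > 255 || b > 255 || c > 255 || d > 255) return -1;
            r->addr = (a << 24) | (b << 16) | (c << 8) | d;
        } else if (strcmp(tok, "port") == 0) {
            if (sscanf(val, "%u", &a) != 1 || a == 0 || a > 65535) return -1;
            r->port = (uint16_t)a;
        } else if (strcmp(tok, "action") == 0) {
            if (strcmp(val, "deny") == 0) r->deny = 1;
            else if (strcmp(val, "allow") == 0) r->deny = 0;
            else return -1;
        } else {
            return -1;  /* unknown key: reject the whole rule */
        }
    }
    return 0;
}

/* Issue one parsed rule to the instruction channel. */
static int issue_rule(const char *text) {
    struct filter_rule r;
    if (rule_count >= MAX_RULES || parse_rule(text, &r) != 0) return -1;
    instruction_channel[rule_count++] = r;
    return 0;
}

static bool str_matches(const char *want, const char *have) {
    return want[0] == '\0' || strcmp(want, have) == 0;
}

/* Steps 3012-3013: match the objective function's context against the rules in
 * the instruction channel. The first rule whose every set field matches decides;
 * a flow that no rule covers is legal. */
static enum verdict match_context(const struct func_ctx *ctx) {
    for (int i = 0; i < rule_count; i++) {
        const struct filter_rule *r = &instruction_channel[i];
        if (!str_matches(r->file_name, ctx->file_name)) continue;
        if (!str_matches(r->comm, ctx->comm)) continue;
        if (r->addr && r->addr != ctx->addr) continue;
        if (r->port && r->port != ctx->port) continue;
        return r->deny ? VERDICT_ILLEGAL : VERDICT_LEGAL;
    }
    return VERDICT_LEGAL;
}

/* What the hook function does once it has the context: decide, then route the
 * event to the control channel (illegal) or the data channel (legal). */
static enum verdict hook_function(const struct func_ctx *ctx) {
    enum verdict v = match_context(ctx);
    struct channel *ch = (v == VERDICT_ILLEGAL) ? &control_channel : &data_channel;
    if (ch->n < MAX_EVENTS) ch->ev[ch->n++] = *ctx;
    return v;
}

/* Constructed demo: two rules, three contexts. Returns
 * control_channel.n * 10 + data_channel.n so the routing can be checked. */
static int run_demo(void) {
    rule_count = control_channel.n = data_channel.n = 0;
    if (issue_rule("file=/etc/shadow,action=deny") != 0) return -1;
    if (issue_rule("addr=203.0.113.10,port=4444,action=deny") != 0) return -1;
    struct func_ctx c1 = { .pid = 4242, .file_name = "/etc/shadow", .comm = "sh" };
    struct func_ctx c2 = { .pid = 4243, .file_name = "/var/log/app.log", .comm = "app" };
    struct func_ctx c3 = { .pid = 4244, .comm = "app",
                           .addr = (203u << 24) | (113u << 8) | 10u, .port = 4444 };
    hook_function(&c1);  /* illegal: the file rule matches */
    hook_function(&c2);  /* legal: no rule covers it */
    hook_function(&c3);  /* illegal: the address/port rule matches */
    return control_channel.n * 10 + data_channel.n;
}

int main(void) {
    int code = run_demo();
    printf("control channel: %d event(s), data channel: %d event(s)\n", code / 10, code % 10);
    return 0;
}
```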
Referring to fig. 8 and 9, the Kubernetes-based function processing method located on the Kubernetes side of the application layer includes the following steps:
SA: The probe on the container node requests rules from the security platform at startup.
When the probe on a container node is loaded, it first sends a request to the security platform asking it to issue the rules. The rule receiving module of the probe on the container master node receives the rules and forwards them to the rule parsing module of the probe on the corresponding container node in the cluster, and that rule parsing module writes the parsed rules to the corresponding instruction channel.
SB: Information from the data channel is reported to the security platform.
The polling module continuously reads the data channel, correlates the data and forwards it to the data reporting module, which forwards it to the security platform.
SC: Information from the control channel is reported to the rule processing module, which acts on the running Pod.
Specifically, when rule matching in the eBPF virtual machine of the Linux kernel layer finds an illegal call, the information of the process executing the objective function is written to the control channel, and the polling module reads it from there. The rule processing module then communicates with the API server component of Kubernetes and requests that the corresponding Pod be deleted or stopped. It does so through the REST API provided by Kubernetes; for example, the REST API call for deleting a Pod is: DELETE /api/v1/namespaces/{namespace}/pods/{name}.
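The response step of SC, as an added example in Go that is not the patent's or any project's code: a small rule processing module takes a control-channel event that has already been correlated to a Pod, issues DELETE /api/v1/namespaces/{namespace}/pods/{name} to the API server with the probe's service-account bearer token, and classifies the reply as deleted, already gone or forbidden. The API server is replaced by a constructed in-process stand-in so the example runs offline; the PodEvent type, the Outcome values and the sample Pods are assumptions. The path, the gracePeriodSeconds query parameter, the in-cluster service address and the token mount point are Kubernetes' real ones.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// PodEvent is a control-channel record after the polling module has mapped
// the offending PID to its Pod (assumed shape; the patent does not fix one).
type PodEvent struct {
	PID       uint32
	Namespace string
	Pod       string
}

// Outcome classifies the API server's reply to the delete request.
type Outcome int

const (
	Unknown   Outcome = iota
	Deleted           // 200 or 202: deletion accepted
	Gone              // 404: the Pod no longer exists, nothing to do
	Forbidden         // 403: RBAC does not grant "delete" on pods here
)

// PodResponder is the rule processing module's client to kube-apiserver.
type PodResponder struct {
	BaseURL string // in-cluster: https://kubernetes.default.svc
	Token   string // in-cluster: /var/run/secrets/kubernetes.io/serviceaccount/token
	Client  *http.Client
}

// DeletePodPath builds DELETE /api/v1/namespaces/{namespace}/pods/{name}.
// Both segments are escaped: the Pod name comes from a kernel event, and an
// unescaped "../" in it would otherwise rewrite the request path.
func DeletePodPath(namespace, name string) string {
	return "/api/v1/namespaces/" + url.PathEscape(namespace) + "/pods/" + url.PathEscape(name)
}

// DeletePod sends the delete request; gracePeriodSeconds is the API's own
// query parameter, and 0 asks for immediate termination.
func (p *PodResponder) DeletePod(ctx context.Context, ev PodEvent, graceSeconds int) (Outcome, error) {
	if ev.Namespace == "" || ev.Pod == "" {
		return Unknown, fmt.Errorf("event for pid %d is not correlated to a pod", ev.PID)
	}
	u := fmt.Sprintf("%s%s?gracePeriodSeconds=%d", p.BaseURL, DeletePodPath(ev.Namespace, ev.Pod), graceSeconds)
	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, u, nil)
	if err != nil {
		return Unknown, err
	}
	req.Header.Set("Authorization", "Bearer "+p.Token)
	resp, err := p.Client.Do(req)
	if err != nil {
		return Unknown, err
	}
	resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK, http.StatusAccepted:
		return Deleted, nil
	case http.StatusNotFound:
		return Gone, nil
	case http.StatusForbidden:
		return Forbidden, nil
	}
	return Unknown, fmt.Errorf("api server returned %d for %s", resp.StatusCode, u)
}

// NewFakeAPIServer is a constructed stand-in for kube-apiserver so the example
// runs offline. pods maps "namespace/pods/name" to whether RBAC lets this
// token delete it; unknown Pods answer 404 and a wrong token 401.
func NewFakeAPIServer(token string, pods map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := strings.TrimPrefix(r.URL.Path, "/api/v1/namespaces/")
		allowed, exists := pods[key]
		switch {
		case r.Header.Get("Authorization") != "Bearer "+token:
			http.Error(w, `{"kind":"Status","code":401}`, http.StatusUnauthorized)
		case r.Method != http.MethodDelete || !exists:
			http.Error(w, `{"kind":"Status","code":404}`, http.StatusNotFound)
		case !allowed:
			http.Error(w, `{"kind":"Status","code":403}`, http.StatusForbidden)
		default:
			delete(pods, key)
			w.WriteHeader(http.StatusOK)
		}
	}))
}

func main() {
	// Constructed cluster state: one Pod the token may delete, one it may not.
	srv := NewFakeAPIServer("example-token", map[string]bool{"default/pods/web-0": true, "kube-system/pods/coredns-0": false})
	defer srv.Close()
	p := &PodResponder{BaseURL: srv.URL, Token: "example-token", Client: srv.Client()}
	for _, ev := range []PodEvent{{202, "default", "web-0"}, {202, "default", "web-0"}, {303, "kube-system", "coredns-0"}} {
		out, err := p.DeletePod(context.Background(), ev, 0)
		fmt.Printf("%s/%s: outcome=%d err=%v\n", ev.Namespace, ev.Pod, out, err)
	}
}
```

The Pod name and namespace reach this module from an event the kernel side produced, so both segments are escaped before they enter the request path. Because the probe runs as a DaemonSet under its own service account, that account needs a RoleBinding granting the delete verb on pods in the namespaces it protects and nothing wider; Forbidden is what appears when that binding is missing, and it should raise an alert rather than be retried.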
Referring to fig. 10 and 11, the Kubernetes-based function processing method located on the security platform side includes the following steps:
Sa: The rule configuration module issues rules to Kubernetes. When the probe on the container master node in Kubernetes receives a rule, it forwards it to the probes on the container nodes.
Sb: Behavior modeling is performed on the information reported by the probes on the container nodes to find potential threats in the running Pods; an alarm is raised in time, and a response action is issued to Kubernetes, which deletes or isolates the Pod.
Based on the same inventive concept, the embodiments of the present application also provide a function processing device based on Kubernetes, which can be used to implement the method described in the above embodiments, such as the following embodiments. Since the principle of the Kubernetes-based function processing device for solving the problem is similar to that of the Kubernetes-based function processing method, the implementation of the Kubernetes-based function processing device can be implemented by referring to the Kubernetes-based function processing method, and the repetition is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the system described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The embodiment of the invention firstly provides a specific implementation manner of a Kubernetes-based function processing device capable of realizing a Kubernetes-based function processing method, and referring to fig. 12, the Kubernetes-based function processing device specifically comprises the following contents:
the hook function mounting module 10 is used for mounting the hook function on the objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel;
a context reading module 20, configured to read the context of the objective function through the instruction channel and the hook function;
and the objective function judging module 30 is configured to judge whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel.
In one embodiment, referring to fig. 13, the hook function mounting module 10 includes:
a loading result generating unit 101, configured to load a kernel file through the probe, so as to generate a loading result;
an analysis result generating unit 102, configured to analyze the objective function according to the loading result, so as to generate an analysis result;
and the hook function mounting unit 103 is configured to mount the hook function on the objective function according to the analysis result and a rule preset by a system.
In one embodiment, the analysis result includes: the objective function name, the instruction channel, the control channel and the data channel.
In one embodiment, the context of the objective function includes: the read-write file name, the process name, the network connection address and the network connection port of the objective function.
In one embodiment, referring to fig. 14, the objective function determining module 30 includes:
and the objective function judging unit 301 is configured to match the read-write file name, the process name, the network connection address and the network connection port of the objective function with the filtering rule, so as to judge whether the objective function is legal.
In one embodiment, referring to fig. 15, the objective function determining unit 301 includes:
a rule conversion unit 3011, configured to convert the filtering rule into parameters read by the eBPF instruction code, and send the parameters to an instruction channel;
an execution result generating unit 3012, configured to generate an execution result of the filtering rule according to the eBPF instruction code and the parameter read from the instruction channel;
and an execution result matching unit 3013, configured to match the file name, the process name, the network connection address, and the network connection port of the objective function with the execution result.
In one embodiment, the probe on the container node runs as a DaemonSet.
As can be seen from the foregoing description, the embodiment of the present invention provides a Kubernetes-based function processing device that: first mounts a hook function on an objective function through a probe preset on a container node and issues a filtering rule to a pre-established instruction channel; then reads the context of the objective function through the instruction channel and the hook function; and finally judges whether the objective function is legal according to that context and the filtering rule in the instruction channel. The invention keeps protecting the Kubernetes system after a container Pod has been created, so that the system is protected completely and in real time; in particular, it has the following beneficial effects:
(1) The method mounts the hook function on the objective function using eBPF technology to acquire the behavior information of the objective function, and does not need to modify the Linux kernel, which preserves the stability and non-invasiveness of the system.
(2) The method and the device realize the hot update of the filtering rules, do not need to restart the system, can judge whether the process behavior is legal or not in real time by modifying the filtering rules, and can filter the reported log.
(3) According to the method and the device, the behavior information of the objective function is read and matched with the filtering rule, illegal behaviors are notified to the probe, and the response operation is timely executed by the Kubernetes, so that the quick response to the security event is realized, and the security of the system is ensured.
The embodiment of the present application further provides a specific implementation manner of an electronic device capable of implementing all the steps in the Kubernetes-based function processing method in the foregoing embodiment, and referring to fig. 16, the electronic device specifically includes the following contents:
a processor 1201, a memory 1202, a communication interface 1203, and a bus 1204;
wherein the processor 1201, the memory 1202 and the communication interface 1203 perform communication with each other through the bus 1204; the communication interface 1203 is configured to implement information transmission between the server device and the client device;
the processor 1201 is configured to invoke a computer program in the memory 1202, and when the processor executes the computer program, the processor implements all the steps in the Kubernetes-based function processing method in the above embodiment, for example, when the processor executes the computer program, the processor implements the following steps:
step 100: mounting a hook function on an objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel;
step 200: reading the context of the objective function through the instruction channel and a hook function;
step 300: and judging whether the objective function is legal or not according to the context of the objective function and the filtering rule in the instruction channel.
The embodiments of the present application also provide a computer-readable storage medium capable of implementing all the steps in the Kubernetes-based function processing method in the above embodiments, and a computer program stored on the computer-readable storage medium, which when executed by a processor implements all the steps in the Kubernetes-based function processing method in the above embodiments, for example, the processor implements the following steps when executing the computer program:
in this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for a hardware+program class embodiment, the description is relatively simple, as it is substantially similar to the method embodiment, as relevant see the partial description of the method embodiment.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Although the present application provides method operational steps as an example or flowchart, more or fewer operational steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented by an actual device or client product, the instructions may be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment) as shown in the embodiments or figures.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when implementing the embodiments of the present disclosure, the functions of each module may be implemented in the same or multiple pieces of software and/or hardware, or a module that implements the same function may be implemented by multiple sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller can be regarded as a hardware component, and means for implementing various functions included therein can also be regarded as a structure within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
The present embodiments may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments. In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the embodiments of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
The foregoing is merely an example of an embodiment of the present disclosure and is not intended to limit the embodiment of the present disclosure. Various modifications and variations of the illustrative embodiments will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the embodiments of the present specification, should be included in the scope of the claims of the embodiments of the present specification.

Claims (11)

1. A Kubernetes-based function processing method, characterized by comprising the following steps:
mounting a hook function on an objective function through a probe preset on a container node, and issuing a filtering rule to a preset instruction channel;
reading the context of the objective function through the instruction channel and a hook function;
judging whether the objective function is legal or not according to the context of the objective function and the filtering rule in the instruction channel;
the context of the objective function includes: the read-write file name, the process name, the network connection address and the network connection port of the objective function;
the determining whether the objective function is legal according to the context of the objective function and the filtering rule in the instruction channel includes:
matching the read-write file name, the process name, the network connection address and the network connection port of the objective function with the filtering rule to judge whether the objective function is legal or not;
the matching the read-write file name, the process name, the network connection address and the network connection port of the objective function with the filtering rule includes:
converting the filtering rule into parameters read by eBPF instruction codes and issuing the parameters to an instruction channel;
generating an execution result of the filtering rule according to the eBPF instruction code and the parameters read from the instruction channel;
and matching the read-write file name, the process name, the network connection address and the network connection port of the objective function with the execution result.
2. The function processing method as claimed in claim 1, wherein said mounting the hook function on the objective function by a probe preset on the container node comprises:
loading a kernel file through the probe to generate a loading result;
analyzing an objective function according to the loading result to generate an analysis result;
and mounting the hook function on the objective function according to the analysis result and a rule preset by a system.
3. The function processing method according to claim 2, wherein the analysis result includes: the objective function name, the instruction channel, the control channel and the data channel.
4. The method of claim 1, wherein the probe on the container node runs as a DaemonSet.
5. A Kubernetes-based function processing apparatus, comprising:
the hook function mounting module is used for mounting the hook function on the objective function through a probe preset on the container node and issuing a filtering rule to a preset instruction channel;
a context reading module, configured to read a context of the objective function through the instruction channel and a hook function;
the objective function judging module is used for judging whether the objective function is legal or not according to the context of the objective function and the filtering rule in the instruction channel;
the context of the objective function includes: the read-write file name, the process name, the network connection address and the network connection port of the objective function;
the objective function judging module comprises:
the objective function judging unit is used for matching the read-write file name, the process name, the network connection address and the network connection port of the objective function with the filtering rule so as to judge whether the objective function is legal or not;
the objective function judgment unit includes:
the rule conversion unit is used for converting the filtering rule into parameters read by the eBPF instruction code and issuing the parameters to the instruction channel;
the execution result generation unit is used for generating an execution result of the filtering rule according to the eBPF instruction code and the parameters read from the instruction channel;
and the execution result matching unit is used for matching the read-write file name, the process name, the network connection address and the network connection port of the objective function with the execution result.
6. The function processing device of claim 5, wherein the hook function mounting module comprises:
the loading result generating unit is used for loading the kernel file through the probe so as to generate a loading result;
the analysis result generation unit is used for analyzing the objective function according to the loading result so as to generate an analysis result;
and the hook function mounting unit is used for mounting the hook function on the objective function according to the analysis result and a rule preset by the system.
7. The function processing apparatus according to claim 6, wherein the analysis result includes: the objective function name, the instruction channel, the control channel and the data channel.
8. The function processing device of claim 5, wherein the probe on the container node runs as a DaemonSet.
9. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the Kubernetes-based function processing method of any of claims 1 to 4.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the Kubernetes-based function processing method of any of claims 1 to 4 when the program is executed.
11. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the Kubernetes-based function processing method of any one of claims 1 to 4.
Application CN202310149690.6A, filed 2023-02-16 (priority date 2023-02-16): Function processing method and device based on Kubernetes, granted as CN116257841B (status: Active).

Publications (2)

Publication Number Publication Date
CN116257841A (en) 2023-06-13
CN116257841B (en) 2024-01-26

Family ID: 86682154


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant