KR102633812B1 - Container integrated control system using intelligent agent and its control method - Google Patents

Abstract

The present invention relates to an integrated container control system using an intelligent agent and a control method thereof. The method according to the present invention includes the steps of a user interface unit registering an application from a user; Creating a configuration file for the application in which the user interface unit is registered; When the intelligent agent unit receives an installation or update command for a registered application along with the configuration file of the registered application, a command line is sent to install or update the application registered for the corresponding POD among the PODs distributed to multiple worker nodes. generating a; and passing the generated command line to the corresponding POD to install or update the registered application. Includes. According to the present invention, it is possible to easily manage the container integrated control system even if you are not an IT expert. In particular, it is convenient to install or update applications. Additionally, security issues caused by installation or updates of new applications can be automatically checked in advance.

Description

Container integrated control system using intelligent agent and its control method {Container integrated control system using intelligent agent and its control method}

The present invention relates to an integrated container control system using an intelligent agent and a control method thereof.

When you want to deploy and use a specific application from one physical environment (e.g., server computer 1) to another physical environment (e.g., server computer 2), two different server environments (differences in server OS product types and versions) , the presence or absence of dependent applications, etc.), the inconvenience that a specific application that was operating normally on server computer 1 does not work on server computer 2 is a common occurrence in the field. To solve this problem, applications are containerized so that they can be distributed/used regardless of the server computer environment.

1 is a diagram explaining the concepts of containers and PODs.

Referring to FIG. 1, the container (1) refers to an image that bundles an application (2), a binary file (3), a library file (4), etc. related to the application. One container (1) may contain multiple applications.

POD (Point Of Deployment) (5) is a management unit that organizes one or several containers (1) and resources (such as configuration files and storage) related to the settings and operation of applications included in the containers (1). It means grouped together. One POD can include one or more containers (1), configuration files (6), and storage (7).

The environment settings file (6) is a file that contains information and commands necessary to configure the environment settings of applications included in the corresponding POD. And the storage 7 may be a file, table, queue, etc. that stores data related to the operation of the application included in the corresponding POD.

One server computer (NODE) can consist of one or several PODs (5). The node can be a master node or a worker node, which will be explained later.

Figure 2 illustrates the configuration of a conventional container integrated control platform.

Referring to Figure 2, container integrated control platforms are known such as Kubernetes, Docker Swarm, and Apache Mesos, and generally include a master node (20) and a number of worker nodes ( 30).

The master node 20 performs the function of controlling and managing the entire container integrated control platform.

The worker node 30 runs one or more PODs 5, which are a set of one or more containers 1.

The master node 20 may include an API server 21, a scheduler 22, a data storage 23, and a controller manager 24.

The API server 21 serves to provide an API so that end users, other parts of the container integrated control platform, and external components can communicate with each other. The scheduler 22 is responsible for allocating and managing each resource, such as POD and service, to appropriate worker nodes. The data storage 23 serves to store the status or setting information of the cluster 10. The controller manager 24 detects the shared state of the cluster 10 through the API server 21, manages the control loop that transitions the current state to the desired state, and, if necessary, connects with a cloud company to load balancer or disk. It is responsible for managing resources such as volumes.

However, in this container integrated control platform, thousands or tens of thousands of PODs (5) can be executed simultaneously. The execution location of POD(5) may change each time as it repeats creation and destruction countless times, and the memory and disk resource capacity allocated to POD(5) may be changed at any time through the Auto Scaling function.

However, the process of installing or updating numerous applications on thousands to tens of thousands of PODs performed simultaneously within this container integrated control platform is a specialized work area that can only be performed by professional engineers. In addition, among the management functions provided by the container integrated control platform, it does not provide an intuitive graphical user interface environment that takes user convenience into account in relation to application installation, update, replication and distribution, and tasks must be performed in a CLI (Command Line Interface) environment. It was done through. As such, in the conventional container integrated control platform, application installation and update had to go through very complicated professional steps, and there was an inconvenient and cumbersome process in which experts entered commands one by one.

Meanwhile, because the container integrated control platform was originally created as open source, unlike proprietary commercial software, there is no security policy from the manufacturer (open source does not have a single exclusive manufacturer). Therefore, due to these inherent problems, it was up to each user to prepare customized security measures for the container integrated control platform. As a result, it was not only difficult for general IT managers or system users who were not expert engineers in open source or containers, but also to prepare their own security measures for the container integrated control platform, and it was also difficult to implement or manage security measures.

The technical problem to be solved by the present invention is to provide an integrated container control system and control method using an intelligent agent.

A container integrated control system consisting of a plurality of worker nodes and a master node according to the present invention for solving the above-described technical problem includes: a user interface unit for registering an application from a user and generating a configuration file for the registered application; And when an installation or update command for the registered application is received along with the configuration file of the registered application, a command for installing or updating the registered application is installed for the corresponding POD among the PODs distributed to the plurality of worker nodes. an intelligent agent unit that generates a command line and delivers it to the corresponding POD to install or update the registered application; Includes, the plurality of worker nodes are deployed and executed by one or more PODs, the POD includes one or more containers and environment configuration files, the container includes an application and libraries and binary files necessary for application execution, and the master The node distributes PODs to the plurality of worker nodes and manages the PODs distributed to the plurality of worker nodes.

The intelligent agent unit searches a predetermined vulnerability database using the name of the registered application as a keyword, and based on words extracted from vulnerability data collected, downloads the application required for a mock attack from the application repository and installs it in the corresponding POD. Then, a mock attack on the cluster can be executed by writing a command for a mock attack and then passing the written command to the corresponding POD and executing it.

The corresponding POD may be a POD selected by the user in the user interface unit as an installation or update target for the registered application.

The intelligent agent unit may check the status of the corresponding POD according to execution of the mock attack and store the result of the mock attack in the agent database.

The intelligent agent unit may include a plurality of intelligent agents.

It may further include an agent interface unit that mediates commands and command results between the user interface unit and the plurality of intelligent agent units.

The agent interface unit may include an upper agent interface unit and a plurality of lower agent interface units.

The upper agent interface unit may classify commands transmitted from the user interface unit and selectively transmit them to the plurality of lower agent interface units.

The lower agent interface unit that receives the command may transmit it to a corresponding intelligent agent among the plurality of intelligent agents.

A method of controlling a container integrated control system consisting of a plurality of worker nodes and a master node according to the present invention to solve the above technical problem includes the steps of a user interface unit registering an application from a user; generating a configuration file of the registered application by the user interface unit; When the intelligent agent unit receives an installation or update command for the registered application along with the configuration file of the registered application, it installs or updates the registered application for the corresponding POD among the PODs distributed to the plurality of worker nodes. generating a command line for; and passing the generated command line to the corresponding POD to install or update the registered application. Includes.

A recording medium according to an embodiment of the present invention may include a computer-readable recording medium on which a program for executing the above method is recorded on a computer.

According to the present invention, it is possible to easily manage the container integrated control system even if you are not an IT expert. In particular, it is convenient to install or update applications. Additionally, security issues caused by installation or updates of new applications can be automatically checked in advance.

1 is a diagram explaining the concepts of containers and PODs.
Figure 2 illustrates the configuration of a conventional container integrated control platform.
Figure 3 is a configuration diagram of a container integrated control system using an intelligent agent according to an embodiment of the present invention.
Figure 4 is a diagram provided to explain the configuration of an agent interface unit according to an embodiment of the present invention.
Figure 5 illustrates vulnerability data collected from a vulnerability database according to an embodiment of the present invention.
Figure 6 illustrates words extracted by an intelligent agent from vulnerability data collected according to an embodiment of the present invention.
Figure 7 illustrates a command automatically written by the intelligent agent unit for a simulated attack according to the present invention.
Figure 8 is a flowchart showing an application installation or update process according to an embodiment of the present invention.
Figure 9 is a flowchart showing a simulated attack process according to an embodiment of the present invention.

Then, with reference to the attached drawings, embodiments of the present invention will be described in detail so that those skilled in the art can easily implement the present invention.

Figure 3 is a configuration diagram of a container integrated control system using an intelligent agent according to an embodiment of the present invention.

Referring to Figure 3, the system according to the present invention includes a master node 100, a cluster 200 consisting of a plurality of worker nodes 210, an intelligent agent unit 300, a user interface unit 400, and an agent interface unit ( 500), an application storage 600, an agent database 700, and a vulnerability database unit 800.

The cluster 200, which consists of a master node 100 and a plurality of worker nodes 210, uses containers that image applications, such as Kubernetes, Docker Swarm, Apache Mesos, etc., as a POD. It may be a system that manages deployment by unit, or a container orchestration system that automates the deployment, management, expansion, and networking of containers.

The master node 100 performs the function of controlling and managing the cluster 200 consisting of a plurality of worker nodes 210. The master node 100 may perform the role of a master node in a conventional container orchestration system.

The master node 100 distributes the POD 220 to a plurality of worker nodes 210 and performs the function of managing the POD 220 distributed to the plurality of worker nodes 210. Here, managing the POD 220 also includes managing the POD 220, the container included in the POD 220, or the application included in the container.

A plurality of worker nodes 210 are executed by distributing one or more PODs 220. In FIG. 3, to simplify the drawing, a cluster 200 is shown containing three worker nodes 210 and one, two, or three PODs 220 in each worker node. However, the cluster 200 includes The number of worker nodes, PODs, etc. can vary depending on the situation.

POD 220 means that one or more containers and resources (such as configuration files and storage) related to the settings and operation of applications included in the containers are grouped into one management unit.

The container included in the POD 220 means an image that bundles an application and binary files and library files related to the application. One container may contain multiple applications.

The user interface unit 400 can register an application from a user. Additionally, the user interface unit 400 may receive an installation or update command for a registered application from the user. Additionally, the user interface unit 400 may receive a request to inquire about the status of the cluster 200 from the user, for example, the status of applications installed in the cluster 200 (resource efficiency, normal operation, etc.).

To this end, the user interface unit 400 may be implemented based on a graphical user interface (web user interface). For example, the user interface unit 400 may present a list of registered applications to the user and display an installation or update command button next to the application list.

And when the user presses the install or update command button, a screen for selecting the POD corresponding to the application to be installed or updated can be displayed. For PODs where the application is already installed, if the application version is different, the update button may be activated and displayed, and if the application version is the same, the delete and reinstall button may be activated and displayed. On the other hand, for PODs where the application is not installed, the application installation button may be activated and displayed. Therefore, the user can visually check and then select whether to install, delete and then reinstall or update the registered application.

Meanwhile, applications registered through the user interface unit 400 may be stored in the application storage 600.

The application repository 600 distributes and manages versions of the source code of an application like a Git repository, and can store information such as the date and time when the source code was registered together with the source code. Various applications related to the operation and operation of the cluster 200 may be stored in the application storage 600. In addition, applications necessary for a simulated attack on the cluster 200 described later may also be stored.

Meanwhile, the user interface unit 400 may generate an environment setting file (config file) for an application registered by the user. Here, the environment configuration file is a file containing information and commands necessary to configure environment settings related to the operation and installation of the application in the cluster 200. Specifically, the location information of the application installation file (location information stored in the application repository), application installation options, application usage permissions, application usage period, etc. may be included in the environment setting file. Information about application installation options, application usage rights, application usage period, etc. may be set by the user or automatically determined according to predetermined rules and included in the configuration file.

The user interface unit 400 may transmit an installation (hereinafter installation includes reinstallation) or update command for the application to the intelligent agent unit 300 along with the configuration file and POD selection information of the application. Hereinafter, when an installation or update command for an application is delivered, it means that the application's configuration file and POD selection information are also delivered.

Depending on the embodiment, an installation or update command for an application may be transmitted from the user interface unit 400 to the intelligent agent unit 300 via the agent interface unit 500.

Generally, hundreds to thousands of PODs 220 exist within one cluster 200. Therefore, although the drawing shows one intelligent agent unit 300, the intelligent agent unit 300 can be understood to include multiple intelligent agents. Additionally, a worker node or POD in charge of each intelligent agent can be determined.

In this case, it is desirable to position the agent interface unit 500 between the user interface unit 400 and the intelligent agent unit 300 in order to operate the system more efficiently.

The agent interface unit 500 may mediate commands and command results between the user interface unit 400 and the intelligent agent unit 300.

Figure 4 is a diagram provided to explain the configuration of an agent interface unit according to an embodiment of the present invention.

Referring to FIG. 4, the agent interface unit 500 may include an upper agent interface unit 510 and a plurality of lower agent interface units 520.

The upper agent interface unit 510 may classify commands transmitted from the user interface unit 400 and selectively transmit them to one of the plurality of lower agent interface units 520.

The plurality of lower agent interface units 520 may include a command transmission interface unit 521 and a status inquiry interface unit 523. Additionally, in the case of the command transmission interface unit 521, a plurality of command transmission interface units 521 may be implemented, and one or more intelligent agents may be assigned to each command transmission interface unit 521.

If the command transmitted from the user interface unit 400 is an application installation or update command, the upper agent interface unit 510 may transmit the command to the command transmission interface unit 521. At this time, the upper agent interface unit 510 may select the command transmission interface unit 521 assigned to the intelligent agent to execute the installation or update command of the application and transmit the command.

Meanwhile, if the command transmitted from the user interface unit 400 is an application status inquiry command, the upper agent interface unit 510 may transmit the inquiry command to the status inquiry interface unit 523. In this case, it can be implemented to query the agent database 700 directly from the status inquiry interface unit 523 without going through the intelligent agent unit 300 and transmit the status inquiry result of the application to the upper agent interface unit 510. Then, the upper agent interface unit 510 can transmit the status inquiry result to the user interface unit 400 and output it to the user.

The user interface unit 400 may receive a request from a user to monitor the cluster 200 and report the monitoring results accordingly. For example, the user interface unit 400 may provide information on the POD 220 and applications distributed to each worker node 210 of the cluster 200. And when a request is received from a user to monitor the current status of a specific application, the user interface unit 400 searches the agent database 700 through the agent interface unit 500 as described above and provides the current status inquiry result of the application. It can be returned and provided to the user.

Of course, depending on the embodiment, the user interface unit 400 transmits an inquiry command for a specific application to the intelligent agent unit 300 through the agent interface unit 500, and retrieves the current status of the application from the agent interface unit 500. Status information can also be received and provided to the user.

When the intelligent agent unit 300 receives a command directly from the user interface unit 400 or through the agent interface unit 500, it may execute the command and return a command result value.

First, when an application installation or update command is received, the intelligent agent unit 300 interprets the configuration file of the application, automatically generates a command line for installing or updating the application, and delivers it to the corresponding POD 220. The POD can install or update the application by executing the command line transmitted from the intelligent agent unit 300.

The intelligent agent unit 300 may receive a success or failure value after installing or updating an application in the corresponding POD 220, store it in the agent database 700, and transmit it to the user interface unit 400.

The user interface unit 400 may receive the success or failure of installing or updating the application and display it to the user. Of course, if the same application is installed or updated on multiple PODs 220, the success or failure of the application installation or update can be indicated separately for each POD 220.

Meanwhile, the intelligent agent unit 300 can automatically inquire the status of applications installed in the cluster 200 at preset intervals, store the status in the agent database 700, and transmit it to the user interface unit 400. The user can set a cycle for the intelligent agent unit 300 to automatically check the status of applications installed in the cluster 200 through the user interface unit 400.

Of course, whenever the intelligent agent unit 300 receives a request to inquire the status of an application through the user interface unit 400, the intelligent agent unit 300 may manually inquire the status of the application, store it in the agent database 700, and transmit it to the user interface unit 400. there is.

Meanwhile, the intelligent agent unit 300 can autonomously perform vulnerability simulation attacks after installing or updating an application. Specifically, the intelligent agent unit 300 may collect vulnerability data by querying the predetermined vulnerability database 800 using the name of the registered application as a keyword. And, based on words extracted from the collected vulnerability data, the intelligent agent unit 300 can download the application required for a mock attack from the application storage and install it in the corresponding POD. Afterwards, the intelligent agent unit 300 installs the application required for the mock attack on the POD, prepares an environment for the mock attack, and then executes the mock attack on the cluster 200 according to the command written for the mock attack. Commands for mock attacks can also be automatically created based on words extracted from vulnerability data in the intelligent agent unit 300.

For reference, Figure 3 illustrates that the predetermined vulnerability database 800 includes National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE), Vulnerability Notes Database (VNDB), and Vulnerability Database (VulnDB), but in the embodiment Accordingly, the predetermined vulnerability database 800 may be added or partially excluded. Vulnerability databases such as NVD, CVE, VNDB, VulnDB, etc. may be databases operated and managed by an operating entity separate from the operating entity of the system according to the present invention.

Figure 5 illustrates vulnerability data collected from a vulnerability database according to an embodiment of the present invention.

Referring to Figure 5, an example of vulnerability data collected by the intelligent agent unit 300 from a CVE using the application 'Microsoft .NET Framework' as a keyword is shown. Vulnerability data collected from a CVE may be a file in which information classified into six categories (file name, overview, related software and version, damage environment, test results, and attack traces) is written in natural language, as shown in Figure 5. .

The intelligent agent unit 300 includes target application, target version, operating system, operating environment, parameters, data, test server, test application, test process, test account, test executable file, attack trace location, attack trace URL, Words corresponding to attack trace processes, etc. can be extracted.

Figure 6 illustrates words extracted by an intelligent agent from vulnerability data collected according to an embodiment of the present invention.

Figure 6 illustrates words extracted from the vulnerability data illustrated in Figure 5. First, 'Microsoft .NET Framework', extracted as the target application, is the name of the installed application and can be extracted from the related software category in the vulnerability data in Figure 5. And the target version can also be extracted from the related software category in the vulnerability data in Figure 5. The operating system and operating environment can be extracted from the relevant software and version categories in the vulnerability data in Figure 5. Of course, there may be cases where it is extracted from the test result category rather than the victim environment category, such as IIS. If IIS is registered in advance as a word corresponding to the operating environment in the data dictionary through natural language processing, the intelligent agent unit 300 can extract IIS as a word corresponding to the operating environment. In addition, by analyzing the vulnerability data shown in Figure 5, ".Net Framework processes 'csc.exe' and 'cvtres.exe' and injected commands are executed" included in the test result category, 'csc.exe' and 'cvtres'. exe' can be extracted as a test executable file.

A data dictionary necessary for the intelligent agent unit 300 to extract words related to mock attacks from vulnerability data is prepared in advance, and the data dictionary can be continuously learned. Additionally, the intelligent agent unit 300 can be continuously trained to extract words related to simulated attacks from vulnerability data based on Natural Language Processing technology.

Based on the extracted words, the intelligent agent unit 300 can download the application required for a mock attack from the application storage 600 and install it on the corresponding POD 220. Here, the corresponding POD 220 may be a POD in which an application registered by the user is installed or updated.

For example, as shown in Figure 6, if the application corresponding to the operating environment, test process, test execution file, etc. extracted from vulnerability data is not installed in the corresponding POD, the application can be downloaded from the application storage 600 and installed. . For example, if there is an application that is not installed among the test application 'Powershell', the test process 'w3wp.exe', or the test executable files 'csc.exe' and 'cvtres.exe', the intelligent agent unit 300 stores it in the application storage (600). ) and install it on the corresponding POD (220).

The intelligent agent unit 300 automatically creates a command for a mock attack as shown in FIG. 7 based on the words extracted from the vulnerability data shown in FIG. 6 and then executes a command for the cluster 200 according to the written command. Mock attacks can be carried out.

Figure 7 illustrates a command automatically written by the intelligent agent unit for a simulated attack according to the present invention.

Figure 7 illustrates commands for executing the test executable files 'csc.exe' and 'cvtres.exe' in the corresponding POD (220).

The intelligent agent unit 300 may transmit a command written for a simulated attack as illustrated in FIG. 7 to the POD 220 to execute the simulated attack.

The intelligent agent unit 300 checks the status of the POD 220 according to the execution of the simulated attack, and reports the results of the simulated attack, such as the type of failure occurring in the POD 220, the details of the failure, the phenomenon of the failure, normal operation, and inoperability. It can be stored in the agent database 700.

The user can query the results of the mock attack through the user interface unit 400.

Meanwhile, depending on the embodiment, the intelligent agent unit 300 refers to the attack trace location, attack trace URL, attack trace process information, etc. extracted from the vulnerability data before the simulated attack to determine whether there has been an attack on the corresponding vulnerability in the corresponding POD (220). You can also check whether or not.

Figure 8 is a flowchart showing an application installation or update process according to an embodiment of the present invention.

Referring to FIG. 8, first, the user interface unit 400 can register an application from the user (S810). The application registered in step S810 may be stored in the application storage 600.

Thereafter, the user interface unit 400 may receive an installation or update command for the registered application from the user (S820). In step S820, when the user presses the installation or update command button, the user interface unit 400 may display a screen for selecting a POD in which the corresponding application will be installed or updated.

Next, the user interface unit 400 may generate a configuration file for the application requested to be installed or updated by the user (S830).

Thereafter, the user interface unit 400 may transmit an installation or update command for the application to the intelligent agent unit 300 (S840).

Next, the intelligent agent unit 300 can interpret the configuration file of the application, automatically generate a command line for installing or updating the application, and transmit it to the corresponding POD 220 (S850). The configuration file may also include installation file path information for downloading the application from the application repository 600.

Thereafter, the POD 220 executes the command line transmitted from the intelligent agent unit 300, downloads the application, and then installs or updates it according to the configuration file (S860).

Finally, the intelligent agent unit 300 may receive a success or failure value after installing or updating the application in the corresponding POD 220, store it in the agent database 700, and transmit it to the user interface unit 400 (S870).

As described above, after installing or updating an application, the intelligent agent unit 300 can automatically perform a simulated attack to identify vulnerabilities in advance.

Figure 9 is a flowchart showing a simulated attack process according to an embodiment of the present invention.

Referring to FIG. 9, first, after installing or updating an application, the intelligent agent unit 300 can collect vulnerability data by querying a predetermined vulnerability database 800 using the name of the application as a keyword (S910).

Next, the intelligent agent unit 300 can extract words needed for a mock attack from the collected vulnerability data (S920).

Thereafter, the intelligent agent unit 300 may download the application required for a mock attack from the application storage based on the word extracted in step S920 and install it on the corresponding POD (S930). Of course, if the application required for a mock attack is already installed in the corresponding POD, step (S930) can be omitted, or only the necessary application can be downloaded and installed.

And the intelligent agent unit 300 can automatically create commands for a mock attack based on words extracted from the collected vulnerability data (S940).

Steps S930 and S940 may be performed simultaneously or their order may be changed.

Next, the intelligent agent unit 300 can transmit the command written for the mock attack to the POD 220 to execute the mock attack (S950).

Afterwards, the intelligent agent unit 300 may receive the result of the simulated attack from the POD 220 and store it in the agent database 700 (S960).

Meanwhile, depending on the embodiment, the intelligent agent unit 300 refers to the attack trace location, attack trace URL, attack trace process information, etc. extracted from the vulnerability data before step S950 and attacks the corresponding vulnerability in the corresponding POD 220. You can also check whether this existed or not.

The embodiments described above may be implemented with hardware components, software components, and/or a combination of hardware components and software components. For example, the devices, methods, and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, and a field programmable gate (FPGA). It may be implemented using one or more general-purpose or special-purpose computers, such as an array, programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may execute an operating system (OS) and one or more software applications that run on the operating system. Additionally, a processing device may access, store, manipulate, process, and generate data in response to the execution of software. For ease of understanding, a single processing device may be described as being used; however, those skilled in the art will understand that a processing device includes multiple processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, a processing device may include a plurality of processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are possible.

Software may include a computer program, code, instructions, or a combination of one or more of these, which may configure a processing unit to operate as desired, or may be processed independently or collectively. You can command the device. Software and/or data may be used on any type of machine, component, physical device, virtual equipment, computer storage medium or device to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed over networked computer systems and thus stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and configured for the embodiment or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described with limited drawings as described above, those skilled in the art can apply various technical modifications and variations based on the above. For example, the described techniques are performed in a different order than the described method, and/or components of the described system, structure, device, circuit, etc. are combined or combined in a different form than the described method, or other components are used. Alternatively, appropriate results may be achieved even if substituted or substituted by an equivalent.

Claims (11)

In a container integrated control system consisting of multiple worker nodes and master nodes,
a user interface unit that receives an application from a user and creates a configuration file for the registered application; and
When an installation or update command for the registered application is received along with the configuration file of the registered application, a command for installing or updating the registered application for the corresponding POD among the PODs distributed to the plurality of worker nodes an intelligent agent unit that creates a line and delivers it to the corresponding POD to install or update the registered application;
Including,
The plurality of worker nodes are deployed and executed by one or more PODs, the POD includes one or more containers and environment configuration files, the container includes an application and libraries and binary files necessary for application execution, and the master node is the plurality of worker nodes. Distribution of PODs to worker nodes and management of PODs distributed to the plurality of worker nodes,
The intelligent agent unit includes a plurality of intelligent agents,
It further includes an agent interface unit that mediates commands and command results between the user interface unit and the plurality of intelligent agent units,
The agent interface unit includes an upper agent interface unit and a plurality of lower agent interface units,
The upper agent interface unit classifies commands transmitted from the user interface unit and selectively transmits them to the plurality of lower agent interface units,
A container integrated control system where the lower agent interface unit receives the command and transmits it to a corresponding intelligent agent among the plurality of intelligent agents.
In paragraph 1,
The intelligent agent unit,
Based on the words extracted from the vulnerability data collected by searching the predetermined vulnerability database using the name of the registered application as a keyword, the application required for the mock attack is downloaded from the application repository, installed in the corresponding POD, and the mock attack is performed. A container integrated control system that executes a simulated attack on the cluster by writing a command for the cluster and then passing the written command to the corresponding POD and executing it.
In paragraph 2,
The corresponding POD is a container integrated control system that is selected by the user in the user interface unit as an installation or update target for the registered application.
In paragraph 2,
The intelligent agent unit,
A container integrated control system that checks the status of the corresponding POD according to the execution of the mock attack and stores the result of the mock attack in an agent database.
delete In the control method of a container integrated control system consisting of a plurality of worker nodes and master nodes,
A user interface unit registering an application from a user;
generating a configuration file of the registered application by the user interface unit;
When the intelligent agent unit receives an installation or update command for the registered application along with the configuration file of the registered application, it installs or updates the registered application for the corresponding POD among the PODs distributed to the plurality of worker nodes. generating a command line for; and
passing the generated command line to the corresponding POD to install or update the registered application;
Including,
The plurality of worker nodes are executed by distributing one or more PODs, the POD includes one or more containers and environment configuration files, the container includes an application and libraries and binary files necessary for application execution, and the master node is the plurality of worker nodes. Distribution of PODs to worker nodes and management of PODs distributed to the plurality of worker nodes,
The intelligent agent unit includes a plurality of intelligent agents,
It further includes an agent interface unit that mediates commands and command results between the user interface unit and the plurality of intelligent agent units,
The agent interface unit includes an upper agent interface unit and a plurality of lower agent interface units,
The upper agent interface unit classifies commands transmitted from the user interface unit and selectively transmits them to the plurality of lower agent interface units,
A control method of a container integrated control system in which the lower agent interface unit receives the command and transmits it to a corresponding intelligent agent among the plurality of intelligent agents.
In paragraph 6:
collecting vulnerability data by the intelligent agent unit searching a predetermined vulnerability database using the name of the registered application as a keyword;
The intelligent agent unit downloading an application required for a mock attack from an application storage and installing it on a corresponding POD, based on words extracted from the collected vulnerability data; and
Executing a mock attack on the cluster by the intelligent agent unit writing a command for a mock attack and then passing the written command to the corresponding POD and executing it;
A control method of a container integrated control system further comprising:
In paragraph 7:
The corresponding POD is a POD selected by the user in the user interface unit as an installation or update target for the registered application. A control method of a container integrated control system.
In paragraph 7:
The intelligent agent unit,
A control method of a container integrated control system that checks the status of the corresponding POD according to the execution of the mock attack and stores the result of the mock attack in an agent database.
delete A computer-readable recording medium recording a program for executing the method according to any one of claims 6 to 9.

Images