CN111324456A - Method and system for isolating resources among cloud tenants based on namespace binding - Google Patents
Method and system for isolating resources among cloud tenants based on namespace binding Download PDFInfo
- Publication number
- CN111324456A CN111324456A CN202010093625.2A CN202010093625A CN111324456A CN 111324456 A CN111324456 A CN 111324456A CN 202010093625 A CN202010093625 A CN 202010093625A CN 111324456 A CN111324456 A CN 111324456A
- Authority
- CN
- China
- Prior art keywords
- namespace
- tenant
- binding
- pod
- creating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 title claims abstract description 23
- 238000002955 isolation Methods 0.000 claims abstract description 32
- 238000004590 computer program Methods 0.000 claims description 12
- 238000004891 communication Methods 0.000 claims description 9
- 230000007246 mechanism Effects 0.000 abstract description 5
- 230000000694 effects Effects 0.000 description 9
- 238000010276 construction Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5083—Techniques for rebalancing the load in a distributed system
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a system for isolating resources among cloud tenants based on namespace binding, wherein the method and the system are based on Kubernetes RBAC and namespace binding, and based on a Kubernetes RBAC mechanism, through establishing tenants, binding the tenants with namespaces, establishing roles, setting the authority of the roles and a binding scheme of the authority of a namespace list corresponding to the tenants, the resources among the tenants are isolated in a hard way and in a mutual access way, different network strategies are set for different namespaces, the application of the mutual access between the tenants is communicated in a soft way, and the isolation requirement of the tenants of a container cloud platform is met, so that the resources among the tenants are isolated, the resources are isolated in a visibility way and in a network, and the characteristic integrity of the cloud platform and the use safety of a user are improved.
Description
Technical Field
The invention relates to the technical field of cloud computing platforms, in particular to a method and a system for isolating resources among cloud tenants based on namespace binding.
Background
With the development of information technology and social economy, the current informatization construction has fully entered the cloud computing era, a large-scale and centralized cloud data center becomes an important component of national infrastructure, and the country is also actively promoting cloud engineering of key industries such as government affairs, enterprises and finance.
In the cloud computing construction process, through multi-aspect exploration and research, the centralized large-scale clustering construction of the unified cloud data center is a more efficient implementation scheme. When a large-scale cloud computing platform is built, the requirement of resource isolation among tenants is brought, users accessing the cloud all want own services not to be influenced by others, at least, the services can be isolated on the network, and others cannot access own cloud resources at will. Aiming at the isolation requirements of cloud computing platform tenants with higher and higher requirements, the tiled management can cause great inconvenience for users, and meanwhile, mutual attack of service systems among the users can not be avoided, so that great potential safety hazards are brought.
Disclosure of Invention
The invention aims to provide a method and a system for isolating resources among cloud tenants based on namespace binding, and aims to solve the problem that the prior art cannot meet the requirement of increasingly high cloud computing platform tenant isolation, realize the resource isolation among tenants, and improve the characteristic integrity of a cloud platform and the use safety of users.
In order to achieve the technical purpose, the invention provides a method for isolating resources among cloud tenants based on namespace binding, which comprises the following steps:
s1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an incidence relation between the tenant and the users;
s2, creating a plurality of namespaces for each user in the tenant, establishing an incidence relation among the tenant, the users and the namespaces, and binding the tenant and the namespaces;
s3, creating roles on the cloud platform by utilizing a Kubernets RBAC, and setting a namespace list authority binding scheme corresponding to the roles and tenants;
and S4, setting different network strategies for different namespaces, and setting whether communication can be carried out between the namespaces or not through the network strategies.
Preferably, the setting mode of the network policy includes the following steps:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
Preferably, the setting of the network policy is set through two parameters, including a pod selector, PodSelector, and network policy PolicyTypes; the pod selector selects a pod in the same namespace as the network policy based on the tag; the rules defined by the network policy are divided into two types, one is an Ingress rule of an incoming port, and the other is an Egress rule of an outgoing port.
The invention also provides a system for isolating resources among cloud tenants based on the namespace binding, which comprises the following steps:
the system comprises a tenant creating module, a cloud platform and a user setting module, wherein the tenant creating module is used for creating a tenant in the cloud platform, creating a plurality of users in the tenant and creating an incidence relation between the tenant and the users;
the system comprises a namespace binding module, a namespace setting module and a namespace setting module, wherein the namespace binding module is used for creating a plurality of namespaces for each user in a tenant, establishing the incidence relation among the tenant, the users and the namespaces and binding the tenant and the namespaces;
the role creating and binding module is used for creating roles on the cloud platform by utilizing a Kubernets RBAC and setting a role and tenant corresponding namespace list permission binding scheme;
and the namespace communication module is used for setting different network strategies for different namespaces and setting whether the communication can be carried out between the namespaces through the network strategies.
Preferably, the setting mode of the network policy includes the following steps:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
Preferably, the setting of the network policy is set through two parameters, including a pod selector, PodSelector, and network policy PolicyTypes; the pod selector selects a pod in the same namespace as the network policy based on the tag; the rules defined by the network policy are divided into two types, one is an Ingress rule of an incoming port, and the other is an Egress rule of an outgoing port.
The invention also provides a device for isolating resources among cloud tenants based on the namespace binding, which comprises the following components:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the method for isolating resources among cloud tenants based on the namespace binding.
The invention also provides a readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the method for resource isolation between cloud tenants based on namespace binding.
The effect provided in the summary of the invention is only the effect of the embodiment, not all the effects of the invention, and one of the above technical solutions has the following advantages or beneficial effects:
compared with the prior art, the isolation method is based on Kubernetes RBAC and namespace binding, based on a KuberneteseRBAC mechanism, through creating tenants, binding the tenants and the namespaces, creating roles, setting permissions of the roles and binding schemes of the namespaces corresponding to the tenants, carrying out hard isolation of resource visibility and mutual accessibility among the tenants, setting different network strategies for different namespaces, carrying out soft access of application mutual accessibility among the tenants, meeting tenant isolation requirements of a container cloud platform, realizing resource isolation among the tenants, realizing resource visibility isolation and network isolation among the tenants, and improving the characteristic integrity of the cloud platform and the use safety of users.
Drawings
Fig. 1 is a flowchart of a method for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention;
fig. 2 is a logic diagram of a namespace binding-based resource isolation scheme between cloud tenants provided in an embodiment of the present invention;
fig. 3 is a block diagram of a system for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The following describes in detail a method and a system for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention with reference to the accompanying drawings.
As shown in fig. 1, the present invention discloses a method for resource isolation between cloud tenants based on namespace binding, which comprises the following steps:
s1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an incidence relation between the tenant and the users;
s2, creating a plurality of namespaces for each user in the tenant, establishing an incidence relation among the tenant, the users and the namespaces, and binding the tenant and the namespaces;
s3, creating roles on the cloud platform by utilizing a Kubernets RBAC, and setting a namespace list authority binding scheme corresponding to the roles and tenants;
and S4, setting different network strategies for different namespaces, and setting whether communication can be carried out between the namespaces or not through the network strategies.
The embodiment of the invention realizes the resource isolation among tenants based on Kubernets RBAC and a manner of binding a namespace, and realizes the resource visibility isolation and network isolation among tenants.
Kubernetes is an open source application for managing containerization on multiple hosts in a cloud platform, which makes deploying containerized applications simple and college. RBAC is a role-based access control with three roles: role, defining the operation authority of a group of API objects; the Subject actor can be a human, a machine or a user of k8s, and is most commonly a ServiceAccount; RoleBinding, which defines the binding relationship between Subject and Role. And appointing a Role corresponding to the ServiceAccount through RoleBinding, binding the ServiceAccount by the pod to obtain a mounted secret to access the APIServer, and verifying corresponding authority by the APIServer.
The method comprises the steps of creating a tenant in a cloud platform, storing information of the tenant into a database, creating a plurality of users in the tenant, creating an association relationship between the tenant and the users, and obtaining corresponding association information through a tenant ID or a user ID.
Each user in the tenant can create a plurality of namespaces, the association relationship is recorded during creation, and the tenant and the namespaces are bound through the relationship of the tenant- > user- > namespaces.
The method comprises the steps of establishing roles in a cloud platform, defining a characteristic role based on a Kubernets RBAC mechanism, associating the roles with a specific namespace group, setting that the roles can only access resources in a namespace list corresponding to a certain tenant, setting other resources without permission, establishing a serviceAccount for the tenant, binding the roles with the serviceAccount, and using the serviceAccount to have the permission range of the current role, so that the accessibility of the resources among the tenants is fundamentally avoided.
Setting different network policies for different namespaces, and setting whether applications can communicate between them, as shown in fig. 2, allowing users in a tenant to define network accessibility to users in other tenants and users outside the tenant, which are typically set in the following ways:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
The setting is performed by two parameters, including the pod selector, PodSector, and the network policy PolicyTypes. The pod selector selects a pod in the same namespace as the network policy based on the tag, and if the pod is selected, applies the rules defined in the network policy thereto. The pod selector is an optional field that, when not present, indicates that all pods are selected. The field can be regarded as a switch, if the field contains Ingress, the rule defined by the Ingress part takes effect, if the field contains Egress, the rule defined by the Egress part takes effect, and if the field contains Egress, the rule defined by the Egress part takes effect completely. For the parameters Ingress and Egress, the former defines the in-pod rule, and the latter defines the out-pod rule.
The embodiment of the invention is based on Kubernetes RBAC and namespace binding, and based on a Kubernetes RBAC mechanism, through establishing tenants, binding the tenants and the namespaces, establishing roles, setting the authority of the roles and a namespace list authority binding scheme corresponding to the tenants, the resource visibility and the mutual accessibility between the tenants are isolated hard, different network strategies are set for different namespaces, the mutual accessibility soft access is applied between the tenants, and the isolation requirement of the tenants of a container cloud platform is met, so that the resource isolation between the tenants is realized, the resource visibility isolation and the network isolation between the tenants are realized, and the characteristic integrity of the cloud platform and the use safety of users are improved.
As shown in fig. 3, an embodiment of the present invention further discloses a system for isolating resources between cloud tenants based on namespace binding, where the system includes:
the system comprises a tenant creating module, a cloud platform and a user setting module, wherein the tenant creating module is used for creating a tenant in the cloud platform, creating a plurality of users in the tenant and creating an incidence relation between the tenant and the users;
the system comprises a namespace binding module, a namespace setting module and a namespace setting module, wherein the namespace binding module is used for creating a plurality of namespaces for each user in a tenant, establishing the incidence relation among the tenant, the users and the namespaces and binding the tenant and the namespaces;
the role creating and binding module is used for creating roles on the cloud platform by utilizing a Kubernets RBAC and setting a role and tenant corresponding namespace list permission binding scheme;
and the namespace communication module is used for setting different network strategies for different namespaces and setting whether the communication can be carried out between the namespaces through the network strategies.
The method comprises the steps of creating a tenant in a cloud platform, storing information of the tenant into a database, creating a plurality of users in the tenant, creating an association relationship between the tenant and the users, and obtaining corresponding association information through a tenant ID or a user ID.
Each user in the tenant can create a plurality of namespaces, the association relationship is recorded during creation, and the tenant and the namespaces are bound through the relationship of the tenant- > user- > namespaces.
The method comprises the steps of establishing roles in a cloud platform, defining a characteristic role based on a Kubernets RBAC mechanism, associating the roles with a specific namespace group, setting that the roles can only access resources in a namespace list corresponding to a certain tenant, setting other resources without permission, establishing a serviceAccount for the tenant, binding the roles with the serviceAccount, and using the serviceAccount to have the permission range of the current role, so that the accessibility of the resources among the tenants is fundamentally avoided.
Setting different network strategies for different namespaces, setting whether applications can communicate with each other or not, allowing users in tenants to define network accessibility with users in other tenants and users outside the tenants, and typical setting modes include the following modes:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
The setting is performed by two parameters, including the pod selector, PodSector, and the network policy PolicyTypes. The pod selector selects a pod in the same namespace as the network policy based on the tag, and if the pod is selected, applies the rules defined in the network policy thereto. The pod selector is an optional field that, when not present, indicates that all pods are selected. The field can be regarded as a switch, if the field contains Ingress, the rule defined by the Ingress part takes effect, if the field contains Egress, the rule defined by the Egress part takes effect, and if the field contains Egress, the rule defined by the Egress part takes effect completely. For the parameters Ingress and Egress, the former defines the in-pod rule, and the latter defines the out-pod rule.
The embodiment of the invention also discloses a device for isolating resources among cloud tenants based on the namespace binding, which comprises the following steps:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the method for isolating resources among cloud tenants based on the namespace binding.
The embodiment of the invention also discloses a readable storage medium for storing the computer program, wherein the computer program realizes the resource isolation method between the cloud tenants based on the namespace binding when being executed by the processor.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (8)
1. A method for resource isolation among cloud tenants based on namespace binding is characterized by comprising the following steps:
s1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an incidence relation between the tenant and the users;
s2, creating a plurality of namespaces for each user in the tenant, establishing an incidence relation among the tenant, the users and the namespaces, and binding the tenant and the namespaces;
s3, creating roles on the cloud platform by utilizing a Kubernets RBAC, and setting a namespace list authority binding scheme corresponding to the roles and tenants;
and S4, setting different network strategies for different namespaces, and setting whether communication can be carried out between the namespaces or not through the network strategies.
2. The method for resource isolation between cloud tenants based on namespace binding according to claim 1, wherein the network policy is set in the following ways:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
3. The method for resource isolation between cloud tenants based on namespace binding according to claim 1, wherein the setting of the network policy is set by two parameters, including a pod selector, PodSector, and a network policy PolicyTypes; the pod selector selects a pod in the same namespace as the network policy based on the tag; the rules defined by the network policy are divided into two types, one is an Ingress rule of an incoming port, and the other is an Egress rule of an outgoing port.
4. A system for resource isolation between cloud tenants based on namespace binding, the system comprising:
the system comprises a tenant creating module, a cloud platform and a user setting module, wherein the tenant creating module is used for creating a tenant in the cloud platform, creating a plurality of users in the tenant and creating an incidence relation between the tenant and the users;
the system comprises a namespace binding module, a namespace setting module and a namespace setting module, wherein the namespace binding module is used for creating a plurality of namespaces for each user in a tenant, establishing the incidence relation among the tenant, the users and the namespaces and binding the tenant and the namespaces;
the role creating and binding module is used for creating roles on the cloud platform by utilizing a Kubernets RBAC and setting a role and tenant corresponding namespace list permission binding scheme;
and the namespace communication module is used for setting different network strategies for different namespaces and setting whether the communication can be carried out between the namespaces through the network strategies.
5. The system of claim 4, wherein the network policy is set according to the following modes:
pod with same name space, inbound rule is all forbidden;
the same name space pod, the inbound rule is all open;
the outbound rule is all forbidden according to pod of the same name space;
with the pod of the namespace, the outbound rules are all open.
6. The system of claim 4, wherein the network policy is set according to two parameters, including a pod selector, PodSector, and a network policy PolicyTypes; the pod selector selects a pod in the same namespace as the network policy based on the tag; the rules defined by the network policy are divided into two types, one is an Ingress rule of an incoming port, and the other is an Egress rule of an outgoing port.
7. A device for resource isolation between cloud tenants based on namespace binding, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the namespace binding based cloud tenant-to-cloud resource isolation method according to any one of claims 1 to 3.
8. A readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the namespace binding based inter-cloud tenant resource isolation method according to any one of claims 1 to 3.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010093625.2A CN111324456A (en) | 2020-02-14 | 2020-02-14 | Method and system for isolating resources among cloud tenants based on namespace binding |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010093625.2A CN111324456A (en) | 2020-02-14 | 2020-02-14 | Method and system for isolating resources among cloud tenants based on namespace binding |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111324456A true CN111324456A (en) | 2020-06-23 |
Family
ID=71165220
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010093625.2A Withdrawn CN111324456A (en) | 2020-02-14 | 2020-02-14 | Method and system for isolating resources among cloud tenants based on namespace binding |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111324456A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114338405A (en) * | 2021-12-31 | 2022-04-12 | 中电福富信息科技有限公司 | Method and system for realizing cloud platform tenant-level network policy configuration based on Kubernetes |
| WO2022135167A1 (en) * | 2020-12-21 | 2022-06-30 | 上海商汤智能科技有限公司 | Cloud service method and apparatus, device and storage medium |
| CN115811441A (en) * | 2023-01-17 | 2023-03-17 | 华控清交信息科技(北京)有限公司 | Method and device for creating namespace on K8S cloud platform and electronic equipment |
-
2020
- 2020-02-14 CN CN202010093625.2A patent/CN111324456A/en not_active Withdrawn
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022135167A1 (en) * | 2020-12-21 | 2022-06-30 | 上海商汤智能科技有限公司 | Cloud service method and apparatus, device and storage medium |
| CN114338405A (en) * | 2021-12-31 | 2022-04-12 | 中电福富信息科技有限公司 | Method and system for realizing cloud platform tenant-level network policy configuration based on Kubernetes |
| CN115811441A (en) * | 2023-01-17 | 2023-03-17 | 华控清交信息科技(北京)有限公司 | Method and device for creating namespace on K8S cloud platform and electronic equipment |
| CN115811441B (en) * | 2023-01-17 | 2023-04-25 | 华控清交信息科技(北京)有限公司 | Method and device for creating name space on K8S cloud platform and electronic equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8959657B2 (en) | Secure data management | |
| US9450945B1 (en) | Unified access controls for cloud services | |
| US9355261B2 (en) | Secure data management | |
| CN110192198B (en) | Security for accessing stored resources | |
| US8990950B2 (en) | Enabling granular discretionary access control for data stored in a cloud computing environment | |
| CN111324456A (en) | Method and system for isolating resources among cloud tenants based on namespace binding | |
| US8978122B1 (en) | Secure cross-tenancy federation in software-as-a-service system | |
| US10127401B2 (en) | Redacting restricted content in files | |
| US20160156631A1 (en) | Methods and systems for shared file storage | |
| US20190306171A1 (en) | System and method for externally-delegated access control and authorization | |
| Hu et al. | An access control scheme for big data processing | |
| US20220269806A1 (en) | System and method for policy control in databases | |
| CN107659450A (en) | Distribution method, distributor and the storage medium of big data cluster resource | |
| RU2546585C2 (en) | System and method of providing application access rights to computer files | |
| CN114650170B (en) | Cross-cluster resource management method, device, equipment and storage medium | |
| CN114244568B (en) | Security access control method, device and equipment based on terminal access behavior | |
| CN108133143A (en) | A kind of data leakage prevention method and system of facing cloud desktop application environment | |
| US10242174B2 (en) | Secure information flow | |
| JP2005100358A (en) | Moving principal across security boundary without interrupting service | |
| RU2573785C2 (en) | System and method for applying file access rules during transfer thereof between computers | |
| CN109873784A (en) | Mixed cloud secure storage management system towards big data | |
| Merdassi et al. | Surveying and analyzing security issues in mobile cloud computing | |
| Dong et al. | Task‐Oriented Multilevel Cooperative Access Control Scheme for Environment with Virtualization and IoT | |
| CN112035867A (en) | Web application authority management method, system, equipment and storage medium | |
| US9407641B2 (en) | Service access control |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WW01 | Invention patent application withdrawn after publication |
Application publication date: 20200623 |
|
| WW01 | Invention patent application withdrawn after publication |