CN111324456A - Method and system for isolating resources among cloud tenants based on namespace binding - Google Patents

Info

Publication number
CN111324456A
Authority
CN
China
Prior art keywords
namespace
tenant
binding
pod
creating
Prior art date
Legal status
Withdrawn
Application number
CN202010093625.2A
Other languages
Chinese (zh)
Inventor
尹欣薇
吴栋
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date
2020-02-14
Filing date
2020-02-14
Publication date
2020-06-23

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/50: Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5083: Techniques for rebalancing the load in a distributed system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a system for isolating resources among cloud tenants based on namespace binding. On the basis of the Kubernetes RBAC mechanism, tenants are created and bound to namespaces, roles are created, and the permissions of each role are bound to the namespace list corresponding to its tenant, so that resource visibility and mutual access between tenants are isolated in a hard way; different network policies are then set for different namespaces, so that mutual access between the applications of different tenants can be opened in a soft way. This meets the tenant isolation requirements of a container cloud platform, realizes resource isolation between tenants (both visibility isolation and network isolation), and improves the feature completeness of the cloud platform and the security of its users.

Description

Method and system for isolating resources among cloud tenants based on namespace binding
Technical Field
The invention relates to the technical field of cloud computing platforms, in particular to a method and a system for isolating resources among cloud tenants based on namespace binding.
Background
With the development of information technology and the social economy, informatization has fully entered the cloud computing era; large-scale, centralized cloud data centers have become an important part of national infrastructure, and the state is actively promoting the migration of key industries such as government, enterprise and finance to the cloud.
In the course of cloud computing construction, exploration and research from many angles have shown that the centralized, large-scale clustering of a unified cloud data center is the more efficient implementation. Building a large-scale cloud computing platform brings with it the requirement of resource isolation among tenants: every user of the cloud wants its own services not to be affected by others, at least to be isolated at the network level, so that others cannot access its cloud resources at will. Against these ever-stricter isolation requirements for cloud platform tenants, flat management is highly inconvenient for users and cannot prevent the service systems of different users from attacking one another, which creates serious security hazards.
Disclosure of Invention
The invention aims to provide a method and a system for isolating resources among cloud tenants based on namespace binding, in order to solve the problem that the prior art cannot meet the increasingly high tenant isolation requirements of cloud computing platforms, to realize resource isolation among tenants, and to improve the feature completeness of the cloud platform and the security of its users.
In order to achieve this technical purpose, the invention provides a method for isolating resources among cloud tenants based on namespace binding, which comprises the following steps:
S1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
S2, creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
S3, creating roles on the cloud platform by means of Kubernetes RBAC, and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and S4, setting different network policies for different namespaces, and setting, through the network policies, whether communication between the namespaces is permitted.
Preferably, the network policy is set in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
Preferably, the network policy is set through two parameters: the pod selector, podSelector, and the policy types, policyTypes. The pod selector selects, by label, pods in the same namespace as the network policy; the rules defined by the network policy are of two kinds, Ingress rules for inbound traffic and Egress rules for outbound traffic.
The invention also provides a system for isolating resources among cloud tenants based on namespace binding, which comprises:
a tenant creating module, used for creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
a namespace binding module, used for creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
a role creating and binding module, used for creating roles on the cloud platform by means of Kubernetes RBAC and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and a namespace communication module, used for setting different network policies for different namespaces and setting, through the network policies, whether communication between the namespaces is permitted.
Preferably, the network policy is set in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
Preferably, the network policy is set through two parameters: the pod selector, podSelector, and the policy types, policyTypes. The pod selector selects, by label, pods in the same namespace as the network policy; the rules defined by the network policy are of two kinds, Ingress rules for inbound traffic and Egress rules for outbound traffic.
The invention also provides a device for isolating resources among cloud tenants based on the namespace binding, which comprises the following components:
a memory for storing a computer program;
and a processor for executing the computer program to implement the method for isolating resources among cloud tenants based on namespace binding.
The invention also provides a readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the method for resource isolation between cloud tenants based on namespace binding.
The effect stated in this summary is only that of the embodiment and not every effect of the invention; the technical solution above has the following advantages or beneficial effects:
compared with the prior art, the isolation method is based on Kubernetes RBAC and namespace binding. On the basis of the Kubernetes RBAC mechanism, tenants are created and bound to namespaces, roles are created, and the permissions of each role are bound to the namespace list corresponding to its tenant, so that resource visibility and mutual access between tenants are isolated in a hard way; different network policies are then set for different namespaces, so that mutual access between the applications of different tenants can be opened in a soft way. This meets the tenant isolation requirements of a container cloud platform, realizes resource isolation between tenants (both visibility isolation and network isolation), and improves the feature completeness of the cloud platform and the security of its users.
Drawings
Fig. 1 is a flowchart of a method for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention;
Fig. 2 is a logic diagram of a namespace binding-based resource isolation scheme between cloud tenants provided in an embodiment of the present invention;
Fig. 3 is a block diagram of a system for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
The following describes in detail a method and a system for resource isolation between cloud tenants based on namespace binding according to an embodiment of the present invention with reference to the accompanying drawings.
As shown in Fig. 1, the present invention discloses a method for resource isolation between cloud tenants based on namespace binding, which comprises the following steps:
S1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
S2, creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
S3, creating roles on the cloud platform by means of Kubernetes RBAC, and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and S4, setting different network policies for different namespaces, and setting, through the network policies, whether communication between the namespaces is permitted.
The embodiment of the invention realizes resource isolation among tenants on the basis of Kubernetes RBAC and namespace binding, and thereby realizes both resource visibility isolation and network isolation among tenants.
Kubernetes is an open-source system for managing containerized applications across multiple hosts in a cloud platform; it makes deploying containerized applications simple and efficient. RBAC is role-based access control, built from three kinds of objects: the Role, which defines the operation permissions on a group of API objects; the Subject, the actor, which can be a human, a machine or a Kubernetes user and is most commonly a ServiceAccount; and the RoleBinding, which defines the binding between a Subject and a Role. A RoleBinding assigns a Role to a ServiceAccount; a pod bound to that ServiceAccount obtains the mounted secret with which it accesses the API server, and the API server verifies the corresponding permissions.
A tenant is created in the cloud platform and its information is stored in a database; a plurality of users are created within the tenant and an association relation between the tenant and the users is recorded, so that the corresponding association information can be obtained from either a tenant ID or a user ID.
Each user in the tenant can create a plurality of namespaces; the association relation is recorded at creation time, and the tenant is bound to its namespaces through the chain tenant -> user -> namespace.
Roles are created in the cloud platform: a dedicated role is defined on the basis of the Kubernetes RBAC mechanism and associated with a specific group of namespaces, so that the role can access only the resources in the namespace list corresponding to a given tenant and has no permission on any other resource. A ServiceAccount is created for the tenant and bound to the role; whoever uses the ServiceAccount holds exactly the permission range of that role, so cross-tenant access to resources is ruled out at the source.
Different network policies are set for different namespaces, determining whether applications in them can communicate, as shown in Fig. 2. This allows users in a tenant to define network reachability towards users in other tenants and users outside the tenant, typically in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
The setting is made through two parameters: the pod selector, podSelector, and the policy types, policyTypes. The pod selector selects pods in the same namespace as the network policy by label, and the rules defined in the policy are applied to the selected pods. The pod selector is optional; when it is absent or empty, every pod in the namespace is selected. The policyTypes field acts as a switch: if it contains Ingress, the rules in the ingress section take effect; if it contains Egress, the rules in the egress section take effect; if it contains both, both sets of rules take effect. Of the two rule sections, ingress defines the rules for traffic entering the selected pods and egress the rules for traffic leaving them.
This embodiment is based on Kubernetes RBAC and namespace binding. On the basis of the Kubernetes RBAC mechanism, tenants are created and bound to namespaces, roles are created, and the permissions of each role are bound to the namespace list corresponding to its tenant, so that resource visibility and mutual access between tenants are isolated in a hard way; different network policies are then set for different namespaces, so that mutual access between the applications of different tenants can be opened in a soft way. This meets the tenant isolation requirements of a container cloud platform, realizes resource isolation between tenants (both visibility isolation and network isolation), and improves the feature completeness of the cloud platform and the security of its users.
As shown in Fig. 3, an embodiment of the present invention further discloses a system for isolating resources between cloud tenants based on namespace binding, where the system includes:
a tenant creating module, used for creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
a namespace binding module, used for creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
a role creating and binding module, used for creating roles on the cloud platform by means of Kubernetes RBAC and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and a namespace communication module, used for setting different network policies for different namespaces and setting, through the network policies, whether communication between the namespaces is permitted.
A tenant is created in the cloud platform and its information is stored in a database; a plurality of users are created within the tenant and an association relation between the tenant and the users is recorded, so that the corresponding association information can be obtained from either a tenant ID or a user ID.
Each user in the tenant can create a plurality of namespaces; the association relation is recorded at creation time, and the tenant is bound to its namespaces through the chain tenant -> user -> namespace.
Roles are created in the cloud platform: a dedicated role is defined on the basis of the Kubernetes RBAC mechanism and associated with a specific group of namespaces, so that the role can access only the resources in the namespace list corresponding to a given tenant and has no permission on any other resource. A ServiceAccount is created for the tenant and bound to the role; whoever uses the ServiceAccount holds exactly the permission range of that role, so cross-tenant access to resources is ruled out at the source.
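As an added illustration of the role and ServiceAccount binding described here and in the corresponding step of the method embodiment above (example code, not part of the patent): it models the tenant/user/namespace association, generates the per-namespace Role and RoleBinding from a tenant's namespace list, and runs a simplified RBAC check showing that the tenant's ServiceAccount can read workloads only inside its own namespaces. The platform namespace `tenant-system`, the `tenant-<name>` naming and the `allowed()` authorizer are assumptions of this example.

```python
"""Tenant -> user -> namespace binding and the per-namespace Role/RoleBinding that
limits a tenant's ServiceAccount to its own namespace list. Constructed example,
not code from the patent; object shapes follow rbac.authorization.k8s.io/v1 and
allowed() is a simplified model of the API server's RBAC decision."""

PLATFORM_NS = "tenant-system"  # assumed namespace that holds the tenant ServiceAccounts


class TenantRegistry:
    """The tenant/user/namespace association the description keeps in a database,
    queryable by tenant or by user."""
    def __init__(self):
        self.users = {}       # user -> tenant
        self.namespaces = {}  # namespace -> owning user

    def add_user(self, tenant, user):
        self.users[user] = tenant

    def add_namespace(self, user, namespace):
        if user not in self.users:
            raise KeyError(f"unknown user {user}")
        if namespace in self.namespaces:
            raise ValueError(f"namespace {namespace} is already bound")  # one owner only
        self.namespaces[namespace] = user

    def tenant_of_namespace(self, namespace):
        return self.users[self.namespaces[namespace]]

    def namespaces_of_tenant(self, tenant):
        return sorted(ns for ns, u in self.namespaces.items() if self.users[u] == tenant)


def tenant_subject(tenant):
    """The ServiceAccount the tenant's workloads use (naming is an assumption)."""
    return {"kind": "ServiceAccount", "name": f"tenant-{tenant}", "namespace": PLATFORM_NS}


def build_rbac(registry, tenant, rules):
    """One Role and one RoleBinding in every namespace bound to the tenant. Both are
    namespaced objects, so nothing here can grant access outside the tenant's
    namespace list; that is the 'hard' visibility isolation the description relies on."""
    subject = tenant_subject(tenant)
    objects = [{"apiVersion": "v1", "kind": "ServiceAccount",
                "metadata": {"name": subject["name"], "namespace": PLATFORM_NS}}]
    for ns in registry.namespaces_of_tenant(tenant):
        objects.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                        "metadata": {"name": f"tenant-{tenant}", "namespace": ns},
                        "rules": rules})
        objects.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                        "metadata": {"name": f"tenant-{tenant}", "namespace": ns},
                        "subjects": [subject],
                        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                    "kind": "Role", "name": f"tenant-{tenant}"}})
    return objects


def allowed(objects, subject, verb, resource, namespace):
    """A namespaced request is allowed iff a RoleBinding in that namespace lists the
    subject and its Role has a rule covering the verb and resource. apiGroups are not
    checked, and ClusterRoleBindings (which would cross namespaces) are not modelled."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    for b in objects:
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if subject not in b["subjects"]:
            continue
        role = roles.get((namespace, b["roleRef"]["name"]), {})
        for rule in role.get("rules", []):
            if (verb in rule["verbs"] or "*" in rule["verbs"]) and \
               (resource in rule["resources"] or "*" in rule["resources"]):
                return True
    return False


READ_WORKLOADS = [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
                   "verbs": ["get", "list", "watch"]}]


def demo():
    """Constructed data: tenant a owns two namespaces, tenant b owns one."""
    reg = TenantRegistry()
    reg.add_user("a", "alice")
    reg.add_namespace("alice", "a-web")
    reg.add_namespace("alice", "a-db")
    reg.add_user("b", "bob")
    reg.add_namespace("bob", "b-web")
    objects = build_rbac(reg, "a", READ_WORKLOADS) + build_rbac(reg, "b", READ_WORKLOADS)
    sa_a = tenant_subject("a")
    return {
        "a_lists_own_pods": allowed(objects, sa_a, "list", "pods", "a-db"),
        "a_lists_b_pods": allowed(objects, sa_a, "list", "pods", "b-web"),  # other tenant
        "a_deletes_own_pods": allowed(objects, sa_a, "delete", "pods", "a-web"),  # verb not granted
        "owner_of_b_web": reg.tenant_of_namespace("b-web"),
    }


if __name__ == "__main__":
    print(demo())
```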
Different network policies are set for different namespaces, determining whether applications in them can communicate. This allows users in a tenant to define network reachability towards users in other tenants and users outside the tenant, typically in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
The setting is made through two parameters: the pod selector, podSelector, and the policy types, policyTypes. The pod selector selects pods in the same namespace as the network policy by label, and the rules defined in the policy are applied to the selected pods. The pod selector is optional; when it is absent or empty, every pod in the namespace is selected. The policyTypes field acts as a switch: if it contains Ingress, the rules in the ingress section take effect; if it contains Egress, the rules in the egress section take effect; if it contains both, both sets of rules take effect. Of the two rule sections, ingress defines the rules for traffic entering the selected pods and egress the rules for traffic leaving them.
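As an added illustration of the four policy modes and the podSelector/policyTypes semantics described here and in the method embodiment above (example code, not part of the patent): it builds the four namespace-wide policies, reproduces the API server's defaulting of policyTypes, and evaluates whether a connection is allowed, including the "soft" opening of a denied namespace to one other tenant. The `tenant` label on namespaces and the scenario data are constructed for this example.

```python
"""The four namespace-wide NetworkPolicy modes and the podSelector / policyTypes
semantics they rely on. Constructed example, not code from the patent; object shapes
follow networking.k8s.io/v1, and the evaluator models matchLabels selectors only
(no matchExpressions, ipBlock or port restrictions)."""

MODES = {  # the four modes listed in the description: (policy type, allow all?)
    "deny-ingress": ("Ingress", False), "allow-ingress": ("Ingress", True),
    "deny-egress": ("Egress", False), "allow-egress": ("Egress", True),
}


def namespace_policy(name, namespace, mode):
    """Build one mode. An empty podSelector selects every pod in the namespace, and
    policyTypes is the switch that says which direction the policy isolates; a deny
    policy simply has no rules in that direction."""
    direction, allow = MODES[mode]
    spec = {"podSelector": {}, "policyTypes": [direction]}
    if allow:
        spec[direction.lower()] = [{}]  # one rule with no peers matches all traffic
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def effective_policy_types(spec):
    """API-server defaulting when policyTypes is omitted: Ingress is always set and
    Egress only if the policy has at least one egress rule. So {podSelector: {},
    egress: []} without policyTypes isolates ingress, not egress."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def labels_match(selector, labels):
    """matchLabels semantics; an absent or empty selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, other):
    """other = {"namespace", "labels", "ns_labels"}. namespaceSelector alone matches pods
    in matching namespaces, podSelector alone matches pods in the policy's own
    namespace, and the two together are ANDed."""
    if "namespaceSelector" in peer:
        return (labels_match(peer["namespaceSelector"], other["ns_labels"])
                and labels_match(peer.get("podSelector"), other["labels"]))
    if "podSelector" in peer:
        return other["namespace"] == policy_ns and labels_match(peer["podSelector"], other["labels"])
    return False


def connection_allowed(policies, pod, direction, peer):
    """direction 'Ingress' = peer -> pod, 'Egress' = pod -> peer. A pod is isolated in a
    direction only when some policy in its namespace selects it for that direction; it
    is then reachable only through a rule of one of those policies."""
    key, peer_key = direction.lower(), "from" if direction == "Ingress" else "to"
    isolating = [p for p in policies
                 if p["metadata"]["namespace"] == pod["namespace"]
                 and labels_match(p["spec"].get("podSelector"), pod["labels"])
                 and direction in effective_policy_types(p["spec"])]
    if not isolating:
        return True  # nothing selects the pod: Kubernetes default is allow
    for p in isolating:
        for rule in p["spec"].get(key) or []:
            peers = rule.get(peer_key)
            if not peers or any(peer_matches(x, pod["namespace"], peer) for x in peers):
                return True
    return False


# Constructed scenario: namespaces carry a tenant label (an assumption of this example).
WEB_A = {"namespace": "tenant-a-web", "labels": {"app": "web"}, "ns_labels": {"tenant": "a"}}
WEB_B = {"namespace": "tenant-b-web", "labels": {"app": "web"}, "ns_labels": {"tenant": "b"}}
WEB_C = {"namespace": "tenant-c-web", "labels": {"app": "web"}, "ns_labels": {"tenant": "c"}}


def allow_from_tenant(name, namespace, tenant):
    """The 'soft' opening: keep the deny-all policy and add a second one that admits
    only pods from namespaces labelled with the peer tenant."""
    pol = namespace_policy(name, namespace, "allow-ingress")
    pol["spec"]["ingress"] = [{"from": [{"namespaceSelector": {"matchLabels": {"tenant": tenant}}}]}]
    return pol


def demo():
    hard = [namespace_policy("deny-all-ingress", "tenant-a-web", "deny-ingress")]
    soft = hard + [allow_from_tenant("allow-tenant-b", "tenant-a-web", "b")]
    return {
        "b_to_a_hard": connection_allowed(hard, WEB_A, "Ingress", WEB_B),
        "b_to_a_soft": connection_allowed(soft, WEB_A, "Ingress", WEB_B),
        "c_to_a_soft": connection_allowed(soft, WEB_A, "Ingress", WEB_C),
        "a_to_b_soft": connection_allowed(soft, WEB_A, "Egress", WEB_B),  # egress never isolated
        "misconfigured": effective_policy_types({"podSelector": {}, "egress": []}),
    }


if __name__ == "__main__":
    print(demo())
```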
The embodiment of the invention also discloses a device for isolating resources among cloud tenants based on namespace binding, which comprises:
a memory for storing a computer program;
and a processor for executing the computer program to implement the method for isolating resources among cloud tenants based on namespace binding.
The embodiment of the invention also discloses a readable storage medium storing a computer program which, when executed by a processor, implements the method for resource isolation between cloud tenants based on namespace binding.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A method for resource isolation among cloud tenants based on namespace binding, characterized by comprising the following steps:
S1, creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
S2, creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
S3, creating roles on the cloud platform by means of Kubernetes RBAC, and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and S4, setting different network policies for different namespaces, and setting, through the network policies, whether communication between the namespaces is permitted.
2. The method for resource isolation between cloud tenants based on namespace binding according to claim 1, wherein the network policy is set in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
3. The method for resource isolation between cloud tenants based on namespace binding according to claim 1, wherein the network policy is set through two parameters: the pod selector, podSelector, and the policy types, policyTypes; the pod selector selects, by label, pods in the same namespace as the network policy; the rules defined by the network policy are of two kinds, Ingress rules for inbound traffic and Egress rules for outbound traffic.
4. A system for resource isolation between cloud tenants based on namespace binding, the system comprising:
a tenant creating module, used for creating a tenant in the cloud platform, creating a plurality of users in the tenant, and creating an association relation between the tenant and the users;
a namespace binding module, used for creating a plurality of namespaces for each user in the tenant, establishing the association relation among the tenant, the users and the namespaces, and binding the tenant to the namespaces;
a role creating and binding module, used for creating roles on the cloud platform by means of Kubernetes RBAC and setting the permission binding scheme between the roles and the namespace list corresponding to each tenant;
and a namespace communication module, used for setting different network policies for different namespaces and setting, through the network policies, whether communication between the namespaces is permitted.
5. The system of claim 4, wherein the network policy is set in one of the following modes:
pods in the same namespace: all inbound traffic is denied;
pods in the same namespace: all inbound traffic is allowed;
pods in the same namespace: all outbound traffic is denied;
pods in the same namespace: all outbound traffic is allowed.
6. The system of claim 4, wherein the network policy is set through two parameters: the pod selector, podSelector, and the policy types, policyTypes; the pod selector selects, by label, pods in the same namespace as the network policy; the rules defined by the network policy are of two kinds, Ingress rules for inbound traffic and Egress rules for outbound traffic.
7. A device for resource isolation between cloud tenants based on namespace binding, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method for resource isolation between cloud tenants based on namespace binding according to any one of claims 1 to 3.
8. A readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for resource isolation between cloud tenants based on namespace binding according to any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010093625.2A CN111324456A (en) 2020-02-14 2020-02-14 Method and system for isolating resources among cloud tenants based on namespace binding

Publications (1)

Publication Number Publication Date
CN111324456A (en) 2020-06-23

Family

ID=71165220

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022135167A1 (en) * 2020-12-21 2022-06-30 上海商汤智能科技有限公司 Cloud service method and apparatus, device and storage medium
CN114338405A (en) * 2021-12-31 2022-04-12 中电福富信息科技有限公司 Method and system for realizing cloud platform tenant-level network policy configuration based on Kubernetes
CN115811441A (en) * 2023-01-17 2023-03-17 华控清交信息科技(北京)有限公司 Method and device for creating namespace on K8S cloud platform and electronic equipment
CN115811441B (en) * 2023-01-17 2023-04-25 华控清交信息科技(北京)有限公司 Method and device for creating namespace on K8S cloud platform and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20200623
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication