CN111935110B - Method and device for controlling permission of tenant to access container instance - Google Patents
- Publication number: CN111935110B (application CN202010725429.2A)
- Authority: CN (China)
- Prior art keywords: target, tenant, container, user account, configuration file
- Prior art date
- Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F9/5077: Logical partitioning of resources; management or configuration of virtualized resources (under G06F9/50, allocation of resources)
- G06F9/5072: Grid computing (under G06F9/5061, partitioning or combining of resources)
- H04L63/10: Network security, controlling access to devices or network resources
- H04L63/0823: Network security, authentication of entities using certificates
- H04L9/3263: Cryptographic mechanisms for verifying identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
- H04L9/3268: As H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Abstract
The application relates to a method and a device for controlling the permission of a tenant to access a container instance, applied to a container management platform in a container cluster. The container cluster further comprises a plurality of container instances belonging to at least two different tenants, and the container instances of different tenants are deployed in different network spaces so as to be isolated from each other. The method comprises the following steps: receiving a container creation request of a target tenant; creating a target user account in the container cluster for the target tenant; creating an authentication certificate corresponding to the target user account; and generating a target configuration file corresponding to the target user account, wherein the target configuration file is used for operating the container instance created by the target tenant in the container cluster with a management tool provided by the container management platform, and records the target tenant and the certificate information of the authentication certificate. The method and the device solve the technical problem that, in the related art, the flexibility of the tenant in accessing and managing the container instance is poor.
Description
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for controlling a right of a tenant to access a container instance.
Background
In a public cloud computing scenario, container services have traditionally been provided to tenants in the form of container clusters, each of which includes a container management platform. The tenant may create a container instance using the various tools of the container management platform ecosystem (e.g., a kubectl client, a Kubernetes client library, etc., for a platform such as Kubernetes), deploy its own application program in the container instance, and perform management operations such as adding, deleting, modifying, and querying the container instance as needed. In this scenario, the network isolation policy between different tenants is at the cluster level: one tenant can only access its own container cluster and cannot access the container cluster of another tenant, and within the container cluster of a single tenant the container instances do not need to be isolated from each other.
A new way of providing container services uses single container instances, rather than container clusters, as the unit of service for tenants. Compared with the traditional mode, the tenant no longer needs to maintain a container management platform; instead, the container instances of different tenants all reside in the same container cluster, and the cloud computing vendor maintains a unified container management platform. In this scenario, the network isolation policy between different tenants is at the container instance level (i.e., a tenant can only access its own container instances and cannot access the container instances of another tenant), so the tenant's authority must be controlled when it accesses a container instance.
In this new scenario, the permission control scheme in the related art performs access control management through a console or an encapsulated OpenAPI. Specifically, the operation interface of the container management platform is wrapped a second time into an OpenAPI, the tenant calls the OpenAPI to access the container instance, and the tenant's permissions are managed and enforced on the OpenAPI side. However, this means that the tenant cannot manage the container instance with the various tools of the container management platform ecosystem and can only go through the re-encapsulated OpenAPI, resulting in poor flexibility of the tenant in accessing and managing the container instance.
Disclosure of Invention
The application provides a method and a device for controlling the permission of a tenant to access a container instance, so as to at least solve the technical problem that the flexibility of the tenant to access and manage the container instance is poor in the related technology.
According to an aspect of the embodiments of the present application, there is provided a method for controlling authority of a tenant to access a container instance, which is applied to a container management platform in a container cluster, wherein the container cluster further includes a plurality of container instances belonging to at least two different tenants, and the container instances of the different tenants are deployed in different network spaces to be isolated from each other, and the method includes:
receiving a container creation request of a target tenant, wherein the container creation request is used for requesting to create a container instance in a container cluster;
creating a target user account in the container cluster for the target tenant, wherein the target user account specifies target access rights of the target tenant in the container cluster;
creating an authentication certificate corresponding to the target user account, wherein the authentication certificate is used for authenticating the identity of the target tenant;
and generating a target configuration file corresponding to the target user account, wherein the target configuration file is used for operating the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform, and the target configuration file records the target tenant and the certificate information of the authentication certificate.
Optionally, creating a target user account in the container cluster for the target tenant comprises:
creating a target namespace for the target tenant in the container cluster, wherein the target namespace is used for creating a container instance of the target tenant;
acquiring the target access right corresponding to the target tenant, wherein the target access right is used for indicating that the target tenant is allowed to access the target namespace and the resources which are allowed to be accessed by the target tenant;
creating an initial user account corresponding to the target tenant in the container cluster;
and binding the target access authority with the initial user account to obtain the target user account.
Optionally, the obtaining of the target access right corresponding to the target tenant includes one of:
acquiring a first initial role corresponding to the target tenant from a plurality of roles, wherein the first initial role is used for indicating resources which are allowed to be accessed by the target tenant; adding a namespace access right to the first initial role to obtain a target role as the target access right, wherein the namespace access right is used for indicating that the target tenant is allowed to access the target namespace;
acquiring a second initial role, wherein the second initial role is used for indicating initial resources which are allowed to be accessed by the tenant; and modifying the second initial role into a target role as the target access permission, wherein the target role is used for indicating that the target tenant is allowed to access the target namespace and the resources which are allowed to be accessed by the target tenant.
Optionally, generating the target configuration file corresponding to the target user account includes:
generating an initial configuration file of a target format, wherein the target format is a format which accords with the access condition of the container cluster;
and writing the target tenant and the certificate information into the initial configuration file to obtain the target configuration file.
Optionally, after generating the target configuration file corresponding to the target user account, the method further includes:
receiving a download request initiated by a user belonging to the target tenant, wherein the download request is used for requesting to download the configuration file;
responding to the download request to obtain the target configuration file corresponding to the target tenant;
and downloading the target configuration file to a download location indicated by the user.
Optionally, the obtaining the target configuration file corresponding to the target tenant in response to the download request includes:
acquiring the target user account corresponding to the target tenant from the stored correspondence between tenants and user accounts;
and acquiring the target configuration file corresponding to the target user account from the stored correspondence between user accounts and configuration files.
According to another aspect of the embodiments of the present application, there is further provided an apparatus for controlling authority of a tenant to access a container instance, which is applied to a container management platform in a container cluster, wherein the container cluster further includes a plurality of container instances belonging to at least two different tenants, and the container instances of the different tenants are deployed in different network spaces to be isolated from each other, and the apparatus includes:
a first receiving module, configured to receive a container creation request of a target tenant, where the container creation request is used to request creation of a container instance in a container cluster;
a first creating module, configured to create a target user account in the container cluster for the target tenant, wherein the target user account specifies a target access right of the target tenant in the container cluster;
a second creating module, configured to create an authentication certificate corresponding to the target user account, where the authentication certificate is used to authenticate an identity of the target tenant;
a generating module, configured to generate a target configuration file corresponding to the target user account, where the target configuration file is used to operate, using a management tool provided by the container management platform, a container instance created by the target tenant in the container cluster, and the target configuration file records certificate information of the target tenant and the authentication certificate.
Optionally, the first creating module includes:
a first creating unit, configured to create a target namespace for the target tenant in the container cluster;
a first obtaining unit, configured to obtain the target access right corresponding to the target tenant, where the target access right is used to indicate that the target tenant is allowed to access the target namespace and a resource that the target tenant is allowed to access;
a second creating unit, configured to create an initial user account corresponding to the target tenant in the container cluster;
and the binding unit is used for binding the target access right with the initial user account to obtain the target user account.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method through the computer program.
In the embodiment of the application, a container creation request of a target tenant is received, the container creation request being used to request creation of a container instance in a container cluster; a target user account is created in the container cluster for the target tenant, the target user account specifying a target access right of the target tenant in the container cluster; an authentication certificate corresponding to the target user account is created, the authentication certificate being used to authenticate the identity of the target tenant; and a target configuration file corresponding to the target user account is generated, the target configuration file being used to operate the container instance created by the target tenant in the container cluster with a management tool provided by the container management platform, and recording the target tenant and the certificate information of the authentication certificate. In other words, when the target tenant requests creation of a container instance, a corresponding target user account and authentication certificate that specify the target tenant's target access authority in the container cluster are created for it, so that a target configuration file recording the target tenant and the certificate information is generated, and a user can operate the container instance created by the target tenant in the container cluster through that configuration file with the management tool provided by the container management platform. This achieves the purposes of controlling the user's access authority while allowing the user to operate resources flexibly, thereby improving the flexibility with which the tenant accesses and manages container instances and solving the technical problem that, in the related technology, this flexibility is poor.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a schematic diagram of a hardware environment for a method of controlling access rights of a tenant to a container instance according to an embodiment of the application;
FIG. 2 is a flowchart of an alternative method for controlling the access rights of a tenant to a container instance according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an access rights control process according to an alternative embodiment of the present application;
FIG. 4 is a schematic diagram of an alternative control apparatus for controlling access rights of a tenant to a container instance according to an embodiment of the application;
FIG. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiments of the present application, there is provided an embodiment of a method for controlling authority of a tenant to access a container instance, which is applied to a container management platform in a container cluster, where the container cluster further includes a plurality of container instances, the plurality of container instances belong to at least two different tenants, and the container instances of the different tenants are deployed in different network spaces to be isolated from each other.
Alternatively, in the present embodiment, the above method for controlling the authority of the tenant to access the container instance may be applied to a hardware environment formed by the terminal 101 and the server 103 as shown in FIG. 1. As shown in FIG. 1, the server 103 is connected to the terminal 101 through a network and may be used to provide services (such as game services, application services, etc.) for the terminal or for a client installed on the terminal; a database may be provided on the server or separately from it to provide data storage services for the server 103. The network may be of any type, and the terminal 101 is not limited to a PC, a mobile phone, a tablet computer, or the like. The method for controlling the tenant's access authority to the container instance according to the embodiment of the present application may be executed by the server 103, by the terminal 101, or by both the server 103 and the terminal 101. Where the method is executed by the terminal 101, it may also be executed by a client installed on the terminal.
Fig. 2 is a flowchart of an optional method for controlling the authority of a tenant to access a container instance according to an embodiment of the present application, and as shown in fig. 2, the method may include the following steps:
step S202, receiving a container creating request of a target tenant, wherein the container creating request is used for requesting to create a container instance in a container cluster;
step S204, a target user account is created in the container cluster for the target tenant, wherein the target user account designates the target access authority of the target tenant in the container cluster;
step S206, an authentication certificate corresponding to the target user account is created, wherein the authentication certificate is used for authenticating the identity of the target tenant;
step S208, a target configuration file corresponding to the target user account is generated, where the target configuration file is used to operate, using a management tool provided by the container management platform, a container instance created by the target tenant in the container cluster, and the target configuration file records certificate information of the target tenant and the authentication certificate.
Through the steps S202 to S208, when a target tenant requests to create a container instance, a corresponding target user account and an authentication certificate that specify a target access permission of the target tenant in the container cluster are created for the target tenant, so that a target configuration file that records information of the target tenant and the authentication certificate is generated, and a user can operate the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform through the target configuration file, thereby achieving the purposes of controlling the access permission of the user and allowing the user to flexibly operate resources, achieving a technical effect of improving flexibility of accessing and managing the container instance by the tenant, and further solving a technical problem that the flexibility of accessing and managing the container instance by the tenant in related technologies is poor.
In the technical solution provided in step S202, the target tenant may be, but is not limited to, a tenant registered on the container cluster. A tenant of the container cluster may request the container instance creation function from the container cluster by sending a container creation request, and once that request succeeds the target tenant may create container instances on the container cluster. The network space may be, but is not limited to, a Virtual Private Cloud (VPC) of a cloud tenant.
In the technical solution provided in step S204, in response to the container creation request of the target tenant, a corresponding target user account may be first created for the target tenant on the container cluster, where the target user account is used to specify a target access right of the target tenant in the container cluster, for example: a namespace and resources on the cluster that the target tenant is allowed to access.
Optionally, in this embodiment, the target user account may be, but is not limited to, a user account, and information of the target tenant on the container cluster may be recorded in the user account.
In the technical solution provided in step S206, a corresponding authentication certificate is created for the target user account, and the authentication certificate may be used for authenticating the identity of the target tenant. The target tenant may access the resources of the container cluster using the authentication certificate.
Optionally, in this embodiment, the authentication certificate may be, but is not limited to, generated using a private key obtained by the target tenant, and the generated authentication certificate may be stored in a unified certificate management platform. When the target tenant uses the target configuration file to connect to the container cluster, the container cluster reads the certificate information in the target configuration file, retrieves the authentication certificate from the certificate management platform according to that certificate information, and verifies the authentication certificate with the public key of the target tenant; the connection with the target tenant is established only after the verification passes.
In the technical solution provided in step S208, a corresponding target configuration file is generated for the target user account, and it records the target tenant and the certificate information of the authentication certificate. The target configuration file is used for operating the container instance created by the target tenant in the container cluster with the management tool provided by the container management platform. When the target configuration file is used to access a resource, the authority is matched and verified according to the target tenant recorded in the resource.
Optionally, in this embodiment, the management tool may include, but is not limited to, the various tools of the k8s ecosystem, such as kubectl and the Kubernetes client library.
Optionally, in this embodiment, the target configuration file may be, but is not limited to, a kubeconfig file. Management tools such as kubectl and the Kubernetes client library access the k8s cluster directly through a kubeconfig file in the standard format; generating a standard-format kubeconfig file for each user therefore lets the user manage container instances with the various tools of the k8s ecosystem (such as the kubectl client, the Kubernetes client library, and so on), which improves the flexibility with which the tenant accesses cluster resources.
As an alternative embodiment, creating a target user account in the container cluster for the target tenant comprises:
S11, creating a target namespace for the target tenant in the container cluster, wherein the target namespace is used for creating a container instance of the target tenant;
S12, acquiring the target access right corresponding to the target tenant, wherein the target access right is used for indicating that the target tenant is allowed to access the target namespace and the resource which the target tenant is allowed to access;
S13, creating an initial user account corresponding to the target tenant in the container cluster;
S14, binding the target access authority with the initial user account to obtain the target user account.
Optionally, in this embodiment, when creating a container instance function for a target tenant, a target namespace is created for the target tenant, and all container instances created by the target tenant after successful creation are stored in the target namespace.
Optionally, in this embodiment, the namespace may be, but is not limited to, a k8s namespace; the created namespaces correspond one to one to the tenants of the container cluster, and user_id information is included in the name of the namespace as its identifier.
Optionally, in this embodiment, the target access right is used to indicate that the target tenant is allowed to access the target namespace and the resource that the target tenant is allowed to access. That is, the target access permission indicates that the target tenant can only access the target namespace created for the target tenant and indicates the resources that the target tenant can access in the container cluster.
Optionally, in this embodiment, the target access right may be obtained, but is not limited to, by generating or looking up a role. A role defines, for a given type of role, which operations may be performed on which resources, so that the access rights of users are limited.
Optionally, in this embodiment, an initial user account is first generated for the target tenant, and then the initial user account is bound to the obtained target access right, so as to obtain the target user account.
As an optional embodiment, acquiring the target access right corresponding to the target tenant includes one of:
S21, obtaining a first initial role corresponding to the target tenant from a plurality of roles, wherein the first initial role is used for indicating resources which the target tenant is allowed to access; and adding a namespace access right to the first initial role to obtain a target role as the target access right, wherein the namespace access right is used for indicating that the target tenant is allowed to access the target namespace;
S22, acquiring a second initial role, wherein the second initial role is used for indicating initial resources which tenants are allowed to access; and modifying the second initial role into a target role as the target access authority, wherein the target role is used for indicating that the target tenant is allowed to access the target namespace and the resources which the target tenant is allowed to access.
Optionally, in this embodiment, one manner of obtaining the target access permission is to create a plurality of roles in the container cluster in advance, where each role indicates a resource in the container cluster that tenants are allowed to access; according to the permission of the target tenant, the role corresponding to that permission is obtained from the plurality of roles as the first initial role, a namespace access permission indicating that the target tenant is allowed to access the target namespace is added to the first initial role, and the resulting target role is taken as the target access permission of the target tenant.
Optionally, in this embodiment, another way to obtain the target access permission is to create a second initial role in the container cluster in advance to indicate the initial resource that the tenant is allowed to access, and modify the second initial role according to the target namespace that the target tenant is allowed to access and the resource that the target tenant is allowed to access, so as to obtain the target role as the target access permission.
As an optional embodiment, generating the target configuration file corresponding to the target user account includes:
S31, generating an initial configuration file of a target format, wherein the target format is a format which accords with the access condition of the container cluster;
S32, writing the target tenant and the certificate information into the initial configuration file to obtain the target configuration file.
Optionally, in this embodiment, the format of the target configuration file is a target format that meets the access condition of the container cluster, and an initial configuration file that meets the target format may be generated first, and then data such as certificate information of a target tenant and an authentication certificate corresponding to the created target user account is added to the initial configuration file to obtain the target configuration file.
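The two steps S31 and S32 above, shown as an added example that is not code from the patent: an initial kubeconfig in the standard v1 Config format is generated for the cluster, and the tenant's user account, client certificate and private key are then written into it. The cluster name, API server address and the PEM byte strings are constructed placeholders; a real deployment fills them from the cluster CA and the certificate issued for the tenant's user account. JSON is a subset of YAML, so the serialised text is a valid kubeconfig body for kubectl or the Kubernetes client library.

```python
"""Per-tenant kubeconfig generation (added example, not the patent's code)."""
import base64
import json

# Constructed placeholder PEM blobs standing in for real certificate material.
CLUSTER_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...cluster-ca...\n-----END CERTIFICATE-----\n"
TENANT_A_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...CN=user-account-A...\n-----END CERTIFICATE-----\n"
TENANT_A_KEY_PEM = b"-----BEGIN EC PRIVATE KEY-----\nMHcC...tenant-a-key...\n-----END EC PRIVATE KEY-----\n"


def pem_to_b64(pem: bytes) -> str:
    """kubeconfig carries certificate material base64-encoded in the *-data fields."""
    return base64.b64encode(pem).decode("ascii")


def initial_config(cluster_name, server, ca_pem):
    """S31: an initial kubeconfig in the standard format holding only the cluster entry."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": server,
                                  "certificate-authority-data": pem_to_b64(ca_pem)}}],
        "users": [],
        "contexts": [],
        "current-context": "",
    }


def write_tenant(config, tenant_id, account, namespace, cert_pem, key_pem):
    """S32: write the tenant's user account and certificate into the initial config.

    The context pins the tenant's own namespace so tools default to it; the
    authority check itself is still performed server-side against the RBAC
    binding of the account named in the certificate's CN.
    """
    cfg = json.loads(json.dumps(config))  # deep copy so the initial file stays pristine
    cluster_name = cfg["clusters"][0]["name"]
    context_name = f"{tenant_id}@{cluster_name}"
    cfg["users"].append({"name": account,
                         "user": {"client-certificate-data": pem_to_b64(cert_pem),
                                  "client-key-data": pem_to_b64(key_pem)}})
    cfg["contexts"].append({"name": context_name,
                            "context": {"cluster": cluster_name, "user": account,
                                        "namespace": namespace}})
    cfg["current-context"] = context_name
    return cfg


def to_kubeconfig_text(cfg) -> str:
    """Serialise the config; JSON is valid YAML, so this is a usable kubeconfig file body."""
    return json.dumps(cfg, indent=2)


def parse_kubeconfig_text(text):
    """Read a kubeconfig back and return (user, namespace) of its current context."""
    cfg = json.loads(text)
    ctx = next(c for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    return ctx["context"]["user"], ctx["context"]["namespace"]


def build_tenant_kubeconfig(tenant_id, cert_pem, key_pem):
    """S31 followed by S32 for one tenant (account and namespace names are assumed conventions)."""
    base = initial_config("tenant-cluster", "https://k8s.example.invalid:6443", CLUSTER_CA_PEM)
    return write_tenant(base, tenant_id, f"user-account-{tenant_id}",
                        f"ns-{tenant_id}", cert_pem, key_pem)


if __name__ == "__main__":
    print(to_kubeconfig_text(build_tenant_kubeconfig("A", TENANT_A_CERT_PEM, TENANT_A_KEY_PEM)))
```

The generated file embeds the tenant's private key, so the platform should treat it like a credential: store it keyed to the user account, serve it only to an authenticated user of that tenant, and rotate the certificate rather than editing the file in place.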
As an optional embodiment, after generating the target configuration file corresponding to the target user account, the method further includes:
S41, receiving a downloading request initiated by a user included in the target tenant, wherein the downloading request is used for requesting to download the configuration file;
S42, responding to the download request to obtain the target configuration file corresponding to the target tenant;
and S43, downloading the target configuration file to the downloading position indicated by the user.
Optionally, in this embodiment, the target tenant may be, but is not limited to, an organization, a group, an individual or a family registered on the container cluster, and each target tenant may include, but is not limited to, one or more users. For example: a video website can become a registered tenant on the container cluster, and a user of the video website can become a registered user of the video website tenant, that is, the video website tenant comprises that user. A family can become a registered tenant on the container cluster, and the members of the family can become registered users of the family tenant, that is, the family tenant comprises family member users. A business or organization may become a registered tenant on the container cluster, and employees or departments of the business or organization may become registered users of the business or organization tenant, that is, the business or organization tenant includes employee users and department users.
Optionally, in this embodiment, the registration relationship between tenants and users may also be multi-tiered, a group may become a registered tenant on the container cluster, an enterprise or a company in the group may become a registered user of the group tenant, and an employee or a department of the enterprise or the company may become a registered user of the enterprise user or the company user. That is, a group tenant may include enterprise users, corporate users, employee users, departmental users, and the like.
Optionally, in this embodiment, a user included in the target tenant may obtain a configuration file corresponding to the target tenant by actively sending a download request, so that a management tool provided by the container management platform is used to flexibly operate resources in the container cluster through the configuration file. And after receiving the downloading request, returning the target configuration file with the corresponding relation with the target tenant to the user. The target configuration file may be downloaded to a download location indicated by the user, such as: the user initiates a download request from the web page, which may be downloaded to a default download location of the browser, or a user-specified location (desktop, specified folder, etc.).
Optionally, in this embodiment, a user included in the target tenant may manage the container instances created by that user through the downloaded target configuration file using a tool such as the kubectl client provided by the cluster, the Kubernetes client library, and the like.
As an optional embodiment, the obtaining the target configuration file corresponding to the target tenant in response to the download request includes:
S51, acquiring the target user account corresponding to the target tenant from the tenants and user accounts having a corresponding relationship;
S52, obtaining the target configuration file corresponding to the target user account from the user accounts and configuration files having a corresponding relationship.
Optionally, in this embodiment, the tenants and user accounts having a corresponding relationship, and the user accounts and configuration files having a corresponding relationship, are stored in the cluster; that is, the target tenant can be used as a key to look up the target user account as the value, and the target user account can then be used as a key to look up the target configuration file as the value.
The application further provides an optional embodiment, which provides an access authority control process for multiple tenants in a container instance cluster: when a tenant creates a container instance product, a user account is automatically created for the tenant, the corresponding access authority is configured, an authentication certificate is generated, and finally a kubeconfig file corresponding to the tenant is obtained; through this config file the tenant can manage container instances with the various tools in the k8s ecosystem (such as the kubectl client, the Kubernetes client library and the like). Fig. 3 is a schematic diagram of an access right control process according to an alternative embodiment of the present application. As shown in fig. 3, when a public cloud user (tenant A or tenant B) creates a container instance product, a namespace is created for that user in the Kubernetes cluster; the namespace and the tenant are in one-to-one correspondence, and the name of the namespace contains user_id information as an identifier, for example: namespace A is created for tenant A and namespace B is created for tenant B. Container instances created by tenant A (e.g., Pod A1 and Pod A2) are all created in namespace A, and container instances created by tenant B (e.g., Pod B1 and Pod B2) are all created in namespace B.
For each user, a user account is created in the Kubernetes cluster, for example: user account A is created for tenant A and user account B is created for tenant B, and a certificate used to access the Kubernetes cluster is created for each account. A role is bound to the user account; the rules of the role limit the user to accessing only its own namespace and only a limited set of resources, such as Pod and Deployment. For example, an initial role is created in advance, in which the namespace accessible to the user is limited to namespace X and the user is limited to accessing the resources Pods, Deployments and ConfigMaps. Role binding (RoleBinding) is performed between user account A and the initial role, and namespace X in the initial role is modified to namespace A to obtain the role corresponding to user account A. Likewise, role binding (RoleBinding) is performed between user account B and the initial role, and namespace X in the initial role is modified to namespace B to obtain the role corresponding to user account B.
The public cloud user can download the kubeconfig file corresponding to the user account and then manage the container instances through the kubectl client (or a client library, etc.).
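Steps S11 to S14 and the role derivation of S22, together with the tenant A / tenant B walk-through just above, as an added example that is not code from the patent. It produces the Namespace, Role and RoleBinding manifests as plain dicts (ready for JSON or YAML serialisation and `kubectl apply`), derives each tenant's target role by copying the initial role scoped to namespace X and rewriting the namespace, and includes a toy authorizer that mirrors how the API server evaluates namespaced Roles, so the isolation between the two tenants can be checked offline. The namespace and account naming conventions and the resource and verb lists are assumptions made for this example.

```python
"""Per-tenant Kubernetes RBAC objects (added example, not the patent's code)."""
import copy

# Constructed "initial role" (the second initial role of S22): scoped to the
# placeholder namespace X and limited to Pods, Deployments and ConfigMaps.
INITIAL_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "tenant-role", "namespace": "namespace-X"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ],
}


def namespace_name(user_id):
    """One namespace per tenant; the tenant's user_id is embedded as identifier (assumed format)."""
    return f"ns-{user_id}"


def account_name(user_id):
    """One user account per tenant; must equal the CN of the tenant's client certificate."""
    return f"user-account-{user_id}"


def namespace_manifest(user_id):
    """S11: the target namespace in which the tenant's container instances are created."""
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": namespace_name(user_id),
                         "labels": {"tenant-user-id": user_id}}}


def target_role(user_id, initial_role=INITIAL_ROLE):
    """S22: copy the initial role and rewrite namespace X to the tenant's namespace.

    A Role is namespaced, so metadata.namespace is the namespace access right;
    the resource rules are copied unchanged, so the tenant gains nothing else.
    """
    role = copy.deepcopy(initial_role)
    role["metadata"]["namespace"] = namespace_name(user_id)
    return role


def role_binding(user_id, role):
    """S14: bind the target role to the tenant's user account (a User subject)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{account_name(user_id)}-binding",
                     "namespace": role["metadata"]["namespace"]},
        "subjects": [{"kind": "User", "name": account_name(user_id),
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": role["metadata"]["name"],
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def provision_tenant(user_id):
    """S11 to S14 for one tenant: namespace, target role, and the bound user account."""
    role = target_role(user_id)
    return [namespace_manifest(user_id), role, role_binding(user_id, role)]


def is_allowed(objects, user, namespace, api_group, resource, verb):
    """Toy authorizer for namespaced Roles: the request is allowed only if a
    RoleBinding in that namespace names the user and references a Role in the
    same namespace whose rule covers the API group, resource and verb."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    for b in objects:
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        role = roles.get((namespace, b["roleRef"]["name"]))
        for rule in (role or {}).get("rules", []):
            if (api_group in rule["apiGroups"] and resource in rule["resources"]
                    and verb in rule["verbs"]):
                return True
    return False


if __name__ == "__main__":
    cluster = provision_tenant("A") + provision_tenant("B")
    print(is_allowed(cluster, "user-account-A", "ns-A", "", "pods", "get"))     # True
    print(is_allowed(cluster, "user-account-A", "ns-B", "", "pods", "get"))     # False
    print(is_allowed(cluster, "user-account-A", "ns-A", "", "secrets", "get"))  # False
```

The check to keep in mind when deploying this pattern is that the grant is a namespaced Role bound by a RoleBinding, never a ClusterRole bound cluster-wide: the authorizer above returns False for tenant A in namespace B and for resources outside the initial role's list for exactly that reason.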
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided a control apparatus for controlling authority of tenant to access a container instance, which is applied to a container management platform in a container cluster, and is used for implementing the control method for controlling authority of tenant to access a container instance. Fig. 4 is a schematic diagram of an alternative control apparatus for controlling a tenant's authority to access a container instance according to an embodiment of the present application, and as shown in fig. 4, the apparatus may include:
a first receiving module 42, configured to receive a container creation request of a target tenant, where the container creation request is used to request that a container instance be created in a container cluster;
a first creating module 44, configured to create a target user account in the container cluster for the target tenant, wherein the target user account specifies a target access right of the target tenant in the container cluster;
a second creating module 46, configured to create an authentication certificate corresponding to the target user account, where the authentication certificate is used to authenticate the identity of the target tenant;
a generating module 48, configured to generate a target configuration file corresponding to the target user account, where the target configuration file is used to operate, using a management tool provided by the container management platform, a container instance created by the target tenant in the container cluster, and the target configuration file records certificate information of the target tenant and the authentication certificate.
It should be noted that the first receiving module 42 in this embodiment may be configured to execute step S202 in this embodiment, the first creating module 44 in this embodiment may be configured to execute step S204 in this embodiment, the second creating module 46 in this embodiment may be configured to execute step S206 in this embodiment, and the generating module 48 in this embodiment may be configured to execute step S208 in this embodiment.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may operate in a hardware environment as shown in fig. 1, and may be implemented by software or hardware.
Through the module, when a target tenant requests to create a container instance, a corresponding target user account and an authentication certificate which designate a target access authority of the target tenant in a container cluster are created for the target tenant, so that a target configuration file which records information of the target tenant and the authentication certificate is generated, a user can operate the container instance created by the target tenant in the container cluster through the target configuration file by using a management tool provided by the container management platform, the purposes of controlling the access authority of the user and allowing the user to flexibly operate resources are achieved, the technical effect of improving the flexibility of the container instance accessed and managed by the tenant is achieved, and the technical problem that the flexibility of the container instance accessed and managed by the tenant in the related technology is poor is solved.
As an alternative embodiment, the first creating module includes:
a first creating unit, configured to create a target namespace for the target tenant in the container cluster, where the target namespace is used to create a container instance of the target tenant;
a first obtaining unit, configured to obtain the target access right corresponding to the target tenant, where the target access right is used to indicate that the target tenant is allowed to access the target namespace and a resource that the target tenant is allowed to access;
a second creating unit, configured to create an initial user account corresponding to the target tenant in the container cluster;
and the binding unit is used for binding the target access right with the initial user account to obtain the target user account.
As an alternative embodiment, the first obtaining unit is configured to perform one of:
acquiring a first initial role corresponding to the target tenant from a plurality of roles, wherein the first initial role is used for indicating resources which are allowed to be accessed by the target tenant; adding a namespace access right to the first initial role to obtain a target role as the target access right, wherein the namespace access right is used for indicating that the target tenant is allowed to access the target namespace;
acquiring a second initial role, wherein the second initial role is used for indicating initial resources which are allowed to be accessed by the tenant; and modifying the second initial role into a target role as the target access authority, wherein the target role is used for indicating that the target tenant is allowed to access the target namespace and the resources which are allowed to be accessed by the target tenant.
As an alternative embodiment, the generating module includes:
a generating unit, configured to generate an initial configuration file in a target format, where the target format is a format that meets an access condition of the container cluster;
and the writing unit is used for writing the target tenant and the certificate information into the initial configuration file to obtain the target configuration file.
As an alternative embodiment, the apparatus further comprises:
a second receiving module, configured to receive a download request initiated by a user and included by the target tenant after generating a target configuration file corresponding to the target user account, where the download request is used to request to download the configuration file;
the acquisition module is used for responding to the downloading request to acquire the target configuration file corresponding to the target tenant;
and the downloading module is used for downloading the target configuration file to the downloading position indicated by the user.
As an alternative embodiment, the obtaining module includes:
the second acquisition unit is used for acquiring the target user account corresponding to the target tenant from the tenants and the user accounts with the corresponding relationship;
and the third acquisition unit is used for acquiring the target configuration file corresponding to the target user account from the user account and the configuration file with the corresponding relation.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 1, and may be implemented by software, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the application, an electronic device for implementing the above control method for the tenant access authority to the container instance is further provided.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present application. As shown in fig. 5, the electronic device may include: one or more processors 501 (only one of which is shown), a memory 503, and a transmission means 505. As shown in fig. 5, the electronic apparatus may further include an input/output device 507.
The memory 503 may be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for controlling the authority of the tenant to access the container instance in the embodiment of the present application, and the processor 501 executes various functional applications and data processing by running the software programs and modules stored in the memory 503, that is, the method for controlling the authority of the tenant to access the container instance is implemented. The memory 503 may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 503 may further include memory located remotely from the processor 501, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 505 is used for receiving or sending data via a network, and may also be used for data transmission between the processor and the memory. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 505 includes a network adapter (Network Interface Card, NIC) that can be connected via a network cable to a router and other network devices to communicate with the internet or a local area network. In another example, the transmission device 505 is a Radio Frequency (RF) module, which is used for communicating with the internet wirelessly.
The memory 503 is used in particular to store an application program.
The processor 501 may call the application stored in the memory 503 through the transmission means 505 to perform the following steps:
receiving a container creation request of a target tenant, wherein the container creation request is used for requesting to create a container instance in a container cluster;
creating a target user account in the container cluster for the target tenant, wherein the target user account specifies target access rights of the target tenant in the container cluster;
creating an authentication certificate corresponding to the target user account, wherein the authentication certificate is used for accessing and authenticating the identity of the target tenant;
and generating a target configuration file corresponding to the target user account, wherein the target configuration file is used for operating the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform, and the target configuration file records the target tenant and the certificate information of the authentication certificate.
By adopting the embodiment of the application, a scheme for controlling the permission of the tenant to access the container instance is provided. When a target tenant requests to create a container instance, a corresponding target user account and an authentication certificate which designate a target access authority of the target tenant in a container cluster are created for the target tenant, so that a target configuration file which records information of the target tenant and the authentication certificate is generated, and a user can operate the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform through the target configuration file, so that the purposes of controlling the access authority of the user and allowing the user to flexibly operate resources are achieved, the technical effect of improving the flexibility of the container instance accessed and managed by the tenant is achieved, and the technical problem that the flexibility of the container instance accessed and managed by the tenant in the related technology is poor is solved.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It will be understood by those skilled in the art that the structure shown in fig. 5 is only an example, and the electronic device may be a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, and an electronic device such as a Mobile Internet Device (MID), a PAD, etc. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program for instructing hardware associated with an electronic device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be used for program codes of a method for controlling the authority of a tenant to access a container instance.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
receiving a container creation request of a target tenant, wherein the container creation request is used for requesting to create a container instance in a container cluster;
creating a target user account in the container cluster for the target tenant, wherein the target user account specifies target access rights of the target tenant in the container cluster;
creating an authentication certificate corresponding to the target user account, wherein the authentication certificate is used for accessing and authenticating the identity of the target tenant;
and generating a target configuration file corresponding to the target user account, wherein the target configuration file is used for operating the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform, and the target configuration file records the target tenant and the certificate information of the authentication certificate.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash drive (U-disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.
Claims (10)
1. A method for controlling the authority of a tenant to access a container instance is applied to a container management platform in a container cluster, and is characterized in that the container cluster further comprises a plurality of container instances, the container instances belong to at least two different tenants, and the container instances of the different tenants are deployed in different network spaces to be isolated from each other, and the method comprises the following steps:
receiving a container creation request of a target tenant, wherein the container creation request is used for requesting to create a container instance in a container cluster;
creating a target user account in the container cluster for the target tenant, wherein the target user account specifies target access rights of the target tenant in the container cluster;
creating an authentication certificate corresponding to the target user account, wherein the authentication certificate is used for authenticating the identity of the target tenant;
and generating a target configuration file corresponding to the target user account, wherein the target configuration file is used for operating the container instance created by the target tenant in the container cluster by using a management tool provided by the container management platform, and the target configuration file records the target tenant and the certificate information of the authentication certificate.
2. The method of claim 1, wherein creating a target user account in the container cluster for the target tenant comprises:
creating a target namespace for the target tenant in the container cluster, wherein the target namespace is used for creating a container instance of the target tenant;
acquiring the target access right corresponding to the target tenant, wherein the target access right is used for indicating that the target tenant is allowed to access the target namespace and the resources which are allowed to be accessed by the target tenant;
creating an initial user account corresponding to the target tenant in the container cluster;
and binding the target access authority with the initial user account to obtain the target user account.
3. The method of claim 2, wherein obtaining the target access right corresponding to the target tenant comprises one of:
acquiring a first initial role corresponding to the target tenant from a plurality of roles, wherein the first initial role is used for indicating resources which are allowed to be accessed by the target tenant; adding a namespace access right to the first initial role to obtain a target role as the target access right, wherein the namespace access right is used for indicating that the target tenant is allowed to access the target namespace;
acquiring a second initial role, wherein the second initial role is used for indicating initial resources which are allowed to be accessed by the tenant; and modifying the second initial role into a target role as the target access authority, wherein the target role is used for indicating that the target tenant is allowed to access the target namespace and the resources which are allowed to be accessed by the target tenant.
4. The method of claim 1, wherein generating the target configuration file corresponding to the target user account comprises:
generating an initial configuration file in a target format, wherein the target format is a format that satisfies the access requirements of the container cluster;
and writing the target tenant and the certificate information into the initial configuration file to obtain the target configuration file.
5. The method of claim 1, wherein after generating the target configuration file corresponding to the target user account, the method further comprises:
receiving a download request initiated by a user belonging to the target tenant, wherein the download request is used for requesting to download the configuration file;
acquiring, in response to the download request, the target configuration file corresponding to the target tenant;
and downloading the target configuration file to a download location indicated by the user.
6. The method of claim 5, wherein acquiring the target configuration file corresponding to the target tenant in response to the download request comprises:
acquiring the target user account corresponding to the target tenant from the stored correspondence between tenants and user accounts;
and acquiring the target configuration file corresponding to the target user account from the stored correspondence between user accounts and configuration files.
7. An apparatus for controlling authority of a tenant to access a container instance, applied to a container management platform in a container cluster, wherein the container cluster further includes a plurality of container instances belonging to at least two different tenants, and the container instances of the different tenants are deployed in different network spaces to be isolated from each other, the apparatus comprising:
a first receiving module, configured to receive a container creation request of a target tenant, where the container creation request is used to request creation of a container instance in a container cluster;
a first creating module, configured to create a target user account in the container cluster for the target tenant, where the target user account specifies a target access right of the target tenant in the container cluster;
the second creating module is used for creating an authentication certificate corresponding to the target user account, wherein the authentication certificate is used for authenticating the identity of the target tenant;
a generating module, configured to generate a target configuration file corresponding to the target user account, where the target configuration file is used to operate, using a management tool provided by the container management platform, the container instance created by the target tenant in the container cluster, and the target configuration file records the target tenant and the certificate information of the authentication certificate.
8. The apparatus of claim 7, wherein the first creating module comprises:
a first creating unit, configured to create a target namespace for the target tenant in the container cluster;
a first obtaining unit, configured to obtain the target access right corresponding to the target tenant, where the target access right is used to indicate that the target tenant is allowed to access the target namespace and a resource that the target tenant is allowed to access;
a second creating unit, configured to create an initial user account corresponding to the target tenant in the container cluster;
and the binding unit is used for binding the target access right with the initial user account to obtain the target user account.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 6.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 6 by means of the computer program.
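The procedure of claims 1 to 6 (and the mirrored apparatus of claims 7 and 8), as an added example that is not part of the patent: it assumes the container management platform is Kubernetes, that the management tool is kubectl and the configuration file is a kubeconfig, and it follows the second option of claim 3, narrowing a template role (the constructed BASE_TENANT_ROLE) to the tenant's namespace. Manifests are plain dicts rather than API calls, the certificate is a constructed placeholder standing in for a CSR signed by the cluster CA, and the tenant membership table is constructed sample data. The `namespace_scoped` check is an addition that verifies the binding is a namespaced Role and the generated context points at that namespace, which is what keeps the file from granting anything outside the tenant's own space.

```python
# Added example: claims 1-6 modelled on Kubernetes RBAC (an assumption; the
# claims name no platform). Manifests and the kubeconfig are plain dicts and the
# certificate is a constructed placeholder, not a real X.509 certificate.
import base64
import copy
import json

# Claim 3, second option: template role for the resources any tenant may use,
# not yet tied to a namespace (constructed sample rules).
BASE_TENANT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "tenant-role"},
    "rules": [{"apiGroups": ["", "apps"],
               "resources": ["pods", "pods/log", "services", "deployments"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
}


class TenantAccessController:
    """Holds the tenant -> account and account -> config maps of claim 6."""

    def __init__(self, api_server, tenants):
        self.api_server = api_server
        self.tenants = tenants    # tenant -> set of member users (constructed)
        self.account_of = {}      # tenant -> user account name
        self.config_of = {}       # user account -> kubeconfig dict
        self.manifests = {}       # user account -> manifests to apply
        self.certs = {}           # user account -> (cert PEM, key PEM)

    def create_user_account(self, tenant):
        """Claim 2: namespace, namespace-scoped role, initial account, binding."""
        ns, account = f"tenant-{tenant}", f"{tenant}-user"
        namespace = {"apiVersion": "v1", "kind": "Namespace",
                     "metadata": {"name": ns, "labels": {"tenant": tenant}}}
        role = copy.deepcopy(BASE_TENANT_ROLE)   # initial role plus the
        role["metadata"].update(name=f"{ns}-role", namespace=ns)  # namespace right
        # Client-certificate users are identified by the certificate CN, so the
        # account is bound as a User subject.
        binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                   "metadata": {"name": f"{account}-binding", "namespace": ns},
                   "subjects": [{"kind": "User", "name": account,
                                 "apiGroup": "rbac.authorization.k8s.io"}],
                   "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                               "kind": "Role", "name": f"{ns}-role"}}
        self.manifests[account] = [namespace, role, binding]
        self.account_of[tenant] = account
        return account

    def create_certificate(self, account, tenant):
        """Stand-in for a CSR (CN=account, O=tenant) signed by the cluster CA;
        the PEM body is only the encoded subject (constructed)."""
        subject = json.dumps({"CN": account, "O": tenant}, sort_keys=True).encode()
        cert_pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(subject).decode()
                    + "\n-----END CERTIFICATE-----\n")
        key_pem = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
        self.certs[account] = (cert_pem, key_pem)
        return cert_pem

    def generate_config(self, tenant, account):
        """Claim 4: initial kubeconfig, then tenant and certificate info written in."""
        ns = self.manifests[account][0]["metadata"]["name"]
        cert_pem, key_pem = self.certs[account]
        config = {"apiVersion": "v1", "kind": "Config", "users": [], "contexts": [],
                  "clusters": [{"name": "cluster", "cluster": {"server": self.api_server}}],
                  "current-context": ""}
        config["users"].append({"name": account, "user": {
            "client-certificate-data": base64.b64encode(cert_pem.encode()).decode(),
            "client-key-data": base64.b64encode(key_pem.encode()).decode()}})
        # The context pins kubectl to the tenant namespace; RBAC rejects the rest.
        config["contexts"].append({"name": tenant, "context": {
            "cluster": "cluster", "user": account, "namespace": ns}})
        config["current-context"] = tenant
        self.config_of[account] = config
        return config

    def handle_create_request(self, tenant):
        """Claim 1: the steps run in order for one container creation request."""
        account = self.create_user_account(tenant)
        self.create_certificate(account, tenant)
        return self.generate_config(tenant, account)

    def handle_download(self, requesting_user, tenant):
        """Claims 5 and 6: only a member of the tenant may fetch its file."""
        if requesting_user not in self.tenants.get(tenant, ()):
            raise PermissionError(f"{requesting_user} is not a member of {tenant}")
        return self.config_of[self.account_of[tenant]]


def namespace_scoped(config, manifests):
    """Check that the binding uses a namespaced Role (not a ClusterRole) and the
    kubeconfig context points at that same namespace."""
    role = next(m for m in manifests if m["kind"] == "Role")
    binding = next(m for m in manifests if m["kind"] == "RoleBinding")
    ctx = config["contexts"][0]["context"]
    return (binding["roleRef"]["kind"] == "Role"
            and binding["metadata"]["namespace"] == role["metadata"]["namespace"]
            and ctx["namespace"] == role["metadata"]["namespace"])
```

In a real deployment the manifests would be applied through the API server and the certificate issued through the cluster's CSR flow; the download path is the point a reviewer should look at most closely, since the membership check in `handle_download` is the only thing stopping one tenant's user from obtaining another tenant's credentials.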
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010725429.2A CN111935110B (en) | 2020-07-24 | 2020-07-24 | Method and device for controlling permission of tenant to access container instance |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111935110A (en) | 2020-11-13 |
CN111935110B (en) | 2022-05-06 |
Family ID: 73314612
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111935110B (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115248730A (en) * | 2021-04-27 | 2022-10-28 | 华为云计算技术有限公司 | Method and device for providing service |
CN113112248A (en) * | 2021-05-20 | 2021-07-13 | 北京明略昭辉科技有限公司 | Project management method, system, electronic equipment and storage medium |
CN113360882A (en) * | 2021-05-27 | 2021-09-07 | 北京百度网讯科技有限公司 | Cluster access method, device, electronic equipment and medium |
CN113329096B (en) * | 2021-06-23 | 2023-04-07 | 未鲲(上海)科技服务有限公司 | Message transmission method and device, electronic equipment and storage medium |
CN115705236A (en) * | 2021-08-16 | 2023-02-17 | 中移物联网有限公司 | Data processing method and device, electronic equipment and storage medium |
CN116094912A (en) * | 2021-11-05 | 2023-05-09 | 华为技术有限公司 | Communication method and device |
CN114710477B (en) * | 2022-03-23 | 2024-04-30 | 中国工商银行股份有限公司 | Method and device for executing command |
CN114885024B (en) * | 2022-04-28 | 2023-09-12 | 远景智能国际私人投资有限公司 | Routing method, device, equipment and medium of application instance |
CN115022021B (en) * | 2022-05-31 | 2024-04-26 | 广东浪潮智慧计算技术有限公司 | Method, system, equipment and computer readable storage medium for accessing k8s |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107111519A (en) * | 2014-11-11 | 2017-08-29 | 亚马逊技术股份有限公司 | For managing the system with scheduling container |
CN107643940A (en) * | 2017-09-26 | 2018-01-30 | 华为技术有限公司 | Container creation method, relevant device and computer-readable storage medium |
CN109413065A (en) * | 2018-10-25 | 2019-03-01 | 山东浪潮云信息技术有限公司 | A kind of cluster safety management method based on container |
US10270759B1 (en) * | 2017-06-21 | 2019-04-23 | Mesosphere, Inc. | Fine grained container security |
US10404474B1 (en) * | 2017-02-02 | 2019-09-03 | Citigroup Technology, Inc. | Systems and methods for container orchestration security |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10592293B2 (en) * | 2017-08-31 | 2020-03-17 | Cisco Technology, Inc. | Tenant-specific policy generation and enforcement within containers |
US10735472B2 (en) * | 2018-07-10 | 2020-08-04 | Cisco Technology, Inc. | Container authorization policies for network trust |
Non-Patent Citations (2)
Title |
---|
Improving Resource Efficiency of; Uchechukwu Awada; IEEE; 2017-07-13; full text * |
Research and implementation of an elastic cloud platform based on Docker; 阚传奇; China Master's Theses Full-text Database, Information Science and Technology; 2020-01-15; full text * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |