CN113315754A - Intelligent linkage method, device, equipment and medium for firewall of container visit - Google Patents


Info

Publication number
CN113315754A
Authority
CN
China
Prior art keywords
address
target
content
container
firewall
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110450592.7A
Other languages
Chinese (zh)
Other versions
CN113315754B (en)
Inventor
冯凯
杨鸣
李明利
张立
孟玉立
刘宇
左宇鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Minsheng Banking Corp Ltd
Original Assignee
China Minsheng Banking Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Minsheng Banking Corp Ltd
Priority to CN202110450592.7A
Publication of CN113315754A
Application granted
Publication of CN113315754B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/06 Management of faults, events, alarms or notifications
              • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
              • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0227 Filtering policies
                • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an intelligent linkage method, device, equipment and medium for a firewall during container visit, wherein the method comprises the following steps: acquiring an access change request to be processed, wherein the access change request comprises a container cluster identifier and change information of an IP address of a container Pod; determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment; determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content; and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to the corresponding access relation strategy. A change of the IP address of the Pod can thus be applied automatically to the access relation strategy of the firewall equipment, which saves labor cost and lets the service be accessed transparently, without the change being perceived.

Description

Intelligent linkage method, device, equipment and medium for firewall of container visit
Technical Field
The application relates to the technical field of network communication, in particular to an intelligent linkage method, device, equipment and medium for a container visiting firewall.
Background
Containers are a technique for effectively partitioning the resources of a single operating system into isolated groups, so as to better balance conflicting resource usage needs among those groups. As the scale of a service system expands, the requirements on the basic environment become more varied and the required time to go online becomes shorter and shorter, which has promoted the large-scale adoption of lighter-weight containers. Driven by the same business demands, network automation systems have also developed greatly, and daily changes such as the network access relationship of a firewall have been automated.
After a service system is deployed to a container platform (container cloud), each module of the service system corresponds to one service container Pod of the container platform. The IP address of the service system changes from a static IP address to a dynamic one: the IP address of the service container Pod in the container platform changes with the environment of the container platform, which in turn may change the IP address of the service system; for example, after the service container Pod is restarted it may obtain an IP address different from the original one.
The network access relation of a traditional firewall needs to be opened with an explicit source IP address or an explicit destination address. Because the container platform is not linked with the network automation system, when the IP address of a service system in the container platform changes, the network access relation of the corresponding firewall can only be changed manually. Manual operation is difficult to perform in real time, and it also brings a large workload and high labor cost, so the network access relation change of a traditional firewall cannot meet the operation and maintenance requirements of a container platform.
Disclosure of Invention
In view of the above, the present application provides an intelligent linkage method, device, equipment and medium for a container visit firewall, which overcome or at least partially solve the above problems, including:
an intelligent linkage method for a container visit firewall, the method comprising:
acquiring an access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment;
determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content;
and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to a corresponding access relation strategy.
Optionally, the determining, according to the correspondence between the container cluster and the firewall device, a target firewall device corresponding to the target container cluster includes:
determining a target network area corresponding to the target container cluster according to the corresponding relation between the container cluster and the network area;
and determining target firewall equipment corresponding to the target network area according to the corresponding relation between the network area and the firewall equipment.
Optionally, the changing information of the IP address of the Pod includes an address set identifier, a target IP address, and an operation type, and the determining, according to the changing information of the IP address, a target address set corresponding to the target firewall device, and processing the original IP address content of the target address set to obtain the target IP address content includes:
determining a target address set corresponding to the target firewall equipment according to the address set identifier;
and acquiring original IP address content of the target address set, and processing the original IP address content according to the target IP address and the corresponding operation type to obtain target IP address content.
Optionally, the operation type includes a creation operation, a deletion operation, and an update operation, and the processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content includes:
when the operation type is an updating operation, splitting the updating operation into a deleting operation and a creating operation; and/or
when the operation type is a creating operation, adding the target IP address into the original IP address content to obtain the target IP address content; and/or
when the operation type is a deleting operation, deleting the IP address corresponding to the target IP address in the original IP address content to obtain the target IP address content.
Optionally, before the generating a change script according to the content of the target IP address, the method further includes:
acquiring the current IP address of the container Pod corresponding to the target address set in the target container cluster to obtain the content of the current IP address; the current IP address content comprises current IP addresses of a plurality of the container Pods;
comparing whether the content of the current IP address is consistent with the content of the target IP address;
if not, determining the content of the current IP address as the content of the target IP address.
Optionally, before the generating a change script according to the content of the target IP address, the method further includes:
if the current IP address of the container Pod corresponding to the target address set in the target container cluster fails to be acquired, sending first fault notification information to corresponding operation and maintenance personnel, wherein the first fault notification information comprises a first fault corresponding to the current IP address acquisition failure, so that the operation and maintenance personnel can process the first fault;
when the operation type is a deleting operation, suspending an access change request corresponding to the deleting operation to obtain a suspended access change request;
and after the first fault is processed, re-executing the suspended access change request.
Optionally, the sending the change script to the target firewall device further includes:
if the sending of the change script fails, hanging a sending task corresponding to the sending of the change script;
sending second fault notification information to corresponding operation and maintenance personnel, wherein the second fault notification information comprises a second fault corresponding to the connection failure of the target firewall equipment, so that the operation and maintenance personnel can process the second fault;
and after the second fault is processed, re-executing the sending task.
Optionally, before the obtaining the pending access change request, the method further includes:
receiving an access change request sent by a container platform;
judging whether the access change request meets the requirement of a preset specification;
and if so, storing the access change request as a pending access change request in a data queue.
An intelligent linkage device for a container visit firewall, the device comprising:
the change request acquisition module is used for acquiring the access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
the firewall equipment determining module is used for determining a target container cluster according to the container cluster identifier and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment;
the target address set processing module is used for determining a target address set corresponding to the target firewall equipment according to the change information of the IP address and processing the original IP address content of the target address set to obtain the target IP address content;
and the access relation policy updating module generates a change script according to the target IP address content and sends the change script to the target firewall equipment so as to apply the target IP address content to a corresponding access relation policy.
Optionally, the firewall device determining module includes:
a first determining module, configured to determine, according to a correspondence between the container cluster and a network area, a target network area corresponding to the target container cluster;
and the second determining module is used for determining the target firewall equipment corresponding to the target network area according to the corresponding relation between the network area and the firewall equipment.
Optionally, the change information of the IP address of the container Pod includes an address set identifier, a target IP address, and an operation type, and the target address set processing module includes:
the address set determining module is used for determining a target address set corresponding to the target firewall equipment according to the address set identification;
and the content updating module is used for acquiring the original IP address content of the target address set and processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content.
Optionally, the operation type includes a creation operation, a deletion operation, and an update operation, and the content update module is specifically configured to:
when the operation type is an updating operation, splitting the updating operation into a deleting operation and a creating operation; and/or
when the operation type is a creating operation, adding the target IP address into the original IP address content to obtain the target IP address content; and/or
when the operation type is a deleting operation, deleting the IP address corresponding to the target IP address in the original IP address content to obtain the target IP address content.
Optionally, the apparatus further comprises:
a current IP address obtaining module, configured to obtain a current IP address of a container Pod corresponding to the target address set in the target container cluster, to obtain current IP address content; the current IP address content comprises current IP addresses of a plurality of the container Pods;
the consistency comparison module is used for comparing whether the content of the current IP address is consistent with the content of the target IP address;
and the address set processing module is used for determining the current IP address content as the target IP address content if the current IP address content is inconsistent with the target IP address content.
Optionally, the apparatus further comprises:
a first failure first processing module, configured to send first failure notification information to a corresponding operation and maintenance worker if acquiring a current IP address of a container Pod corresponding to the target address set in the target container cluster fails, where the first failure notification information includes a first failure corresponding to the current IP address acquisition failure, so that the operation and maintenance worker processes the first failure;
the first failure second processing module is used for suspending the access change request corresponding to the deletion operation when the operation type is the deletion operation, so as to obtain the suspended access change request;
and the first failure third processing module is used for re-executing the suspended access change request after the first failure is processed.
Optionally, the access relationship policy updating module further includes:
the second failure first processing module is used for suspending a sending task corresponding to sending the change script if the change script fails to be sent;
the second fault second processing module is used for sending second fault notification information to corresponding operation and maintenance personnel, wherein the second fault notification information comprises a second fault corresponding to the connection failure of the target firewall equipment, so that the operation and maintenance personnel can process the second fault;
and the second failure third processing module is used for re-executing the sending task after the second failure is processed.
Optionally, the apparatus further comprises:
the access change request receiving module is used for receiving an access change request sent by the container platform;
the standard judgment module is used for judging whether the access change request meets the preset standard requirement;
and the access change request storage module is used for storing the access change request serving as a pending access change request into a data queue if the access change request meets the preset standard requirement.
An electronic device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein the computer program when executed by the processor implements the steps of the intelligent linking method for a container visit firewall as described above.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the container visit firewall intelligent linking method as described above.
The application has the following advantages:
in the embodiment of the application, the network automation system acquires the access change request to be processed, wherein the access change request comprises the container cluster identifier and the change information of the IP address of the container Pod; determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment; determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content; and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to the corresponding access relation strategy. According to the embodiment of the application, the IP address change of the Pod can be automatically applied to the access relation strategy of the firewall equipment, so that the labor cost is saved, the influence of the random change of the address of the service system on the access relation strategy of the firewall equipment is avoided, the service non-perception visit is realized, and the real-time requirement of the service system visit is met;
further, the current IP address content is obtained by obtaining the current IP address of the Pod corresponding to the target address set, and the current IP address content is compared with the target IP address content of the target address set, so that secondary verification of data is realized, and the accuracy of the data is ensured;
further, when the current IP address of the Pod corresponding to the target address set cannot be obtained, it indicates that the data query interface fails, the access change request with the operation type of deletion operation is suspended, the access change request with the operation type of creation operation is normally processed, and the processing is automatically resumed after the failure of the data query interface is eliminated; when the connection with the firewall equipment fails, suspending a sending task corresponding to the change script, and automatically recovering the processing after the fault is eliminated; therefore, the system has good fault tolerance;
furthermore, when a fault is found, relevant operation and maintenance personnel are timely notified to process the fault, so that the fault can be found in real time and processed in time, and influence and loss are reduced.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings needed to be used in the description of the present application will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
Fig. 1 is a flowchart illustrating the steps of an intelligent linkage method for a container visit firewall according to an embodiment of the present application;
Fig. 2 is a flowchart illustrating the steps of preprocessing access change requests according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating the steps of processing an access change request according to an embodiment of the present application;
Fig. 4 is a flowchart illustrating the steps taken to obtain a target address set according to an embodiment of the present application;
Fig. 5 is a schematic overall flow chart of an intelligent linkage method for a container visit firewall according to an embodiment of the present application;
Fig. 6 is a block diagram of an intelligent linkage device for a container visit firewall according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, the terms are defined and explained:
Container technology: the dependencies, class libraries, configuration files and so on required by an application are packaged together with the application into a container image for publishing, so that container deployment is not bound to a particular operating system, shares the system kernel, and runs multiple processes and multiple applications independently. Compared with traditional virtualization, which is realized through hardware simulation or operating system software, container technology is lighter-weight.
Container Pod: the smallest unit of deployment in a container environment. A Pod may contain one or more closely connected containers, in most cases only one; a container is a deployed program belonging to a business system.
Cluster name: ClsName, the name identifier of the container cluster.
Namespace: NameSpace, an independent process space within a container cluster. A namespace typically corresponds to one business system.
Application code: AppCode, the name code of a business system (serves as its unique identifier).
Module code: ModCode, the name code of a business system sub-module (serves as its unique identifier).
In the embodiment of the application, when a service system deployed on a container platform is online and applies for a network access relationship, a service address is not clarified, but an application of an address set corresponding to the service system is submitted, and a network automation system automatically generates and executes an access relationship script according to the region to which the address set belongs. After the execution is finished, the network automation system acquires the IP address of the container Pod corresponding to the service system corresponding to the address set according to the data query interface provided by the container platform, updates the IP address of the container Pod to the address set, and realizes the opening of the access relation strategy of the firewall.
Referring to fig. 1, a flowchart illustrating steps of an intelligent linkage method for a container visit firewall according to an embodiment of the present application is shown, where the method may be applied to a network automation system. The method specifically comprises the following steps:
step 101, obtaining an access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
step 102, determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment;
step 103, determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing original IP address content of the target address set to obtain target IP address content;
step 104, generating a change script according to the target IP address content, and sending the change script to the target firewall equipment so as to apply the target IP address content to a corresponding access relation strategy.
In the embodiment of the application, the network automation system acquires the access change request to be processed, wherein the access change request comprises the container cluster identifier and the change information of the IP address of the container Pod; determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment; determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content; and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to the corresponding access relation strategy. According to the embodiment of the application, the IP address change of the Pod can be automatically applied to the access relation strategy of the firewall equipment, so that the labor cost is saved, the influence of the random address change of the service system on the access relation strategy of the firewall equipment is avoided, the service non-perception visit is realized, and the real-time requirement of the service system visit is met.
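Steps 101 to 104 above, together with the update-split, secondary-verification and fault-suspension behaviour claimed in the Disclosure of Invention, as an added Python example; this is not code from the patent or from the applicant, and the correspondence tables, address-set contents, the `old_ip` request field and the vendor-neutral change-script syntax are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Iterable

# Constructed sample correspondence tables: cluster -> network area and
# network area -> firewall device, as kept by the network automation system.
CLUSTER_TO_AREA = {"cls-prod-01": "area-dmz"}
AREA_TO_FIREWALL = {"area-dmz": "fw-dmz-01"}
# Original IP address content of each address set on each firewall (constructed).
ADDRESS_SETS = {
    "fw-dmz-01": {"cls-prod-01_ns-pay_APP01_MOD02": {"10.1.2.3", "10.1.2.4"}},
}
NOTIFICATIONS: list[str] = []   # fault notifications sent to operations staff


@dataclass(frozen=True)
class AccessChangeRequest:
    cluster: str       # container cluster identifier (ClsName)
    address_set: str   # address set identifier
    op: str            # "create", "delete" or "update"
    target_ip: str     # address to add (create/update) or remove (delete)
    old_ip: str = ""   # assumption: for update, the address being replaced


class SuspendedTask(Exception):
    """The request (or its send task) is parked until the fault is cleared."""


def notify_ops(message: str) -> None:
    NOTIFICATIONS.append(message)


def resolve_firewall(cluster: str) -> str:
    """Step 102: cluster -> network area -> target firewall device."""
    return AREA_TO_FIREWALL[CLUSTER_TO_AREA[cluster]]


def apply_operation(original: Iterable[str], req: AccessChangeRequest) -> set[str]:
    """Step 103: derive the target IP address content from the original content."""
    content = set(original)
    if req.op == "update":
        # An update is split into a delete of the old address and a create of the new one.
        content = apply_operation(content, replace(req, op="delete", target_ip=req.old_ip))
        content = apply_operation(content, replace(req, op="create"))
    elif req.op == "create":
        content.add(req.target_ip)
    elif req.op == "delete":
        content.discard(req.target_ip)
    else:
        raise ValueError(f"unknown operation type: {req.op}")
    return content


def verify_with_platform(target: set[str], req: AccessChangeRequest,
                         query_pod_ips: Callable[[str, str], Iterable[str]]) -> set[str]:
    """Secondary verification against the container platform's data query interface.
    If the Pods' current addresses differ from the computed target, the current
    addresses win. A failed query (first fault) suspends delete requests only;
    create requests are processed normally."""
    try:
        current = set(query_pod_ips(req.cluster, req.address_set))
    except Exception as exc:
        notify_ops(f"first fault: IP query failed for {req.address_set}: {exc}")
        if req.op == "delete":
            raise SuspendedTask(f"delete of {req.target_ip} suspended") from exc
        return target
    return current if current != target else target


def build_change_script(address_set: str, content: set[str]) -> list[str]:
    """Step 104: render the target content as a change script. The command
    syntax is hypothetical and vendor-neutral, not any real firewall CLI."""
    lines = [f"address-set {address_set}"]
    lines += [f"  address {ip}" for ip in sorted(content, key=ipaddress.ip_address)]
    return lines


def process_request(req: AccessChangeRequest,
                    query_pod_ips: Callable[[str, str], Iterable[str]],
                    send: Callable[[str, list[str]], None]) -> tuple[str, list[str], set[str]]:
    """Run steps 102-104 for one pending request; returns (firewall, script, content)."""
    fw = resolve_firewall(req.cluster)
    original = ADDRESS_SETS[fw][req.address_set]
    target = apply_operation(original, req)
    target = verify_with_platform(target, req, query_pod_ips)
    script = build_change_script(req.address_set, target)
    try:
        send(fw, script)
    except Exception as exc:
        # Second fault: firewall unreachable; park the send task and alert ops.
        notify_ops(f"second fault: cannot reach {fw}: {exc}")
        raise SuspendedTask(f"send to {fw} suspended") from exc
    ADDRESS_SETS[fw][req.address_set] = target   # content now applied on the device
    return fw, script, target
```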
Next, the intelligent linkage method of the container visit firewall in the present exemplary embodiment will be further described.
In step 101, obtaining a pending access change request; the access change request includes a container cluster identifier and change information of an IP address of the container Pod.
In this embodiment of the present application, a container cluster may be divided into a plurality of namespaces, and each namespace generally corresponds to one business system. Each namespace includes a plurality of containers Pod, and the containers Pod in different namespaces are isolated from each other. When the IP address of the container Pod corresponding to the service system in the container platform changes, the container platform may automatically generate a corresponding access change request, and send the access change request to the network automation system in real time through the request push interface, and the network automation system receives the access change request pushed by the container platform in real time through the corresponding request receive interface.
In this embodiment, the access change request includes a container cluster identifier and change information of an IP address of the container Pod, where the change information of the IP address may include an address set identifier, a target IP address, and an operation type. Specifically, the access change request may include a cluster name, a namespace, an application code, a module code, an operation type, and a target IP address. Therefore, the container cluster identifier is the cluster name; the cluster name, the name space, the application code and the module code can be spliced into an address set name as an address set identifier, so that the address set identifier is a splicing result of the cluster name, the name space, the application code and the module code.
Specifically, referring to fig. 2, fig. 2 is a flowchart illustrating steps of access change request preprocessing in an embodiment of the present application; after receiving an access change request sent by a container platform, a network automation system first performs data format check on the access change request, for example, data of the access change request must meet requirements of an interface specification document, where the requirements of the interface specification document include that a key field cannot be empty, an IP address format is correct, and an operation type must be one of specified operation types.
For example, taking the above access change request including the cluster name, the namespace, the application code, the module code, the operation type, and the target IP address as an example, the specific data format verification may include: judging whether the cluster name, the namespace, the application code, the module code, the operation type and the target IP address are all correctly filled in, and whether the address set formed by the cluster name, the namespace, the application code and the module code already has a corresponding access relationship policy created in the network automation system.
When the access change request fails to be verified, corresponding verification failure information is returned to the container platform; when the access change request passes the verification, the network automation system stores the verified access change request into the data queue, and obtains a preset number of or all the access change requests from the data queue for processing at preset time intervals (for example, every two seconds).
Therefore, before the obtaining of the pending access change request, the method may further include:
receiving an access change request sent by a container platform;
judging whether the access change request meets the requirement of a preset specification;
if so, the access change request is taken as a pending access change request and stored in a data queue, so that the pending access change request is obtained from the data queue.
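The following is an added example of the preprocessing described above (format check, address set identifier splicing, and queueing); it is not code from the patent or from the applicant's system. The field names, the underscore used to splice the address set identifier, the encoding of an update's target IP address as an "old,new" pair, and the set of known address sets are all assumptions made for the example.

```python
import ipaddress
from collections import deque

# Assumed wire field names for the access change request (the patent lists the
# fields but not their names).
REQUIRED_FIELDS = ("cluster_name", "namespace", "app_code", "module_code",
                   "operation_type", "target_ip")
ALLOWED_OPERATIONS = {"create", "delete", "update"}

# Constructed sample: address sets for which an access relationship policy has
# already been created in the network automation system.
KNOWN_ADDRESS_SETS = {"CLS01_payments_APP01_MOD01"}


def address_set_id(req):
    """Splice cluster name, namespace, application code and module code into the
    address set identifier (the separator is an assumption)."""
    return "_".join((req["cluster_name"], req["namespace"],
                     req["app_code"], req["module_code"]))


def validate_request(req, known_sets=KNOWN_ADDRESS_SETS):
    """Interface-specification check: key fields non-empty, IP addresses
    well-formed, operation type allowed, address set has a policy.
    Returns (ok, reason) so the reason can be sent back to the container platform."""
    for field in REQUIRED_FIELDS:
        if not req.get(field):
            return False, f"field '{field}' is empty"
    op = req["operation_type"]
    if op not in ALLOWED_OPERATIONS:
        return False, f"unknown operation type {op!r}"
    # Assumption: an update carries the old and new address as "old_ip,new_ip".
    ips = [p.strip() for p in req["target_ip"].split(",")]
    if op == "update" and len(ips) != 2:
        return False, "update requires 'old_ip,new_ip'"
    if op != "update" and len(ips) != 1:
        return False, "create/delete carry exactly one target IP"
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return False, f"malformed IP address {ip!r}"
    aset = address_set_id(req)
    if aset not in known_sets:
        return False, f"no access relationship policy for address set {aset}"
    return True, "ok"


class RequestQueue:
    """Verified requests go into a data queue; a worker drains it periodically."""

    def __init__(self, known_sets=KNOWN_ADDRESS_SETS):
        self._q = deque()
        self.known_sets = known_sets

    def receive(self, req):
        ok, reason = validate_request(req, self.known_sets)
        if ok:
            self._q.append(req)
        return ok, reason  # failure reason is what gets returned to the platform

    def take(self, limit=None):
        """Take a preset number of requests (or all of them) for processing."""
        n = len(self._q) if limit is None else min(limit, len(self._q))
        return [self._q.popleft() for _ in range(n)]
```

Returning the rejection reason rather than silently dropping the request matters operationally: a request that fails the format check never reaches the firewall, so the container platform needs the reason in order to correct and resend it.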
In step 102, a target container cluster is determined according to the container cluster identifier, and a target firewall device corresponding to the target container cluster is determined according to the corresponding relationship between the container cluster and the firewall device.
In this embodiment of the present application, a correspondence between a container cluster and a firewall device may be stored in a network automation system, and used to locate the firewall device corresponding to the container cluster.
In practical application, the network automation system stores the correspondence between container clusters and network areas, and a correspondence also exists between network areas and firewall devices. When an access relationship policy related to a container cluster needs to be opened, the network automation system first determines the network area from the correspondence between the container cluster and the network area, then determines the firewall device from the correspondence between the network area and the firewall device, and finally issues the related access relationship policy to that firewall device.
For example, taking the container cluster CLS01 corresponding to the I4 network area as an example, when the access relationship policy of the container cluster CLS01 needs to be opened, the corresponding I4 network area firewall device may be found to issue the relevant policy.
Specifically, when the container cluster needs to open the relevant access relationship policy, the access work order relevant to the container cluster can be uploaded in the network automation system, and the network automation system can automatically generate the access relationship policy opening script corresponding to the firewall device according to the received information of the container cluster in the access work order and send the access relationship policy opening script to the corresponding firewall device. The firewall device stores a firewall address set, and the firewall address set comprises a source address, a destination address and a destination port of an access relationship, and is a main element of an access relationship policy of the firewall device. In the embodiment of the present application, the source address and the destination address may use an address object. And associating the needed IP address, the network segment and the like in the address object, and then calling the address object in the access relation policy, wherein the address object is the firewall address set. When the address set is updated, the policy for calling the address set is automatically changed.
After the access relationship policy has been opened, whenever the IP address of a Pod in the container cluster changes, the IP address content of the firewall address set corresponding to that Pod, on the firewall device corresponding to the container cluster, needs to be changed synchronously, so that the service system whose IP address has changed can still visit normally.
Therefore, in the embodiment of the present application, when the network automation system receives the access change request, since the access change request includes the container cluster identifier, the corresponding target container cluster may be determined according to the container cluster identifier, then the target network area corresponding to the target container cluster may be determined according to the correspondence between the container cluster and the network area, and then the target firewall device corresponding to the target area may be determined according to the correspondence between the network area and the firewall device; the IP address content of the address set corresponding to the target firewall equipment is updated in the subsequent steps, so that the IP address content of the address set of the target firewall equipment is matched with the IP address of the corresponding container Pod in the container cluster, and the service system corresponding to the container cluster can be normally visited.
In step 103, a target address set corresponding to the target firewall device is determined according to the change information of the IP address, and the original IP address content of the target address set is processed to obtain the target IP address content.
In this embodiment, the database of the network automation system stores an address set of the firewall device; the change information of the IP address comprises an address set identifier, a target IP address and an operation type; and determining a target address set according to the address set identification, further acquiring original IP address content of the corresponding target address set from the database, and then processing the original IP address content according to the target IP address and the operation type to obtain the target IP address content.
Specifically, the operation types may include a Create (Create) operation, a Delete (Delete) operation, and an Update (Update) operation, wherein the Update operation may be split into one Delete operation and one Create operation. Therefore, the processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content may include:
when the operation type is an update operation, splitting the update operation into a delete operation and a create operation; and/or
when the operation type is a create operation, adding the target IP address to the original IP address content to obtain the target IP address content; and/or
when the operation type is a delete operation, deleting the IP address corresponding to the target IP address from the original IP address content to obtain the target IP address content.
In a specific implementation, when the operation type is an update operation, the target IP address includes an associated first target IP address and second target IP address; the first target IP address is an IP address already in the original IP address content, and the second target IP address is the new IP address. Processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content may then specifically be: deleting the IP address corresponding to the first target IP address from the original IP address content, and adding the second target IP address to the original IP address content from which the first target IP address has been deleted, to obtain the target IP address content. It should be noted that in this embodiment the target IP address and the target IP address content are different things: the target IP address refers to the single IP address to be processed by the operation, whereas the target IP address content refers to the original IP address content of the target address set after the change information of the IP address has been applied, and therefore relates to all IP addresses in the processed target address set.
Referring to FIG. 3, FIG. 3 is a flow chart illustrating the steps of processing an access change request in one embodiment of the present application. In a specific implementation, the network automation system acquires all pending access change requests at regular intervals (e.g., every two seconds), where the pending access change requests include both requests that have not yet been processed and requests that were previously suspended. For the pending access change requests of the same container cluster, the requests are classified and screened by operation type, the three types create, delete and update are processed, and the address set is looked up according to the cluster name, namespace, application code and module code in the access change request. If an access change request of the create operation and an access change request of the delete operation cancel each other out, neither is retained; for example, if a create operation and a delete operation are both performed on the same IP address, the create request and the delete request for that IP address are deleted at the same time, which reduces the amount of request data to be processed. In order to reduce the number of connections to the firewall device when the change script is subsequently sent, and thus improve change efficiency, the pending access change requests are classified and screened in this way, and finally one change script is generated for each firewall device to be sent.
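As an added example of the batch processing described in step 103 and FIG. 3 (not code from the patent or the applicant's system), the following splits update requests into a delete and a create, cancels create/delete pairs on the same IP address, applies the surviving operations to the original IP address content held in the database, and groups the resulting target IP address content by firewall device so that one script per device can be generated later. The request dictionaries, the in-memory database, the cluster-to-firewall mapping and the sample IP addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample batch for one cluster: the create and delete of 10.0.1.5
# cancel out, the update replaces 10.0.1.1 with 10.0.1.2.
SAMPLE_REQUESTS = [
    {"cluster": "CLS01", "address_set": "CLS01_payments_APP01_MOD01", "op": "create", "ip": "10.0.1.5"},
    {"cluster": "CLS01", "address_set": "CLS01_payments_APP01_MOD01", "op": "delete", "ip": "10.0.1.5"},
    {"cluster": "CLS01", "address_set": "CLS01_payments_APP01_MOD01", "op": "update",
     "ip": ("10.0.1.1", "10.0.1.2")},
    {"cluster": "CLS01", "address_set": "CLS01_payments_APP02_MOD01", "op": "delete", "ip": "10.0.2.9"},
]

# Constructed stand-in for the network automation system's database:
# (cluster, address set) -> original IP address content.
SAMPLE_DB = {
    ("CLS01", "CLS01_payments_APP01_MOD01"): {"10.0.1.1", "10.0.1.3"},
    ("CLS01", "CLS01_payments_APP02_MOD01"): {"10.0.2.8", "10.0.2.9"},
}

# Constructed: cluster -> firewall device (the patent derives this through the
# network area; the two-step lookup is collapsed here).
CLUSTER_TO_FIREWALL = {"CLS01": "fw-I4"}


def split_update(req):
    """An update (old -> new) becomes one delete and one create on the same set."""
    if req["op"] != "update":
        return [req]
    old_ip, new_ip = req["ip"]
    base = {k: v for k, v in req.items() if k not in ("op", "ip")}
    return [dict(base, op="delete", ip=old_ip), dict(base, op="create", ip=new_ip)]


def screen_requests(reqs):
    """Cancel create/delete pairs for the same (cluster, address set, ip).
    A net count of zero means the original content stands for that IP, as the
    description specifies. Returns {(cluster, address_set): [(op, ip), ...]}."""
    atomic = [r for req in reqs for r in split_update(req)]
    net = defaultdict(int)  # +1 per create, -1 per delete
    for r in atomic:
        net[(r["cluster"], r["address_set"], r["ip"])] += 1 if r["op"] == "create" else -1
    grouped = defaultdict(list)
    for (cluster, aset, ip), n in net.items():
        if n > 0:
            grouped[(cluster, aset)].append(("create", ip))
        elif n < 0:
            grouped[(cluster, aset)].append(("delete", ip))
    return dict(grouped)


def apply_ops(original_content, ops):
    """Apply surviving operations to the original content; returns sorted target content."""
    content = set(original_content)
    for op, ip in ops:
        if op == "create":
            content.add(ip)
        else:
            content.discard(ip)
    return sorted(content)


def process_batch(reqs, db, cluster_to_fw):
    """Returns {firewall device: {address set: target IP address content}}, i.e.
    everything needed to build one change script per firewall device."""
    plan = defaultdict(dict)
    for (cluster, aset), ops in screen_requests(reqs).items():
        fw = cluster_to_fw[cluster]
        plan[fw][aset] = apply_ops(db.get((cluster, aset), set()), ops)
    return dict(plan)
```

Cancelling by net count follows the description literally: a create and a delete of the same address within one batch leave the original content untouched, and the address set is only rewritten for IPs with a non-zero net change.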
Further, in an optional embodiment of the present application, in order to ensure data accuracy, after the processing the original IP address content of the target address set to obtain the target IP address content, the method may further include:
acquiring the current IP address of the container Pod corresponding to the target address set in the target container cluster to obtain the content of the current IP address; the current IP address content comprises current IP addresses of a plurality of the container Pods;
comparing whether the content of the current IP address is consistent with the content of the target IP address;
if not, determining the content of the current IP address as the content of the target IP address.
In this embodiment, after updating the IP address content of the target address set in the database to obtain the target IP address content, the network automation system may obtain the current IP addresses of the container Pods corresponding to the target address set in the target container cluster through a data query interface provided by the container platform, and take the current IP addresses of all those container Pods together as the current IP address content. It then compares whether the current IP address content is consistent with the target IP address content of the target address set held in the network automation system. If they are consistent, the change script is generated from the target IP address content of the target address set in the network automation system. If they are inconsistent, the current IP address content obtained from the container platform is taken as authoritative: the target IP address content of the target address set is replaced by the current IP address content from the container platform, and the change script is finally generated from that target IP address content.
Further, in the process of obtaining the current IP address of the container Pod corresponding to the target address set in the target container cluster to obtain the content of the current IP address, when the data query interface provided by the container platform is invalid, the current IP address of the container Pod is failed to be obtained; correspondingly, the method may further include:
if the current IP address of the container Pod corresponding to the target address set in the target container cluster fails to be acquired, sending first fault notification information to corresponding operation and maintenance personnel, wherein the first fault notification information comprises a first fault corresponding to the current IP address acquisition failure, so that the operation and maintenance personnel can process the first fault;
when the operation type is a deleting operation, suspending an access change request corresponding to the deleting operation to obtain a suspended access change request;
and after the first fault is processed, re-executing the suspended access change request.
In this embodiment, when the network automation system fails to acquire the current IP address of the container Pod corresponding to the target address set in the target container cluster, it means that the data reference is lost, at this time, the network automation system uses the local database as a reference, stops processing the access change request of the deletion operation type, only processes the creation operation to ensure that the access of the service system is not affected, and simultaneously sends a corresponding first fault notification message to the corresponding operation and maintenance staff, so that the operation and maintenance staff can find the fault in time and process the first fault. After the first fault is processed, the network automation system can process the access change request corresponding to the suspended deletion operation without manual triggering.
Illustratively, in conjunction with fig. 4, fig. 4 shows a flowchart of steps for obtaining the content of the target IP address according to an embodiment of the present application. When a data query interface provided by a container platform is normal and a network automation system can obtain the content of a current IP address, comparing whether the content of the current IP address is consistent with the content of a target IP address, if so, generating a corresponding update script according to the content of the target IP address, wherein the update script can correspond to the difference between the content of the target IP address and the content of an original IP address and also can correspond to the total amount of the content of the target IP address; if not, generating a corresponding update script based on the content of the current IP address, wherein the update script can correspond to the whole content of the current IP address or the difference between the content of the current IP address and the content of the original IP address. When a data query interface provided by a container platform fails, the current IP address content cannot be acquired, at the moment, a task corresponding to an access change request for deleting an operation type is suspended, the access request for creating the operation type is normally processed to obtain target IP address content, and a corresponding update script is generated based on the target IP address content, wherein the update script can correspond to the difference between the target IP address content and the original IP address content and can also correspond to the total amount of the target IP address content. After the update script is generated, the update script can be automatically issued to the corresponding target firewall equipment.
Generally, in order to save data processing resources, in the two cases where the current IP address content is consistent with the target IP address content and where the current IP address content could not be acquired, the corresponding update script can be generated from the processed access change request: in both cases the processed access change request is considered correct, and since it records the difference between the target IP address content and the original IP address content, the update script can be generated directly from it. When the current IP address content is inconsistent with the target IP address content, either the corresponding change script is generated from the full current IP address content, or the difference between the current IP address content and the original IP address content is determined and the change script is generated from that difference.
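The secondary verification and fault tolerance described above (comparison against the container platform, suspension of delete operations when the data query interface fails, and the choice between a differential and a full update script) can be exercised together in one added example. The code below is not from the patent or the applicant's system; the query interface is modelled as a callable that either returns the current Pod IPs or raises, and the script lines are vendor-neutral placeholders standing in for whatever the real firewall CLI expects.

```python
class QueryInterfaceDown(Exception):
    """Raised when the container platform's data query interface is unavailable."""


def reconcile(original_content, target_content, pending_ops, query_current, notify=print):
    """Secondary verification of the target IP address content.

    query_current() returns the current IP addresses of the Pods behind the address
    set, or raises QueryInterfaceDown. pending_ops is the processed access change
    request as [(op, ip), ...]. Returns (final_content, script_mode, suspended_ops):
      - consistent with platform      -> target content, differential script
      - inconsistent with platform    -> platform content is authoritative, full script
      - query interface unavailable   -> only create ops applied, delete ops suspended,
                                         first-fault notification sent
    """
    try:
        current = set(query_current())
    except QueryInterfaceDown as exc:
        notify(f"first fault: current Pod IPs unavailable ({exc}); delete operations suspended")
        suspended = [(op, ip) for op, ip in pending_ops if op == "delete"]
        content = set(original_content)
        for op, ip in pending_ops:
            if op == "create":
                content.add(ip)
        return sorted(content), "diff", suspended
    if current == set(target_content):
        return sorted(target_content), "diff", []
    notify("platform and local database disagree; platform content taken as authoritative")
    return sorted(current), "full", []


def build_script(address_set, original_content, final_content, mode):
    """Generate change script lines. The command words are assumptions, not a
    real firewall CLI: 'full' rewrites the whole set, 'diff' applies only changes."""
    lines = [f"address-set {address_set}"]
    if mode == "full":
        lines.append(" clear")
        lines += [f" add {ip}" for ip in final_content]
    else:
        orig, final = set(original_content), set(final_content)
        lines += [f" delete {ip}" for ip in sorted(orig - final)]
        lines += [f" add {ip}" for ip in sorted(final - orig)]
    lines.append(" commit")
    return lines


# Constructed sample: the address set held 10.0.1.1 and 10.0.1.3; the processed
# request replaced 10.0.1.1 with 10.0.1.2.
SAMPLE_ORIGINAL = {"10.0.1.1", "10.0.1.3"}
SAMPLE_TARGET = ["10.0.1.2", "10.0.1.3"]
SAMPLE_OPS = [("delete", "10.0.1.1"), ("create", "10.0.1.2")]


def query_consistent():
    return {"10.0.1.2", "10.0.1.3"}


def query_drifted():
    # The platform additionally reports a Pod the request never mentioned.
    return {"10.0.1.2", "10.0.1.3", "10.0.1.7"}


def query_unavailable():
    raise QueryInterfaceDown("connection refused")
```

Suspending only the delete operations when the reference data is lost is the safe failure direction for availability: an extra address left in the set keeps a service reachable, whereas a wrongly deleted one cuts it off.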
In step 104, a change script is generated according to the target IP address content, and the change script is sent to the target firewall device, so that the target IP address content is applied to a corresponding access relationship policy.
In this embodiment, the network automation system generates a change script according to the content of the target IP address, specifically, the change script may be generated according to the total content of the target IP address, or the change script may be generated according to the difference between the content of the target IP address and the content of the original IP address; and then, the change script is issued to the corresponding firewall equipment, so that the target IP address of the service system can be centralized in the address of the firewall equipment, and the normal visit of the service system is realized.
In a specific implementation, the network automation system may connect to the target firewall device over SSH (Secure Shell protocol) and execute the issuing operation of the change script, so that the target firewall device applies the target IP address content of the target address set to the corresponding access relationship policy according to the change script; optionally, while the change script is being issued, the execution return value of each line of the script may be checked, so as to ensure that the issuing process is accurate.
In practical application, when a target firewall device fails and the network automation system cannot be connected to the target firewall device, namely the network automation system cannot issue the change script to the target firewall device, at the moment, the network automation system can suspend the sending task of issuing the change script and simultaneously inform corresponding network operation and maintenance personnel of processing the failure, and after the failure is processed, the network automation system can automatically process the suspended sending task without manual triggering. Therefore, the sending the change script to the target firewall device may further include:
if the sending of the change script fails, hanging a sending task corresponding to the sending of the change script;
sending second fault notification information to corresponding operation and maintenance personnel, wherein the second fault notification information comprises a second fault corresponding to the connection failure of the target firewall equipment, so that the operation and maintenance personnel can process the second fault;
and after the second fault is processed, re-executing the sending task.
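As an added example of the issuing logic in step 104 (per-line return value checking, suspension of the sending task when the firewall cannot be reached, notification of operations staff, and automatic re-execution once the fault is cleared), the dispatcher below is not code from the patent or the applicant's system. The SSH session is abstracted behind a transport callable; a constructed fake firewall stands in for the real device so the example runs offline. In a real deployment the transport would wrap an SSH client (for example paramiko's exec_command and the channel's exit status) and the notify callable would feed the operations alerting channel.

```python
import ipaddress


class FirewallUnreachable(Exception):
    """Raised by the transport when the SSH connection to the device fails."""


class SendTask:
    """One change script destined for one target firewall device."""

    def __init__(self, device, script):
        self.device = device
        self.script = list(script)
        self.suspended = False
        self.done = False
        self.failed_line = None


class Dispatcher:
    """transport(device, line) -> (return_code, output), or raises FirewallUnreachable.
    notify(message) delivers fault notifications to operations staff."""

    def __init__(self, transport, notify):
        self.transport = transport
        self.notify = notify
        self.suspended = []

    def issue(self, task):
        """Issue the script line by line, checking every return value."""
        try:
            for line in task.script:
                rc, out = self.transport(task.device, line)
                if rc != 0:
                    # A non-zero return means the device rejected this line; stop
                    # here rather than commit a partially applied address set.
                    task.failed_line = line
                    self.notify(f"{task.device}: line {line!r} returned {rc}: {out}")
                    return False
        except FirewallUnreachable as exc:
            # Second fault: cannot connect. Suspend the sending task, not drop it.
            task.suspended = True
            self.suspended.append(task)
            self.notify(f"second fault: cannot connect to {task.device} ({exc})")
            return False
        task.done = True
        return True

    def resume(self):
        """Re-execute suspended sending tasks after the fault is cleared; tasks
        that still fail are re-suspended by issue()."""
        tasks, self.suspended = self.suspended, []
        results = []
        for task in tasks:
            task.suspended = False
            results.append(self.issue(task))
        return results


class FakeFirewall:
    """Constructed stand-in for a firewall device reached over SSH. It refuses
    connections while unreachable and rejects 'add' lines with a malformed address."""

    def __init__(self, reachable=True):
        self.reachable = reachable
        self.applied = []

    def run(self, device, line):
        if not self.reachable:
            raise FirewallUnreachable(f"{device}: connection timed out")
        words = line.split()
        if words and words[0] == "add":
            try:
                ipaddress.ip_address(words[1])
            except (IndexError, ValueError):
                return 1, "invalid address"
        self.applied.append(line)
        return 0, ""
```

Stopping at the first non-zero return value, instead of blindly sending the remaining lines, is what makes the per-line check useful: the commit line is never reached for a script that the device has partly rejected, and the failing line is recorded for the operations staff.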
Further, when the network automation system cannot receive the access change request sent by the container platform, the container platform may adopt a data retransmission mechanism to ensure that data is not lost, and simultaneously send corresponding third fault notification information to notify corresponding application operation and maintenance personnel to process the third fault, after the fault processing is completed, the container platform restarts sending the access change request to the network automation system without manual triggering.
Optionally, the interfaces involved in this embodiment may be standard REST APIs (Representational State Transfer Application Programming Interfaces), a design and development style for network applications that reduces development complexity and improves system scalability; authentication through a username and password can be performed on them to ensure the accuracy of the data source and implement interface security.
In the embodiment of the application, the network automation system acquires the access change request to be processed, wherein the access change request comprises the container cluster identifier and the change information of the IP address of the container Pod; determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment; determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content; and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to the corresponding access relation strategy. According to the embodiment of the application, the IP address change of the Pod can be automatically applied to the access relation strategy of the firewall equipment, so that the labor cost is saved, the influence of the random change of the address of the service system on the access relation strategy of the firewall equipment is avoided, the service non-perception visit is realized, and the real-time requirement of the service system visit is met;
further, the current IP address content is obtained by obtaining the current IP address of the Pod corresponding to the target address set, and the current IP address content is compared with the target IP address content of the target address set, so that secondary verification of data is realized, and the accuracy of the data is ensured;
further, when the current IP address of the Pod corresponding to the target address set cannot be obtained, it indicates that the data query interface fails, the access change request with the operation type of deletion operation is suspended, the access change request with the operation type of creation operation is normally processed, and the processing is automatically resumed after the failure of the data query interface is eliminated; when the connection with the firewall equipment fails, suspending a sending task corresponding to the change script, and automatically recovering the processing after the fault is eliminated; therefore, the system has good fault tolerance;
furthermore, when a fault is found, relevant operation and maintenance personnel are timely notified to process the fault, so that the fault can be found in real time and processed in time, and influence and loss are reduced.
To help those skilled in the art understand the intelligent linkage method for the container visit firewall provided in the embodiment of the present application, the following describes the method by way of example from the perspective of the intelligent linkage system for the container visit firewall, starting from the point at which the service system first goes on-line.
The intelligent linkage system of the firewall for the container visit comprises a container platform, a network automation system and the firewall. And the container platform pushes the access change request to a network automation system through an interface, and the network automation system acquires the IP address of the latest container Pod of the service system based on the received access change request and automatically opens the visiting access relation of the service system.
Specifically, referring to fig. 5, an overall flowchart of the intelligent linkage method for the container visit firewall according to the embodiment of the present application is shown.
When the service system is on-line, an access relation application is firstly required, that is, when the service system is on-line, an access relation policy of corresponding firewall equipment needs to be applied to the network automation system, which is the basis for realizing the visit of the service system.
The network automation system realizes the opening of the access relation of the service system by setting a firewall. At this time, the IP address associated with the address object in the firewall address set in the access relationship policy corresponding to the service system in the firewall device may be null.
After the service system access relationship is opened for the first time, a first update application needs to be performed, that is, the IP address associated with the address object in the firewall address set needs to be supplemented.
The container platform can send the address data of the business system to the network automation system so that the network automation system updates the address data to the firewall address set, and therefore the normal visit of the current business system can be achieved.
In the operation process, when the service system has a fault, the container platform can perform container Pod switching and address updating corresponding to the service system.
The container platform may push an address update request, i.e., an access change request, to the network automation system.
After the network automation system successfully receives the address updating request, data analysis processing is carried out according to the address updating request and existing data in an original database, meanwhile, the latest address data of the service system is obtained from the container platform, the obtained latest address data of the service system is compared with the address data after the data analysis processing, the address data which is finally used for updating a firewall address set in the access relation strategy is determined, and the access relation strategy of the firewall equipment is updated according to the finally determined address data.
According to the intelligent linkage method for the container visit firewall, the container platform and the network automation system are interacted through the API, the service system of the container platform does not need manual intervention when visiting externally, the IP address change of the container Pod can be directly pushed to the network automation system through the API, then the network automation system applies the new IP address after the change to the firewall strategy, the requirement that the service system visits rapidly is met, and the IP address change cannot be basically sensed by the service system. Therefore, the problem that the traditional network cannot cope with the change of the IP address of the container environment is solved.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
Referring to fig. 6, a block diagram of an embodiment of an intelligent linkage device for a container visit firewall according to the present application is shown, and in the embodiment of the present application, the device may specifically include the following modules:
a change request obtaining module 601, configured to obtain an access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
a firewall device determining module 602, configured to determine a target container cluster according to the container cluster identifier, and determine a target firewall device corresponding to the target container cluster according to a correspondence between the container cluster and a firewall device;
a target address set processing module 603, configured to determine, according to the change information of the IP address, a target address set corresponding to the target firewall device, and to process the original IP address content of the target address set to obtain the target IP address content;
and an access relationship policy updating module 604, configured to generate a change script according to the target IP address content and send the change script to the target firewall device, so that the target IP address content is applied to the corresponding access relationship policy.
Optionally, the firewall device determining module 602 includes:
a first determining module, configured to determine, according to a correspondence between the container cluster and a network area, a target network area corresponding to the target container cluster;
and the second determining module is used for determining the target firewall equipment corresponding to the target network area according to the corresponding relation between the network area and the firewall equipment.
Optionally, the change information of the IP address of the container Pod includes an address set identifier, a target IP address, and an operation type, and the target address set processing module 603 includes:
the address set determining module is used for determining a target address set corresponding to the target firewall equipment according to the address set identification;
and the content updating module is used for acquiring the original IP address content of the target address set and processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content.
Optionally, the operation type includes a creation operation, a deletion operation, and an update operation, and the content update module is specifically configured to:
when the operation type is an update operation, split the update operation into a delete operation followed by a create operation; and/or
when the operation type is a create operation, add the target IP address to the original IP address content to obtain the target IP address content; and/or
when the operation type is a delete operation, remove the IP address matching the target IP address from the original IP address content to obtain the target IP address content.
Optionally, the apparatus further comprises:
a current IP address obtaining module, configured to obtain a current IP address of a container Pod corresponding to the target address set in the target container cluster, to obtain current IP address content; the current IP address content comprises current IP addresses of a plurality of the container Pods;
the consistency comparison module is used for comparing whether the content of the current IP address is consistent with the content of the target IP address;
and the address set processing module is used for determining the current IP address content as the target IP address content if the current IP address content is inconsistent with the target IP address content.
Optionally, the apparatus further comprises:
a first failure first processing module, configured to send first failure notification information to the responsible operation and maintenance personnel if acquiring the current IP address of the container Pod corresponding to the target address set in the target container cluster fails, the first failure notification information including a first failure corresponding to the current IP address acquisition failure, so that the operation and maintenance personnel can handle the first failure;
a first failure second processing module, configured to suspend the access change request when its operation type is a delete operation, to obtain a suspended access change request;
and a first failure third processing module, configured to re-execute the suspended access change request after the first failure has been handled.
Optionally, the access relationship policy updating module 604 further includes:
a second failure first processing module, configured to suspend the sending task corresponding to the change script if sending the change script fails;
a second failure second processing module, configured to send second failure notification information to the responsible operation and maintenance personnel, the second failure notification information including a second failure corresponding to the connection failure to the target firewall device, so that the operation and maintenance personnel can handle the second failure;
and a second failure third processing module, configured to re-execute the sending task after the second failure has been handled.
Optionally, the apparatus further comprises:
an access change request receiving module, configured to receive an access change request sent by the container platform;
a specification judgment module, configured to judge whether the access change request meets a preset specification;
and an access change request storage module, configured to store the access change request in a data queue as a pending access change request if it meets the preset specification.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiment of the application also discloses an electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the intelligent linkage method for a container-access firewall described above.
The embodiment of the application also discloses a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the intelligent linkage method for a container-access firewall described above.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one of skill in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The foregoing is a detailed description of the intelligent linkage method, device, equipment and medium for a container-access firewall provided by the present application. Specific examples have been used herein to explain the principle and implementation of the application, and the description of those examples serves only to help understand the method and its core idea; at the same time, a person skilled in the art may, following the idea of the application, vary both the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the application.

Claims (11)

1. An intelligent linkage method for a container-access firewall, characterized in that it comprises the following steps:
acquiring an access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
determining a target container cluster according to the container cluster identifier, and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment;
determining a target address set corresponding to the target firewall equipment according to the change information of the IP address, and processing the original IP address content of the target address set to obtain the target IP address content;
and generating a change script according to the content of the target IP address, and sending the change script to the target firewall equipment so as to apply the content of the target IP address to a corresponding access relation strategy.
2. The method according to claim 1, wherein the determining a target firewall device corresponding to the target container cluster according to the correspondence between the container cluster and the firewall device comprises:
determining a target network area corresponding to the target container cluster according to the corresponding relation between the container cluster and the network area;
and determining target firewall equipment corresponding to the target network area according to the corresponding relation between the network area and the firewall equipment.
3. The method according to claim 1, wherein the change information of the IP address of the container Pod comprises an address set identifier, a target IP address and an operation type, and wherein determining, according to the change information of the IP address, a target address set corresponding to the target firewall device and processing the original IP address content of the target address set to obtain target IP address content comprises:
determining a target address set corresponding to the target firewall equipment according to the address set identifier;
and acquiring original IP address content of the target address set, and processing the original IP address content according to the target IP address and the corresponding operation type to obtain target IP address content.
4. The method of claim 3, wherein the operation types include a create operation, a delete operation, and an update operation, and wherein the processing the original IP address content according to the target IP address and the corresponding operation type to obtain the target IP address content comprises:
when the operation type is an update operation, splitting the update operation into a delete operation followed by a create operation; and/or
when the operation type is a create operation, adding the target IP address to the original IP address content to obtain the target IP address content; and/or
when the operation type is a delete operation, removing the IP address matching the target IP address from the original IP address content to obtain the target IP address content.
5. The method of claim 4, wherein prior to said generating a change script based on said target IP address content, said method further comprises:
acquiring the current IP address of the container Pod corresponding to the target address set in the target container cluster to obtain the content of the current IP address; the current IP address content comprises current IP addresses of a plurality of the container Pods;
comparing whether the content of the current IP address is consistent with the content of the target IP address;
if not, determining the content of the current IP address as the content of the target IP address.
6. The method of claim 5, wherein prior to said generating a change script based on said target IP address content, said method further comprises:
if the current IP address of the container Pod corresponding to the target address set in the target container cluster fails to be acquired, sending first fault notification information to corresponding operation and maintenance personnel, wherein the first fault notification information comprises a first fault corresponding to the current IP address acquisition failure, so that the operation and maintenance personnel can process the first fault;
when the operation type is a deleting operation, suspending an access change request corresponding to the deleting operation to obtain a suspended access change request;
and after the first fault is processed, re-executing the suspended access change request.
7. The method according to claim 1, wherein sending the change script to the target firewall device further comprises:
if sending the change script fails, suspending the sending task corresponding to the change script;
sending second fault notification information to corresponding operation and maintenance personnel, wherein the second fault notification information comprises a second fault corresponding to the connection failure of the target firewall equipment, so that the operation and maintenance personnel can process the second fault;
and after the second fault is processed, re-executing the sending task.
8. The method according to claim 1, wherein, before obtaining the access change request to be processed, the method further comprises:
receiving an access change request sent by a container platform;
judging whether the access change request meets the requirement of a preset specification;
and if so, storing the access change request as a pending access change request in a data queue.
9. An intelligent linkage device for a container-access firewall, characterized in that the device comprises:
the change request acquisition module is used for acquiring the access change request to be processed; the access change request comprises a container cluster identifier and change information of an IP address of a container Pod;
the firewall equipment determining module is used for determining a target container cluster according to the container cluster identifier and determining target firewall equipment corresponding to the target container cluster according to the corresponding relation between the container cluster and the firewall equipment;
the target address set processing module is used for determining a target address set corresponding to the target firewall equipment according to the change information of the IP address and processing the original IP address content of the target address set to obtain the target IP address content;
and an access relationship policy updating module, configured to generate a change script according to the target IP address content and send the change script to the target firewall device, so that the target IP address content is applied to the corresponding access relationship policy.
10. An electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the intelligent linkage method for a container-access firewall according to any one of claims 1 to 8.
11. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the steps of the intelligent linkage method for a container-access firewall according to any one of claims 1 to 8.
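The device modules 601 to 604 above and claims 1 to 8 describe one procedure: validate and queue a Pod IP change request, map the cluster to a network area and then to a firewall, rewrite the firewall address set (an update being a delete plus a create), reconcile the result against the Pod IPs the cluster actually reports, render a change script, and suspend the request or the send task for operator retry when either the cluster query or the firewall connection fails. The following Python sketch is an added example that walks that procedure end to end; it is not code from the patent or from the applicant. The cluster/zone/firewall tables, the `old_ip` field carried by an update request, the rule that a create may proceed without reconciliation when the cluster query fails, and the use of ipset syntax (with a shadow set swapped in atomically, which the patent does not specify) as a stand-in for the firewall vendor's CLI are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed tables standing in for the patent's cluster -> network area -> firewall
# correspondences (claim 2). All names here are assumptions for the example.
CLUSTER_TO_ZONE = {"k8s-prod-a": "dmz", "k8s-prod-b": "core"}
ZONE_TO_FIREWALL = {"dmz": "fw-dmz-01", "core": "fw-core-01"}
VALID_OPS = {"create", "delete", "update"}


@dataclass(frozen=True)
class ChangeRequest:
    cluster_id: str
    address_set: str              # address-set (address group) identifier on the firewall
    target_ip: str                # IP the operation refers to (the new IP for an update)
    op: str
    old_ip: Optional[str] = None  # assumption: an update also carries the IP being replaced


def validate(req: ChangeRequest) -> bool:
    """Preset-specification check (claim 8) run before a request is admitted to the queue."""
    if req.cluster_id not in CLUSTER_TO_ZONE or req.op not in VALID_OPS or not req.address_set:
        return False
    if req.op == "update" and not req.old_ip:
        return False
    try:
        ipaddress.ip_address(req.target_ip)
        if req.old_ip is not None:
            ipaddress.ip_address(req.old_ip)
    except ValueError:
        return False
    return True


def resolve_firewall(cluster_id: str) -> str:
    """Claim 2: cluster -> network area -> firewall device."""
    return ZONE_TO_FIREWALL[CLUSTER_TO_ZONE[cluster_id]]


def expand(req: ChangeRequest) -> list:
    """Claim 4: an update is split into delete(old IP) followed by create(new IP)."""
    if req.op != "update":
        return [req]
    return [ChangeRequest(req.cluster_id, req.address_set, req.old_ip, "delete"),
            ChangeRequest(req.cluster_id, req.address_set, req.target_ip, "create")]


def apply_ops(original: frozenset, ops) -> frozenset:
    """Claims 3 and 4: derive the target IP address content from the original content."""
    content = set(original)
    for op in ops:
        if op.op == "create":
            content.add(op.target_ip)
        elif op.op == "delete":
            content.discard(op.target_ip)  # removing an IP that is already gone is a no-op
    return frozenset(content)


def render_script(firewall: str, address_set: str, content: frozenset) -> str:
    """Change script for the device. ipset syntax is a stand-in for the vendor CLI;
    filling a shadow set and swapping it in means the access policy never references
    a half-built or empty set while the change is being applied."""
    shadow = f"{address_set}_new"

    def order(ip: str):  # sort v4 before v6; mixed versions are not comparable directly
        parsed = ipaddress.ip_address(ip)
        return (parsed.version, parsed)

    lines = [f"# target device: {firewall}",
             f"ipset create {shadow} hash:ip -exist",
             f"ipset flush {shadow}"]
    lines += [f"ipset add {shadow} {ip}" for ip in sorted(content, key=order)]
    lines += [f"ipset swap {shadow} {address_set}", f"ipset destroy {shadow}"]
    return "\n".join(lines)


def process(req: ChangeRequest, original: frozenset,
            fetch_current: Callable[[str, str], frozenset],
            send: Callable[[str, str], None]):
    """Run one request end to end. Returns (status, script) with status in
    {"rejected", "suspended", "applied"}; "suspended" is the state an operator clears
    before the request or the send task is re-executed (claims 6 and 7)."""
    if not validate(req):
        return "rejected", None
    firewall = resolve_firewall(req.cluster_id)
    ops = expand(req)
    target = apply_ops(original, ops)
    try:
        current = fetch_current(req.cluster_id, req.address_set)
    except Exception:
        # Claim 6: the live Pod IPs could not be read. A delete is suspended (notify
        # ops, retry later); a create proceeds unreconciled (assumption for the example).
        if any(o.op == "delete" for o in ops):
            return "suspended", None
        current = None
    if current is not None and current != target:
        target = current  # claim 5: the cluster's live Pod IPs win over the computed set
    script = render_script(firewall, req.address_set, target)
    try:
        send(firewall, script)
    except Exception:
        return "suspended", script  # claim 7: suspend the send task for retry
    return "applied", script
```

The reconciliation step is the security-relevant one: a stale address set that still contains a recycled Pod IP grants the firewall exemption to whatever Pod now holds that address, so the cluster's current Pod list, not the request history, is what finally lands in the script. A real deployment would also restrict which address sets a given container platform may name, so that a compromised platform cannot rewrite sets referenced by unrelated policies.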
CN202110450592.7A 2021-04-25 2021-04-25 Intelligent linkage method, device, equipment and medium for firewall of container visit Active CN113315754B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110450592.7A CN113315754B (en) 2021-04-25 2021-04-25 Intelligent linkage method, device, equipment and medium for firewall of container visit

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110450592.7A CN113315754B (en) 2021-04-25 2021-04-25 Intelligent linkage method, device, equipment and medium for firewall of container visit

Publications (2)

Publication Number Publication Date
CN113315754A true CN113315754A (en) 2021-08-27
CN113315754B CN113315754B (en) 2022-07-12

Family

ID=77371011

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110450592.7A Active CN113315754B (en) 2021-04-25 2021-04-25 Intelligent linkage method, device, equipment and medium for firewall of container visit

Country Status (1)

Country Link
CN (1) CN113315754B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080148380A1 (en) * 2006-10-30 2008-06-19 Microsoft Corporation Dynamic updating of firewall parameters
US20140150050A1 (en) * 2007-05-22 2014-05-29 Skybox Security Inc. Method, a system, and a computer program product for managing access change assurance
CN108369525A (en) * 2015-12-15 2018-08-03 微软技术许可有限责任公司 scalable tenant network
US20180176185A1 (en) * 2016-12-19 2018-06-21 Nicira, Inc. Firewall rule management for hierarchical entities
EP3547134A1 (en) * 2018-03-29 2019-10-02 Hewlett-Packard Enterprise Development LP Container cluster management
US20190306231A1 (en) * 2018-03-29 2019-10-03 Hewlett Packard Enterprise Development Lp Container cluster management
CN111614605A (en) * 2019-02-26 2020-09-01 瞻博网络公司 Automatic configuration of boundary firewall based on security group information of SDN virtual firewall
US20200351309A1 (en) * 2019-04-30 2020-11-05 Palo Alto Networks, Inc. Security policy enforcement and visibility for network architectures that mask external source addresses

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dai Xiangdong et al.: "Research on a Firewall Policy Description Method Based on the Ponder Language", Computer Applications and Software (计算机应用与软件) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114039751A (en) * 2021-10-26 2022-02-11 杭州博盾习言科技有限公司 Network dynamic sensing device, system and method
CN114039751B (en) * 2021-10-26 2024-06-14 杭州博盾习言科技有限公司 Network dynamic sensing device, system and method
CN114374543A (en) * 2021-12-20 2022-04-19 北京北信源软件股份有限公司 Network security protection method, system, device, security switch and storage medium
CN114374543B (en) * 2021-12-20 2023-10-13 北京北信源软件股份有限公司 Network security protection method, system, device, security switch and storage medium
CN117811838A (en) * 2024-02-29 2024-04-02 博上(山东)网络科技有限公司 HAproxy server IP white list synchronization method and system
CN117811838B (en) * 2024-02-29 2024-05-17 博上(山东)网络科技有限公司 HAProxy server IP white list synchronization method and system

Also Published As

Publication number Publication date
CN113315754B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
CN113315754B (en) Intelligent linkage method, device, equipment and medium for firewall of container visit
CN111966305B (en) Persistent volume allocation method and device, computer equipment and storage medium
US11689638B2 (en) Embedded database as a microservice for distributed container cloud platform
CN109491776B (en) Task arranging method and system
EP3667500B1 (en) Using a container orchestration service for dynamic routing
US11368407B2 (en) Failover management using availability groups
CN110825420A (en) Configuration parameter updating method, device, equipment and storage medium for distributed cluster
CN108959385B (en) Database deployment method, device, computer equipment and storage medium
CN111324571A (en) Container cluster management method, device and system
CN103473696A (en) Method and system for collecting, analyzing and distributing internet business information
US10673694B2 (en) Private network mirroring
CN111464603B (en) Server capacity expansion method and system
CN106484321A (en) A kind of date storage method and data center
CN106790131B (en) Parameter modification method and device and distributed platform
CN113961312A (en) Target service deployment method and device and electronic equipment
CN110581893A (en) data transmission method and device, routing equipment, server and storage medium
CN111831567A (en) Application test environment configuration method, device, system and medium
CN111552494B (en) Method, device, system and medium for managing container group
CN114282210A (en) Sandbox automatic construction method and system, computer equipment and readable storage medium
CN110933184B (en) Resource publishing platform and resource publishing method
CN112631727A (en) Method and device for monitoring pod
CN114168179B (en) Micro-service management method, micro-service management device, computer equipment and storage medium
CN115103028B (en) SaaS application request processing method and device and computer equipment
WO2022001203A1 (en) Mirror image distribution method, electronic device, and storage medium
CN116225617A (en) Management migration method and device for container instance, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant