CN114281476A - Kubernetes cloud native cluster resource deletion protection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN114281476A
Authority
CN
China
Prior art keywords
deletion
resources
information
cascade
returning
Prior art date
Legal status
Pending
Application number
CN202111568567.5A
Other languages
Chinese (zh)
Inventor
赵凯麟
黄芳凤
韦克璐
崔思恒
Current Assignee
China Asean Information Harbor Co ltd
Original Assignee
China Asean Information Harbor Co ltd
Priority date
2021-12-21
Filing date
2021-12-21
Publication date
2022-04-05

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a Kubernetes cloud native cluster resource deletion protection method, relates to the technical field of information, and solves the technical problem that resources of a container cluster are deleted accidentally. The method comprises the following steps: the API Server is configured, through a ValidatingWebhookConfiguration, to use a Webhook Server; the API Server receives a request to delete a cascade resource; on receiving the request to delete the cascade resource, the API Server performs authentication and authorization, and if both pass, executes step 4, otherwise returns information prohibiting the deletion; the request enters the admission controllers for compliance verification, and if the compliance verification passes, information agreeing to the deletion is returned, otherwise information prohibiting the deletion is returned. The invention also discloses a Kubernetes cloud native cluster resource deletion protection device, equipment and a storage medium. By introducing an agreed annotation and a validating admission webhook, the invention protects key resources from being deleted, gives cascade resources special protection, allows deletion only when no subordinate resources exist, and so realizes conditional protection of resources.

Description

Kubernetes cloud native cluster resource deletion protection method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of information, in particular to a Kubernetes cloud native cluster resource deletion protection method, device, equipment and storage medium.
Background
In a Kubernetes cloud native cluster there is a large variety of resources, some of which are extremely important, such as Namespaces, Deployments and CustomResourceDefinitions (CRDs). These resources are important because they are all cascade resources, i.e. each is the manager, or owner, of other resources. For example, Pods may live under a Namespace, and Custom Resources (CRs) are associated with their CRD. Once such a resource is deleted, Kubernetes applies cascading deletion: when the resource is deleted, its subordinate resources are deleted as well. The deletion is generally irreversible, and when a key system resource is deleted, a serious failure that may crash the system can result.
The current Kubernetes cloud native cluster provides no protection mechanism against the deletion of these resources. The only related control is the deletion propagation policy (propagationPolicy) available for Deployments and StatefulSets, which specifies whether the Pods they generated are deleted in the foreground (Foreground), in the background (Background), or left behind (Orphan). The first two settings eventually delete the resources completely. The third setting keeps the generated Pods, but their parent resource is still deleted, and the orphaned Pods are of little use on their own. Existing solutions therefore cannot effectively prevent the accidental deletion of key resources.
Disclosure of Invention
The invention aims to solve the above technical problem of the prior art, and provides a Kubernetes cloud native cluster resource deletion protection method, device, equipment and storage medium, which can effectively prevent key resources from being deleted accidentally.
The invention provides a Kubernetes cloud native cluster resource deletion protection method, which comprises the following steps:
step 1, the API Server is configured, through a ValidatingWebhookConfiguration, to use a Webhook Server;
step 2, the API Server receives a request to delete a cascade resource;
step 3, after receiving the request to delete the cascade resource, the API Server performs authentication and authorization; if both pass, step 4 is executed, otherwise information prohibiting the deletion is returned;
step 4, the request enters the admission controllers for compliance verification; if the compliance verification passes, information agreeing to the deletion is returned, otherwise information prohibiting the deletion is returned.
As a further improvement, step 4 comprises:
step 41, entering the Mutating Admission Controller, which serially executes the preconfigured mutating admission webhooks;
step 42, entering the Validating Admission Controller, which executes the validating admission webhooks;
step 43, the Validating Admission Controller sends the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server;
step 44, the Webhook Server inspects the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
step 45, when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
step 46, when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
Further, when caih.io/deletion-protection: true, the cascade resource may be deleted after the annotation caih.io/deletion-protection: true has been removed.
Further, when caih.io/deletion-protection: cascade, the cascade resource may be deleted after the number of its subordinate resources has dropped to 0.
Further, the cascade resource comprises at least one of Namespace, CustomResourceDefinition, Deployment, StatefulSet and ReplicaSet.
The invention provides a Kubernetes cloud native cluster resource deletion protection device, which comprises:
an API Server module, used to configure and use a Webhook Server through a ValidatingWebhookConfiguration, receive a request to delete a cascade resource and send the request to the authentication module;
an authentication module, used to perform authentication and authorization; if both pass, it sends the request to delete the cascade resource to the compliance verification module, otherwise it returns information prohibiting the deletion;
a compliance verification module, used to perform compliance verification through the admission controllers; if the compliance verification passes, it returns information agreeing to the deletion, otherwise it returns information prohibiting the deletion.
As a further improvement, the compliance verification module comprises:
a Mutating Admission Controller module, for serially executing the preconfigured mutating admission webhooks;
a Validating Admission Controller module, for executing the validating admission webhooks and sending the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server module;
a Webhook Server module, configured to inspect the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
The invention provides an electronic device, which comprises a processor and a memory, wherein:
the memory is used to store program code and transmit the program code to the processor;
the processor is used to execute the above deletion protection method according to the instructions in the program code.
The present invention provides a computer-readable storage medium for storing program code for executing the above-described deletion protection method.
Advantageous effects
Compared with the prior art, the invention has the advantages that:
by introducing this deletion protection method, the invention gives cascade resources effective protection, improves usability, and provides protection levels of different strength: a resource that needs strong protection cannot be deleted until the protection is actively removed, while a resource that needs weak protection can be deleted as soon as the cascade condition is met, i.e. it no longer has subordinate resources.
Drawings
FIG. 1 is a flow chart of the operation of the method of the present invention;
FIG. 2 is a block diagram of a practical application of the present invention;
FIG. 3 is a framework diagram of deleting a Deployment according to the present invention.
Detailed Description
The invention will be further described with reference to specific embodiments shown in the drawings.
Referring to fig. 1 to 3, the Kubernetes cloud native cluster resource deletion protection method provided by the present invention includes:
step 1, the API Server is configured, through a ValidatingWebhookConfiguration, to use a Webhook Server;
step 2, the API Server receives a request to delete a cascade resource, where the cascade resource comprises at least one of Namespace, CustomResourceDefinition, Deployment, StatefulSet and ReplicaSet;
step 3, after receiving the request to delete the cascade resource, the API Server performs authentication and authorization; if both pass, step 4 is executed, otherwise information prohibiting the deletion is returned;
step 4, the request enters the admission controllers for compliance verification; if the compliance verification passes, information agreeing to the deletion is returned, otherwise information prohibiting the deletion is returned.
Step 4 comprises the following steps:
step 41, entering the Mutating Admission Controller, which serially executes the preconfigured mutating admission webhooks;
step 42, entering the Validating Admission Controller, which executes the validating admission webhooks;
step 43, the Validating Admission Controller sends the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server;
step 44, the Webhook Server inspects the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
step 45, when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
step 46, when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
When caih.io/deletion-protection: true, the cascade resource may be deleted after the annotation caih.io/deletion-protection: true has been removed.
When caih.io/deletion-protection: cascade, the cascade resource may be deleted after the number of its subordinate resources has dropped to 0.
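The ValidatingWebhookConfiguration of step 1, written out as an added example (this is not an artefact of the patent): it registers the Webhook Server for DELETE operations on the five cascade resource kinds named above. The configuration name, service name, namespace, path and caBundle are placeholders. Two settings decide whether the protection holds at all: the rules must list the DELETE operation explicitly, because a webhook registered only for CREATE and UPDATE is never consulted for deletions, and failurePolicy must be Fail so that an unreachable Webhook Server blocks the deletion instead of letting it through unchecked.

```yaml
# Added example for this page (not from the patent): the ValidatingWebhookConfiguration
# of step 1. Names, namespace, path and caBundle are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: deletion-protection.caih.io        # assumed name
webhooks:
- name: deletion-protection.caih.io        # must be a fully qualified name
  admissionReviewVersions: ["v1"]
  sideEffects: None
  matchPolicy: Equivalent
  timeoutSeconds: 5
  # Fail closed: an unreachable Webhook Server blocks the deletion rather than letting
  # it through unchecked. This also blocks deletions while the server itself is down.
  failurePolicy: Fail
  # Keep the webhook's own namespace out of scope so the server can always be
  # torn down and redeployed (assumed namespace name).
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["deletion-protection"]
  clientConfig:
    service:
      namespace: deletion-protection        # assumed
      name: webhook-server                  # assumed
      path: /validate-delete                # assumed; must match the server's route
    caBundle: ""   # base64 CA certificate that signed the Webhook Server's TLS certificate
  rules:
  # DELETE must be listed explicitly; CREATE/UPDATE-only rules are never consulted for deletions.
  - operations: ["DELETE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["namespaces"]
    scope: Cluster
  - operations: ["DELETE"]
    apiGroups: ["apiextensions.k8s.io"]
    apiVersions: ["v1"]
    resources: ["customresourcedefinitions"]
    scope: Cluster
  - operations: ["DELETE"]
    apiGroups: ["apps"]
    apiVersions: ["v1"]
    resources: ["deployments", "statefulsets", "replicasets"]
    scope: Namespaced
```

Two consequences worth checking before relying on this. With failurePolicy: Fail, no protected kind can be deleted while the Webhook Server is unavailable, which is the intended trade-off but must be planned for operationally. And the strong protection is only as strong as the annotation: anyone allowed to update or patch the object's metadata can strip caih.io/deletion-protection and then delete the object, so RBAC on update and patch of the protected kinds is part of the control, not an afterthought.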
The invention provides a Kubernetes cloud native cluster resource deletion protection device, which comprises:
an API Server module, used to configure and use a Webhook Server through a ValidatingWebhookConfiguration, receive a request to delete a cascade resource and send the request to the authentication module, where the cascade resource comprises at least one of Namespace, CustomResourceDefinition, Deployment, StatefulSet and ReplicaSet;
an authentication module, used to perform authentication and authorization; if both pass, it sends the request to delete the cascade resource to the compliance verification module, otherwise it returns information prohibiting the deletion;
a compliance verification module, used to perform compliance verification through the admission controllers; if the compliance verification passes, it returns information agreeing to the deletion, otherwise it returns information prohibiting the deletion.
The compliance verification module includes:
a Mutating Admission Controller module, for serially executing the preconfigured mutating admission webhooks;
a Validating Admission Controller module, for executing the validating admission webhooks and sending the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server module;
a Webhook Server module, configured to inspect the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
The invention provides an electronic device, which comprises a processor and a memory, wherein:
the memory is used to store program code and transmit the program code to the processor;
the processor is used to execute the above deletion protection method according to the instructions in the program code.
The present invention provides a computer-readable storage medium for storing program code for executing the above-described deletion protection method.
Specific application of the method
As shown in fig. 2, in a practical application 3 Master nodes are used as control nodes. The control nodes do not run workloads; only the Kubernetes control components run on them, as containers, including the API Server, the Controller Manager and the Scheduler.
N Worker nodes are used as working nodes; each working Node runs a Kubelet component and a number of Pods as its workloads.
The API Server on each Master Node is connected to the distributed database etcd, which stores the configuration and state of every resource in the cluster.
Each node contains a Kubelet component, which acts as the node's agent for communicating with the Kubernetes cluster and also as the management component for the workload Pods on the node. The API Server is the control component of the Kubernetes cluster: it receives requests to create, modify, delete and watch resources such as Nodes, and writes the resulting changes to etcd.
As shown in fig. 3, a Webhook Server receives validating admission webhook requests from the API Server and decides whether a given cascade resource may be deleted. There are two Deployments: deployment 1 is associated with 2 Pods and carries the annotation caih.io/deletion-protection: cascade; deployment 2 has no associated Pods and carries the annotation caih.io/deletion-protection: true.
As shown in fig. 1 and fig. 3, the steps of applying the method are as follows:
Step 1 is executed: a ValidatingWebhookConfiguration is submitted to the API Server, configuring the API Server to use the Webhook Server.
Step 2 is executed: requests to delete deployment 1 and deployment 2 are sent to the API Server.
Step 3 is executed: after the API Server receives the requests to delete deployment 1 and deployment 2, it first performs authentication and authorization; if either fails, information prohibiting the deletion is returned to the user. After both pass, the request enters the admission controllers for compliance verification.
The admission controllers specifically execute the following steps:
The request first enters the Mutating Admission Controller, which serially executes the preconfigured mutating admission webhooks.
The request then enters the Validating Admission Controller, which executes the validating admission webhooks.
The Validating Admission Controller sends the information of deployment 1 and the pending delete operation to the Webhook Server. The Webhook Server inspects deployment 1, finds the annotation caih.io/deletion-protection: cascade, and finds that deployment 1 still has 2 cascaded Pods, so it returns a decision to abort the deletion to the Validating Admission Controller, and information prohibiting the deletion is returned.
Similarly, after the request to delete deployment 2 and the information of deployment 2 are sent to the Webhook Server, the Webhook Server inspects deployment 2 and finds the annotation caih.io/deletion-protection: true; even though this Deployment has no cascaded Pods, it returns a decision to abort the deletion to the Validating Admission Controller, and information prohibiting the deletion is returned.
Step 4 is executed: deployment 1 is scaled to 0, so that its cascaded Pods become 0, and the annotation caih.io/deletion-protection: true is removed from deployment 2. Requests to delete deployment 1 and deployment 2 are then sent to the API Server again.
Step 5 is executed: after the API Server receives the requests, it goes through the same preliminary process as in step 3. After the delete request is sent to the Webhook Server, the Webhook Server inspects deployment 1 and finds the annotation caih.io/deletion-protection: cascade, but the Deployment no longer has any associated Pods, so it returns to the Validating Admission Controller information agreeing to delete deployment 1.
The Webhook Server inspects deployment 2, finds no annotation caih.io/deletion-protection: true, and returns to the Validating Admission Controller information agreeing to delete deployment 2.
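The Webhook Server side of steps 44 to 46, and of the deployment 1 / deployment 2 walk-through above, as an added example in Go. This is not the patent's implementation, and the caih.io/deletion-protection key is the reconstruction used on this page. It uses only the standard library: the AdmissionReview structures are a hand-written subset of admission.k8s.io/v1, and the count of subordinate resources is supplied by an injected function, because in a real server that lookup is an API call (Pods owned by the Deployment's ReplicaSets, CRs of a CRD, objects inside a Namespace). One detail the patent does not spell out: for a DELETE the API server sends the object being deleted in request.oldObject and leaves request.object null, so the annotation has to be read from oldObject.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Added example for this page, not the patent's code. The page renders the
// annotation key inconsistently; this spelling is a reconstruction.
const AnnotationKey = "caih.io/deletion-protection"

// Hand-written subset of admission.k8s.io/v1 AdmissionReview (encoding/json matches untagged names case-insensitively).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type GroupVersionKind struct{ Group, Version, Kind string }
type AdmissionRequest struct {
	UID, Namespace, Name, Operation string
	Kind                            GroupVersionKind
	OldObject                       json.RawMessage // a DELETE carries the object here; "object" is null
}
type Status struct {
	Code    int    `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}

// ChildCounter reports how many subordinate resources the object still owns (Pods owned
// by a Deployment's ReplicaSets, CRs of a CRD, objects in a Namespace). A real server queries the API.
type ChildCounter func(gvk GroupVersionKind, namespace, name string) (int, error)

func allow(uid string) *AdmissionResponse { return &AdmissionResponse{UID: uid, Allowed: true} }
func deny(uid string, code int, msg string) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Result: &Status{Code: code, Message: msg}}
}

// Decide implements steps 44-46 of the method for one admission request.
func Decide(req *AdmissionRequest, count ChildCounter) *AdmissionResponse {
	if req.Operation != "DELETE" {
		return allow(req.UID) // only deletion is guarded
	}
	var old struct {
		Metadata struct{ Annotations map[string]string } `json:"metadata"`
	}
	if err := json.Unmarshal(req.OldObject, &old); err != nil {
		return deny(req.UID, 500, fmt.Sprintf("cannot decode oldObject: %v", err))
	}
	target := fmt.Sprintf("%s %s/%s", req.Kind.Kind, req.Namespace, req.Name)
	value, annotated := old.Metadata.Annotations[AnnotationKey]
	switch {
	case !annotated: // step 44: an unannotated resource is not protected
		return allow(req.UID)
	case value == "cascade": // step 46: weak protection, deletable once no subordinates remain
		n, err := count(req.Kind, req.Namespace, req.Name)
		if err != nil { // fail closed: an unknown child count must not allow deletion
			return deny(req.UID, 500, fmt.Sprintf("cannot count subordinates of %s: %v", target, err))
		}
		if n > 0 {
			return deny(req.UID, 403, fmt.Sprintf("%s still owns %d subordinate resource(s); scale to 0 first", target, n))
		}
		return allow(req.UID)
	default: // step 45: "true" is strong protection; any undefined value is treated the same (this example's choice)
		return deny(req.UID, 403, fmt.Sprintf("%s has %s=%q; remove the annotation before deleting", target, AnnotationKey, value))
	}
}

// Review decodes one AdmissionReview and builds the reply the API server expects
// (same apiVersion and kind, response.uid echoing request.uid, request omitted).
func Review(body io.Reader, count ChildCounter) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.NewDecoder(body).Decode(&ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	ar.Response, ar.Request = Decide(ar.Request, count), nil
	return &ar, nil
}

// Handler serves the path named in the ValidatingWebhookConfiguration; serve it with
// http.ListenAndServeTLS, since the API server only calls webhooks over TLS.
func Handler(count ChildCounter) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		out, err := Review(http.MaxBytesReader(w, r.Body, 1<<20), count)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(out)
	}
}
```

Two decisions in this code go beyond what the page states and are the example's own: a failed subordinate lookup and an annotation value other than true or cascade both deny, so a broken API call or a typo in the annotation never turns into an unprotected deletion. With the fig. 3 objects, deployment 1 (cascade, 2 Pods) and deployment 2 (true) are both denied with code 403; after deployment 1 is scaled to 0 and the annotation is removed from deployment 2, both are allowed.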
The above is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that several variations and modifications can be made without departing from the structure of the present invention, which will not affect the effect of the implementation of the present invention and the utility of the patent.

Claims (10)

1. A Kubernetes cloud native cluster resource deletion protection method is characterized by comprising the following steps:
step 1, the API Server is configured, through a ValidatingWebhookConfiguration, to use a Webhook Server;
step 2, the API Server receives a request to delete a cascade resource;
step 3, after receiving the request to delete the cascade resource, the API Server performs authentication and authorization; if both pass, step 4 is executed, otherwise information prohibiting the deletion is returned;
step 4, the request enters the admission controllers for compliance verification; if the compliance verification passes, information agreeing to the deletion is returned, otherwise information prohibiting the deletion is returned.
2. The Kubernetes cloud native cluster resource deletion protection method according to claim 1, wherein step 4 comprises:
step 41, entering the Mutating Admission Controller, which serially executes the preconfigured mutating admission webhooks;
step 42, entering the Validating Admission Controller, which executes the validating admission webhooks;
step 43, the Validating Admission Controller sends the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server;
step 44, the Webhook Server inspects the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
step 45, when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
step 46, when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
3. The Kubernetes cloud native cluster resource deletion protection method according to claim 2, wherein when caih.io/deletion-protection: true, the cascade resource may be deleted after the annotation caih.io/deletion-protection: true has been removed.
4. The Kubernetes cloud native cluster resource deletion protection method according to claim 2, wherein when caih.io/deletion-protection: cascade, the cascade resource may be deleted after the number of its subordinate resources has dropped to 0.
5. The Kubernetes cloud native cluster resource deletion protection method according to any one of claims 1-4, wherein the cascade resource comprises at least one of Namespace, CustomResourceDefinition, Deployment, StatefulSet and ReplicaSet.
6. A Kubernetes cloud native cluster resource deletion protection device, characterized in that the deletion protection device comprises:
an API Server module, used to configure and use a Webhook Server through a ValidatingWebhookConfiguration, receive a request to delete a cascade resource and send the request to the authentication module;
an authentication module, used to perform authentication and authorization; if both pass, it sends the request to delete the cascade resource to the compliance verification module, otherwise it returns information prohibiting the deletion;
a compliance verification module, used to perform compliance verification through the admission controllers; if the compliance verification passes, it returns information agreeing to the deletion, otherwise it returns information prohibiting the deletion.
7. The Kubernetes cloud native cluster resource deletion protection device of claim 6, wherein the compliance verification module comprises:
a Mutating Admission Controller module, for serially executing the preconfigured mutating admission webhooks;
a Validating Admission Controller module, for executing the validating admission webhooks and sending the request to delete the cascade resource, together with the information of the cascade resource, to the Webhook Server module;
a Webhook Server module, configured to inspect the metadata.annotations field of the cascade resource; if the annotation caih.io/deletion-protection is present, its value must be examined further, otherwise information agreeing to the deletion is returned;
when caih.io/deletion-protection: true, information prohibiting the deletion is returned;
when caih.io/deletion-protection: cascade, the subordinate resources of the cascade resource are examined; if subordinate resources exist, information prohibiting the deletion is returned, otherwise information agreeing to the deletion is returned.
8. The Kubernetes cloud native cluster resource deletion protection device of claim 6, wherein the cascade resource comprises at least one of Namespace, CustomResourceDefinition, Deployment, StatefulSet and ReplicaSet.
9. An electronic device, comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the deletion protection method of any of claims 1-5 in accordance with instructions in the program code.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store a program code for executing the deletion protection method of any of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111568567.5A CN114281476A (en) 2021-12-21 2021-12-21 Kubernetes cloud native cluster resource deletion protection method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN114281476A true CN114281476A (en) 2022-04-05

Family

ID=80873420



Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination