CN114301841A - K8S-based micro-isolation strategy processing method and device - Google Patents


Info

Publication number
CN114301841A
Authority
CN
China
Legal status
Granted
Application number
CN202111565071.2A
Other languages
Chinese (zh)
Other versions
CN114301841B (en)
Inventor
代京
渠海峡
崔应杰
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd


Abstract

The application discloses a K8S-based micro-isolation policy processing method and device. The method comprises the following steps: building hash tables for App and Service, each keyed by IP, to obtain a first data table; building a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of App, Service and IP/Mask; building a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of Service and IP/Mask; and matching the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic. The method and device solve the problem in the related art that no micro-isolation policy search algorithm suited to the K8S environment exists, so that micro-isolation policies are obtained inefficiently.

Description

K8S-based micro-isolation strategy processing method and device
Technical Field
The application relates to the technical field of computers, in particular to a processing method and device of a micro-isolation strategy based on K8S.
Background
With the spread of Kubernetes (K8S for short) microservices, the security requirements of microservices have grown. Microservice assets such as App and Service change in real time, and those changes matter for matching micro-isolation policies. As the scale of the micro-isolation service and of the policy configuration grows, real-time classification of traffic faces new challenges. In the prior art, for a flow to be classified, as shown in FIG. 1, the source IP (Src IP) of the flow is matched against the fast lookup tree that records source prefixes (Src Prefix) to obtain the result set Src IP Matched; the destination IP (Dst IP) is matched against the fast lookup tree that records destination prefixes (Dst Prefix) to obtain the result set Dst IP Matched; and the destination port (Dst Port) is matched against the hash lookup tree that records destination ports to obtain the result set Dst Port Matched. Each result set is the set of micro-isolation policies matched by that field of the flow, and the micro-isolation policies contained in all three result sets are the policies matched by the flow. However, this matching method does not suit policies in a K8S environment: for K8S microservices, ports are allocated randomly when a Service is published, and the assets App and Service (corresponding to the address book in a conventional firewall) change very frequently.
For the problem in the related art that micro-isolation policies are obtained inefficiently because no micro-isolation policy search algorithm suited to the K8S environment exists, no effective solution has yet been proposed.
Disclosure of Invention
The main purpose of the present application is to provide a K8S-based micro-isolation policy processing method and apparatus, so as to solve the problem in the related art that no micro-isolation policy search algorithm suited to the K8S environment exists, which results in low efficiency in obtaining the micro-isolation policy.
In order to achieve the above object, according to one aspect of the present application, a K8S-based micro-isolation policy processing method is provided. The method comprises the following steps: building hash tables for App and Service, each keyed by IP, to obtain a first data table; building a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of App, Service and IP/Mask; building a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of Service and IP/Mask; and matching the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic.
Further, building a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table includes: when the source type of the micro-isolation policy is App or Service, building a hash table to obtain a first data sub-table, where the first data sub-table contains all micro-isolation policies corresponding to Apps and all micro-isolation policies corresponding to Services; when the source type of the micro-isolation policy is IP/Mask, building a fast matching tree to obtain a second data sub-table, where the second data sub-table contains all micro-isolation policies corresponding to IP/Mask; and taking the first data sub-table and the second data sub-table together as the second data table.
Further, building a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table includes: when the destination type of the micro-isolation policy is Service, building a hash table to obtain a third data sub-table, where the third data sub-table contains all micro-isolation policies corresponding to Services; when the destination type of the micro-isolation policy is IP/Mask, building a fast matching tree to obtain a fourth data sub-table, where the fourth data sub-table contains all micro-isolation policies corresponding to IP/Mask; and taking the third data sub-table and the fourth data sub-table together as the third data table.
Further, the target information includes a source IP, a destination IP and a destination port, and matching the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic includes: finding target asset information in the first data table according to the source IP, destination IP and destination port of the target traffic; matching in the second data table according to the source IP of the target traffic and the target asset information to obtain a first micro-isolation policy set; matching in the third data table according to the destination IP of the target traffic and the target asset information to obtain a second micro-isolation policy set; matching the first micro-isolation policy set against the second micro-isolation policy set to obtain a target micro-isolation policy set; and, in the order of the micro-isolation policies in the target micro-isolation policy set, checking whether the destination port of the target traffic is matched by a micro-isolation policy in that set, to determine the micro-isolation policy of the target traffic.
Further, checking, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in that set to determine the micro-isolation policy of the target traffic includes: detecting, in that order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set; when the destination port of the target traffic is matched by the first micro-isolation policy, taking the first micro-isolation policy as the micro-isolation policy of the target traffic; and when the destination port of the target traffic is not matched by the first micro-isolation policy, continuing to check, in that order, whether the destination port is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined.
In order to achieve the above object, according to another aspect of the present application, a K8S-based micro-isolation policy processing apparatus is provided. The apparatus includes: a first construction unit, configured to build hash tables for App and Service, each keyed by IP, to obtain a first data table; a second construction unit, configured to build a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of App, Service and IP/Mask; a third construction unit, configured to build a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of Service and IP/Mask; and a matching unit, configured to match the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic.
Further, the second construction unit includes: a first construction subunit, configured to build a hash table to obtain a first data sub-table when the source type of the micro-isolation policy is App or Service, where the first data sub-table contains all micro-isolation policies corresponding to Apps and all micro-isolation policies corresponding to Services; a second construction subunit, configured to build a fast matching tree to obtain a second data sub-table when the source type of the micro-isolation policy is IP/Mask, where the second data sub-table contains all micro-isolation policies corresponding to IP/Mask; and the first data sub-table and the second data sub-table together form the second data table.
Further, the third construction unit includes: a third construction subunit, configured to build a hash table to obtain a third data sub-table when the destination type of the micro-isolation policy is Service, where the third data sub-table contains all micro-isolation policies corresponding to Services; a fourth construction subunit, configured to build a fast matching tree to obtain a fourth data sub-table when the destination type of the micro-isolation policy is IP/Mask, where the fourth data sub-table contains all micro-isolation policies corresponding to IP/Mask; and the third data sub-table and the fourth data sub-table together form the third data table.
Further, the target information includes a source IP, a destination IP and a destination port, and the matching unit includes: a search subunit, configured to find target asset information in the first data table according to the source IP, destination IP and destination port of the target traffic; a first matching subunit, configured to match in the second data table according to the source IP of the target traffic and the target asset information to obtain a first micro-isolation policy set; a second matching subunit, configured to match in the third data table according to the destination IP of the target traffic and the target asset information to obtain a second micro-isolation policy set; a third matching subunit, configured to match the first micro-isolation policy set against the second micro-isolation policy set to obtain a target micro-isolation policy set; and a checking subunit, configured to check, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in that set, so as to determine the micro-isolation policy of the target traffic.
Further, the checking subunit includes: a first checking module, configured to detect, in that order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set; a determining module, configured to determine that the first micro-isolation policy is the micro-isolation policy of the target traffic when the destination port of the target traffic is matched by the first micro-isolation policy; and a second checking module, configured to, when the destination port of the target traffic is not matched by the first micro-isolation policy, continue checking, in that order, whether the destination port is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined.
In order to achieve the above object, according to another aspect of the present application, there is provided a computer-readable storage medium including a stored program, wherein the program performs any one of the above processing methods based on the K8S micro-isolation policy.
In order to achieve the above object, according to another aspect of the present application, there is provided a processor configured to execute a program, where the program executes a processing method based on the K8S micro-isolation policy according to any one of the above aspects.
Through the present application, the following steps are adopted: building hash tables for App and Service, each keyed by IP, to obtain a first data table; building a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of App, Service and IP/Mask; building a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of Service and IP/Mask; and matching the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic. The method and device solve the problem in the related art that no micro-isolation policy search algorithm suited to the K8S environment exists, so that micro-isolation policies are obtained inefficiently. By building the first, second and third data tables and matching them according to the information carried by the target traffic, the micro-isolation policy of the target traffic is obtained, which improves the efficiency of obtaining the micro-isolation policy.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
FIG. 1 is a flow chart of a prior art micro-isolation strategy matching;
FIG. 2 is a flow chart of a processing method of a K8S-based micro-isolation policy provided according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an alternative asset fast lookup table provided in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of a policy fast lookup table provided according to an embodiment of the present application when the optional source types are APP and Service;
FIG. 5 is a schematic diagram of a policy fast lookup table provided according to an embodiment of the present application when the alternative source type is IP/Mask;
FIG. 6 is a diagram illustrating a policy fast lookup table when the optional destination type is Service according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a policy fast lookup table provided according to an embodiment of the present application when the optional destination type is IP/Mask;
FIG. 8 is a flow chart of micro-isolation policy matching for optional target traffic provided in accordance with an embodiment of the present application;
FIG. 9 is a schematic diagram of a K8S-based micro-isolation policy processing apparatus according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described below with reference to preferred implementation steps. FIG. 2 is a flowchart of the K8S-based micro-isolation policy processing method according to an embodiment of the present application; as shown in FIG. 2, the method includes the following steps:
Step S101: build hash tables for App and Service, each keyed by IP, to obtain a first data table.
For example, a hash table is built for App and another for Service, each keyed by IP, to obtain the asset fast lookup table (i.e., the aforementioned first data table). As shown in FIG. 3, all App and Service information corresponding to an IP address can be located quickly from that address.
Step S102: build a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of App, Service and IP/Mask.
For example, since the source type of a micro-isolation policy may be App, Service or IP/Mask, a policy fast lookup table is built according to the source type of the micro-isolation policy, giving the policy fast lookup table corresponding to the source (i.e., the second data table).
Step S103: build a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of Service and IP/Mask.
For example, since the destination type of a micro-isolation policy may be Service or IP/Mask, a policy fast lookup table is built according to the destination type of the micro-isolation policy, giving the policy fast lookup table corresponding to the destination (i.e., the third data table).
Step S104: match the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic.
For example, according to the target information of the target traffic (where the target information includes a source IP, a destination IP and a destination port), matching is performed in the asset fast lookup table, the policy fast lookup table corresponding to the source and the policy fast lookup table corresponding to the destination to obtain the micro-isolation policy of the target traffic.
Through the above steps, the first (asset) data table and the second and third (policy) data tables are built, and these tables are matched according to the target information carried by the target traffic to obtain the micro-isolation policy of the target traffic, which improves the efficiency of matching traffic to micro-isolation policies.
Optionally, in the K8S-based micro-isolation policy processing method provided in the embodiment of the present application, building a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table includes: when the source type of the micro-isolation policy is App or Service, building a hash table to obtain a first data sub-table, where the first data sub-table contains all micro-isolation policies corresponding to Apps and all micro-isolation policies corresponding to Services; when the source type of the micro-isolation policy is IP/Mask, building a fast matching tree to obtain a second data sub-table, where the second data sub-table contains all micro-isolation policies corresponding to IP/Mask; and taking the first data sub-table and the second data sub-table together as the second data table.
For example, building the fast lookup table for the source (Src) part includes: if the Src type is App, build a hash table recording the micro-isolation policies corresponding to all Apps; if the Src type is Service, build a hash table recording the micro-isolation policies corresponding to all Services; these form the first data sub-table, as shown in FIG. 4. If the Src type is IP/Mask, build a fast matching tree recording all micro-isolation policies corresponding to IP/Mask; this is the second data sub-table, as shown in FIG. 5. The first and second data sub-tables together are the policy fast lookup table corresponding to the source.
Through the above steps, policy fast lookup tables corresponding to all sources (Src) are built, so that micro-isolation policies can be matched quickly according to the source type of the target traffic.
Optionally, in the K8S-based micro-isolation policy processing method provided in the embodiment of the present application, building a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table includes: when the destination type of the micro-isolation policy is Service, building a hash table to obtain a third data sub-table, where the third data sub-table contains all micro-isolation policies corresponding to Services; when the destination type of the micro-isolation policy is IP/Mask, building a fast matching tree to obtain a fourth data sub-table, where the fourth data sub-table contains all micro-isolation policies corresponding to IP/Mask; and taking the third data sub-table and the fourth data sub-table together as the third data table.
For example, building the fast lookup table for the destination (Dst) part includes: if the Dst type is Service, build an index table recording the micro-isolation policies corresponding to all Services; this is the third data sub-table, as shown in FIG. 6. If the Dst type is IP/Mask, build a fast matching tree recording all micro-isolation policies corresponding to IP/Mask; this is the fourth data sub-table, as shown in FIG. 7. The third and fourth data sub-tables together are the policy fast lookup table corresponding to the destination.
Through the above steps, policy fast lookup tables corresponding to all destinations (Dst) are built, so that micro-isolation policies can be matched quickly according to the destination type of the target traffic.
Optionally, in the processing method of the K8S-based micro-isolation policy provided in the embodiment of the present application, the target information includes: the method comprises the following steps that a source IP, a target IP and a target port are matched in a data table I, a data table II and a data table III according to target information of target flow, so that a micro-isolation strategy of the target flow is obtained, and the method comprises the following steps: according to the source IP, the destination IP and the destination port of the target flow, target asset information is found in the first data table; matching in the data table II according to the source IP of the target flow and the target asset information to obtain a micro-isolation strategy set; matching in a data table III according to the target IP of the target flow and the target asset information to obtain a micro-isolation strategy set II; matching the micro-isolation strategy set I with the micro-isolation strategy set II to obtain a target micro-isolation strategy set; and according to the sequence of the micro-isolation strategies in the target micro-isolation strategy set, checking whether a target port of the target flow is matched by the micro-isolation strategies in the target micro-isolation strategies to determine the micro-isolation strategies of the target flow.
The destination information includes source IP (src IP), destination IP (Dst IP), and destination Port (Dst Port). And according to the target information, determining asset information corresponding to the target information in the asset fast lookup table, for example, the asset information corresponding to the source of the target traffic is APP1, and the asset information corresponding to the destination is Service 1. Through the Src IP of the target traffic and the corresponding asset information, a corresponding micro-isolation policy set (including a plurality of micro-isolation policies, for example, including policy1, policy3, policy5, and policy7) is obtained in the policy fast lookup table corresponding to the source. And acquiring a corresponding micro-isolation policy set two (comprising a plurality of micro-isolation policies, such as policy1 and policy7) in a policy fast lookup table corresponding to the destination through the Dst IP of the target traffic and the corresponding asset information. And intersecting the micro-isolation strategy set I and the micro-isolation strategy set II to obtain a target micro-isolation strategy set (for example, comprising policy1 and policy 7). Checking whether Dst Port of the target traffic is matched by policy1 and policy7 in order of the micro-isolation policies in the target micro-isolation policy set to determine the micro-isolation policy of the target traffic.
Through the steps, the accuracy of the target flow matching micro-isolation strategy can be effectively improved, and the data security is ensured.
Optionally, in the processing method of the K8S-based micro-isolation policy provided in this embodiment of the present application, according to an order of the micro-isolation policies in the set of target traffic, checking whether a destination port of the target traffic is matched by the micro-isolation policies in the set of target traffic to determine the micro-isolation policy of the target traffic, including: detecting whether a target port of the target flow is matched with a first micro-isolation strategy in the target micro-isolation strategy set or not according to the sequence; when the target port of the target flow can be matched by the first micro-isolation strategy, the first micro-isolation strategy is the micro-isolation strategy of the target flow; and when the target port of the target flow cannot be matched by the first micro-isolation strategy, continuously checking whether the target port of the target flow is matched by the next micro-isolation strategy in the set of the target flow according to the sequence until the micro-isolation strategy of the target flow is determined.
For example, in order of the micro-isolation policies in the target micro-isolation policy set, it is checked whether the Dst ports of the target traffic are matched by policy1 and policy7 to determine the micro-isolation policy of the target traffic. Then, it is first verified whether the Dst Port of the target traffic is matched by policy1, and if the Dst Port of the target traffic can be matched, then policy1 is the micro-isolation policy corresponding to the target traffic, and it is not necessary to verify policy 7. If the Dst Port cannot be matched by policy1, then it is checked whether the Dst Port is matched by policy7 until the micro-quarantine policy for the target traffic is determined.
According to the processing method of the K8S-based micro-isolation strategy, a hash table is respectively established for APP and Service by taking IP as a keyword, and a data table I is obtained; establishing a strategy fast lookup table according to the type of the source of the micro-isolation strategy to obtain a second data table, wherein the type of the source of the micro-isolation strategy is one of the following types: APP, Service and IP/Mask; establishing a strategy fast lookup table according to the target type of the micro-isolation strategy to obtain a data table III, wherein the target type of the micro-isolation strategy is one of the following types: service and IP/Mask; and matching the data table I, the data table II and the data table III according to target information of the target flow to obtain a micro-isolation strategy of the target flow. By the method and the device, the problem that in the related art, no corresponding micro-isolation strategy search algorithm exists in the K8S environment, and therefore the efficiency of obtaining the micro-isolation strategy is low is solved. The micro-isolation strategy of the target flow is obtained by establishing a first resource data table, a second strategy data table and a third strategy data table and matching the first data table, the second data table and the third data table according to the information carried by the target flow, so that the effect of improving the efficiency of obtaining the micro-isolation strategy is achieved.
Fig. 8 is a flowchart illustrating an optional micro-isolation policy matching process for target traffic according to an embodiment of the present disclosure. First, the Src IP, Dst IP and Dst Port of the traffic are used to locate, in the asset fast lookup table, the K8S asset information (App and Service) that the endpoints belong to. Second, as path 1 in Fig. 8, the Src IP of the traffic and the corresponding asset information are used to obtain the matching policies from the Src fast table. Third, as path 2 in Fig. 8, the Dst IP of the traffic and the corresponding asset information are used to obtain the matching policies from the Dst fast table. Fourth, as path 3 in Fig. 8, the intersection of the Src and Dst results is taken as the Policy matching set. Fifth, the policies in the Policy matching set are checked in order to see whether the Dst Port is matched, and the first policy that matches is selected as the final matching policy.
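The five-step lookup above, and the ordered Dst Port check illustrated with policy1 and policy7 earlier, as a worked example in plain Python. This is an example added here, not code from the patent or from Hillstone Networks. It assumes that the "fast matching tree" for IP/Mask entries is a binary prefix trie (the patent only names the structure), that the first data table can be modelled as a single dictionary from IP to the APP or Service the IP belongs to (the Dst Port is not needed for that step in this simplified model), and that policies are ordered by a numeric `pid`. All IPs, asset names and policies are constructed sample data.

```python
"""Added example (not the patent's code): the three-table micro-isolation
policy lookup. The prefix trie and the table layout are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    pid: int              # position in the ordered policy list: lower = checked first
    src_type: str         # "APP", "Service" or "IP/Mask"
    src: str              # asset name or CIDR
    dst_type: str         # "Service" or "IP/Mask"
    dst: str
    dst_ports: frozenset  # empty set = any destination port
    action: str           # "allow" or "deny"


class PrefixTree:
    """Binary trie over the 32 bits of an IPv4 address. A lookup returns the
    policies of every IP/Mask entry that contains the address, because the
    address may fall inside several overlapping prefixes; order is resolved later."""

    def __init__(self):
        self.root = {}

    def insert(self, cidr, policy):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node.setdefault("$", []).append(policy)

    def lookup(self, ip):
        node = self.root
        found = list(node.get("$", []))          # a 0.0.0.0/0 entry lives at the root
        for bit in format(int(ipaddress.ip_address(ip)), "032b"):
            node = node.get(bit)
            if node is None:
                break
            found.extend(node.get("$", []))
        return found


class MicroIsolationTables:
    def __init__(self, assets_by_ip, policies):
        # First data table: IP -> {"APP": name} or {"Service": name} (hash lookup by IP)
        self.assets = assets_by_ip
        # Second data table (source side): hash keyed by (type, name) for APP/Service
        # sources, prefix tree for IP/Mask sources
        self.src_hash, self.src_tree = {}, PrefixTree()
        # Third data table (destination side): hash keyed by Service name, prefix
        # tree for IP/Mask destinations
        self.dst_hash, self.dst_tree = {}, PrefixTree()
        for p in policies:
            if p.src_type == "IP/Mask":
                self.src_tree.insert(p.src, p)
            else:
                self.src_hash.setdefault((p.src_type, p.src), []).append(p)
            if p.dst_type == "IP/Mask":
                self.dst_tree.insert(p.dst, p)
            else:
                self.dst_hash.setdefault(p.dst, []).append(p)

    def match(self, src_ip, dst_ip, dst_port):
        # Step 1: locate the K8S asset (App / Service) each endpoint belongs to
        src_asset = self.assets.get(src_ip, {})
        dst_asset = self.assets.get(dst_ip, {})
        # Step 2 (path 1): policy set I from the Src fast table
        set1 = set(self.src_tree.lookup(src_ip))
        for kind in ("APP", "Service"):
            if kind in src_asset:
                set1.update(self.src_hash.get((kind, src_asset[kind]), []))
        # Step 3 (path 2): policy set II from the Dst fast table
        set2 = set(self.dst_tree.lookup(dst_ip))
        if "Service" in dst_asset:
            set2.update(self.dst_hash.get(dst_asset["Service"], []))
        # Step 4 (path 3): the intersection is the target policy set, kept in policy order
        candidates = sorted(set1 & set2, key=lambda p: p.pid)
        # Step 5: the first policy in order whose Dst Port matches decides the traffic
        for p in candidates:
            if not p.dst_ports or dst_port in p.dst_ports:
                return p
        return None


ASSETS = {  # constructed sample of the first data table (Pod IPs -> APP, ClusterIPs -> Service)
    "10.244.1.5": {"APP": "frontend"},
    "10.244.2.9": {"APP": "worker"},
    "10.96.0.20": {"Service": "orders-svc"},
    "10.96.0.30": {"Service": "payments-svc"},
}
POLICIES = [  # constructed sample policies; pid gives the evaluation order
    Policy(1, "APP", "frontend", "Service", "orders-svc", frozenset({8080}), "allow"),
    Policy(3, "IP/Mask", "10.244.0.0/16", "Service", "payments-svc", frozenset({443}), "deny"),
    Policy(7, "APP", "frontend", "Service", "orders-svc", frozenset(), "deny"),
    Policy(9, "IP/Mask", "10.244.2.0/24", "IP/Mask", "10.96.0.0/16", frozenset({9090}), "allow"),
]
TABLES = MicroIsolationTables(ASSETS, POLICIES)


def lookup(src_ip, dst_ip, dst_port):
    """Return (pid, action) of the policy that decides the flow, or None if no policy matches."""
    p = TABLES.match(src_ip, dst_ip, dst_port)
    return (p.pid, p.action) if p else None


if __name__ == "__main__":
    print(lookup("10.244.1.5", "10.96.0.20", 8080))  # policy1 matches on port 8080
    print(lookup("10.244.1.5", "10.96.0.20", 22))    # policy1 misses on port, policy7 (any port) catches
```

The hash lookups in steps 1 to 3 are constant time per key and the trie walk is bounded by the address width, so the cost of a lookup does not grow with the number of policies; only the final ordered port check scans the (usually small) intersection. Note that the trie returns all containing prefixes, not only the longest one, so that a broad deny on 10.244.0.0/16 is still a candidate when a narrower allow also matches; which one wins is decided purely by policy order in step 5.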
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
An embodiment of the present application further provides a processing apparatus for a K8S-based micro-isolation policy. It should be noted that this apparatus may be used to execute the K8S-based micro-isolation policy processing method provided by the embodiments of the present application. The apparatus is described below.
Fig. 9 is a schematic diagram of a processing apparatus for a K8S-based micro-isolation policy according to an embodiment of the present application. As shown in Fig. 9, the apparatus includes: a first construction unit 901, a second construction unit 902, a third construction unit 903 and a matching unit 904.
The first construction unit 901 is configured to establish hash tables for APP and Service respectively, keyed by IP, to obtain a first data table.
The second construction unit 902 is configured to establish a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of: APP, Service and IP/Mask.
The third construction unit 903 is configured to establish a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of: Service and IP/Mask.
The matching unit 904 is configured to match in the first data table, the second data table and the third data table according to the target information of the target traffic, to obtain the micro-isolation policy of the target traffic.
To sum up, in the processing apparatus for the K8S-based micro-isolation policy provided in this embodiment, the first construction unit 901 establishes hash tables for APP and Service respectively, keyed by IP, to obtain a first data table; the second construction unit 902 establishes a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type is one of APP, Service and IP/Mask; the third construction unit 903 establishes a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type is one of Service and IP/Mask; and the matching unit 904 matches in the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic. This addresses the problem in the related art that no corresponding micro-isolation policy search algorithm exists for the K8S environment, so that obtaining the micro-isolation policy is inefficient. By establishing one resource data table and two policy data tables, and matching all three against the information carried by the target traffic, the micro-isolation policy of the target traffic is obtained with improved efficiency.
Optionally, in the processing apparatus for the K8S-based micro-isolation policy provided in this embodiment, the second construction unit includes: a first construction subunit, configured to establish a hash table when the source type of the micro-isolation policy is APP or Service, to obtain a first data sub-table that contains all micro-isolation policies corresponding to APPs and all micro-isolation policies corresponding to Services; and a second construction subunit, configured to establish a fast matching tree when the source type of the micro-isolation policy is IP/Mask, to obtain a second data sub-table that contains all micro-isolation policies corresponding to IP/Mask sources. The first data sub-table and the second data sub-table together form the second data table.
Optionally, in the processing apparatus for the K8S-based micro-isolation policy provided in this embodiment, the third construction unit includes: a third construction subunit, configured to establish a hash table when the destination type of the micro-isolation policy is Service, to obtain a third data sub-table that contains all micro-isolation policies corresponding to Services; and a fourth construction subunit, configured to establish a fast matching tree when the destination type of the micro-isolation policy is IP/Mask, to obtain a fourth data sub-table that contains all micro-isolation policies corresponding to IP/Mask destinations. The third data sub-table and the fourth data sub-table together form the third data table.
Optionally, in the processing apparatus for the K8S-based micro-isolation policy provided in this embodiment, the target information includes the source IP, the destination IP and the destination port, and the matching unit includes: a search subunit, configured to find the target asset information in the first data table according to the source IP, destination IP and destination port of the target traffic; a first matching subunit, configured to match in the second data table according to the source IP of the target traffic and the target asset information, to obtain a first micro-isolation policy set; a second matching subunit, configured to match in the third data table according to the destination IP of the target traffic and the target asset information, to obtain a second micro-isolation policy set; a third matching subunit, configured to intersect the first micro-isolation policy set with the second micro-isolation policy set to obtain the target micro-isolation policy set; and a checking subunit, configured to check, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in that set, so as to determine the micro-isolation policy of the target traffic.
Optionally, in the processing apparatus for the K8S-based micro-isolation policy provided in this embodiment, the checking subunit includes: a first checking module, configured to detect, in order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set; a judging module, configured to judge whether the destination port of the target traffic is matched by the first micro-isolation policy; and a second checking module, configured to, when the destination port of the target traffic is not matched by the first micro-isolation policy, continue checking in order whether the destination port is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined.
The processing apparatus for the K8S-based micro-isolation policy includes a processor and a memory. The first construction unit 901, the second construction unit 902, the third construction unit 903, the matching unit 904 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor includes one or more cores, and a core calls the corresponding program unit from the memory. The matching of micro-isolation policies in the K8S environment is implemented by adjusting the core parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the invention provides a storage medium on which a program is stored; when executed by a processor, the program implements the K8S-based micro-isolation policy processing method.
An embodiment of the invention provides a processor configured to run a program, where the program, when run, executes the K8S-based micro-isolation policy processing method.
An embodiment of the invention provides a device including a processor, a memory, and a program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the following steps: establishing hash tables for APP and Service respectively, keyed by IP, to obtain a first data table; establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of: APP, Service and IP/Mask; establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of: Service and IP/Mask; and matching in the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic.
Optionally, establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table includes: when the source type of the micro-isolation policy is APP or Service, establishing a hash table to obtain a first data sub-table that contains all micro-isolation policies corresponding to APPs and all micro-isolation policies corresponding to Services; when the source type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a second data sub-table that contains all micro-isolation policies corresponding to IP/Mask sources; and taking the first data sub-table and the second data sub-table together as the second data table.
Optionally, establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table includes: when the destination type of the micro-isolation policy is Service, establishing a hash table to obtain a third data sub-table that contains all micro-isolation policies corresponding to Services; when the destination type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a fourth data sub-table that contains all micro-isolation policies corresponding to IP/Mask destinations; and taking the third data sub-table and the fourth data sub-table together as the third data table.
Optionally, the target information includes the source IP, the destination IP and the destination port, and matching in the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic includes: finding the target asset information in the first data table according to the source IP, destination IP and destination port of the target traffic; matching in the second data table according to the source IP of the target traffic and the target asset information to obtain a first micro-isolation policy set; matching in the third data table according to the destination IP of the target traffic and the target asset information to obtain a second micro-isolation policy set; intersecting the first micro-isolation policy set with the second micro-isolation policy set to obtain the target micro-isolation policy set; and checking, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in that set, so as to determine the micro-isolation policy of the target traffic.
Optionally, checking in order whether the destination port of the target traffic is matched by a micro-isolation policy in the target micro-isolation policy set, so as to determine the micro-isolation policy of the target traffic, includes: detecting, in order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set; when the destination port of the target traffic is matched by the first micro-isolation policy, taking the first micro-isolation policy as the micro-isolation policy of the target traffic; and when the destination port of the target traffic is not matched by the first micro-isolation policy, continuing to check in order whether the destination port is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined. The device herein may be a server, a PC, a tablet (PAD), a mobile phone, and so on.
The present application further provides a computer program product adapted to execute a program that, when run on a data processing device, performs the following method steps: establishing hash tables for APP and Service respectively, keyed by IP, to obtain a first data table; establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, where the source type of the micro-isolation policy is one of: APP, Service and IP/Mask; establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, where the destination type of the micro-isolation policy is one of: Service and IP/Mask; and matching in the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic.
Optionally, establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table includes: when the source type of the micro-isolation policy is APP or Service, establishing a hash table to obtain a first data sub-table that contains all micro-isolation policies corresponding to APPs and all micro-isolation policies corresponding to Services; when the source type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a second data sub-table that contains all micro-isolation policies corresponding to IP/Mask sources; and taking the first data sub-table and the second data sub-table together as the second data table.
Optionally, establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table includes: when the destination type of the micro-isolation policy is Service, establishing a hash table to obtain a third data sub-table that contains all micro-isolation policies corresponding to Services; when the destination type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a fourth data sub-table that contains all micro-isolation policies corresponding to IP/Mask destinations; and taking the third data sub-table and the fourth data sub-table together as the third data table.
Optionally, the target information includes the source IP, the destination IP and the destination port, and matching in the first, second and third data tables according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic includes: finding the target asset information in the first data table according to the source IP, destination IP and destination port of the target traffic; matching in the second data table according to the source IP of the target traffic and the target asset information to obtain a first micro-isolation policy set; matching in the third data table according to the destination IP of the target traffic and the target asset information to obtain a second micro-isolation policy set; intersecting the first micro-isolation policy set with the second micro-isolation policy set to obtain the target micro-isolation policy set; and checking, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in that set, so as to determine the micro-isolation policy of the target traffic.
Optionally, checking in order whether the destination port of the target traffic is matched by a micro-isolation policy in the target micro-isolation policy set, so as to determine the micro-isolation policy of the target traffic, includes: detecting, in order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set; when the destination port of the target traffic is matched by the first micro-isolation policy, taking the first micro-isolation policy as the micro-isolation policy of the target traffic; and when the destination port of the target traffic is not matched by the first micro-isolation policy, continuing to check in order whether the destination port is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A processing method for a K8S-based micro-isolation policy, characterized by comprising the following steps:
establishing hash tables for APP and Service respectively, keyed by IP, to obtain a first data table;
establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table, wherein the source type of the micro-isolation policy is one of: APP, Service and IP/Mask;
establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table, wherein the destination type of the micro-isolation policy is one of: Service and IP/Mask; and
matching in the first data table, the second data table and the third data table according to target information of target traffic to obtain the micro-isolation policy of the target traffic.
2. The method of claim 1, wherein establishing a policy fast lookup table according to the source type of the micro-isolation policy to obtain a second data table comprises:
when the source type of the micro-isolation policy is APP or Service, establishing a hash table to obtain a first data sub-table, wherein the first data sub-table comprises all micro-isolation policies corresponding to APPs and all micro-isolation policies corresponding to Services;
when the source type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a second data sub-table, wherein the second data sub-table comprises all micro-isolation policies corresponding to IP/Mask sources; and
taking the first data sub-table and the second data sub-table together as the second data table.
3. The method of claim 1, wherein establishing a policy fast lookup table according to the destination type of the micro-isolation policy to obtain a third data table comprises:
when the destination type of the micro-isolation policy is Service, establishing a hash table to obtain a third data sub-table, wherein the third data sub-table comprises all micro-isolation policies corresponding to Services;
when the destination type of the micro-isolation policy is IP/Mask, establishing a fast matching tree to obtain a fourth data sub-table, wherein the fourth data sub-table comprises all micro-isolation policies corresponding to IP/Mask destinations; and
taking the third data sub-table and the fourth data sub-table together as the third data table.
4. The method of claim 1, wherein the target information comprises a source IP, a destination IP and a destination port, and matching in the first data table, the second data table and the third data table according to the target information of the target traffic to obtain the micro-isolation policy of the target traffic comprises:
finding target asset information in the first data table according to the source IP, the destination IP and the destination port of the target traffic;
matching in the second data table according to the source IP of the target traffic and the target asset information to obtain a first micro-isolation policy set;
matching in the third data table according to the destination IP of the target traffic and the target asset information to obtain a second micro-isolation policy set;
intersecting the first micro-isolation policy set with the second micro-isolation policy set to obtain a target micro-isolation policy set; and
checking, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in the target micro-isolation policy set, so as to determine the micro-isolation policy of the target traffic.
5. The method of claim 4, wherein checking, in the order of the micro-isolation policies in the target micro-isolation policy set, whether the destination port of the target traffic is matched by a micro-isolation policy in the target micro-isolation policy set, so as to determine the micro-isolation policy of the target traffic, comprises:
detecting, in order, whether the destination port of the target traffic is matched by the first micro-isolation policy in the target micro-isolation policy set;
when the destination port of the target traffic is matched by the first micro-isolation policy, taking the first micro-isolation policy as the micro-isolation policy of the target traffic; and
when the destination port of the target traffic is not matched by the first micro-isolation policy, continuing to check in order whether the destination port of the target traffic is matched by the next micro-isolation policy in the target micro-isolation policy set, until the micro-isolation policy of the target traffic is determined.
6. A processing device based on K8S micro-isolation strategy is characterized by comprising:
the first construction unit is used for respectively establishing hash tables for the APP and the Service by taking the IP as a keyword to obtain a first data table;
the second construction unit is used for establishing a strategy fast lookup table according to the type of the source of the micro-isolation strategy to obtain a second data table, wherein the type of the source of the micro-isolation strategy is one of the following types: APP, Service and IP/Mask;
a third constructing unit, configured to establish a policy fast lookup table according to the type of the purpose of the micro-isolation policy, so as to obtain a third data table, where the type of the purpose of the micro-isolation policy is one of the following: service and IP/Mask;
and the matching unit is used for matching the data table I, the data table II and the data table III according to target information of target flow so as to obtain a micro-isolation strategy of the target flow.
7. The apparatus according to claim 6, wherein the second building unit comprises:
the first construction subunit is used for establishing a hash table to obtain a first data sub-table when the type of the source of the micro-isolation strategy is APP or Service, wherein the first data sub-table comprises all micro-isolation strategies corresponding to the APPs and all micro-isolation strategies corresponding to the services;
a second constructing subunit, configured to establish a fast matching tree to obtain a second data sub-table when the type of the source of the micro-isolation policy is IP/Mask, where the second data sub-table includes all micro-isolation policies corresponding to the IP/Mask;
and taking the first data sub-table and the second data sub-table as the first data table.
8. The apparatus according to claim 6, characterized in that the third construction unit comprises:
a third construction subunit configured to establish a hash table to obtain a third data sub-table when the destination type of the micro-isolation policy is Service, wherein the third data sub-table comprises all micro-isolation policies corresponding to Services;
a third construction subunit configured to establish a fast matching tree to obtain a fourth data sub-table when the destination type of the micro-isolation policy is IP/Mask, wherein the fourth data sub-table comprises all micro-isolation policies corresponding to IP/Mask;
and the third data sub-table and the fourth data sub-table are taken as the third data table.
9. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, executes the K8S-based micro-isolation policy processing method according to any one of claims 1 to 5.
10. A processor, characterized in that the processor is configured to run a program, wherein the program, when run, executes the K8S-based micro-isolation policy processing method according to any one of claims 1 to 5.
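The three-table lookup that claims 6 to 8 describe, as an added worked example that is not code from the patent or from Hillstone Networks: data table I is two dicts keyed by IP (one for APP, one for Service), the APP/Service sub-tables are dicts keyed by label, and the IP/Mask sub-tables are a binary prefix trie standing in for the claims' "fast matching tree". The claims do not specify the tree, the label format, precedence between overlapping policies or what happens to a flow no policy covers, so the trie, the `app:`/`svc:` prefixes, first-match precedence, the default-deny fallback and the sample inventory and policies below are all assumptions. The matching unit's step is modelled as the intersection of the source-side and destination-side hits, so a policy applies only when the flow satisfies both of its sides.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One micro-isolation policy. src is 'app:<name>', 'svc:<name>' or an IP/Mask;
    dst is 'svc:<name>' or an IP/Mask (the source and destination types of the claims)."""
    name: str
    src: str
    dst: str
    action: str  # "allow" or "deny"


class PrefixTree:
    """Binary trie over IPv4 prefixes, standing in for the claims' "fast matching tree"
    (an assumption: the patent does not specify the tree). lookup() returns every
    policy whose IP/Mask covers the address, shortest prefix first."""

    def __init__(self):
        self.root = {}

    def insert(self, cidr, policy):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.root
        for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node.setdefault("$", []).append(policy)  # "$": policies ending at this prefix

    def lookup(self, ip):
        node, hits = self.root, list(self.root.get("$", []))  # "$" at root = /0 policies
        for bit in format(int(ipaddress.ip_address(ip)), "032b"):
            node = node.get(bit)
            if node is None:
                break
            hits.extend(node.get("$", []))
        return hits


class MicroIsolationTables:
    """Data tables I, II and III of the claims: built once, queried per flow."""

    def __init__(self, app_by_ip, svc_by_ip, policies):
        # Data table I: hash tables keyed by IP, one for APP and one for Service.
        self.app_by_ip, self.svc_by_ip = dict(app_by_ip), dict(svc_by_ip)
        # Data table II (source side): sub-table 1 hashes APP/Service labels to
        # policies, sub-table 2 is a prefix tree over IP/Mask sources.
        self.src_hash, self.src_tree = {}, PrefixTree()
        # Data table III (destination side): sub-table 3 hashes Service labels,
        # sub-table 4 is a prefix tree over IP/Mask destinations.
        self.dst_hash, self.dst_tree = {}, PrefixTree()
        self.order = {p: i for i, p in enumerate(policies)}  # definition order = precedence
        for p in policies:
            if p.src.startswith(("app:", "svc:")):
                self.src_hash.setdefault(p.src, []).append(p)
            else:
                self.src_tree.insert(p.src, p)
            if p.dst.startswith("svc:"):
                self.dst_hash.setdefault(p.dst, []).append(p)
            else:
                self.dst_tree.insert(p.dst, p)

    def _src_candidates(self, ip):
        hits = []
        app = self.app_by_ip.get(ip)  # table I: IP -> APP
        if app:
            hits += self.src_hash.get("app:" + app, [])
        svc = self.svc_by_ip.get(ip)  # table I: IP -> Service
        if svc:
            hits += self.src_hash.get("svc:" + svc, [])
        return hits + self.src_tree.lookup(ip)

    def _dst_candidates(self, ip):
        svc = self.svc_by_ip.get(ip)
        hits = self.dst_hash.get("svc:" + svc, []) if svc else []
        return hits + self.dst_tree.lookup(ip)

    def match(self, src_ip, dst_ip):
        """Policies matching both sides of the flow (the matching unit's step), in
        definition order: the intersection of the table II and table III hits."""
        both = set(self._src_candidates(src_ip)) & set(self._dst_candidates(dst_ip))
        return sorted(both, key=self.order.__getitem__)

    def decide(self, src_ip, dst_ip, default="deny"):
        """First matching policy wins; a flow no policy covers gets the default."""
        hits = self.match(src_ip, dst_ip)
        return hits[0].action if hits else default


# Constructed sample inventory and policies (not from the patent).
APP_BY_IP = {"10.0.1.10": "frontend", "10.0.2.20": "payments"}
SVC_BY_IP = {"10.96.0.50": "payments-svc", "10.96.0.60": "db-svc"}
POLICIES = [
    Policy("p1", "app:frontend", "svc:payments-svc", "allow"),
    Policy("p2", "app:payments", "svc:db-svc", "allow"),
    Policy("p3", "10.0.0.0/16", "svc:db-svc", "deny"),       # rest of the pod CIDR
    Policy("p4", "192.168.0.0/16", "10.96.0.0/12", "deny"),  # lab network to any ClusterIP
]
TABLES = MicroIsolationTables(APP_BY_IP, SVC_BY_IP, POLICIES)
```

Calling `TABLES.match("10.0.2.20", "10.96.0.60")` returns both `p2` and `p3`, because the payments pod is also inside the 10.0.0.0/16 prefix; with first-match precedence `decide()` returns the earlier, more specific allow, while `10.0.1.10` (the frontend) to the same Service only hits `p3` and is denied. The point of building the tables up front is that each flow costs two dict lookups and two trie walks rather than a scan of the whole policy list, which is what the claims' "fast lookup table" is for.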
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111565071.2A CN114301841B (en) 2021-12-20 2021-12-20 K8S-based micro-isolation strategy processing method and device

Publications (2)

Publication Number Publication Date
CN114301841A true CN114301841A (en) 2022-04-08
CN114301841B CN114301841B (en) 2024-02-06

Family

ID=80968078

Country Status (1)

Country Link
CN (1) CN114301841B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108092979A (en) * 2017-12-20 2018-05-29 国家电网公司 A kind of firewall policy processing method and processing device
US20180234459A1 (en) * 2017-01-23 2018-08-16 Lisun Joao Kung Automated Enforcement of Security Policies in Cloud and Hybrid Infrastructure Environments
CN109167795A (en) * 2018-09-27 2019-01-08 深信服科技股份有限公司 A kind of safety defense system and method
US20190372895A1 (en) * 2018-06-05 2019-12-05 Arista Networks, Inc. System and method of a data processing pipeline with policy based routing
CN110798341A (en) * 2019-10-12 2020-02-14 中盈优创资讯科技有限公司 Service opening method, device and system
US20200137125A1 (en) * 2018-10-26 2020-04-30 Valtix, Inc. Managing computer security services for cloud computing platforms
CN112671861A (en) * 2020-12-15 2021-04-16 交控科技股份有限公司 Method and device for improving security of micro-service system
CN113098727A (en) * 2019-12-23 2021-07-09 上海云盾信息技术有限公司 Data packet detection processing method and device
CN113141356A (en) * 2021-04-14 2021-07-20 国网山东省电力公司淄博供电公司 Micro-isolation device and method under cloud computing platform
US20210273910A1 (en) * 2020-03-02 2021-09-02 Cisco Technology, Inc. Systems and methods for implementing universal targets in network traffic classification
CN113342468A (en) * 2021-06-23 2021-09-03 山石网科通信技术股份有限公司 Container data processing method and device
CN113382019A (en) * 2021-06-30 2021-09-10 山石网科通信技术股份有限公司 Flow data processing method
CN113794690A (en) * 2021-08-20 2021-12-14 山石网科通信技术股份有限公司 Data processing method, data processing device, nonvolatile storage medium and processor
CN113791865A (en) * 2021-09-08 2021-12-14 山石网科通信技术股份有限公司 Container security processing method and device, storage medium and processor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
史长琼; 张理阳; 赵凯: "Optimization of the dynamic load-balancing strategy for hash tables", Journal of Changsha University of Science and Technology (Natural Science Edition), no. 01 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant