CN114979286A - Access control method, device and equipment for container service and computer storage medium - Google Patents

Publication number: CN114979286A (granted as CN114979286B)
Application number: CN202210509869.3A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 张庆
Assignees: Migu Cultural Technology Co Ltd; China Mobile Communications Group Co Ltd
Legal status: Granted, active
Prior art keywords: port, container, target, host, service

Classifications

    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues (under G06F9/48 Program initiating; Program switching)
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

A container service access control method, device, equipment and computer storage medium. The embodiment of the invention relates to the technical field of the Internet and discloses a port exposure method based on a container cluster, comprising the following steps: acquiring an access request sent to a target host port; determining a target container port corresponding to the target host port according to a port mapping relation, wherein the target container port is a port listened on by a target service instance, the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance for the target service instance; and forwarding the access request to the target container port. In this way, the embodiment of the invention exposes, outside the cluster, ports that are opened dynamically while the container cluster is running.

Description

Access control method, device and equipment for container service and computer storage medium
Technical Field
The embodiment of the invention relates to the technical field of Internet, in particular to a method, a device and equipment for controlling access of container service and a computer storage medium.
Background
In the prior art, when a container cluster manager such as Kubernetes is used to deploy a service, the container cluster may expose the port the service listens on to the outside of the cluster through a third-party component, so that it can be accessed by a client outside the cluster. At run time the business service must listen on the port declared at deployment time in order to receive external requests.
For a containerized service whose listening port can only be determined by negotiation with the client at run time, the existing deployment method cannot expose the dynamically negotiated port outside the container cluster: Kubernetes and similar container clusters do not take part in that negotiation, and the negotiated listening port changes dynamically.
Disclosure of Invention
In view of the foregoing problems, embodiments of the present invention provide an access control method for a container service, which is used to solve a problem in the prior art that a container port determined by negotiation in an operation process cannot be accessed outside a cluster.
According to an aspect of an embodiment of the present invention, there is provided an access control method for a container service, the method including:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
In an alternative approach, the dynamic port segments include a container dynamic port segment and a host dynamic port segment; the method further comprises the following steps:
determining a port of a container to be monitored according to a port monitoring request sent by the target service instance; the target container port is one of the container ports to be monitored;
when the port of the container to be monitored is determined to be matched with the dynamic port section of the container, determining an optional host port according to the dynamic port section of the host; the target host port is one of the selectable host ports;
and establishing a mapping relation between the optional host port and the port to be monitored.
In an optional manner, the method further comprises:
determining any idle host port in the host dynamic port segment as the optional host port.
In an optional manner, the method further comprises:
intercepting the kernel function to obtain the port of the container to be monitored when the calling request aiming at the kernel function in the linux system is determined to comprise the target network namespace identifier corresponding to the target service instance; and the kernel function is used for realizing the monitoring of the target service instance on the port of the container to be monitored.
In an optional manner, the method further comprises:
when the dynamic port section corresponding to the target service instance is determined not to be empty, acquiring the target network name space identifier of the target service instance;
sending the target network namespace identification to an interceptor; the interceptor is deployed in a kernel module of the linux system; the interceptor is used for intercepting the kernel function.
In an alternative, the container cluster includes a plurality of host nodes; a plurality of selectable service instances are deployed on one host node; the target service instance is one of the selectable service instances; the dynamic port segment comprises a host dynamic port segment; the method further comprises the following steps:
when the intersection of the host dynamic port sections corresponding to the multiple optional service instances on the same host node is determined, migrating and deploying the optional service instances to other host nodes.
In an optional manner, the method further comprises:
acquiring traffic statistical information of each host node and traffic scheduling rules and traffic prediction information of the selectable service instances;
and determining the host node where each service instance is deployed according to the traffic statistical information, the traffic scheduling rule and the traffic prediction information.
According to another aspect of the embodiments of the present invention, there is provided an access control apparatus for a container service, including:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
According to another aspect of the embodiments of the present invention, there is provided an access control apparatus for a container service, including:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
According to a further aspect of the embodiments of the present invention, there is provided a computer-readable storage medium having at least one executable instruction stored therein, the executable instruction causing an access control device of a container service to perform the following operations:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The embodiment of the invention obtains the access request sent to the port of the target host; determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is declared in advance for the target service instance; therefore, the mapping of the network rule between the container port dynamically monitored by the target instance in the running process and the external host port is realized, so that the access request outside the cluster is forwarded to the target container port newly monitored by the target service instance outside the cluster through the mapping, and the external exposure of the dynamic port in the service running process is realized.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating an access control method for a container service according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an access control method for a container service according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of an access control device of a container service according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating an access control device of a container service according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein.
Prior to the description of the embodiments of the present invention, the prior art will be described.
When deploying a business service with Kubernetes, it is often necessary to route external traffic to the business service. Existing Kubernetes supports ClusterIP, NodePort, LoadBalancer, Ingress and other third-party mechanisms for exposing a service in the cluster to clients outside it. Each mode suits different scenarios; what they have in common is that one or more network ports, declared at deployment time as the ports the business service will listen on, are exposed outside the cluster by Kubernetes through NAT or a third-party component. At run time the business service must listen on the port declared at deployment time in order to receive external requests.
However, Kubernetes only exposes ports according to the content of the deployment script during the service deployment phase. While the service is running, Kubernetes has no mechanism to sense a port exposure requirement, so if a need to expose a new port arises during operation, the prior-art Kubernetes port deployment method cannot satisfy it, and the service cannot be offered externally through the new port. The existing access control method for container services therefore has the problem that a dynamic container port negotiated between the service and a client at run time cannot be exposed outside the cluster, so the client cannot reach the negotiated container port from outside the cluster.
Fig. 1 is a flow chart illustrating an access control method for a container service provided by an embodiment of the present invention, the method being performed by a computer processing device. The computer processing device may include a cell phone, a notebook computer, etc. As shown in fig. 1, the method comprises the steps of:
step 10: and acquiring an access request sent to a target host port.
In an embodiment of the present invention, the target host port is a port on the host where the target service instance is deployed and is used by a visitor outside the cluster to access the container cluster. The container cluster may be Kubernetes; it is composed of a plurality of host nodes, and a plurality of containers are deployed on each host node. A target service instance generally corresponds to one container.
Step 20: determining a target container port corresponding to the target host port according to the port mapping relation; wherein, the target container port is a port monitored by a target service instance; the port mapping relation is determined according to the dynamic port section corresponding to the target service instance; the dynamic port segment is declared for the target service instance when deployed onto a host node.
In an embodiment of the present invention, in order to provide container service to a client outside the cluster, the target service instance must negotiate with the client to determine which container port will serve it. After the target service instance has negotiated successfully with the client requesting container service, it issues a call to a kernel function of the Linux network namespace, requesting to start listening on the negotiated target container port. The target container port is therefore obtained by intercepting that kernel function call.
Meanwhile, it is considered that a plurality of service instances are generally deployed on one host node, and each service instance may conflict with a container port negotiated by a client during the operation process. Therefore, when the target service instance is created, a dedicated host port segment and a dedicated container port segment are allocated to the target service instance for external mapping of the negotiated port in the subsequent process, so that external services among the service instances on one host cannot be influenced mutually. Specifically, when the target service instance is deployed on the host node, the host port segment and the container port segment that the target service instance needs to occupy may be declared, so as to be used for providing service usage to the outside in the subsequent service running process. The port mapping relationship is used for mapping a container port inside the cluster and a host port outside the cluster.
In one embodiment of the invention, the dynamic port segments include a container dynamic port segment and a host dynamic port segment. Wherein the container dynamic port section comprises a port number interval of a container port which can be used for providing service to the outside, and the host dynamic port section comprises a port number interval of a host port which can be used for being accessed from the outside of the cluster.
Before step 20, further comprising:
step 201: determining a container port to be listened on according to a port listen request sent by the target service instance; the target container port is one of the container ports to be listened on.
In an embodiment of the present invention, to listen on a container port, a kernel function of the network namespace in the Linux system must be called, with the container port to be listened on and the listener passed to the kernel function. That kernel function can therefore be watched: when it is detected that the target service instance calls the kernel function to listen on a new container port, the port parameter of the call is read, yielding the container port to be listened on.
In one embodiment of the present invention, step 201 further comprises:
step 2011: intercepting the kernel function to obtain a port of the container to be monitored when the calling request aiming at the kernel function in the linux system is determined to include a target network namespace identifier corresponding to the target service instance; and the kernel function is used for realizing the monitoring of the target service instance on the port of the container to be monitored.
In an embodiment of the present invention, in order to listen on a new port, the target service instance needs to call a kernel function, and the call request includes the container port to be listened on and the target network namespace identifier of the target service instance itself. The kernel function may be, for example, func, where port is the port field of the container port to be listened on, sent by the target service instance. In particular, interception of kernel functions can be implemented using tracing techniques in Linux.
Step 2011 further includes: step 210: and when the dynamic port section corresponding to the target service instance is determined not to be empty, acquiring the target network namespace identifier of the target service instance.
In an embodiment of the present invention, when the target service instance is created or deployed on the target host node, the dynamic port segment it needs to occupy may be declared. When the dynamic port segment corresponding to the target service instance is not empty, the target service instance has configured dynamic port segment information, so it is necessary to watch for the moment the target service instance starts listening on a new container port, obtain the newly listened-on container port, and expose it outside the cluster. The target network namespace identifier is what the Linux system uses to uniquely identify the target service instance.
Step 211: sending the target network namespace identification to an interceptor; the interceptor is deployed in a kernel module of the linux system; the interceptor is used for intercepting the kernel function.
In an embodiment of the present invention, an interceptor intercepts a call request initiated by a target network namespace identifier to a kernel function, and obtains a port parameter of a container to be monitored included in the call request.
In yet another embodiment of the present invention, a node-level pod-watch service may also be created and deployed in advance on each node of the Kubernetes cluster. The pod-watch service watches Kubernetes container scheduling events, checks whether a pod scheduled to the node matches the instance selector of a DynamicPortService, and, if it matches, collects the information of the pod scheduled to the node and sends it to the kernel module port-watch.
The DynamicPortService is a resource object customized in Kubernetes and stores the service name, instance selector, communication protocol, container dynamic port segment, host dynamic port segment, network traffic prediction (the unit may be megabytes per second) and network traffic scheduling rules (for example, most-idle first, or host traffic load below a certain threshold).
The instance selector is a set of tags (each tag contains a Key and a corresponding Value), and the service instance also carries a set of tags; the role of the instance selector is to find the service instances (those whose tag set matches) that the DynamicPortService is responsible for. If a service instance matches, the dynamic port segments of its DynamicPortService are acquired and compared with those of the DynamicPortServices already deployed, to determine whether they are duplicated.
In still another embodiment of the present invention, a port-watch service implemented as a Linux kernel module may be created on the basis of the pod-watch service and deployed in advance on each node of the Kubernetes cluster. The port-watch service receives and stores the service instance information sent by the pod-watch service, intercepts the kernel function calls through which the service end starts listening, and sets up a mapping relation for ports meeting a preset condition. The preset condition may be that the container port to be listened on lies within the container dynamic port segment.
Step 202: when the port of the container to be monitored is determined to be matched with the dynamic port section of the container, determining an optional host port according to the dynamic port section of the host; the target host port is one of the selectable host ports.
In one embodiment of the invention, when the container port to be listened on lies within the container dynamic port segment, the two are determined to match. The matched container port is then exposed externally without affecting the external service of other service instances: one free host port is selected from the host dynamic port segment as the optional host port.
In one embodiment of the present invention, step 202 further comprises:
step 2021: determining any idle host port in the host dynamic port segment as the optional host port.
Step 203: and establishing a mapping relation between the optional host port and the port to be monitored.
In an embodiment of the present invention, the mapping relationship is used to establish a route between the selectable host port and the port to be monitored, so that an extra-cluster access request received by the selectable host port can be forwarded to the corresponding port to be monitored according to the mapping relationship, thereby implementing access to a container service in the cluster.
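The following Go program is an added example, not code from the patent or from any project it names. It models the port-watch state on one host node as steps 210/211 and 201 to 203 describe it: an instance is registered only if it declares dynamic port segments, an intercepted listen call is honoured only when it comes from a registered network namespace identifier and names a port inside the declared container segment, a free host port is then taken from the host segment, and an incoming request on a host port is resolved through the mapping (steps 10/20/30). The namespace identifier, port segments and instance name are constructed values; the interception itself (which the patent leaves to Linux tracing) is represented by calling OnListen directly.

```go
package main

import (
	"errors"
	"fmt"
)

// PortRange is a closed interval [Lo, Hi]; the zero value means "not declared".
type PortRange struct{ Lo, Hi uint16 }

func (r PortRange) Empty() bool            { return r.Hi == 0 || r.Hi < r.Lo }
func (r PortRange) Contains(p uint16) bool { return !r.Empty() && p >= r.Lo && p <= r.Hi }

// ServiceInstance is what pod-watch hands to port-watch: the instance's network
// namespace identifier and the dynamic port segments declared at deployment time.
type ServiceInstance struct {
	Name      string
	NetnsID   uint64    // target network namespace identifier (constructed in main)
	Container PortRange // container dynamic port segment
	Host      PortRange // host dynamic port segment
}

// Mapping is one established host port -> container port rule (step 203).
type Mapping struct {
	HostPort, ContainerPort uint16
	Instance                string
}

var (
	ErrNoDynamicSegment = errors.New("instance declares no dynamic port segment")
	ErrUnknownNamespace = errors.New("listen from a namespace that is not registered")
	ErrOutsideSegment   = errors.New("container port outside the declared dynamic segment")
	ErrSegmentExhausted = errors.New("no free host port left in the host dynamic segment")
)

// PortWatch holds the per-node interceptor state: registered instances keyed by
// netns id (step 211) and the port mapping relation keyed by host port.
type PortWatch struct {
	instances map[uint64]ServiceInstance
	byHost    map[uint16]Mapping
}

func NewPortWatch() *PortWatch {
	return &PortWatch{instances: map[uint64]ServiceInstance{}, byHost: map[uint16]Mapping{}}
}

// Register is steps 210/211: only an instance whose dynamic port segments are
// non-empty is handed to the interceptor at all.
func (w *PortWatch) Register(inst ServiceInstance) error {
	if inst.Container.Empty() || inst.Host.Empty() {
		return ErrNoDynamicSegment
	}
	w.instances[inst.NetnsID] = inst
	return nil
}

// OnListen handles one intercepted listen call (steps 2011, 202, 2021, 203) and
// returns the host port now mapped to the container port. Listens from an
// unregistered namespace or outside the declared container segment are ignored,
// so an instance can never expose a port it did not declare in advance.
func (w *PortWatch) OnListen(netnsID uint64, containerPort uint16) (uint16, error) {
	inst, ok := w.instances[netnsID]
	if !ok {
		return 0, ErrUnknownNamespace
	}
	if !inst.Container.Contains(containerPort) {
		return 0, ErrOutsideSegment
	}
	// A repeated listen on an already-mapped port must not consume another host port.
	for hp, m := range w.byHost {
		if m.Instance == inst.Name && m.ContainerPort == containerPort {
			return hp, nil
		}
	}
	hp, err := w.freeHostPort(inst.Host)
	if err != nil {
		return 0, err
	}
	w.byHost[hp] = Mapping{HostPort: hp, ContainerPort: containerPort, Instance: inst.Name}
	return hp, nil
}

// freeHostPort picks the lowest idle host port in the segment (step 2021).
func (w *PortWatch) freeHostPort(seg PortRange) (uint16, error) {
	for p := int(seg.Lo); p <= int(seg.Hi); p++ { // int loop avoids uint16 wrap at 65535
		if _, used := w.byHost[uint16(p)]; !used {
			return uint16(p), nil
		}
	}
	return 0, ErrSegmentExhausted
}

// Resolve is the data path of steps 10/20/30: a request arriving on a host port is
// looked up in the mapping relation; unmapped host ports are not forwarded.
func (w *PortWatch) Resolve(hostPort uint16) (Mapping, bool) {
	m, ok := w.byHost[hostPort]
	return m, ok
}

func main() {
	w := NewPortWatch()
	// Constructed instance: netns id and segments are illustrative, not from the patent.
	inst := ServiceInstance{Name: "media-a", NetnsID: 4026531993,
		Container: PortRange{30000, 30009}, Host: PortRange{40000, 40009}}
	if err := w.Register(inst); err != nil {
		panic(err)
	}
	for _, p := range []uint16{30005, 30006, 8080} {
		hp, err := w.OnListen(inst.NetnsID, p)
		fmt.Printf("listen on %d -> host port %d, err=%v\n", p, hp, err)
	}
	if m, ok := w.Resolve(40000); ok {
		fmt.Printf("host port 40000 forwards to container port %d of %s\n", m.ContainerPort, m.Instance)
	}
}
```

The two rejections in OnListen are the part worth keeping in a real implementation: the container segment bounds what an instance may expose, and the netns check stops any other process on the node from triggering a mapping by listening on a port in someone else's segment.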
In one embodiment of the invention, a plurality of said host nodes are included in said container cluster; a plurality of selectable service instances are deployed on one host node; the target service instance is one of the selectable service instances; the dynamic port segment includes a host dynamic port segment.
Before step 20, further comprising: step 204: when it is determined that the host dynamic port sections corresponding to the multiple optional service instances on the same host node have an intersection, migrating and deploying the optional service instances to other host nodes.
In an embodiment of the present invention, in order to avoid external host port collision between different service instances on the same host, that is, an access request sent by a client cannot be sent to a corresponding host port, deployment of a service instance on multiple hosts may be scheduled.
Specifically, all nodes in the cluster can be traversed, for each node, the scheduler acquires all DynamicPortService information deployed on the node from the Kubernetes api server, compares the DynamicPortService information deployed by each node with a host dynamic port segment of a newly added DynamicPortService, checks whether an intersection exists, and if the intersection does not exist, the node is taken as a preselected node, otherwise, the next node is traversed. For a preselected node, acquiring network flow statistical information from an index library (such as Prometheus and the like), calculating whether the node meets the deployment requirement by combining flow estimation and flow scheduling rules of newly added dynamic PortService, if so, issuing deployment information for deploying the service corresponding to the dynamic PortService to the current node to a Kubernetes ApiServer, and finally executing service deployment by a Kubelet component of the current node, otherwise, traversing the next node.
In another embodiment of the invention, resource scheduling can be completed by extending the Kubernetes resource scheduler. The extended scheduler checks whether the communication protocol and host dynamic port segment of a newly added DynamicPortService intersect with those of the DynamicPortServices already deployed on a candidate host, and judges whether the idle network traffic of the host meets the requirement according to the host network traffic statistics, the service network traffic estimate and the traffic scheduling rule.
Before step 204, the method further comprises:
step 205: and acquiring the traffic statistical information of each host node and the traffic scheduling rule and the traffic pre-estimation information of the optional service instance.
In one embodiment of the invention, the traffic statistics comprise the total network traffic of each host node. The traffic scheduling rule characterizes how the host on which a service is deployed is chosen according to the traffic load of the hosts. The traffic scheduling rule may include at least one of: deploy to the most idle host first; when network traffic is below a certain threshold, prefer centralized deployment on the same host; and when network traffic is below a certain threshold, prefer distributed deployment across different hosts. The traffic prediction information includes the expected traffic of each optional service instance.
Step 206: and determining the host node where each service instance is deployed according to the traffic statistical information, the traffic scheduling rule and the traffic prediction information.
In an embodiment of the present invention, the traffic prediction information is first matched with the traffic statistic information to obtain the predicted load condition of each host node, and service scheduling is performed according to the predicted load condition and a traffic scheduling rule.
If the traffic scheduling rule is most-idle-first, the service instance currently to be deployed is deployed to the most idle host node.
If the traffic scheduling rule is to prefer centralized deployment when network traffic is below a certain threshold, the service instance currently to be deployed is deployed to the host where the previous service instance was deployed; if the traffic scheduling rule is to prefer distributed deployment across different hosts when network traffic is below a certain threshold, the service instance currently to be deployed is deployed to a host other than the one where the previous service instance was deployed.
Step 30: forwarding the access request to the target container port.
In yet another embodiment of the present invention, the process of performing access control of the container service may also be as shown in fig. 2.
As shown in fig. 2, step a, for each service that needs to enable dynamic port exposure, a Kubernetes resource object, dynamic port service, is created.
Wherein, the dynamic PortService mainly comprises the following information: service name, instance selector, communication protocol (which may be tcp, udp, etc.), container dynamic port segment, host dynamic port segment.
By declaring in kubernets the various information and rules of the business service, i.e. the requirements made by the user to kubernets, in subsequent steps the scheduler and other components need to perform as data interpretation of this resource object.
Step B: the extended Kubernetes scheduler performs the port conflict check.
In addition to its original scheduling function, the extended Kubernetes scheduler used in the embodiment of the present invention first performs a port duplication check, specifically as follows:
first, obtain the labels of the service instance and check whether they match the instance selector of some DynamicPortService; if so, check whether the (communication protocol, host dynamic port segment) pair of that DynamicPortService overlaps with those of the set of DynamicPortServices already deployed on the candidate cluster node; if there is no overlap, continue with the following steps, otherwise check the other nodes in the cluster.
Extending the Kubernetes scheduler in this way prevents several services with the same port segment from being deployed on the same node, where their ports would conflict with one another and break the externally provided service.
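As an added illustration of steps A and B (not code from the patent or from any implementation of it), the following Go program models the DynamicPortService fields the page lists and the scheduler's host port conflict check: it matches an instance's labels against each service's instance selector, then rejects every node on which a different service already uses the same protocol with an overlapping host dynamic port segment. The [Lo, Hi] segment encoding, the equality-based selector, the rule that replicas of one service share its segment, and all names and port numbers in SampleCluster are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// PortSegment is an inclusive port range. The page names "container dynamic
// port segment" and "host dynamic port segment" without fixing their encoding;
// a [Lo, Hi] pair is an assumption of this example.
type PortSegment struct{ Lo, Hi int }

// Overlaps reports whether two segments share at least one port.
func (s PortSegment) Overlaps(o PortSegment) bool { return s.Lo <= o.Hi && o.Lo <= s.Hi }

// DynamicPortService carries the fields the page lists for the resource:
// service name, instance selector, protocol, container segment, host segment.
type DynamicPortService struct {
	Name      string
	Selector  map[string]string // equality-based label selector (assumed)
	Protocol  string            // "tcp" or "udp"
	Container PortSegment
	Host      PortSegment
}

// Node is a cluster node together with the DynamicPortServices whose
// instances are already running on it.
type Node struct {
	Name     string
	Deployed []DynamicPortService
}

// MatchSelector is true when every selector key/value is present in labels.
func (d DynamicPortService) MatchSelector(labels map[string]string) bool {
	for k, v := range d.Selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// FindService returns the DynamicPortService whose selector matches the
// instance labels, or nil when the instance does not use dynamic ports.
func FindService(services []DynamicPortService, labels map[string]string) *DynamicPortService {
	for i := range services {
		if services[i].MatchSelector(labels) {
			return &services[i]
		}
	}
	return nil
}

// HostPortConflict is the step B check: placing svc on node conflicts when a
// different service already on the node uses the same protocol and an
// overlapping host dynamic port segment. Replicas of svc itself are skipped
// (assumption: they share the segment and are handed distinct idle ports).
func HostPortConflict(node Node, svc DynamicPortService) bool {
	for _, d := range node.Deployed {
		if d.Name == svc.Name {
			continue
		}
		if d.Protocol == svc.Protocol && d.Host.Overlaps(svc.Host) {
			return true
		}
	}
	return false
}

// FeasibleNodes lists, sorted, the nodes where svc can be placed without a
// host port conflict; the traffic rules of step C choose among these.
func FeasibleNodes(nodes []Node, svc DynamicPortService) []string {
	var out []string
	for _, n := range nodes {
		if !HostPortConflict(n, svc) {
			out = append(out, n.Name)
		}
	}
	sort.Strings(out)
	return out
}

// SampleCluster returns constructed sample data: three services and three
// nodes. Names, labels and port numbers are invented for the example.
func SampleCluster() ([]DynamicPortService, []Node) {
	services := []DynamicPortService{
		{Name: "media-a", Selector: map[string]string{"app": "media-a"}, Protocol: "udp",
			Container: PortSegment{30000, 30099}, Host: PortSegment{40000, 40099}},
		{Name: "media-b", Selector: map[string]string{"app": "media-b"}, Protocol: "udp",
			Container: PortSegment{30000, 30099}, Host: PortSegment{40050, 40149}},
		{Name: "api-c", Selector: map[string]string{"app": "api-c"}, Protocol: "tcp",
			Container: PortSegment{30000, 30099}, Host: PortSegment{40000, 40099}},
	}
	nodes := []Node{
		{Name: "node-1", Deployed: []DynamicPortService{services[0]}}, // udp 40000-40099 in use
		{Name: "node-2", Deployed: []DynamicPortService{services[2]}}, // tcp only: no clash with udp
		{Name: "node-3"},                                               // empty node
	}
	return services, nodes
}

func main() {
	services, nodes := SampleCluster()
	svc := FindService(services, map[string]string{"app": "media-b", "tier": "edge"})
	if svc == nil {
		fmt.Println("instance does not use dynamic ports")
		return
	}
	fmt.Println(svc.Name, "can be placed on", FeasibleNodes(nodes, *svc))
}
```

The check is keyed on protocol plus host segment only: two services whose container segments coincide but whose host segments are disjoint do not conflict, because container ports live in separate network namespaces. In the sample, node-2 accepts media-b even though api-c uses an identical host range, since api-c is TCP. In a real scheduler this belongs in a filter stage so that the traffic rule of step C only ever sees conflict-free nodes.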
Step C: the extended Kubernetes scheduler obtains the host traffic statistics and decides, according to the service's network traffic estimate and the network traffic scheduling rules, whether the instance can be deployed on the current host.
The network traffic scheduling rules include, but are not limited to, the following: most idle first; consolidation onto the same host when the network traffic is below a threshold; and spreading across different hosts (likewise conditioned on the traffic threshold). The scheduler selects the host that best satisfies the traffic scheduling rule and deploys the new service there.
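The rule selection of step C, and of step 206 above, can be made concrete with the following Go example, added here and not taken from the patent. It folds the traffic prediction into each host's measured traffic to obtain the predicted load, drops any host whose link would be saturated, and then applies one of the three rules: most idle first, consolidation onto the previous instance's host while the prediction stays below the threshold, or spreading away from that host. The units (Mbit/s), the fallback to the most idle host when the preferred host is unusable, the spread rule being applied without a threshold test, and the node names and figures in SampleNodes are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is one of the network traffic scheduling rules named on the page.
type Rule int

const (
	MostIdleFirst             Rule = iota // node with the most spare bandwidth after placement
	ConsolidateBelowThreshold             // below the threshold, reuse the previous instance's node
	SpreadAcrossHosts                     // avoid the previous instance's node
)

// NodeTraffic is one host's traffic statistics. Units (Mbit/s) are an
// assumption; the page only says "host traffic statistics".
type NodeTraffic struct {
	Name     string
	Capacity float64 // link capacity
	Current  float64 // measured traffic
}

// Request describes the instance to place.
type Request struct {
	Predicted float64  // traffic prediction for the new instance
	Rule      Rule
	Threshold float64  // threshold used by the consolidate rule
	PrevNode  string   // node that received the previous instance ("" if none)
	Feasible  []string // nodes that passed the port conflict check of step B
}

// predictedLoad is the node's load once the new instance is added.
func predictedLoad(n NodeTraffic, req Request) float64 { return n.Current + req.Predicted }

// mostIdle returns the candidate with the largest spare capacity after placement.
func mostIdle(cs []NodeTraffic, req Request) string {
	best := cs[0]
	for _, c := range cs[1:] {
		if c.Capacity-predictedLoad(c, req) > best.Capacity-predictedLoad(best, req) {
			best = c
		}
	}
	return best.Name
}

// Choose applies the rule to the feasible nodes. A node whose predicted load
// would exceed its capacity is never chosen, whatever the rule says.
func Choose(nodes []NodeTraffic, req Request) (string, error) {
	feasible := map[string]bool{}
	for _, n := range req.Feasible {
		feasible[n] = true
	}
	var cands []NodeTraffic
	for _, n := range nodes {
		if feasible[n.Name] && predictedLoad(n, req) <= n.Capacity {
			cands = append(cands, n)
		}
	}
	if len(cands) == 0 {
		return "", errors.New("no node satisfies the port and traffic constraints")
	}
	switch req.Rule {
	case ConsolidateBelowThreshold:
		if req.Predicted < req.Threshold {
			for _, c := range cands {
				if c.Name == req.PrevNode {
					return c.Name, nil
				}
			}
		}
		// prediction at or above the threshold, or previous node unusable
		return mostIdle(cands, req), nil
	case SpreadAcrossHosts:
		var others []NodeTraffic
		for _, c := range cands {
			if c.Name != req.PrevNode {
				others = append(others, c)
			}
		}
		if len(others) > 0 {
			return mostIdle(others, req), nil
		}
		return mostIdle(cands, req), nil
	default:
		return mostIdle(cands, req), nil
	}
}

// SampleNodes is constructed traffic data for three nodes (invented figures).
func SampleNodes() []NodeTraffic {
	return []NodeTraffic{
		{Name: "node-1", Capacity: 1000, Current: 600},
		{Name: "node-2", Capacity: 1000, Current: 200},
		{Name: "node-3", Capacity: 1000, Current: 900},
	}
}

func main() {
	nodes := SampleNodes()
	base := Request{Predicted: 50, Threshold: 100, PrevNode: "node-1",
		Feasible: []string{"node-1", "node-2", "node-3"}}
	for _, r := range []Rule{MostIdleFirst, ConsolidateBelowThreshold, SpreadAcrossHosts} {
		req := base
		req.Rule = r
		n, err := Choose(nodes, req)
		fmt.Println("rule", r, "->", n, err)
	}
}
```

The capacity guard runs before any rule, so a consolidate rule can never pile instances onto a host until its link saturates, and a spread rule that finds only the previous node usable degrades to consolidation rather than failing; an empty candidate set is returned as an error for the caller to surface as an unschedulable pod.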
Step D: after scheduling is complete, the new service instance is started on the scheduled node.
The pod-watch service on that node watches container scheduling events from the Kubernetes ApiServer. If a service instance is scheduled to this node and a dynamic port segment is set for it, pod-watch waits for the instance to be created, obtains the instance's network namespace identifier, and sends the network namespace identifier, communication protocol, container dynamic port segment and host dynamic port segment to the kernel module port-watch on the current node.
pod-watch is the bridge between the Kubernetes ApiServer and the kernel module port-watch: it collects and passes on the port segments, the network namespace identifier and the related information.
Step E: generate NAT rules between the container port and the host port through the kernel module port-watch, so that the container port can be reached through the host port of the cluster node on which the instance is deployed.
First, the kernel module port-watch receives and stores the network namespace identifier, communication protocol, container dynamic port segment and host dynamic port segment, and installs an interceptor on the kernel function that the service's network namespace calls when a port is opened for listening.
Then, when the service instance starts listening on a port, the kernel module port-watch obtains the communication protocol and port being listened on and checks whether they fall within the dynamic port segment. If they do, port-watch calculates the host port corresponding to the container port and generates a NAT rule between the container port and that host port, so that the container port can be reached through the host port of the cluster node and is thereby exposed outside the cluster.
Optionally, when the service instance stops, is deleted, or is migrated to another node, pod-watch observes the change and passes the network namespace identifier of the stopped container to the kernel module port-watch; port-watch then stops the interceptor for that service network namespace, clears the NAT rules related to the service, and deletes the stored records of the service's dynamic port segment. Through the process shown in fig. 2, a container port newly listened on while the service is running is detected, and that port is exposed outside the cluster.
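Steps D and E together with the cleanup path describe a small piece of state kept by port-watch. The following Go program is an added, user-space model of that state; it is not the patent's kernel module and performs no kernel interception: the OnListen call stands in for the intercepted listen inside the service's network namespace. Register receives what pod-watch sends; OnListen checks the listened-on protocol and port against the declared container segment, allocates a host port (the same offset when free, otherwise any idle port of the host segment, as claim 3 allows), records the mapping and renders a DNAT rule; Lookup performs the host-port-to-container-port determination of claim 1; Unregister frees the host ports and returns the rules to delete. The opaque namespace identifier, the pod IP as DNAT target, the iptables rule layout and every address and port number are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// PortSegment is an inclusive port range (assumed encoding of the page's "dynamic port segment").
type PortSegment struct{ Lo, Hi int }

func (s PortSegment) Contains(p int) bool { return p >= s.Lo && p <= s.Hi }

// Registration is what pod-watch hands to port-watch for one instance.
type Registration struct {
	NetNS     string // network namespace identifier (assumed opaque string)
	PodIP     string // DNAT target address (assumption)
	Protocol  string // "tcp" or "udp"
	Container PortSegment
	Host      PortSegment
}

// Mapping is one established container-port to host-port rule.
type Mapping struct {
	NetNS, PodIP, Protocol  string
	ContainerPort, HostPort int
}

// DNATRule renders the mapping as an iptables nat rule; the page says only "NAT rule",
// so the chain and flag layout are an assumption.
func (m Mapping) DNATRule() string {
	return fmt.Sprintf("iptables -t nat -A PREROUTING -p %s --dport %d -j DNAT --to-destination %s:%d",
		m.Protocol, m.HostPort, m.PodIP, m.ContainerPort)
}

// PortWatch is a user-space model of the kernel module's state.
type PortWatch struct {
	regs   map[string]Registration // per namespace, as sent by pod-watch
	maps   map[string][]Mapping    // live mappings per namespace
	byHost map[string]Mapping      // keyed by "proto/hostPort"; presence marks the port as in use
}

func NewPortWatch() *PortWatch {
	return &PortWatch{regs: map[string]Registration{}, maps: map[string][]Mapping{}, byHost: map[string]Mapping{}}
}

func key(proto string, port int) string { return fmt.Sprintf("%s/%d", proto, port) }

// Register stores the segments sent by pod-watch (the kernel module would also arm its interceptor here).
func (w *PortWatch) Register(r Registration) { w.regs[r.NetNS] = r }

// allocHostPort prefers the host port at the same offset as the container port and
// otherwise takes any idle port of the host segment (claim 3).
func (w *PortWatch) allocHostPort(r Registration, cport int) (int, bool) {
	if p := r.Host.Lo + (cport - r.Container.Lo); r.Host.Contains(p) {
		if _, taken := w.byHost[key(r.Protocol, p)]; !taken {
			return p, true
		}
	}
	for p := r.Host.Lo; p <= r.Host.Hi; p++ {
		if _, taken := w.byHost[key(r.Protocol, p)]; !taken {
			return p, true
		}
	}
	return 0, false
}

// OnListen stands in for the intercepted listen: the instance in netns began listening
// on proto/port. A port outside the declared segment is ignored (ok=false, nil error);
// an exhausted host segment is an error.
func (w *PortWatch) OnListen(netns, proto string, port int) (Mapping, bool, error) {
	r, found := w.regs[netns]
	if !found || r.Protocol != proto || !r.Container.Contains(port) {
		return Mapping{}, false, nil
	}
	hp, ok := w.allocHostPort(r, port)
	if !ok {
		return Mapping{}, false, errors.New("host dynamic port segment exhausted for " + netns)
	}
	m := Mapping{NetNS: netns, PodIP: r.PodIP, Protocol: proto, ContainerPort: port, HostPort: hp}
	w.byHost[key(proto, hp)] = m
	w.maps[netns] = append(w.maps[netns], m)
	return m, true, nil
}

// Lookup resolves an incoming host port to its container port (the determining step of claim 1).
func (w *PortWatch) Lookup(proto string, hostPort int) (Mapping, bool) {
	m, ok := w.byHost[key(proto, hostPort)]
	return m, ok
}

// Unregister handles stop, delete and migrate: drop the registration, free the host
// ports and return the mappings whose NAT rules must be removed.
func (w *PortWatch) Unregister(netns string) []Mapping {
	removed := w.maps[netns]
	for _, m := range removed {
		delete(w.byHost, key(m.Protocol, m.HostPort))
	}
	delete(w.maps, netns)
	delete(w.regs, netns)
	return removed
}

func main() {
	w := NewPortWatch() // constructed sample instance
	w.Register(Registration{NetNS: "ns-a", PodIP: "10.244.1.5", Protocol: "udp",
		Container: PortSegment{30000, 30009}, Host: PortSegment{40000, 40009}})
	if m, ok, err := w.OnListen("ns-a", "udp", 30003); ok && err == nil {
		fmt.Println(m.DNATRule())
	}
}
```

Two properties of this model matter for safety. A listen outside the declared container segment, or on the wrong protocol, is never exposed, so a compromised container cannot widen its own attack surface beyond what its DynamicPortService granted. Unregistering an instance frees its host ports and hands back the exact rules to delete, so a later pod on the node cannot inherit a stale DNAT rule that still points at a recycled pod IP.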
The embodiment of the invention acquires an access request sent to a target host port; determines, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined from the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance for the target service instance; and forwards the access request to the target container port. A network rule mapping is thus established between a container port that the target instance dynamically listens on at run time and an external host port, so that an access request from outside the cluster is forwarded through this mapping to the container port newly listened on by the target service instance, exposing dynamically opened ports outside the cluster while the service runs.
Fig. 3 is a schematic structural diagram of an access control apparatus for a container service according to an embodiment of the present invention. As shown in fig. 3, the apparatus 40 comprises an acquiring module 401, a determining module 402 and a forwarding module 403.
The acquiring module 401 is configured to acquire an access request sent to a target host port;
the determining module 402 is configured to determine, according to a port mapping relationship, the target container port corresponding to the target host port; wherein the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance;
the forwarding module 403 is configured to forward the access request to the target container port.
The operations performed by the access control apparatus for a container service provided by the embodiment of the present invention are substantially the same as those of the foregoing method embodiment and are not described again.
The access control apparatus for a container service provided by the embodiment of the invention thereby establishes a network rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, so that an access request from outside the cluster is forwarded through the mapping to the container port newly listened on by the target service instance, exposing dynamically opened ports outside the cluster while the service runs.
Fig. 4 is a schematic structural diagram of an access control device for a container service according to an embodiment of the present invention; the specific embodiment of the present invention does not limit how the access control device for the container service is implemented.
As shown in fig. 4, the access control device for the container service may comprise a processor 502, a communication interface 504, a memory 506 and a communication bus 508.
The processor 502, the communication interface 504 and the memory 506 communicate with one another via the communication bus 508. The communication interface 504 is used for communicating with network elements of other devices, such as clients or other servers. The processor 502 is configured to execute the program 510 and may in particular perform the relevant steps of the access control method embodiment for a container service described above.
In particular, the program 510 may include program code comprising computer-executable instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The access control device for the container service comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 506 is used for storing the program 510. The memory 506 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
Specifically, the program 510 may be invoked by the processor 502 to cause the access control device for the container service to perform the following operations:
acquiring an access request sent to a target host port;
determining, according to a port mapping relationship, the target container port corresponding to the target host port; wherein the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The operations performed by the access control device for the container service provided in the embodiment of the present invention are substantially the same as those of the foregoing method embodiment and are not described again.
The access control device for the container service provided by the embodiment of the invention thereby establishes a network rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, so that an access request from outside the cluster is forwarded through the mapping to the container port newly listened on by the target service instance, exposing dynamically opened ports outside the cluster while the service runs.
An embodiment of the present invention provides a computer-readable storage medium storing at least one executable instruction which, when run on an access control device for a container service, causes the access control device to execute the access control method for a container service of any method embodiment described above.
The executable instruction may specifically be configured to cause the access control device for the container service to perform the following operations:
acquiring an access request sent to a target host port;
determining, according to a port mapping relationship, the target container port corresponding to the target host port; wherein the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The operations performed by the instructions stored in the computer storage medium provided by the embodiment of the present invention are substantially the same as those of the foregoing method embodiment and are not described again.
The instructions stored in the computer storage medium provided by the embodiment of the invention, when executed, acquire an access request sent to a target host port, determine the corresponding target container port from the port mapping relationship derived from the pre-declared dynamic port segment, and forward the request there. A network rule mapping is thereby established between a container port that the target instance dynamically listens on at run time and an external host port, so that an access request from outside the cluster is forwarded through the mapping to the container port newly listened on by the target service instance, exposing dynamically opened ports outside the cluster while the service runs.
The embodiment of the invention provides an access control device of a container service, which is used for executing the access control method of the container service.
Embodiments of the present invention provide a computer program, where the computer program can be called by a processor to enable an access control device of a container service to execute an access control method of the container service in any method embodiment described above.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions that, when run on a computer, cause the computer to perform the method for access control of a container service in any of the above-described method embodiments.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A method for access control of a container service, the method comprising:
acquiring an access request sent to a target host port;
determining, according to a port mapping relationship, a target container port corresponding to the target host port; wherein the target container port is a port listened on by a target service instance; the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance; and the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
2. The method of claim 1, wherein the dynamic port segment comprises a container dynamic port segment and a host dynamic port segment; and before determining the target container port corresponding to the target host port according to the port mapping relationship, the method comprises:
determining a container port to be listened on according to a port listening request sent by the target service instance; the target container port being one of the container ports to be listened on;
when the container port to be listened on is determined to fall within the container dynamic port segment, determining a selectable host port according to the host dynamic port segment; the target host port being one of the selectable host ports;
establishing a mapping relationship between the selectable host port and the container port to be listened on.
3. The method of claim 2, wherein determining a selectable host port according to the host dynamic port segment when the container port to be listened on is determined to fall within the container dynamic port segment comprises:
determining any idle host port in the host dynamic port segment as the selectable host port.
4. The method of claim 2, wherein determining a container port to be listened on according to the port listening request sent by the target service instance comprises:
when a call to a kernel function of the Linux system is determined to carry the target network namespace identifier corresponding to the target service instance, intercepting the kernel function to obtain the container port to be listened on; the kernel function being the one through which the target service instance listens on the container port to be listened on.
5. The method according to claim 4, wherein intercepting the kernel function to obtain the container port to be listened on comprises:
when the dynamic port segment corresponding to the target service instance is determined not to be empty, acquiring the target network namespace identifier of the target service instance;
sending the target network namespace identifier to an interceptor; the interceptor being deployed in a kernel module of the Linux system and used to intercept the kernel function.
6. The method of claim 1, wherein the container cluster comprises a plurality of host nodes; a plurality of selectable service instances are deployed on one host node; the target service instance is one of the selectable service instances; the dynamic port segment comprises a host dynamic port segment; and before determining the target container port corresponding to the target host port according to the port mapping relationship, the method comprises:
when the host dynamic port segments corresponding to a plurality of the selectable service instances on the same host node are determined to intersect, migrating the selectable service instance to another host node.
7. The method of claim 6, wherein, before migrating the selectable service instance to another host node, the method comprises:
acquiring the traffic statistics of each host node, and the traffic scheduling rule and traffic prediction information of the selectable service instances;
determining the host node on which each service instance is deployed according to the traffic statistics, the traffic scheduling rule and the traffic prediction information.
8. An access control apparatus for a container service, the apparatus comprising:
an acquiring module, configured to acquire an access request sent to a target host port;
a determining module, configured to determine, according to a port mapping relationship, a target container port corresponding to the target host port; wherein the target container port is a port listened on by a target service instance; the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance; and the dynamic port segment is pre-declared for the target service instance;
a forwarding module, configured to forward the access request to the target container port.
9. An access control device for a container service, characterized by comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the access control method for a container service according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein at least one executable instruction which, when run on an access control device for a container service, causes the access control device for the container service to perform the operations of the access control method for a container service according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210509869.3A CN114979286B (en) 2022-05-11 2022-05-11 Access control method, device, equipment and computer storage medium for container service

Publications (2)

Publication Number Publication Date
CN114979286A true CN114979286A (en) 2022-08-30
CN114979286B CN114979286B (en) 2023-09-19

Family

ID=82981638

Country Status (1)

Country Link
CN (1) CN114979286B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116074309A (en) * 2023-03-06 2023-05-05 深圳前海环融联易信息科技服务有限公司 Access method of operating system in cross-platform container and related equipment
WO2024119993A1 (en) * 2022-12-09 2024-06-13 华为云计算技术有限公司 Access control system, method and computing device cluster

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060045098A1 (en) * 2004-08-31 2006-03-02 Krause Michael R System for port mapping in a network
CN108377671A (en) * 2016-11-28 2018-08-07 华为技术有限公司 Handle the method and computer equipment of message
US20190050272A1 (en) * 2017-08-14 2019-02-14 International Business Machines Corporation Container based service management
US20190199687A1 (en) * 2017-12-22 2019-06-27 International Business Machines Corporation Dynamically opening ports for trusted application processes hosted in containers
CN110225146A (en) * 2019-05-20 2019-09-10 浙江华创视讯科技有限公司 Intranet and extranet mapping method, device, electronic equipment, medium and video conferencing system
CN111447300A (en) * 2020-03-26 2020-07-24 深信服科技股份有限公司 Target port determination method, device, equipment and readable storage medium
CN111726399A (en) * 2020-06-08 2020-09-29 中国工商银行股份有限公司 Docker container secure access method and device
CN113596159A (en) * 2021-07-30 2021-11-02 北京南凯自动化系统工程有限公司 Cluster communication method and device based on k8s cloud container platform
CN113961312A (en) * 2021-10-28 2022-01-21 北京金山云网络技术有限公司 Target service deployment method and device and electronic equipment
WO2022033121A1 (en) * 2020-08-14 2022-02-17 苏州浪潮智能科技有限公司 Method and system for resource exposure in kubernetes, and device and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
彭宇栋 (Peng Yudong): "Kubernetes之service" (Kubernetes: Service), https://blogs.csdn.net/qq_49530779/article/details/122164671 *

Also Published As

Publication number Publication date
CN114979286B (en) 2023-09-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant