CN114979286B - Access control method, device, equipment and computer storage medium for container service - Google Patents


Info

Publication number
CN114979286B
Authority
CN
China
Prior art keywords
port
container
target
host
service instance
Prior art date
Legal status
Active
Application number
CN202210509869.3A
Other languages
Chinese (zh)
Other versions
CN114979286A (en)
Inventor
张庆
Current Assignee
Migu Cultural Technology Co Ltd
China Mobile Communications Group Co Ltd
Original Assignee
Migu Cultural Technology Co Ltd
China Mobile Communications Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Migu Cultural Technology Co Ltd, China Mobile Communications Group Co Ltd
Priority to CN202210509869.3A
Publication of CN114979286A
Application granted
Publication of CN114979286B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

A method, apparatus, device and computer storage medium for controlling access to container services. The embodiment of the invention relates to the technical field of the Internet and discloses a port exposure method based on a container cluster, comprising the following steps: acquiring an access request sent to a target host port; determining the target container port corresponding to the target host port according to a port mapping relation, where the target container port is a port listened on by the target service instance, the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forwarding the access request to the target container port. In this way, the embodiment of the invention exposes outside the cluster a port that the container cluster opens dynamically at run time.

Description

Access control method, device, equipment and computer storage medium for container service
Technical Field
The embodiment of the invention relates to the technical field of the Internet, in particular to a method, a device, equipment and a computer storage medium for controlling access to container services.
Background
In the prior art, when a container cluster manager such as Kubernetes is used to deploy a service, the container cluster can expose the port on which the service listens to the outside of the cluster through a third-party component, so that clients outside the cluster can access it. What these approaches have in common is that the one or several network ports the service will listen on must be declared when the service is deployed, and the cluster exposes them outside the cluster through NAT or the third-party component. At run time the business service must listen on the ports declared at deployment in order to receive external requests.
For a containerized service whose listening port can only be determined at run time by negotiation with the client, a container cluster such as Kubernetes cannot take part in the negotiation, and the negotiated listening port changes dynamically. The existing deployment method therefore cannot expose a dynamically negotiated port outside the container cluster.
Disclosure of Invention
In view of the above problems, an embodiment of the present invention provides an access control method for a container service, which solves the problem in the prior art that a container port determined by negotiation at run time cannot be accessed from outside the cluster.
According to an aspect of an embodiment of the present invention, there is provided an access control method for a container service, the method including:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to a port mapping relation; the target container port is a port listened on by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
In an alternative manner, the dynamic port segment includes a container dynamic port segment and a host dynamic port segment; the method further comprises the steps of:
determining a container port to be listened on according to a port listening request sent by the target service instance; the target container port is one of the container ports to be listened on;
when the container port to be listened on falls within the container dynamic port segment, determining a selectable host port according to the host dynamic port segment; the target host port is one of the selectable host ports;
and establishing a mapping relation between the selectable host port and the container port to be listened on.
In an alternative, the method further comprises:
and determining any idle host port in the host dynamic port segment as the selectable host port.
In an alternative, the method further comprises:
when a call to the kernel function of the Linux system is determined to carry the target network namespace identifier corresponding to the target service instance, intercepting the kernel function call to obtain the container port to be listened on; the kernel function is the one by which the target service instance starts listening on the container port.
In an alternative, the method further comprises:
when the dynamic port segment corresponding to the target service instance is determined not to be empty, acquiring the target network namespace identifier of the target service instance;
transmitting the target network namespace identifier to an interceptor; the interceptor is deployed in a kernel module of the Linux system and is used to intercept the kernel function.
In an alternative manner, the container cluster includes a plurality of host nodes; a plurality of selectable service instances are deployed on one host node; the target service instance is one of the selectable service instances; the dynamic port segment comprises a host dynamic port segment; the method further comprises the steps of:
and when it is determined that the host dynamic port segments corresponding to the plurality of selectable service instances on the same host node intersect, migrating the selectable service instances to other host nodes.
In an alternative, the method further comprises:
acquiring traffic statistics of each host node, and the traffic scheduling rules and traffic forecast information of the selectable service instances;
and determining the host node on which each service instance is deployed according to the traffic statistics, the traffic scheduling rules and the traffic forecast information.
According to another aspect of the embodiment of the present invention, there is provided an access control apparatus for a container service, including:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to a port mapping relation; the target container port is a port listened on by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
According to yet another aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored therein at least one executable instruction for causing an access control device of a container service to:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to a port mapping relation; the target container port is a port listened on by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The embodiment of the invention acquires an access request sent to a target host port; determines the target container port corresponding to the target host port according to the port mapping relation, where the target container port is a port listened on by the target service instance, the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forwards the request. In this way the method and system map network rules between the container port that the target instance dynamically listens on at run time and an externally reachable host port, and use that mapping to forward access requests from outside the cluster to the container port newly listened on by the target service instance, so that a port opened dynamically while the service is running is exposed externally.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention, which may be implemented according to the content of the specification. So that the technical means of the embodiments can be understood more clearly, specific embodiments of the present invention are given below.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
Fig. 1 is a flow diagram of a method for controlling access to a container service according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for controlling access to a container service according to yet another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an access control device for container services according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an access control device for container services according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein.
Prior art will be described before proceeding with the description of the embodiments of the present invention.
When using Kubernetes to deploy a business service, it is often necessary to route external traffic to the business service. Existing Kubernetes supports ClusterIP, NodePort, LoadBalancer, Ingress and other third-party controllers to expose services in the cluster for clients outside the cluster to access. Each approach suits different scenarios, and they have in common that the one or several network ports the service declares at deployment as its listening ports are exposed outside the cluster by Kubernetes through NAT or third-party components. At run time the business service must listen on the ports declared at deployment in order to receive external requests.
Kubernetes only exposes ports externally on the basis of the deployment script at the service deployment stage. While the service is running, Kubernetes has no mechanism to sense a port exposure requirement, so if a need to expose a new port arises during operation, the prior-art Kubernetes port deployment method cannot satisfy it, and the service cannot be provided externally through the new port. The existing access control method for container services therefore has the problem that a dynamic container port negotiated between the service and the client at run time cannot be exposed outside the cluster, so the client cannot reach the negotiated container port from outside the cluster.
Fig. 1 shows a flowchart of a method for controlling access to a container service according to an embodiment of the present invention, which is performed by a computer processing device. The computer processing device may include a cell phone, a notebook computer, etc. As shown in Fig. 1, the method comprises the following steps:
step 10: an access request sent to a target host port is obtained.
In one embodiment of the present invention, the target host port is a port on the host on which the target service instance is deployed, and is used by a visitor to access the container cluster from outside. The container cluster may be Kubernetes; it is composed of a plurality of host nodes, and a plurality of containers are deployed on each host node. A target service instance generally corresponds to one container.
Step 20: determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port listened on by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is declared for the target service instance when it is deployed onto a host node.
In one embodiment of the present invention, in order to provide a container service to a client outside the cluster, the target service instance negotiates with the client to determine through which container port the service will be provided. Once the negotiation with the client requesting the container service succeeds, the target service instance issues a call to the kernel function of its Linux network namespace, requesting to start listening on the negotiated target container port. The target container port can be obtained by intercepting that kernel function call.
At the same time, multiple service instances are typically deployed on a host node, and the container port each instance negotiates with its client at run time may conflict with another instance's. Therefore, when the target service instance is created, a dedicated host port segment and a container port segment are allocated to it for externally mapping the ports obtained by later negotiation, so that the external services of the service instances on one host do not affect each other. Specifically, when the target service instance is deployed on the host node, the host port segment and container port segment it needs to occupy can be declared, for use in providing service externally later at run time. The port mapping relation maps container ports inside the cluster to host ports reachable from outside the cluster.
In one embodiment of the invention, the dynamic port segment comprises a container dynamic port segment and a host dynamic port segment. The container dynamic port segment is the interval of container port numbers that may be used to provide service externally, and the host dynamic port segment is the interval of host port numbers that may be accessed from outside the cluster.
The method further comprises the following steps before step 20:
Step 201: determining a container port to be listened on according to a port listening request sent by the target service instance; the target container port is one of the container ports to be listened on.
In one embodiment of the invention, to listen on a container port, the kernel function of the network namespace in the Linux system must be called, with the container port to be listened on and the listener passed to it. That kernel function can therefore be monitored: when the target service instance calls it to listen on a new container port, the port parameter of the call is read, yielding the container port to be listened on.
In one embodiment of the present invention, step 201 further comprises:
Step 2011: when a call to the kernel function of the Linux system is determined to carry the target network namespace identifier corresponding to the target service instance, intercepting the kernel function call to obtain the container port to be listened on; the kernel function is the one by which the target service instance starts listening on the container port.
In one embodiment of the present invention, to start listening on the new port, the target service instance must call a kernel function, and the call carries the container port to be listened on and the target network namespace identifier of the target service instance itself. The kernel function may, for example, take the form func(port, ...), with the port and the namespace identifier as parameters, where port is the container port field to be listened on, as sent by the target service instance. Specifically, the kernel function can be intercepted using the tracing facilities of Linux.
Step 2011 further comprises step 210: when the dynamic port segment corresponding to the target service instance is not empty, acquiring the target network namespace identifier of the target service instance.
In one embodiment of the present invention, when a target service instance is created or deployed on a target host node, the dynamic port segment it needs to occupy may be declared. A non-empty dynamic port segment indicates that the target service instance has dynamic port segment information configured, so the moment at which it starts listening on a new container port must be watched and the newly listened-on container port obtained, so that it can be exposed outside the cluster. The target network namespace identifier is what the Linux system uses to uniquely identify the target service instance.
Step 211: transmitting the target network namespace identifier to an interceptor; the interceptor is deployed in a kernel module of the Linux system and is used to intercept the kernel function.
In one embodiment of the invention, the interceptor uses the target network namespace identifier to intercept the call to the kernel function initiated by the target service instance, and obtains the container port parameter carried in the call.
In yet another embodiment of the present invention, a node watcher (pod-watch) service may also be created and deployed in advance on each node of the Kubernetes cluster. The pod-watch service watches Kubernetes container scheduling events, checks whether a pod scheduled to the node matches the instance selector of a DynamicPortService, and if so collects the information and sends it to the kernel module port-watch.
DynamicPortService is a custom resource object in Kubernetes used to store the business service name, instance selector, communication protocol, container dynamic port segment, host dynamic port segment, network traffic forecast (the unit may be megas/s) and network traffic scheduling rule (most-idle-first, host traffic load below a certain threshold, and so on).
The instance selector is a set of labels (each label is a name and a corresponding value, i.e. Key: Value), and a service instance also carries a set of labels; the role of the instance selector is to find the service instances (those with the same label set) that the DynamicPortService is responsible for. If one matches, the service instance is handled by the current DynamicPortService, whose dynamic port segment is then obtained and compared with the DynamicPortService being deployed to confirm whether the service instance is duplicated.
In yet another embodiment of the present invention, a port watcher (port-watch) service implemented as a Linux kernel module can be created on top of the pod-watch service and deployed in advance on each node of the Kubernetes cluster. The port-watch service receives and stores the service instance information sent by the pod-watch service, intercepts the kernel function call that creates a listening server, and sets up a mapping relation for ports meeting a preset condition. The preset condition may be that the container port to be listened on lies within the container dynamic port segment.
Step 202: when the container port to be listened on falls within the container dynamic port segment, determining a selectable host port according to the host dynamic port segment; the target host port is one of the selectable host ports.
In one embodiment of the invention, when the container port to be listened on is determined to lie within the container dynamic port segment, the two are deemed to match. A matching container port can be exposed externally without affecting the external services of other service instances. An idle host port may then be selected from the host dynamic port segment as the selectable host port.
In one embodiment of the present invention, step 202 further comprises:
Step 2021: determining any idle host port in the host dynamic port segment as the selectable host port.
Step 203: establishing a mapping relation between the selectable host port and the container port to be listened on.
In one embodiment of the invention, the mapping relation establishes a route between the selectable host port and the container port to be listened on, so that an external access request received on the selectable host port can be forwarded according to the mapping relation to the corresponding container port, giving access to the container service inside the cluster.
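Steps 210 through 203 above describe one mechanism end to end: pod-watch registers an instance's network namespace identifier and declared segments with the interceptor, the interceptor filters listen calls by namespace, and a container port inside the container dynamic port segment is mapped to an idle host port taken from the host dynamic port segment, which the forwarding step later looks up. The Go program below is an added illustration of that logic, not code from the patent or its assignees. It models the mapping table in user space and assumes a string network namespace identifier, an inclusive port-segment representation, and type and function names of its own (PortMapper, OnListen, Resolve); the kernel-side interception through Linux tracing is outside it, so listen events are fed in as constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// PortSegment is an inclusive range of port numbers, the assumed shape of a
// container dynamic port segment or host dynamic port segment.
type PortSegment struct {
	Lo, Hi uint16
}

// Contains reports whether p lies inside the segment.
func (s PortSegment) Contains(p uint16) bool { return p >= s.Lo && p <= s.Hi }

// InstanceSpec is what pod-watch hands to the interceptor for one service
// instance: its network namespace identifier plus the declared segments.
type InstanceSpec struct {
	NetNS        string // target network namespace identifier (constructed string here)
	Proto        string // "tcp" or "udp"
	ContainerSeg PortSegment
	HostSeg      PortSegment
}

// ListenEvent is what the interceptor observes on a listen call: the calling
// network namespace and the container port being listened on.
type ListenEvent struct {
	NetNS string
	Port  uint16
}

type hostKey struct {
	proto    string
	hostPort uint16
}

type containerKey struct {
	netns         string
	containerPort uint16
}

// PortMapper keeps the registered instances and the established mappings.
type PortMapper struct {
	instances map[string]InstanceSpec  // keyed by network namespace identifier
	byHost    map[hostKey]containerKey // forwarding table: host port -> container port
	byCont    map[containerKey]uint16  // reverse table, so a repeated listen is idempotent
}

func NewPortMapper() *PortMapper {
	return &PortMapper{
		instances: make(map[string]InstanceSpec),
		byHost:    make(map[hostKey]containerKey),
		byCont:    make(map[containerKey]uint16),
	}
}

var (
	ErrUnknownNamespace = errors.New("listen from a namespace with no dynamic port segment")
	ErrOutsideSegment   = errors.New("container port outside the declared container dynamic port segment")
	ErrNoFreeHostPort   = errors.New("host dynamic port segment exhausted")
)

// Register corresponds to steps 210/211: only instances whose dynamic port
// segment is non-empty are handed to the interceptor.
func (m *PortMapper) Register(spec InstanceSpec) bool {
	if spec.ContainerSeg.Hi < spec.ContainerSeg.Lo || spec.HostSeg.Hi < spec.HostSeg.Lo {
		return false // empty segment: the instance is not watched
	}
	m.instances[spec.NetNS] = spec
	return true
}

// OnListen corresponds to steps 2011, 202, 2021 and 203: filter the intercepted
// call by namespace, check the port against the container segment, pick an
// idle host port from the host segment and record the mapping.
func (m *PortMapper) OnListen(ev ListenEvent) (uint16, error) {
	spec, ok := m.instances[ev.NetNS]
	if !ok {
		return 0, ErrUnknownNamespace
	}
	if !spec.ContainerSeg.Contains(ev.Port) {
		return 0, ErrOutsideSegment // an ordinary listen; never exposed
	}
	ck := containerKey{ev.NetNS, ev.Port}
	if hp, done := m.byCont[ck]; done {
		return hp, nil // already mapped: re-listening must not consume a second host port
	}
	for hp := spec.HostSeg.Lo; ; hp++ {
		hk := hostKey{spec.Proto, hp}
		if _, used := m.byHost[hk]; !used {
			m.byHost[hk] = ck
			m.byCont[ck] = hp
			return hp, nil
		}
		if hp == spec.HostSeg.Hi {
			break // tested before the increment, so a segment ending at 65535 cannot wrap
		}
	}
	return 0, ErrNoFreeHostPort
}

// Resolve corresponds to steps 10 to 30: where a request on a host port goes.
func (m *PortMapper) Resolve(proto string, hostPort uint16) (string, uint16, bool) {
	ck, ok := m.byHost[hostKey{proto, hostPort}]
	return ck.netns, ck.containerPort, ok
}

func main() {
	m := NewPortMapper()
	// Constructed sample: a 10-port container segment but only a 2-port host segment.
	m.Register(InstanceSpec{NetNS: "netns-a", Proto: "tcp",
		ContainerSeg: PortSegment{30000, 30009}, HostSeg: PortSegment{40000, 40001}})
	for _, ev := range []ListenEvent{{"netns-a", 30005}, {"netns-a", 8080},
		{"netns-b", 30001}, {"netns-a", 30006}, {"netns-a", 30007}} {
		hp, err := m.OnListen(ev)
		fmt.Printf("listen %s:%d -> host port %d, err=%v\n", ev.NetNS, ev.Port, hp, err)
	}
	ns, cp, ok := m.Resolve("tcp", 40001)
	fmt.Println("forward host 40001 ->", ns, cp, ok)
}
```

Two properties of this table matter for the security of the scheme: a listen on a port outside the declared container segment, or from a namespace that was never registered, is never mapped, so an instance cannot get an arbitrary listener exposed; and exhaustion of the host segment is reported rather than silently reusing a port that another mapping already owns.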
In one embodiment of the invention, the container cluster includes a plurality of host nodes; a plurality of selectable service instances are deployed on one host node; the target service instance is one of the selectable service instances; the dynamic port segment includes a host dynamic port segment.
The method further comprises the following step before step 20. Step 204: when it is determined that the host dynamic port segments corresponding to the plurality of selectable service instances on the same host node intersect, migrating the selectable service instances to other host nodes.
In one embodiment of the present invention, the deployment of service instances across multiple hosts may be scheduled to avoid external host port conflicts between different service instances on the same host, i.e. the situation where an access request sent by a client cannot be delivered to the corresponding host port.
Specifically, all nodes in the cluster may be traversed. For each node, the scheduler obtains from the Kubernetes ApiServer all the DynamicPortService information deployed on it, compares each deployed DynamicPortService with the host dynamic port segment of the newly added DynamicPortService, and checks for an intersection; if there is none the node is taken as a preselected node, otherwise the next node is tried. For a preselected node, network traffic statistics are obtained from a metrics store (such as Prometheus), and whether the node meets the deployment requirement is calculated by combining the traffic forecast and traffic scheduling rule of the newly added DynamicPortService. If so, deployment information for deploying the service corresponding to the DynamicPortService to the current node is published to the Kubernetes ApiServer, and the Kubelet component of that node finally performs the deployment; otherwise the next node is tried.
In yet another embodiment of the present invention, the resource scheduling may be accomplished by extending the Kubernetes resource scheduler. The extended scheduler checks whether the communication protocol and host dynamic port segment of the newly added DynamicPortService intersect those of the DynamicPortServices already deployed on the candidate host, and judges whether the idle network traffic of the host meets the requirement according to the host's network traffic statistics, the service's network traffic forecast and the traffic scheduling rules.
Also included before step 204 is:
Step 205: acquiring traffic statistics of each host node, and the traffic scheduling rules and traffic forecast information of the selectable service instances.
In one embodiment of the invention, the traffic statistics include the total network traffic of the host node. The traffic scheduling rules characterize how the hosts on which services are deployed are chosen according to the hosts' traffic load. The traffic scheduling rules may include at least one of: most-idle-first deployment; preferential concentration onto the same host when network traffic is below a certain threshold; and preferential dispersion across different hosts when network traffic is below a certain threshold. The traffic forecast information includes the estimated traffic of each selectable service instance.
Step 206: determining the host node on which each service instance is deployed according to the traffic statistics, the traffic scheduling rules and the traffic forecast information.
In one embodiment of the present invention, the traffic forecast information is first combined with the traffic statistics to obtain the estimated load of each host node, and service scheduling is then performed on the estimated load according to the traffic scheduling rules.
If the traffic scheduling rule is most-idle-first deployment, the service instance currently to be deployed is placed on the most idle host node.
When the traffic scheduling rule is concentration below a threshold and the network traffic is below that threshold, the service instance currently to be deployed is placed on the host that received the most recently completed deployment; when the rule is dispersion below a threshold and the network traffic is below that threshold, the service instance currently to be deployed is placed preferentially on a host different from the one that received the most recently completed deployment, so that instances are spread across hosts.
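Steps 204 through 206 together form the extended scheduler's decision: reject nodes on which an already deployed DynamicPortService shares the protocol and an intersecting host dynamic port segment, then choose among the remaining nodes by the traffic scheduling rule. The Go program below is an added example, not the patent's or Kubernetes' code. The field names, the Capacity figure, the "host of the previous deployment" parameter and the numeric sample cluster are assumptions; the reading of the two threshold rules (concentrate onto the previous host, or spread away from it, while traffic stays below the threshold) follows step 206, with most-idle-first as the fallback when a rule finds no host.

```go
package main

import (
	"fmt"
	"sort"
)

// PortSegment is an inclusive port range (assumed representation).
type PortSegment struct{ Lo, Hi uint16 }

// Intersects reports whether two inclusive ranges share at least one port.
func (a PortSegment) Intersects(b PortSegment) bool { return a.Lo <= b.Hi && b.Lo <= a.Hi }

// Rule is the network traffic scheduling rule of a DynamicPortService.
type Rule int

const (
	MostIdleFirst             Rule = iota // deploy to the least loaded host
	ConcentrateBelowThreshold             // prefer the previous deployment's host while below the threshold
	SpreadBelowThreshold                  // prefer a different host while below the threshold
)

// DynamicPortService holds the fields of the custom resource that the
// scheduler needs (field names are assumptions, not the patent's).
type DynamicPortService struct {
	Name     string
	Proto    string
	HostSeg  PortSegment
	Forecast float64 // traffic forecast, in the same unit as the node statistics
	Rule     Rule
}

// Node is a host node with its deployed services and its traffic statistic
// (as it would be read from a metrics store such as Prometheus).
type Node struct {
	Name     string
	Deployed []DynamicPortService
	Traffic  float64 // current total network traffic
	Capacity float64 // assumed: traffic the host can carry
}

// HasPortConflict is the preselection check of step 204 (step B): a node is
// rejected if any deployed service uses the same protocol and a host dynamic
// port segment that intersects the new one.
func HasPortConflict(n Node, svc DynamicPortService) bool {
	for _, d := range n.Deployed {
		if d.Proto == svc.Proto && d.HostSeg.Intersects(svc.HostSeg) {
			return true
		}
	}
	return false
}

// Schedule implements steps 205/206 (step C): keep conflict-free nodes that
// can absorb the forecast traffic, then apply the scheduling rule. lastNode is
// the host that received the previous deployment; threshold is the rule's
// traffic threshold. The second result is false when no node qualifies.
func Schedule(nodes []Node, svc DynamicPortService, threshold float64, lastNode string) (string, bool) {
	var cands []Node
	for _, n := range nodes {
		if HasPortConflict(n, svc) || n.Traffic+svc.Forecast > n.Capacity {
			continue
		}
		cands = append(cands, n)
	}
	if len(cands) == 0 {
		return "", false
	}
	// Most idle first; stable so equal loads keep the cluster's node order.
	sort.SliceStable(cands, func(i, j int) bool { return cands[i].Traffic < cands[j].Traffic })
	switch svc.Rule {
	case ConcentrateBelowThreshold:
		for _, c := range cands {
			if c.Name == lastNode && c.Traffic < threshold {
				return c.Name, true
			}
		}
	case SpreadBelowThreshold:
		for _, c := range cands {
			if c.Name != lastNode && c.Traffic < threshold {
				return c.Name, true
			}
		}
	}
	return cands[0].Name, true // MostIdleFirst, or fallback when the rule finds no host
}

func main() {
	// Constructed sample cluster: n1 already serves tcp 40000-40099, n3 serves udp on the same range.
	nodes := []Node{
		{Name: "n1", Traffic: 50, Capacity: 100, Deployed: []DynamicPortService{{Name: "a", Proto: "tcp", HostSeg: PortSegment{40000, 40099}}}},
		{Name: "n2", Traffic: 20, Capacity: 100},
		{Name: "n3", Traffic: 10, Capacity: 100, Deployed: []DynamicPortService{{Name: "b", Proto: "udp", HostSeg: PortSegment{40000, 40099}}}},
	}
	svc := DynamicPortService{Name: "new", Proto: "tcp", HostSeg: PortSegment{40050, 40150}, Forecast: 30, Rule: MostIdleFirst}
	name, ok := Schedule(nodes, svc, 40, "n2")
	fmt.Println("deploy to:", name, ok)
}
```

Note that the conflict check is keyed on protocol as well as port range: a UDP segment on a node does not block a TCP service with the same numbers, which matches the page's description of comparing both the communication protocol and the host dynamic port segment.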
Step 30: forwarding the access request to the target container port.
In yet another embodiment of the present invention, the process of access control for container services may also be as shown in FIG. 2.
As shown in fig. 2, step a, a Kubernetes resource object dynamicinservice is created for each service requiring dynamic port exposure to be enabled.
The dynamicPortService mainly comprises the following information: service name, instance selector, communication protocol (which may be tcp, udp, etc.), container dynamic port segment, host dynamic port segment.
By declaring various information and rules of business services in Kubernetes, i.e., user requirements made of Kubernetes, the scheduler and other components in subsequent steps need to execute in accordance with the data interpretation of this resource object.
Step B: port conflict checking is performed by an extended Kubernetes scheduler.
The embodiment of the invention uses a Kubernetes scheduler with extended functions which, in addition to its original scheduling function, first performs a port-repeat check, specifically as follows:
first, the labels of the service instance are acquired and checked against the instance selector of each dynamicPortService to find a match; if one matches, the scheduler checks whether the communication protocol and host dynamic port segment of that dynamicPortService overlap with those of all dynamicPortService services already deployed on a given node of the cluster; if they do not overlap, the following steps continue on that node, otherwise the other nodes in the cluster are checked.
By extending the Kubernetes scheduler in this way, the method avoids deploying several services with the same port segment to the same node, which would make their ports conflict with each other and affect the provision of external service.
Step C: the extended Kubernetes scheduler acquires the host traffic statistics and judges, according to the service network traffic estimate and the network traffic scheduling rules, whether the service instance can be deployed on the current host.
Network traffic scheduling rules include, but are not limited to, the following: most-idle-first deployment; preferentially concentrating deployment on the same host when the network traffic is below a certain threshold; and preferentially dispersing deployment across different hosts when the network traffic is above that threshold. The scheduler selects the host that best satisfies the traffic scheduling rule to deploy the new service.
Step D: after scheduling is completed, a new service instance is started on the scheduled node.
The pod-watch service on the node monitors container scheduling events from the Kubernetes ApiServer; if a service instance is scheduled to this node and a dynamic port segment is set for it, pod-watch waits for the instance to be created, acquires the identifier of the instance's network namespace, and sends the network namespace identifier, the communication protocol, the container dynamic port segment and the host dynamic port segment to the kernel module port-watch of the current node.
The pod-watch is thus the bridge between the Kubernetes ApiServer and the kernel module port-watch, acquiring and passing on the port segments, network namespace identifier and related information.
Step E: NAT rules are generated between the container ports and the host ports by the kernel module port-watch, so that the service can be accessed through the host port of the cluster node on which it is deployed.
First, the kernel module port-watch receives and stores the network namespace identifier, communication protocol, container dynamic port segment and host dynamic port segment, and installs an interceptor on the kernel function calls made from the service's network namespace.
Then, when the service instance starts listening on a port, the kernel module port-watch obtains the protocol and port being listened on and judges whether the port falls within the dynamic port range; if so, it calculates the host port corresponding to that container port and generates a NAT rule between the container port and the host port, so that the service can be accessed through the host port of the cluster node on which it is deployed and is thereby exposed outside the cluster.
Optionally, when a service instance is stopped, deleted or migrated to another node, pod-watch observes the change and passes the network namespace identifier of the stopped container to the kernel module port-watch, which stops the interceptor for that service network namespace, clears the NAT rules related to the service, and deletes the stored records related to the service's dynamic port segment. Through the process shown in fig. 2, a container port newly listened on during service operation is detected, and that newly listened port is then exposed outside the cluster.
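The Step B port-repeat check and the Step E port mapping above, written out as an added Go example that is not code from the patent or its authors. The resource fields, the lowest-idle-port allocation and the iptables rendering of the NAT rule are assumptions made here; the page only states that a corresponding host port is calculated and a NAT rule generated.

```go
package main

import "fmt"

// PortSegment is an inclusive port range [Start, End] such as the container
// and host dynamic port segments declared in a dynamicPortService.
type PortSegment struct {
	Start, End int
}

// Contains reports whether port p lies inside the segment.
func (s PortSegment) Contains(p int) bool { return p >= s.Start && p <= s.End }

// Overlaps reports whether two segments share at least one port.
func (s PortSegment) Overlaps(o PortSegment) bool { return s.Start <= o.End && o.Start <= s.End }

// DynamicPortService mirrors the fields the page lists for the resource object
// (field names are assumptions made for this example).
type DynamicPortService struct {
	Name      string
	Selector  map[string]string // instance label selector
	Protocol  string            // "tcp" or "udp"
	Container PortSegment       // container dynamic port segment
	Host      PortSegment       // host dynamic port segment
}

// Matches is the selector check of Step B: every selector label must be
// present on the service instance with the same value.
func (d DynamicPortService) Matches(instanceLabels map[string]string) bool {
	for k, v := range d.Selector {
		if instanceLabels[k] != v {
			return false
		}
	}
	return true
}

// ConflictsOnNode is the port-repeat check of Step B: the candidate may not be
// scheduled onto a node where an already-deployed dynamicPortService uses the
// same protocol and an overlapping host dynamic port segment.
func ConflictsOnNode(candidate DynamicPortService, deployedOnNode []DynamicPortService) bool {
	for _, d := range deployedOnNode {
		if d.Protocol == candidate.Protocol && d.Host.Overlaps(candidate.Host) {
			return true
		}
	}
	return false
}

// PortMapper models the per-node state port-watch keeps: which host ports of
// the dynamic segment are already taken and by which network namespace.
type PortMapper struct {
	used map[int]string // host port -> owning network namespace identifier
}

func NewPortMapper() *PortMapper { return &PortMapper{used: map[int]string{}} }

// MapListenedPort is the Step E decision taken when an instance in namespace
// nsID starts listening on containerPort: ports outside the container dynamic
// segment are ignored, otherwise the lowest idle host port of the host segment
// is chosen (an idle host port, as in claim 3). ok is false when no mapping is created.
func (m *PortMapper) MapListenedPort(d DynamicPortService, nsID string, containerPort int) (hostPort int, ok bool) {
	if !d.Container.Contains(containerPort) {
		return 0, false
	}
	for p := d.Host.Start; p <= d.Host.End; p++ {
		if _, taken := m.used[p]; !taken {
			m.used[p] = nsID
			return p, true
		}
	}
	return 0, false // host dynamic segment exhausted
}

// Release is the optional cleanup step: when the instance stops or migrates,
// every host port owned by its namespace is freed. Returns how many were freed.
func (m *PortMapper) Release(nsID string) int {
	freed := 0
	for p, owner := range m.used {
		if owner == nsID {
			delete(m.used, p)
			freed++
		}
	}
	return freed
}

// NATRule renders the DNAT rule that corresponds to one mapping. This iptables
// form is an illustrative rendering; the page does not show the kernel
// module's actual rule format.
func NATRule(d DynamicPortService, podIP string, containerPort, hostPort int) string {
	return fmt.Sprintf("iptables -t nat -A PREROUTING -p %s --dport %d -j DNAT --to-destination %s:%d",
		d.Protocol, hostPort, podIP, containerPort)
}

func main() {
	// Constructed sample resource and pod IP for illustration only.
	svc := DynamicPortService{Name: "game", Selector: map[string]string{"app": "game"},
		Protocol: "tcp", Container: PortSegment{30000, 30009}, Host: PortSegment{40000, 40009}}
	m := NewPortMapper()
	if hp, ok := m.MapListenedPort(svc, "netns-1", 30003); ok {
		fmt.Println(NATRule(svc, "10.244.1.7", 30003, hp))
	}
}
```

A listen on a port outside the container dynamic segment produces no mapping, and releasing a namespace returns its host ports to the pool for the next instance scheduled to the node.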
The embodiment of the invention acquires an access request sent to a target host port; determines, according to the port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forwards the access request to the target container port. This establishes a network-rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, and forwards an access request from outside the cluster through that mapping to the newly listened container port of the target service instance, thereby exposing dynamic ports outside the cluster while the service is running.
Fig. 3 is a schematic structural diagram of an access control device for container services according to an embodiment of the present invention. As shown in fig. 3, the apparatus 40 includes: an acquisition module 401, a determination module 402 and a forwarding module 403.
The acquiring module 401 is configured to acquire an access request sent to a target host port;
a determining module 402, configured to determine a target container port corresponding to the target host port according to a port mapping relationship; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
a forwarding module 403, configured to forward the access request to the target container port.
The operating process of the access control device for container services provided by the embodiment of the present invention is substantially identical to the foregoing method embodiment and will not be described in detail.
The access control device for container services provided by the embodiment of the invention acquires an access request sent to a target host port; determines, according to the port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forwards the access request to the target container port. This establishes a network-rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, and forwards an access request from outside the cluster through that mapping to the newly listened container port of the target service instance, thereby exposing dynamic ports outside the cluster while the service is running.
Fig. 4 is a schematic structural diagram of an access control device for a container service according to an embodiment of the present invention, and the specific embodiment of the present invention is not limited to the specific implementation of the access control device for a container service.
As shown in fig. 4, the access control device of the container service may include: a processor 502, a communication interface (Communications Interface) 504, a memory 506, and a communication bus 508.
Wherein: processor 502, communication interface 504, and memory 506 communicate with each other via communication bus 508. A communication interface 504 for communicating with network elements of other devices, such as clients or other servers. The processor 502 is configured to execute the program 510, and may specifically perform relevant steps in the above-described embodiment of the access control method for container services.
In particular, program 510 may include program code comprising computer-executable instructions.
The processor 502 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention. The access control device of the container service may comprise one or more processors, which may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
A memory 506 for storing a program 510. Memory 506 may comprise high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may be specifically invoked by the processor 502 to cause an access control device of a container service to:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The operating process of the access control device for container services provided by the embodiment of the present invention is substantially identical to the foregoing method embodiment and will not be described in detail.
The access control equipment for container services provided by the embodiment of the invention acquires an access request sent to a target host port; determines, according to the port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forwards the access request to the target container port. This establishes a network-rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, and forwards an access request from outside the cluster through that mapping to the newly listened container port of the target service instance, thereby exposing dynamic ports outside the cluster while the service is running.
An embodiment of the present invention provides a computer readable storage medium storing at least one executable instruction that, when executed on an access control device of a container service, causes the access control device of the container service to execute an access control method of the container service in any of the foregoing method embodiments.
The executable instructions may in particular cause an access control device of a container service to:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
The operating process of executing the instructions stored in the computer storage medium provided by the embodiment of the present invention is substantially identical to the foregoing method embodiment and will not be described in detail.
The instructions stored in the computer storage medium provided by the embodiment of the invention acquire an access request sent to a target host port; determine, according to the port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is pre-declared for the target service instance; and forward the access request to the target container port. This establishes a network-rule mapping between a container port that the target instance dynamically listens on at run time and an external host port, and forwards an access request from outside the cluster through that mapping to the newly listened container port of the target service instance, thereby exposing dynamic ports outside the cluster while the service is running.
The embodiment of the invention provides an access control device for container service, which is used for executing the access control method for the container service.
An embodiment of the present invention provides a computer program that can be invoked by a processor to cause an access control device of a container service to execute an access control method of the container service in any of the above-described method embodiments.
An embodiment of the present invention provides a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when run on a computer, cause the computer to perform the method of access control of a container service in any of the method embodiments described above.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such a system is apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided to disclose the enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.

Claims (10)

1. A method of access control for a container service, the method comprising:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
2. The method of claim 1, wherein the dynamic port segment comprises a container dynamic port segment and a host dynamic port segment; before determining the target container port corresponding to the target host port according to the port mapping relation, the method comprises the following steps:
determining a port of a container to be monitored according to a port monitoring request sent by the target service instance; the target container port is one of the container ports to be monitored;
when the container port to be monitored is matched with the container dynamic port segment, determining an optional host port according to the host dynamic port segment; the target host port is one of the selectable host ports;
and establishing a mapping relation between the selectable host port and the port to be monitored.
3. The method of claim 2, wherein when determining that the to-be-listened container port matches the container dynamic port segment, determining an optional host port from the host dynamic port segment comprises:
and determining any idle host port in the host dynamic port section as the selectable host port.
4. The method according to claim 2, wherein the determining a port of the container to be listened to according to the port listening request sent by the target service instance comprises:
when the call request for the kernel function in the linux system is determined to comprise the target network name space identifier corresponding to the target service instance, intercepting the kernel function to obtain the port of the container to be monitored; the kernel function is used for realizing the monitoring of the target service instance on the port of the container to be monitored.
5. The method of claim 4, wherein intercepting the kernel function to obtain the container port to be listened to comprises:
when the dynamic port segment corresponding to the target service instance is determined not to be empty, acquiring the target network name space identifier of the target service instance;
transmitting the target network namespace identification to an interceptor; the interceptor is deployed in a kernel module of the linux system; the interceptor is used for intercepting the kernel function.
6. The method of claim 1, wherein the container cluster includes a plurality of the host nodes therein; one of the host nodes has a plurality of selectable service instances deployed thereon; the target service instance is one of the selectable service instances; the dynamic port segment comprises a host dynamic port segment; before determining the target container port corresponding to the target host port according to the port mapping relation, the method comprises the following steps:
and when determining that the intersection exists among the host dynamic port segments corresponding to the plurality of selectable service instances on the same host node, migrating and deploying the selectable service instances to other host nodes.
7. The method of claim 6, comprising, prior to said deploying the alternative service instance migration to other host nodes:
acquiring flow statistical information of each host node, and flow scheduling rules and flow estimated information of the selectable service instance;
and determining the host node where each service instance is deployed according to the flow statistic information, the flow scheduling rule and the flow estimation information.
8. An access control device for a container service, the device comprising:
the acquisition module is used for acquiring an access request sent to the target host port;
the determining module is used for determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
and the forwarding module is used for forwarding the access request to the target container port.
9. An access control device for a container service, comprising: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the access control method for container services according to any one of claims 1-7.
10. A computer readable storage medium, characterized in that at least one executable instruction is stored in the storage medium, which executable instruction, when run on an access control device of a container service, causes the access control device of the container service to perform the operations of the access control method of the container service according to any of claims 1-7.
CN202210509869.3A 2022-05-11 2022-05-11 Access control method, device, equipment and computer storage medium for container service Active CN114979286B (en)


Publications (2)

Publication Number Publication Date
CN114979286A CN114979286A (en) 2022-08-30
CN114979286B true CN114979286B (en) 2023-09-19



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant