CN114979286B - Access control method, device, equipment and computer storage medium for container service - Google Patents


Info

Publication number
CN114979286B
Authority
CN
China
Prior art keywords
port
container
target
host
service instance
Prior art date
Legal status
Active
Application number
CN202210509869.3A
Other languages
Chinese (zh)
Other versions
CN114979286A (en)
Inventor
张庆
Current Assignee
China Mobile Communications Group Co Ltd
MIGU Culture Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
MIGU Culture Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, MIGU Culture Technology Co Ltd
Priority to CN202210509869.3A
Publication of CN114979286A
Application granted
Publication of CN114979286B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Access control method, device, equipment and computer storage medium for container services. The embodiments of the present invention relate to the field of Internet technology and disclose a port exposure method based on a container cluster. The method includes: obtaining an access request sent to a target host port; determining, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance; and forwarding the access request to the target container port. In this way, the embodiments of the present invention expose, outside the cluster, ports that are opened dynamically while the container cluster is running.

Description

Access control method, device, equipment and computer storage medium for container services

Technical field

The embodiments of the present invention relate to the field of Internet technology, and specifically to an access control method, device, equipment and computer storage medium for container services.

Background

In the prior art, when a container cluster manager such as Kubernetes is used to deploy business services, the container cluster can expose the ports that a business service listens on to the outside of the cluster through third-party components, so that clients outside the cluster can access them. What these approaches have in common is that the business service must declare, at deployment time, the one or more network ports it listens on, and the container cluster then exposes them outside the cluster through NAT or a third-party component. At run time the business service must listen on the ports declared at deployment in order to receive external requests.

For containerized services whose listening port can only be determined by negotiating with the client at run time, container clusters such as Kubernetes cannot take part in that negotiation, and the negotiated listening port changes dynamically. Existing deployment methods therefore cannot expose a dynamically negotiated port outside the container cluster.

Summary of the invention

In view of the above problems, the embodiments of the present invention provide an access control method for container services, to solve the problem in the prior art that a container port determined by negotiation at run time cannot be accessed from outside the cluster.

According to one aspect of the embodiments of the present invention, an access control method for container services is provided. The method includes:

obtaining an access request sent to a target host port;

determining, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance;

forwarding the access request to the target container port.

In an optional manner, the dynamic port segment includes a container dynamic port segment and a host dynamic port segment, and the method further includes:

determining a container port to be listened on according to a port listening request sent by the target service instance, the target container port being one of the container ports to be listened on;

when it is determined that the container port to be listened on matches the container dynamic port segment, determining a candidate host port according to the host dynamic port segment, the target host port being one of the candidate host ports;

establishing a mapping relationship between the candidate host port and the port to be listened on.

In an optional manner, the method further includes:

determining any idle host port in the host dynamic port segment as the candidate host port.

In an optional manner, the method further includes:

when it is determined that a call request to a kernel function of the Linux system includes the target network namespace identifier corresponding to the target service instance, intercepting the kernel function to obtain the container port to be listened on, where the kernel function is the one through which the target service instance listens on that container port.

In an optional manner, the method further includes:

when it is determined that the dynamic port segment corresponding to the target service instance is not empty, obtaining the target network namespace identifier of the target service instance;

sending the target network namespace identifier to an interceptor, where the interceptor is deployed in a kernel module of the Linux system and is used to intercept the kernel function.

In an optional manner, the container cluster includes multiple host nodes; multiple candidate service instances are deployed on one host node; the target service instance is one of the candidate service instances; the dynamic port segment includes a host dynamic port segment; and the method further includes:

when it is determined that the host dynamic port segments corresponding to multiple candidate service instances on the same host node intersect, migrating the candidate service instance to another host node.

In an optional manner, the method further includes:

obtaining traffic statistics for each host node, together with the traffic scheduling rules and traffic estimate of the candidate service instance;

determining, according to the traffic statistics, traffic scheduling rules and traffic estimate, the host node on which each service instance is deployed.

According to another aspect of the embodiments of the present invention, an access control device for container services is provided, which includes:

obtaining an access request sent to a target host port;

determining, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance;

forwarding the access request to the target container port.

According to another aspect of the embodiments of the present invention, access control equipment for container services is provided, which includes:

obtaining an access request sent to a target host port;

determining, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance;

forwarding the access request to the target container port.

According to yet another aspect of the embodiments of the present invention, a computer-readable storage medium is provided. At least one executable instruction is stored in the storage medium, and the executable instruction causes the access control equipment for container services to perform the following operations:

obtaining an access request sent to a target host port;

determining, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance;

forwarding the access request to the target container port.

The embodiments of the present invention obtain an access request sent to a target host port and determine, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared in advance by the target service instance. A container port that the target instance begins listening on dynamically at run time is thereby mapped, through network rules, to an externally reachable host port, and through this mapping an access request from outside the cluster is forwarded to the target container port newly listened on by the target service instance, so that ports opened dynamically while the service runs are exposed externally.

The above description is only an overview of the technical solutions of the embodiments of the present invention. So that the technical means of the embodiments may be understood more clearly and implemented according to the content of this specification, and so that the above and other objects, features and advantages of the embodiments become more apparent, specific embodiments of the present invention are set out below.

Brief description of the drawings

The drawings are provided only to illustrate the embodiments and are not to be taken as limiting the present invention. Throughout the drawings, the same reference characters denote the same components. In the drawings:

Figure 1 is a schematic flowchart of an access control method for container services provided by an embodiment of the present invention;

Figure 2 is a schematic flowchart of an access control method for container services provided by a further embodiment of the present invention;

Figure 3 is a schematic structural diagram of an access control device for container services provided by an embodiment of the present invention;

Figure 4 is a schematic structural diagram of access control equipment for container services provided by an embodiment of the present invention.

Detailed description

Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the invention, it should be understood that the invention may be implemented in various forms and should not be limited by the embodiments set out here.

Before the embodiments of the present invention are described, the prior art is described first.

When Kubernetes is used to deploy business service programs, external traffic often has to be routed to the business service program. Existing Kubernetes supports exposing services in the cluster to clients outside the cluster by means of ClusterIp, NodePort, LoadBalancer, Ingress and other third-party components. Each of these is suited to a different scenario; what they have in common is that the business service must declare the one or more network ports it listens on when it is deployed, and Kubernetes then exposes them outside the cluster through NAT or a third-party component. At run time the business service must listen on the ports declared at deployment in order to receive external requests.

Kubernetes, however, exposes ports only in the deployment phase, based on the content of the deployment script. While a service is running, Kubernetes has no mechanism for becoming aware of a need to expose a port. If a need to expose a new port arises while the service is running, the existing Kubernetes port deployment method cannot satisfy it, and the service cannot be provided through the new port. Existing access control methods for container services therefore have the problem that a dynamic container port negotiated between the service and a client at run time cannot be exposed outside the cluster, so the client cannot reach that negotiated container port from outside the cluster.

Figure 1 shows a flowchart of an access control method for container services provided by an embodiment of the present invention. The method is executed by a computer processing device, which may be a mobile phone, a laptop computer or the like. As shown in Figure 1, the method includes the following steps:

Step 10: obtain an access request sent to a target host port.

In one embodiment of the present invention, the target host port is a port on the host on which the target service instance is deployed, and it is used by visitors to access the container cluster from outside. The container cluster may be Kubernetes; it consists of multiple host nodes, each with multiple containers deployed on it. A target service instance generally corresponds to one container.

Step 20: determine, according to a port mapping relationship, the target container port corresponding to the target host port, where the target container port is a port listened on by a target service instance, the port mapping relationship is determined according to the dynamic port segment corresponding to the target service instance, and the dynamic port segment is declared by the target service instance when it is deployed on the host node.

In one embodiment of the present invention, in order to provide a container service to a client outside the cluster, the target service instance negotiates with the client to determine which container port will serve it. Once negotiation with the client requesting the container service succeeds, the target service instance sends a call request to a kernel function of the Linux network namespace, asking it to start listening on the negotiated target container port. The target container port can therefore be obtained by intercepting the call to that kernel function.

At the same time, because multiple service instances are generally deployed on a host node, the container ports that the various service instances negotiate with clients at run time may conflict. Each target service instance can therefore be allocated a dedicated host port segment and container port segment when it is created, to be used for the external mapping of ports negotiated later, so that the external services of the instances on one host do not interfere with one another. Specifically, when the target service instance is deployed on a host node it can declare the host port segment and container port segment it needs, for use in providing services externally while it runs. The port mapping relationship maps container ports inside the cluster to host ports reachable from outside the cluster.

In one embodiment of the present invention, the dynamic port segment includes a container dynamic port segment and a host dynamic port segment. The container dynamic port segment is the range of container port numbers that may be used to provide services externally, and the host dynamic port segment is the range of host port numbers that may be accessed from outside the cluster.

Before step 20, the method further includes:

Step 201: determine a container port to be listened on according to a port listening request sent by the target service instance; the target container port is one of the container ports to be listened on.

In one embodiment of the present invention, listening on a container port requires calling a kernel function of the network namespace in the Linux system and passing it the container port to be listened on and the listener. That kernel function can therefore be monitored: when the target service instance is detected calling it to listen on a new container port, the port parameter of the call is read to obtain the container port to be listened on.

In one embodiment of the present invention, step 201 further includes:

Step 2011: when it is determined that a call request to a kernel function of the Linux system includes the target network namespace identifier corresponding to the target service instance, intercept the kernel function to obtain the container port to be listened on; the kernel function is the one through which the target service instance listens on that container port.

In one embodiment of the present invention, to listen on a new port the target service instance must call a kernel function, and the call request includes the container port to be listened on and the target network namespace identifier of the target service instance itself. The kernel function may be of the form func(port, .., ..), where port is the field carrying the container port to be listened on that the target service instance sent. Specifically, the Linux tracing facilities can be used to intercept the kernel function.

Step 2011 further includes step 210: when it is determined that the dynamic port segment corresponding to the target service instance is not empty, obtain the target network namespace identifier of the target service instance.

In one embodiment of the present invention, when the target service instance is created or deployed on the target host node, it can declare the dynamic port segment it needs. A non-empty dynamic port segment means that the target service instance has been configured with dynamic port segment information, so the moment at which it starts listening on a new container port must be watched, the newly listened-on container port obtained, and that port exposed outside the cluster. The target network namespace identifier is what the Linux system uses to uniquely identify the target service instance.

Step 211: send the target network namespace identifier to an interceptor; the interceptor is deployed in a kernel module of the Linux system and is used to intercept the kernel function.

In one embodiment of the present invention, the interceptor intercepts call requests to the kernel function that are made from the target network namespace identifier, and obtains the container-port-to-listen-on parameter included in the call request.

In a further embodiment of the present invention, a node watching (pod-watch) service may also be created and deployed in advance on every node of the Kubernetes cluster. The pod-watch service watches Kubernetes container scheduling events, checks whether a pod scheduled to its node matches the instance selector of a DynamicPortService, and if so collects the pod's information and sends it to the kernel module port-watch.

DynamicPortService is a custom resource object in Kubernetes that stores the business service name, instance selector, communication protocol, container dynamic port segment, host dynamic port segment, network traffic estimate (the unit may be megabytes per second) and network traffic scheduling rule (most idle first, host traffic load below a threshold, and so on).

The instance selector is a set of labels (each label has a name and a corresponding value, i.e. Key:Value). A service instance also carries a set of labels, and the instance selector is used to find the service instances that a DynamicPortService is responsible for (those with the same label set). If they match, the service instance is handled by the current DynamicPortService; the dynamic port segment of the current DynamicPortService is then obtained and compared with the DynamicPortService being deployed to check for duplication.

In a further embodiment of the present invention, on top of the pod-watch service, a port watching (port-watch) service implemented as a Linux kernel module may also be created and deployed in advance on every node of the Kubernetes cluster. The port-watch service receives and stores the service instance information sent by the pod-watch service, intercepts the kernel function calls that create server-side listeners, and sets up mapping relationships for ports that satisfy a preset condition. The preset condition may be that the container port to be listened on lies within the container dynamic port segment.

Step 202: when it is determined that the container port to be listened on matches the container dynamic port segment, determine a candidate host port according to the host dynamic port segment; the target host port is one of the candidate host ports.

In one embodiment of the present invention, the container port to be listened on is determined to match when it lies within the container dynamic port segment. A matching container port is exposed externally without affecting the external services of other service instances. Any idle host port in the host dynamic port segment may be chosen as the candidate host port.

In one embodiment of the present invention, step 202 further includes:

Step 2021: determine any idle host port in the host dynamic port segment as the candidate host port.

Step 203: establish a mapping relationship between the candidate host port and the port to be listened on.

In one embodiment of the present invention, the mapping relationship is used to establish a route between the candidate host port and the port to be listened on, so that an access request from outside the cluster received on the candidate host port is forwarded, according to the mapping relationship, to the corresponding port to be listened on, giving access to the container service inside the cluster.
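The following is an added example, not code from the patent or its assignees: a user-space model of the port-watch decisions in steps 201 to 203 (listen interception, segment check, idle host port selection, mapping, forwarding). The class names DynamicPortService, PortWatch and ListenEvent, the netns identifiers and the port ranges are assumptions of this example; the patent's interceptor runs in a kernel module, which this model replaces with an explicit event feed.

```python
"""Model of the per-node port-watch logic described in the patent (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class DynamicPortService:
    """Segments one service instance declared at deployment (assumed field set)."""
    name: str
    protocol: str
    container_segment: range   # container dynamic port segment
    host_segment: range        # host dynamic port segment


@dataclass(frozen=True)
class ListenEvent:
    """One intercepted listen call: the caller's network namespace id and the port."""
    netns_id: str
    port: int


@dataclass
class PortWatch:
    """Per-node state: watched instances keyed by netns id, plus the live mappings."""
    instances: Dict[str, DynamicPortService] = field(default_factory=dict)
    mappings: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # host port -> (netns, container port)

    def register(self, netns_id: str, svc: DynamicPortService) -> None:
        """Steps 210/211: pod-watch hands over the netns id and its declared segments.
        Instances with an empty dynamic segment are not watched at all."""
        if len(svc.container_segment) == 0 or len(svc.host_segment) == 0:
            return
        self.instances[netns_id] = svc

    def on_listen(self, ev: ListenEvent) -> Optional[int]:
        """Steps 201-203: return the host port mapped to the new listener, or None when
        the listen is ignored (unknown netns, port outside the declared container
        segment, or no idle host port left in the declared host segment)."""
        svc = self.instances.get(ev.netns_id)
        if svc is None or ev.port not in svc.container_segment:
            return None
        # A repeated listen on an already-mapped port keeps its mapping.
        for host_port, (ns, cport) in self.mappings.items():
            if ns == ev.netns_id and cport == ev.port:
                return host_port
        # Step 2021: any idle host port in the host dynamic port segment.
        for host_port in svc.host_segment:
            if host_port not in self.mappings:
                self.mappings[host_port] = (ev.netns_id, ev.port)
                return host_port
        return None

    def on_close(self, ev: ListenEvent) -> None:
        """Release the mapping when the listener goes away, so the host port becomes idle again."""
        for host_port, target in list(self.mappings.items()):
            if target == (ev.netns_id, ev.port):
                del self.mappings[host_port]

    def forward(self, host_port: int) -> Optional[Tuple[str, int]]:
        """Steps 10/20: resolve an access request on a host port to (netns, container port)."""
        return self.mappings.get(host_port)


def demo() -> Dict[str, Optional[object]]:
    """Constructed scenario: two instances on one node with disjoint host segments."""
    pw = PortWatch()
    pw.register("netns-a", DynamicPortService("media-a", "tcp", range(40000, 40004), range(31000, 31002)))
    pw.register("netns-b", DynamicPortService("media-b", "tcp", range(40000, 40004), range(31002, 31004)))
    return {
        "a_first": pw.on_listen(ListenEvent("netns-a", 40001)),      # 31000
        "a_again": pw.on_listen(ListenEvent("netns-a", 40001)),      # 31000, same mapping
        "a_second": pw.on_listen(ListenEvent("netns-a", 40002)),     # 31001
        "a_exhausted": pw.on_listen(ListenEvent("netns-a", 40003)),  # None: host segment used up
        "a_outside": pw.on_listen(ListenEvent("netns-a", 8080)),     # None: not in container segment
        "unknown": pw.on_listen(ListenEvent("netns-z", 40001)),      # None: not a watched instance
        "b_first": pw.on_listen(ListenEvent("netns-b", 40001)),      # 31002: same container port, no clash
        "route": pw.forward(31002),                                   # ("netns-b", 40001)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```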

In one embodiment of the present invention, the container cluster includes multiple host nodes; multiple candidate service instances are deployed on one host node; the target service instance is one of the candidate service instances; and the dynamic port range includes a host dynamic port range.

Before step 20, the method further includes step 204: when the host dynamic port ranges corresponding to multiple candidate service instances on the same host node are determined to intersect, migrate the candidate service instance and deploy it on another host node.

In one embodiment of the present invention, to avoid external host port conflicts between different service instances on the same host (a conflict means an access request sent by a client cannot be delivered to the corresponding host port), the placement of service instances across multiple hosts can be scheduled.

Specifically, all nodes in the cluster can be traversed. For each node, the scheduler obtains from the Kubernetes ApiServer the information of every DynamicPortService deployed on that node, compares the host dynamic port ranges of the deployed DynamicPortServices with that of the newly added DynamicPortService, and checks whether they intersect. If there is no intersection, the node is taken as a pre-selected node; otherwise the next node is examined. For a pre-selected node, the scheduler fetches its network traffic statistics from a metrics store (such as Prometheus), combines them with the traffic estimate and the traffic scheduling rule of the new DynamicPortService, and computes whether the node meets the deployment requirements. If it does, the scheduler publishes to the Kubernetes ApiServer the deployment information that binds the business service corresponding to this DynamicPortService to the current node, and the Kubelet component of that node finally performs the deployment; otherwise the next node is examined.

In yet another embodiment of the present invention, resource scheduling can be done by extending the Kubernetes resource scheduler. The extended scheduler checks whether the communication protocol and host dynamic port range of the newly added DynamicPortService intersect with the communication protocols and host dynamic port ranges of the DynamicPortServices already deployed on a candidate host, and judges, from the host network traffic statistics, the service network traffic estimate and the traffic scheduling rule, whether the host's spare network capacity meets the requirement.

Before step 204, the method further includes:

Step 205: obtain the traffic statistics of each host node, and the traffic scheduling rule and traffic estimate of the candidate service instances.

In one embodiment of the present invention, the traffic statistics include the total network traffic of the host node. The traffic scheduling rule describes how the host on which a service is deployed is chosen according to the hosts' traffic load. It may include at least one of: deploy to the most idle host first; when network traffic is below a threshold, prefer consolidating onto the same host; when network traffic is below a threshold, prefer spreading across different hosts. The traffic estimate gives the expected traffic of each candidate service instance.

Step 206: determine, from the traffic statistics, the traffic scheduling rule and the traffic estimate, the host node on which each service instance is deployed.

In one embodiment of the present invention, the traffic estimate is first combined with the traffic statistics to obtain the expected load of each host node, and services are then scheduled according to the traffic scheduling rule on the basis of the expected load.

For example, when the traffic scheduling rule is most-idle-first, the service instance to be deployed is placed on the most idle host node.

When the rule is to consolidate onto the same host while network traffic is below a threshold, the service instance to be deployed is placed on the host where the previously deployed service instance was placed; when the rule is to spread across different hosts while network traffic is below a threshold, the service instance to be deployed is placed on a host other than the one where the previously deployed service instance was placed.

Step 30: forward the access request to the target container port.

In yet another embodiment of the present invention, the access control procedure for a container service can also be as shown in Figure 2.

As shown in Figure 2, step A: for each business service that needs dynamic port exposure, create a Kubernetes resource object DynamicPortService.

A DynamicPortService mainly carries the following information: service name, instance selector, communication protocol (for example tcp or udp), container dynamic port range and host dynamic port range.

Declaring the service's information and rules in Kubernetes in this way expresses the user's requirements to Kubernetes; in the subsequent steps the scheduler and the other components interpret and act on the data of this resource object.

Step B: perform the port conflict check through the extended Kubernetes scheduler.

The embodiment uses a Kubernetes scheduler with extended functions. In addition to its original scheduling function, it first performs a port duplication check, as follows:

First, obtain the labels of the service instance and verify whether they match the instance selector of some DynamicPortService. If they match, check whether the communication protocol and host dynamic port range of that DynamicPortService overlap with the communication protocols and host dynamic port ranges of the set of all DynamicPortServices already deployed on a given cluster node. If there is no overlap, continue with the following steps; otherwise perform the same check on the other nodes of the cluster.

Extending the Kubernetes scheduler in this way prevents multiple services with the same port range from being deployed on the same node, where their ports would conflict with one another and external service would be affected.

Step C: the extended Kubernetes scheduler obtains the host traffic statistics and decides, from the service's network traffic estimate and the network traffic scheduling rule, whether the service can be deployed on the current host.

The network traffic scheduling rules include, but are not limited to: most-idle-first; prefer consolidating onto the same host when network traffic is below a threshold; prefer spreading across different hosts when network traffic is below a threshold. The scheduler picks the host that best satisfies the rule to deploy the new service.
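The scheduler extension of steps 204 to 206 and steps B and C, written out as an added Go example (illustrative code, not the patent's or any project's implementation). It keeps the checks in the order the text gives: every node on which an already deployed DynamicPortService with the same protocol has a host dynamic port range overlapping the new service's is dropped first, then the traffic scheduling rule is applied to the survivors, with most-idle ordering as the fallback for every rule. The DynamicPortService struct mirrors the fields listed in step A; the Node and Policy types, the capacity check and the traffic unit are assumptions, and the sample cluster in main is constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// PortRange is an inclusive [Start, End] port range (the text's "dynamic port segment").
type PortRange struct{ Start, End int }

func (r PortRange) Overlaps(o PortRange) bool { return r.Start <= o.End && o.Start <= r.End }

// DynamicPortService carries the fields listed for the resource object in step A plus the
// service's traffic estimate used in step C. Traffic units are an assumption (Mbit/s).
type DynamicPortService struct {
	Name             string
	Selector         map[string]string // instance selector, matched against pod labels
	Protocol         string            // "tcp" or "udp"
	ContainerPorts   PortRange
	HostPorts        PortRange
	EstimatedTraffic float64
}

// Node is a scheduling candidate: what is already deployed on it plus the traffic
// statistics the scheduler would fetch from a metrics store such as Prometheus (assumed fields).
type Node struct {
	Name     string
	Deployed []DynamicPortService
	Traffic  float64 // current total network traffic
	Capacity float64 // link capacity
}

// Rule is one of the three traffic scheduling rules named in the text.
type Rule int

const (
	MostIdleFirst             Rule = iota
	ConsolidateBelowThreshold // below the threshold, reuse the host of the previous deployment
	SpreadBelowThreshold      // below the threshold, avoid the host of the previous deployment
)

type Policy struct {
	Rule      Rule
	Threshold float64
	LastNode  string // node that received the previous deployment
}

// hostPortConflict is the port duplication check of step B: a service already on the node
// with the same protocol and an overlapping host dynamic port range would compete for host ports.
func hostPortConflict(node Node, svc DynamicPortService) bool {
	for _, d := range node.Deployed {
		if d.Protocol == svc.Protocol && d.HostPorts.Overlaps(svc.HostPorts) {
			return true
		}
	}
	return false
}

// Schedule drops nodes that fail the port conflict check or cannot absorb the service's
// estimated traffic, then applies the traffic scheduling rule to the survivors
// (steps 205/206 and step C). Most-idle ordering is the fallback for every rule.
func Schedule(nodes []Node, svc DynamicPortService, p Policy) (string, error) {
	projected := func(n Node) float64 { return n.Traffic + svc.EstimatedTraffic }
	var cands []Node
	for _, n := range nodes {
		if !hostPortConflict(n, svc) && projected(n) <= n.Capacity {
			cands = append(cands, n)
		}
	}
	if len(cands) == 0 {
		return "", errors.New("no node passes the host port conflict and capacity checks")
	}
	sort.SliceStable(cands, func(i, j int) bool { return projected(cands[i]) < projected(cands[j]) })
	for _, n := range cands {
		switch p.Rule {
		case ConsolidateBelowThreshold:
			if n.Name == p.LastNode && projected(n) < p.Threshold {
				return n.Name, nil
			}
		case SpreadBelowThreshold:
			if n.Name != p.LastNode && projected(n) < p.Threshold {
				return n.Name, nil
			}
		}
	}
	return cands[0].Name, nil
}

func main() {
	// Constructed sample: node-a already exposes tcp 30000-30099, which overlaps the new range.
	nodes := []Node{
		{Name: "node-a", Traffic: 300, Capacity: 1000, Deployed: []DynamicPortService{{Name: "old", Protocol: "tcp", HostPorts: PortRange{30000, 30099}}}},
		{Name: "node-b", Traffic: 500, Capacity: 1000},
	}
	svc := DynamicPortService{Name: "game", Protocol: "tcp", ContainerPorts: PortRange{20000, 20099}, HostPorts: PortRange{30050, 30149}, EstimatedTraffic: 50}
	fmt.Println(Schedule(nodes, svc, Policy{Rule: MostIdleFirst}))
}
```

The protocol is part of the conflict key on purpose: a udp range and a tcp range covering the same numbers do not collide on a host, so filtering on the port numbers alone would reject nodes needlessly. The capacity check is the "spare network capacity" test of the text; the threshold rules only express a preference among nodes that already passed it.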

Step D: after scheduling is complete, the new service instance is started on the scheduled node.

The pod-watch service on that node watches container scheduling events from the Kubernetes ApiServer. If a service instance is scheduled to this node and has a dynamic port range configured, pod-watch waits for the instance to be created, obtains the instance's network namespace identifier, and sends the network namespace identifier, communication protocol, container dynamic port range and host dynamic port range to the kernel module port-watch on the current node.

pod-watch is the bridge between the Kubernetes ApiServer and the kernel module port-watch; it obtains and passes on information such as port ranges and network namespace identifiers.

Step E: the kernel module port-watch generates NAT rules for the container port and host port so that the service can be reached through the host port of the cluster node on which it is deployed.

First, the kernel module port-watch receives and stores the network namespace identifier, communication protocol, container dynamic port range and host dynamic port range, and installs an interceptor for the kernel function calls made in the service's network namespace.

Then, when the service instance starts listening on a port, port-watch obtains the protocol and port being listened on and checks whether the port lies within the dynamic port range. If it is a dynamic port, port-watch computes the host port corresponding to it and generates NAT rules for the container port and host port, so that the service can be reached through the host port of the cluster node on which it is deployed and is thereby exposed outside the cluster.

Optionally, when a service instance is stopped, deleted or migrated to another node, pod-watch observes the change and sends the network namespace identifier of the stopped container to the kernel module port-watch; port-watch then removes the interceptor for that service's network namespace, clears the service's NAT rules and deletes the stored records of the service's dynamic port ranges. The process shown in Figure 2 thus detects whether a business service starts listening on a new container port while running, and exposes the newly listened-on container port outside the cluster.
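The node-side half, steps 201 to 203 together with steps D and E, as an added Go example (illustrative; not the patent's pod-watch or kernel module code). It models in user space the state port-watch keeps: the record pod-watch sends per instance, the per-node set of host ports already handed out, the decision taken when an intercepted listen is seen, the NAT rule that results, and the clean-up on stop or migration. Three things are assumptions and not in the text: the PodIP field (a DNAT rule needs a destination address), the preference for the host port at the same offset inside the host range before falling back to "any idle host port", and the iptables rule text. The instance in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// PortRange is an inclusive [Start, End] port range (the text's "dynamic port segment").
type PortRange struct{ Start, End int }

func (r PortRange) Contains(p int) bool { return p >= r.Start && p <= r.End }
func (r PortRange) Empty() bool         { return r.Start <= 0 || r.End < r.Start }

// ServiceRecord is what pod-watch sends to port-watch for one instance (step D). PodIP is an
// assumption: the text lists only the namespace id, protocol and the two ranges, but DNAT needs a destination.
type ServiceRecord struct {
	NetNS, Protocol, PodIP    string
	ContainerPorts, HostPorts PortRange
}

// Mapping is one host port -> container port entry (step 203 / step E).
type Mapping struct {
	NetNS, Protocol         string
	HostPort, ContainerPort int
}

// PortWatch models the kernel module's bookkeeping in user space.
type PortWatch struct {
	records  map[string]ServiceRecord // keyed by network namespace id
	mappings map[string][]Mapping     // keyed by network namespace id
	inUse    map[string]bool          // "proto/hostport" already handed out on this node
}

func NewPortWatch() *PortWatch {
	return &PortWatch{map[string]ServiceRecord{}, map[string][]Mapping{}, map[string]bool{}}
}

func portKey(proto string, port int) string { return fmt.Sprintf("%s/%d", proto, port) }

// Register stores the record and starts watching the namespace; an empty port segment means nothing to intercept (claim 5).
func (w *PortWatch) Register(r ServiceRecord) error {
	if r.ContainerPorts.Empty() || r.HostPorts.Empty() {
		return errors.New("empty dynamic port segment: nothing to expose")
	}
	w.records[r.NetNS] = r
	return nil
}

// OnListen runs when an intercepted listen() is seen in namespace ns (steps 201-203, step E).
// ok is false for a non-dynamic port, which stays cluster-internal; err reports an exhausted host range.
func (w *PortWatch) OnListen(ns, proto string, containerPort int) (Mapping, bool, error) {
	r, known := w.records[ns]
	if !known || r.Protocol != proto || !r.ContainerPorts.Contains(containerPort) {
		return Mapping{}, false, nil
	}
	hostPort, err := w.pickHostPort(r, containerPort)
	if err != nil {
		return Mapping{}, false, err
	}
	m := Mapping{NetNS: ns, Protocol: proto, HostPort: hostPort, ContainerPort: containerPort}
	w.mappings[ns] = append(w.mappings[ns], m)
	w.inUse[portKey(proto, hostPort)] = true
	return m, true, nil
}

// pickHostPort prefers the same offset inside the host range (our assumption) and otherwise any idle host port (step 2021).
func (w *PortWatch) pickHostPort(r ServiceRecord, containerPort int) (int, error) {
	if c := r.HostPorts.Start + containerPort - r.ContainerPorts.Start; r.HostPorts.Contains(c) && !w.inUse[portKey(r.Protocol, c)] {
		return c, nil
	}
	for p := r.HostPorts.Start; p <= r.HostPorts.End; p++ {
		if !w.inUse[portKey(r.Protocol, p)] {
			return p, nil
		}
	}
	return 0, errors.New("host dynamic port segment exhausted")
}

// NATRule renders a mapping as the DNAT rule the module would install on the host (illustrative iptables text).
func (w *PortWatch) NATRule(m Mapping) string {
	return fmt.Sprintf("iptables -t nat -A PREROUTING -p %s --dport %d -j DNAT --to-destination %s:%d",
		m.Protocol, m.HostPort, w.records[m.NetNS].PodIP, m.ContainerPort)
}

// Unregister handles pod-watch's stop/delete/migrate notification: drop mappings, free host ports, forget the record.
func (w *PortWatch) Unregister(ns string) []Mapping {
	removed := w.mappings[ns]
	for _, m := range removed {
		delete(w.inUse, portKey(m.Protocol, m.HostPort))
	}
	delete(w.mappings, ns)
	delete(w.records, ns)
	return removed
}

func main() {
	w := NewPortWatch() // constructed sample instance
	_ = w.Register(ServiceRecord{NetNS: "netns-4026532", Protocol: "tcp", PodIP: "10.244.1.7", ContainerPorts: PortRange{20000, 20099}, HostPorts: PortRange{30000, 30099}})
	m, _, _ := w.OnListen("netns-4026532", "tcp", 20007)
	fmt.Println(w.NATRule(m))
}
```

Two points the text leaves implicit are made explicit here. A listen on a port outside the container dynamic range, or with a protocol other than the declared one, is not exposed at all, which is what keeps an arbitrary bind inside the container from punching a hole through the host. And the in-use set is node-wide rather than per namespace: the scheduler is meant to keep host ranges from overlapping on one node, but the module should still refuse to hand out a host port twice if that guarantee fails, and the exhaustion error is how that shows up.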

The embodiment of the present invention obtains the access request sent to the target host port; determines, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance; and forwards the request. In this way the container ports that the target instance dynamically listens on while running are mapped by network rules to external host ports, and through that mapping an access request from outside the cluster is forwarded to the target container port newly listened on by the target service instance inside the cluster, exposing ports opened dynamically during service operation.

Figure 3 is a schematic diagram of the structure of the access control apparatus for a container service provided by an embodiment of the present invention. As shown in Figure 3, the apparatus 40 includes an acquisition module 401, a determination module 402 and a forwarding module 403.

The acquisition module 401 obtains the access request sent to the target host port;

the determination module 402 determines, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance;

the forwarding module 403 forwards the access request to the target container port.

The operations performed by the access control apparatus for a container service provided by the embodiment are substantially the same as in the method embodiment above and are not repeated here.

The access control apparatus for a container service provided by the embodiment obtains the access request sent to the target host port; determines, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance; and forwards the request. In this way the container ports that the target instance dynamically listens on while running are mapped by network rules to external host ports, and through that mapping an access request from outside the cluster is forwarded to the target container port newly listened on by the target service instance inside the cluster, exposing ports opened dynamically during service operation.

Figure 4 is a schematic diagram of the structure of the access control device for a container service provided by an embodiment of the present invention; the specific embodiments do not limit the concrete implementation of the device.

As shown in Figure 4, the access control device for a container service may include a processor 502, a communications interface 504, a memory 506 and a communication bus 508.

The processor 502, the communications interface 504 and the memory 506 communicate with one another over the communication bus 508. The communications interface 504 communicates with network elements of other devices such as clients or other servers. The processor 502 executes the program 510 and in particular may carry out the relevant steps of the access control method embodiment above.

Specifically, the program 510 may include program code comprising computer-executable instructions.

The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.

The memory 506 stores the program 510. The memory 506 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.

The program 510 may be invoked by the processor 502 to make the access control device for a container service perform the following operations:

obtain the access request sent to the target host port;

determine, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance;

forward the access request to the target container port.

The operations performed by the access control device for a container service provided by the embodiment are substantially the same as in the method embodiment above and are not repeated here.

The access control device for a container service provided by the embodiment obtains the access request sent to the target host port; determines, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance; and forwards the request. In this way the container ports that the target instance dynamically listens on while running are mapped by network rules to external host ports, and through that mapping an access request from outside the cluster is forwarded to the target container port newly listened on by the target service instance inside the cluster, exposing ports opened dynamically during service operation.

An embodiment of the present invention provides a computer-readable storage medium storing at least one executable instruction which, when run on an access control device for a container service, causes the device to perform the access control method for a container service of any of the method embodiments above.

Specifically, the executable instruction may cause the access control device for a container service to perform the following operations:

obtain the access request sent to the target host port;

determine, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance;

forward the access request to the target container port.

The operations performed by the instructions stored on the computer storage medium provided by the embodiment are substantially the same as in the method embodiment above and are not repeated here.

The instructions stored on the computer storage medium provided by the embodiment obtain the access request sent to the target host port; determine, from the port mapping, the target container port corresponding to the target host port, where the target container port is a port listened on by the target service instance, the port mapping is determined from the dynamic port range corresponding to the target service instance, and the dynamic port range is declared in advance for the target service instance; and forward the request. In this way the container ports that the target instance dynamically listens on while running are mapped by network rules to external host ports, and through that mapping an access request from outside the cluster is forwarded to the target container port newly listened on by the target service instance inside the cluster, exposing ports opened dynamically during service operation.

An embodiment of the present invention provides an access control apparatus for a container service, for performing the access control method for a container service described above.

An embodiment of the present invention provides a computer program which can be invoked by a processor to make an access control device for a container service perform the access control method for a container service of any of the method embodiments above.

An embodiment of the present invention provides a computer program product comprising a computer program stored on a computer-readable storage medium; the computer program includes program instructions which, when run on a computer, cause the computer to perform the access control method for a container service of any of the method embodiments above.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein, and the structure required to construct such systems is apparent from the description above. Moreover, the embodiments of the present invention are not directed to any particular programming language; it should be understood that the content of the invention described herein can be implemented in a variety of programming languages, and the description given above of specific languages is for the purpose of disclosing the best mode of carrying out the invention.

Numerous specific details are set out in the description provided here. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in the above description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim.

Those skilled in the art will understand that the modules of the apparatus in an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names. Unless otherwise specified, the steps in the above embodiments should not be understood as limiting the order of execution.

Claims (10)

1. A method of access control for a container service, the method comprising:
acquiring an access request sent to a target host port;
determining a target container port corresponding to the target host port according to the port mapping relation; the target container port is a port monitored by the target service instance; the port mapping relation is determined according to the dynamic port segment corresponding to the target service instance; the dynamic port segment is pre-declared for the target service instance;
forwarding the access request to the target container port.
2. The method of claim 1, wherein the dynamic port segment comprises a container dynamic port segment and a host dynamic port segment; before determining the target container port corresponding to the target host port according to the port mapping relation, the method comprises the following steps:
determining a port of a container to be monitored according to a port monitoring request sent by the target service instance; the target container port is one of the container ports to be monitored;
when the container port to be monitored is matched with the container dynamic port segment, determining an optional host port according to the host dynamic port segment; the target host port is one of the selectable host ports;
and establishing a mapping relation between the selectable host port and the port to be monitored.
3. The method of claim 2, wherein when determining that the to-be-listened container port matches the container dynamic port segment, determining an optional host port from the host dynamic port segment comprises:
and determining any idle host port in the host dynamic port section as the selectable host port.
4. The method according to claim 2, wherein the determining a port of the container to be listened to according to the port listening request sent by the target service instance comprises:
when the call request for the kernel function in the linux system is determined to comprise the target network name space identifier corresponding to the target service instance, intercepting the kernel function to obtain the port of the container to be monitored; the kernel function is used for realizing the monitoring of the target service instance on the port of the container to be monitored.
5. The method of claim 4, wherein intercepting the kernel function to obtain the container port to be listened on comprises:
when the dynamic port segment corresponding to the target service instance is determined to be non-empty, acquiring the target network namespace identifier of the target service instance; and
passing the target network namespace identifier to an interceptor; the interceptor is deployed in a kernel module of the Linux system and is used to intercept the kernel function.
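Claims 2 to 5 together describe one procedure: an instance pre-declares a container dynamic port segment and a host dynamic port segment; a kernel-side interceptor, armed only with the network namespace identifier of instances whose segment is non-empty, observes the instance's listen calls; a listen on a container port inside the declared container segment gets an idle host port from the declared host segment, and that pair becomes the mapping that claim 1 later consults when an access request arrives on the host port. The following Python is an added example that models this procedure; it is not the patent's code and does not touch the kernel. The names (PortSegment, ServiceInstance, PortMapper, on_listen_intercepted, route, release) are hypothetical, and the interceptor of claims 4 and 5 is stood in for by a plain method that receives (netns_id, container_port). The property a practitioner should check is visible in the three refusals: a listen from an unregistered namespace, a listen on a port outside the declared container segment, or a listen once the host segment is exhausted yields no host mapping, so a container cannot expose arbitrary host ports.

```python
"""Dynamic port-segment mapper modelling claims 2 to 5 of CN114979286B.

Added example, not the patent's or any product's code. All names are
hypothetical; the kernel interceptor is modelled as on_listen_intercepted().
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class PortSegment:
    """Inclusive port range [low, high], e.g. PortSegment(30000, 30009)."""
    low: int
    high: int

    def __post_init__(self) -> None:
        if not (0 < self.low <= self.high <= 65535):
            raise ValueError(f"invalid port segment {self.low}-{self.high}")

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high


@dataclass
class ServiceInstance:
    """One container; netns_id identifies its network namespace (claim 4)."""
    name: str
    netns_id: int
    container_segment: Optional[PortSegment] = None   # pre-declared (claim 2)
    host_segment: Optional[PortSegment] = None        # pre-declared (claim 2)


class PortMapper:
    def __init__(self) -> None:
        self._instances: Dict[int, ServiceInstance] = {}        # keyed by netns_id
        self._host_to_container: Dict[int, Tuple[int, int]] = {}  # host port -> (netns_id, container port)
        self._used_host_ports: Set[int] = set()

    def declare(self, inst: ServiceInstance) -> bool:
        """Register the instance with the interceptor only when its dynamic
        port segment is non-empty (claim 5). Returns False otherwise."""
        if inst.container_segment is None or inst.host_segment is None:
            return False
        self._instances[inst.netns_id] = inst
        return True

    def on_listen_intercepted(self, netns_id: int, container_port: int) -> Optional[int]:
        """Stand-in for the kernel interceptor (claims 4 and 5): called with the
        namespace id and the port the container is about to listen on. Returns
        the host port mapped to it, or None when nothing is exposed."""
        inst = self._instances.get(netns_id)
        if inst is None:
            return None   # not a registered namespace: the call is ignored
        if not inst.container_segment.contains(container_port):
            return None   # outside the declared container segment: no host exposure (claim 2)
        for host_port in range(inst.host_segment.low, inst.host_segment.high + 1):
            if host_port not in self._used_host_ports:   # any idle port in the segment (claim 3)
                self._used_host_ports.add(host_port)
                self._host_to_container[host_port] = (netns_id, container_port)
                return host_port
        return None   # host segment exhausted

    def route(self, host_port: int) -> Optional[Tuple[int, int]]:
        """Claim 1: resolve an access request on a host port to the
        (netns_id, container port) it should be forwarded to."""
        return self._host_to_container.get(host_port)

    def release(self, host_port: int) -> None:
        """Drop a mapping when the container closes its listening socket."""
        if self._host_to_container.pop(host_port, None) is not None:
            self._used_host_ports.discard(host_port)


if __name__ == "__main__":
    # Constructed sample: one instance with two host ports declared.
    mapper = PortMapper()
    web = ServiceInstance("web", netns_id=4026531993,
                          container_segment=PortSegment(8000, 8009),
                          host_segment=PortSegment(30000, 30001))
    mapper.declare(web)
    print(mapper.on_listen_intercepted(4026531993, 8000))   # 30000
    print(mapper.on_listen_intercepted(4026531993, 9000))   # None, outside segment
    print(mapper.route(30000))                               # (4026531993, 8000)
```

In a real deployment the interceptor runs in the kernel module of claim 5 and the forwarding of claim 1 is done by the host's packet path; the example only models the allocation and lookup decisions those components would make.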
6. The method of claim 1, wherein the container cluster comprises a plurality of the host nodes; a plurality of selectable service instances are deployed on one of the host nodes; the target service instance is one of the selectable service instances; the dynamic port segment comprises a host dynamic port segment; and, before determining the target container port corresponding to the target host port according to the port mapping relationship, the method further comprises:
when it is determined that the host dynamic port segments corresponding to the plurality of selectable service instances on the same host node intersect, migrating the conflicting selectable service instances to other host nodes for deployment.
7. The method of claim 6, wherein, before migrating the selectable service instances to other host nodes for deployment, the method comprises:
acquiring traffic statistics of each host node, and a traffic scheduling rule and a traffic estimate for the selectable service instances; and
determining, according to the traffic statistics, the traffic scheduling rule and the traffic estimate, the host node on which each service instance is to be deployed.
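Claims 6 and 7 add a placement rule: two instances whose host dynamic port segments intersect must not share a host node (otherwise both would be allocating from the same host ports), and the node an instance is moved to is chosen from per-node traffic statistics, a traffic scheduling rule and the instance's traffic estimate. The Python below is an added example of that check and re-placement; it is not the patent's code, the scheduling rule (a per-node traffic cap) is a hypothetical stand-in for whatever rule an operator would configure, and the node and instance names, segments and traffic figures are constructed. Host segments are plain (low, high) tuples here.

```python
"""Host-segment conflict detection and re-placement modelling claims 6 and 7.

Added example, not the patent's code. The per-node capacity is a hypothetical
scheduling rule; names, segments and traffic numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, int]   # inclusive host port range (low, high)


def segments_intersect(a: Segment, b: Segment) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass
class Instance:
    name: str
    host_segment: Segment
    estimated_traffic: float           # claim 7: traffic estimate for the instance


@dataclass
class HostNode:
    name: str
    capacity: float                    # hypothetical scheduling rule: max traffic per node
    current_traffic: float             # claim 7: measured traffic statistics
    instances: List[Instance] = field(default_factory=list)


def find_conflicts(node: HostNode) -> List[Tuple[str, str]]:
    """Claim 6: pairs of instances on one node whose host segments intersect."""
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(node.instances):
        for b in node.instances[i + 1:]:
            if segments_intersect(a.host_segment, b.host_segment):
                pairs.append((a.name, b.name))
    return pairs


def choose_node(inst: Instance, nodes: List[HostNode], exclude: str) -> Optional[HostNode]:
    """Claim 7: the least-loaded node that is not the current one, carries no
    instance whose host segment intersects inst's, and stays within its cap
    once inst's estimated traffic is added. None if no node qualifies."""
    fits = [
        n for n in nodes
        if n.name != exclude
        and not any(segments_intersect(inst.host_segment, o.host_segment) for o in n.instances)
        and n.current_traffic + inst.estimated_traffic <= n.capacity
    ]
    return min(fits, key=lambda n: n.current_traffic, default=None)


def resolve_conflicts(nodes: List[HostNode]) -> Dict[str, str]:
    """Migrate the later member of each conflicting pair until no node has
    intersecting host segments. Returns {instance name: new node name} and
    raises if some instance cannot be placed on any node."""
    moves: Dict[str, str] = {}
    for node in nodes:
        while True:
            conflicts = find_conflicts(node)
            if not conflicts:
                break
            victim_name = conflicts[0][1]
            victim = next(i for i in node.instances if i.name == victim_name)
            target = choose_node(victim, nodes, exclude=node.name)
            if target is None:
                raise RuntimeError(f"no host node can take {victim.name}")
            node.instances.remove(victim)
            target.instances.append(victim)
            # The estimate stands in for the traffic the instance actually carries away.
            node.current_traffic -= victim.estimated_traffic
            target.current_traffic += victim.estimated_traffic
            moves[victim.name] = target.name
    return moves


if __name__ == "__main__":
    # Constructed cluster: node-a hosts two instances with overlapping host segments.
    cluster = [
        HostNode("node-a", capacity=100, current_traffic=60, instances=[
            Instance("web", (30000, 30009), 20),
            Instance("api", (30005, 30014), 30),
        ]),
        HostNode("node-b", capacity=100, current_traffic=40, instances=[
            Instance("db", (40000, 40009), 10),
        ]),
        HostNode("node-c", capacity=100, current_traffic=80),
    ]
    print(find_conflicts(cluster[0]))      # [('web', 'api')]
    print(resolve_conflicts(cluster))      # {'api': 'node-b'}: node-c would exceed its cap
```

The order in which conflicts are resolved and which member of a pair moves are policy choices the claims leave open; the example moves the later-declared instance and resolves nodes in list order.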
8. An access control device for a container service, the device comprising:
an acquisition module, configured to acquire an access request sent to a target host port;
a determining module, configured to determine, according to a port mapping relationship, a target container port corresponding to the target host port; the target container port is a port on which a target service instance listens; the port mapping relationship is determined according to a dynamic port segment corresponding to the target service instance; and the dynamic port segment is pre-declared for the target service instance; and
a forwarding module, configured to forward the access request to the target container port.
9. Access control equipment for a container service, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus; and
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the access control method for a container service according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction, when run on access control equipment for a container service, causes the equipment to perform the operations of the access control method for a container service according to any one of claims 1 to 7.
CN202210509869.3A 2022-05-11 2022-05-11 Access control method, device, equipment and computer storage medium for container service Active CN114979286B (en)

Publications (2)

Publication Number Publication Date
CN114979286A CN114979286A (en) 2022-08-30
CN114979286B true CN114979286B (en) 2023-09-19

Family

ID=82981638

Country Status (1)

Country Link
CN (1) CN114979286B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567285A (en) * 2022-09-22 2023-01-03 深圳前海微众银行股份有限公司 Containerization service vulnerability detection method and device and server
CN115714692B (en) * 2022-11-18 2025-06-27 联通(广东)产业互联网有限公司 A model training method for monitoring network card and its application, system and electronic device
CN118214565A (en) * 2022-12-09 2024-06-18 华为云计算技术有限公司 Access control system, method and computing device cluster
CN116074309B (en) * 2023-03-06 2023-06-16 深圳前海环融联易信息科技服务有限公司 Access method of operating system in cross-platform container and related equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108377671A (en) * 2016-11-28 2018-08-07 华为技术有限公司 Method and computer device for processing messages
CN110225146A (en) * 2019-05-20 2019-09-10 浙江华创视讯科技有限公司 Intranet and extranet mapping method, device, electronic equipment, medium and video conferencing system
CN111447300A (en) * 2020-03-26 2020-07-24 深信服科技股份有限公司 Target port determination method, device, equipment and readable storage medium
CN111726399A (en) * 2020-06-08 2020-09-29 中国工商银行股份有限公司 Docker container secure access method and device
CN113596159A (en) * 2021-07-30 2021-11-02 北京南凯自动化系统工程有限公司 Cluster communication method and device based on k8s cloud container platform
CN113961312A (en) * 2021-10-28 2022-01-21 北京金山云网络技术有限公司 Target service deployment method and device and electronic equipment
WO2022033121A1 (en) * 2020-08-14 2022-02-17 苏州浪潮智能科技有限公司 Method and system for resource exposure in kubernetes, and device and medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060045098A1 (en) * 2004-08-31 2006-03-02 Krause Michael R System for port mapping in a network
US10691504B2 (en) * 2017-08-14 2020-06-23 International Business Machines Corporation Container based service management
US11044229B2 (en) * 2017-12-22 2021-06-22 International Business Machines Corporation Dynamically opening ports for trusted application processes hosted in containers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kubernetes Service (Kubernetes之service); 彭宇栋; https://blogs.csdn.net/qq_49530779/article/details/122164671; full text *

Also Published As

Publication number Publication date
CN114979286A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
CN114979286B (en) Access control method, device, equipment and computer storage medium for container service
EP3667500B1 (en) Using a container orchestration service for dynamic routing
US10528390B2 (en) Idempotent task execution in on-demand network code execution systems
US10701139B2 (en) Life cycle management method and apparatus
US20190377604A1 (en) Scalable function as a service platform
US5848234A (en) Object procedure messaging facility
US20230126651A1 (en) Streamlined onboarding of offloading devices for provider network-managed servers
US5818448A (en) Apparatus and method for identifying server computer aggregation topologies
CN111245634B (en) A virtualization management method and device
CN114172905B (en) Cluster network networking method, device, computer equipment and storage medium
CN113645262A (en) Cloud computing service system and method
CN109995842B (en) A grouping method and device for distributed server cluster
US20240111549A1 (en) Method and apparatus for constructing android running environment
CN116800616B (en) Management method and related device of virtualized network equipment
CN111752681A (en) Request processing method, apparatus, server, and computer-readable storage medium
WO2021232860A1 (en) Communication method, apparatus and system
CN115086166B (en) Computing system, container network configuration method, and storage medium
CN113810230A (en) Method, device and system for carrying out network configuration on containers in container cluster
US20200310828A1 (en) Method, function manager and arrangement for handling function calls
KR102662496B1 (en) Batch scheduling method for generating multiple deep learning model based inference responses using multi-gpu
CN114546587A (en) A method for expanding and shrinking capacity of online image recognition service and related device
CN114721824A (en) A resource allocation method, medium and electronic device
CN110365743B (en) Zookeeper-based implementation method of load balancer supporting multiple customizable load algorithms
CN115390982A (en) Method and device for realizing SAAS application arrangement engine, electronic equipment and storage medium
CN110245027B (en) Inter-process communication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant