CN115150129A - Container security control method, container processing method, electronic device, and storage medium - Google Patents


Info

Publication number: CN115150129A
Authority: CN (China)
Prior art keywords: container group, service, target container, target, container
Legal status: Pending (an assumption of the indexing service, not a legal conclusion)
Application number: CN202210633450.9A
Other languages: Chinese (zh)
Inventors: 段晓辉, 周来
Current assignee: Alibaba Cloud Computing Ltd
Original assignee: Alibaba Cloud Computing Ltd
Application filed by Alibaba Cloud Computing Ltd
Priority to CN202210633450.9A
Publication of CN115150129A

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/14 (for detecting or protecting against malicious traffic) > H04L63/1433 (Vulnerability analysis)
    • H > H04 > H04L > H04L63/00 > H04L63/14 > H04L63/1441 (Countermeasures against malicious traffic)
    • H > H04 > H04L > H04L63/00 > H04L63/20 (Network architectures or network communication protocols for managing network security; network security policies in general)

Abstract

Embodiments of the present application provide a container security control method, a container processing method, an electronic device, and a storage medium. On the one hand, the container groups in a service cluster that provide services to the outside are identified automatically, accurately and in a timely manner, and are marked as externally exposed container groups. On the other hand, anomaly detection is performed on such a container group based on its attribute information, and if the container group is abnormal, the defense function of the container group is enabled to prevent any process or port that is not on the allowed list from being opened in the container group. This reduces the probability that the containers in the container group are exposed to security risk and strengthens the data security of those containers.

Description

Container safety control method, container processing method, electronic device, and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular to a container security control method, a container processing method, an electronic device, and a storage medium.
Background
With the spread of cloud-native technology, the degree of containerization keeps increasing, and tens of thousands or even hundreds of thousands of containers are deployed in a service cluster built on a cloud-native architecture. Some containers expose their associated IP addresses to the external network so that clients outside the service cluster can reach them; this is how those containers provide services to the outside. Exposing a container's IP address to the external network also makes the container an easy target for attacks from outside, which creates security risk. How to ensure the data security of containers that provide services to the outside has therefore become an urgent technical problem.
Disclosure of Invention
Aspects of the present application provide a container security control method, a container processing method, an electronic device, and a storage medium, which are used to ensure the data security of a container that provides a service to the outside.
An embodiment of the present application provides a container security control method, which includes: determining a target container group in a service cluster that provides a service to the outside, and determining a first process and a first port that the target container group is allowed to open; performing anomaly detection on the target container group according to attribute information of the target container group; and if the target container group is abnormal, enabling the defense function of the target container group to prevent a second process and/or a second port from being opened in the target container group.
An embodiment of the present application further provides a container processing method, which includes: for any existing container group or newly created container group in a service cluster, acquiring instance information of the external service object instance corresponding to the container group; and adding a service exposure mark to the container group according to the instance information of the external service object instance corresponding to the container group.
An embodiment of the present application further provides an electronic device, including a memory and a processor. The memory stores a computer program; the processor is coupled to the memory and executes the computer program to perform the steps of the container security control method or the container processing method.
Embodiments of the present application also provide a computer storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps of the container security control method or the container processing method.
In these embodiments, on the one hand, the container groups in the service cluster that provide services to the outside are identified automatically, accurately and in a timely manner, and are marked as such. On the other hand, anomaly detection is performed on each marked container group based on its attribute information, and if a container group is abnormal, its defense function is enabled to prevent any process or port that is not on the allowed list from being opened in it, which reduces the probability of security risk to the containers in the group and strengthens their data security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of it, illustrate embodiments of the application and together with the description serve to explain the application without limiting it. In the drawings:
fig. 1 is an application scenario diagram provided in an embodiment of the present application;
fig. 2 is a flowchart of a container processing method according to an embodiment of the present application;
fig. 3 is a flowchart of a container security control method according to an embodiment of the present application;
fig. 4 is a diagram of another application scenario provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a container security control apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a container processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objectives, technical solutions and advantages of the present application clearer, the technical solutions are described clearly and completely below with reference to specific embodiments and the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
In the prior art, ensuring the data security of a container that provides services to the outside is a technical problem that urgently needs to be solved. Embodiments of the present application therefore provide a container security control method, a container processing method, an electronic device and a storage medium. In these embodiments, the container groups in the service cluster that provide services to the outside are identified automatically, accurately and in a timely manner and are marked as such; anomaly detection is then performed on each such container group based on its attribute information, and when a container group is abnormal its defense function is enabled to prevent any process or port that is not on the allowed list from being opened in it, which reduces the probability of security risk to the containers in the group and strengthens their data security.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is an application scenario diagram provided in an embodiment of the present application. Referring to fig. 1, a client accesses a service provided by a container group (Pod) in a service cluster. The service cluster may be any cluster running a container orchestration service, such as, but not limited to, Kubernetes (K8s), Docker Swarm, or an extensible container management service (ECS). Generally, a service cluster comprises a master node (Master) and a plurality of worker nodes (Nodes). The master node is the control node and manages the whole cluster; it mainly comprises the API Server, the Controller, the Scheduler and etcd. The API Server is the core component of the service cluster, the data bus and data center of the whole system, and is responsible for interaction with the other master components and with all worker nodes. The Controller manages cluster state. The Scheduler is responsible for scheduling the cluster's resources: it places each Pod on a suitable worker node according to a scheduling algorithm and policy so that cluster resources are used fully and reasonably. etcd is the distributed data store that holds the cluster's state information. One or more container groups (Pods) are deployed on each worker node. A Pod is the smallest scheduling and resource unit in the service cluster and can be regarded as an abstraction over a set of containers, i.e. a Pod contains one or more containers. Each Pod is associated with an external service object instance (Service). A Service logically represents a group of Pods, keeps clients from losing contact with those Pods when their addresses change, and defines the access policy for the group.
A Service has its own IP address; a client only needs to access the Service IP, and the service cluster establishes and maintains the mapping between the Service and its Pods. However the IP addresses of the backend Pods change, clients are unaffected, because the Service IP does not change. Service types generally include ClusterIP, NodePort and LoadBalancer. ClusterIP is the default type: a ClusterIP Service is allocated a fixed virtual IP inside the cluster, through which the Pods can be accessed from within the cluster. A NodePort Service opens one port on every worker node to expose the Service, so it can be reached from outside the cluster as NodeIP:NodePort, where NodeIP is the IP address of a worker node and NodePort is the static port. A LoadBalancer Service uses a load balancer to expose the service to the outside; the external load balancer routes to the NodePort and ClusterIP services behind it.
In embodiments of the present application, security control is applied to container groups that can be accessed by clients outside the service cluster, which reduces the probability that such container groups are attacked from outside and protects the data security of the containers in them.
Fig. 2 is a flowchart of a container processing method according to an embodiment of the present application. The method may be performed by a container processing apparatus implemented in software and/or hardware, generally integrated in the service cluster. Referring to fig. 2, the method may include the following steps:
201. For any existing container group or newly created container group in the service cluster, acquire instance information of the external service object instance corresponding to the container group.
202. Add a service exposure mark to the container group according to the instance information of the external service object instance corresponding to the container group.
In this embodiment, a container group that has already been created in the service cluster is called an existing container group. For the existing container groups, the API Server may be called to obtain the Service list, which contains one or more Services, each corresponding to one or more existing container groups. The Services in the list are traversed; for the current Service, its instance information is acquired and used to identify whether the existing container groups corresponding to it provide a service to the outside. If so, a service exposure mark indicating external exposure is added to each such container group; if not, no service exposure mark is added to them.
Steps 201 and 202 may be performed in real time or periodically for the existing container groups in the service cluster, so that all container groups providing services to the outside are discovered accurately and promptly and receive a service exposure mark.
In this embodiment, to discover newly exposed container groups in a timely and accurate way, container group creation events on the service cluster are monitored. When the creation of a new container group is observed, the Service to which the new container group belongs is obtained, and the instance information of that Service is used to identify whether the new container group provides a service to the outside. If so, a service exposure mark indicating external exposure is added to the new container group; if not, none is added.
In practice, a container group may also provide services to the outside through a microservice gateway. The microservice gateway gives the service a URL (Uniform Resource Locator) reachable from outside the cluster and provides load balancing, SSL (Secure Sockets Layer) termination, HTTP (Hypertext Transfer Protocol) routing and so on. The service cluster provides an Ingress component to take on the role of the microservice gateway, and a container group can provide services to the outside through the Ingress component. Because an Ingress typically fronts a Service whose own type is ClusterIP, the Service type alone does not reveal this kind of exposure; the gateway association has to be checked separately.
In practice, the Service type may be NodePort or LoadBalancer; a Service of either type indicates that the corresponding container group provides a service to the outside.
On this basis, one optional implementation of adding the service exposure mark to a container group according to the instance information of its external service object instance is as follows: if the external service object instance corresponding to the container group is associated with the microservice gateway, add the service exposure mark to the container group; if it is not associated with the microservice gateway, add the service exposure mark according to the type of the external service object instance, namely add the mark when the type is NodePort or LoadBalancer.
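The marking rule above (gateway association first, then Service type, then Service-to-Pod selection) as an added example; this is not the patent's code. The objects follow the JSON shape returned by the Kubernetes API for Services, Ingresses and Pods, but are constructed inline so the script runs offline; the label name `security.example/exposed` is an assumed choice for the service exposure mark.

```python
"""Add a service exposure mark to Pods reached through an Ingress, a NodePort
Service or a LoadBalancer Service (steps 201/202), on constructed API objects."""

EXPOSED_LABEL = "security.example/exposed"   # assumed label used as the mark
EXPOSING_TYPES = {"NodePort", "LoadBalancer"}


def ingress_backed_services(ingresses):
    """Names of Services referenced as a backend by any Ingress (networking.k8s.io/v1 shape)."""
    names = set()
    for ing in ingresses:
        spec = ing.get("spec", {})
        default = spec.get("defaultBackend", {}).get("service", {})
        if "name" in default:
            names.add(default["name"])
        for rule in spec.get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path.get("backend", {}).get("service", {})
                if "name" in backend:
                    names.add(backend["name"])
    return names


def service_exposes(service, gateway_backed):
    """Gateway association is checked first: an Ingress usually fronts a ClusterIP
    Service, whose type alone would wrongly read as 'internal only'."""
    if service["metadata"]["name"] in gateway_backed:
        return True
    return service.get("spec", {}).get("type", "ClusterIP") in EXPOSING_TYPES


def selects(service, pod_obj):
    """A Service selects a Pod in the same namespace that carries every selector label.
    Services without a selector (hand-managed Endpoints) select nothing here."""
    selector = service.get("spec", {}).get("selector") or {}
    if not selector:
        return False
    if service["metadata"].get("namespace", "default") != pod_obj["metadata"].get("namespace", "default"):
        return False
    labels = pod_obj["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in selector.items())


def mark_exposed_pods(pods, services, ingresses):
    """Set the mark on every Pod selected by an exposing Service; return the marked names."""
    gateway_backed = ingress_backed_services(ingresses)
    exposing = [s for s in services if service_exposes(s, gateway_backed)]
    marked = []
    for pod_obj in pods:
        if any(selects(s, pod_obj) for s in exposing):
            pod_obj["metadata"].setdefault("labels", {})[EXPOSED_LABEL] = "true"
            marked.append(pod_obj["metadata"]["name"])
    return marked


def make_svc(name, typ, selector, ns="default"):
    return {"metadata": {"name": name, "namespace": ns}, "spec": {"type": typ, "selector": selector}}


def make_pod(name, labels, ns="default"):
    return {"metadata": {"name": name, "namespace": ns, "labels": dict(labels)}}


# Constructed sample cluster state (not real cluster output).
SERVICES = [
    make_svc("web", "ClusterIP", {"app": "web"}),        # exposed only through the Ingress below
    make_svc("api", "LoadBalancer", {"app": "api"}),
    make_svc("admin", "NodePort", {"app": "admin"}, ns="ops"),
    make_svc("db", "ClusterIP", {"app": "db"}),           # internal only
    make_svc("legacy", "NodePort", None),                 # no selector: matches no Pod
]
INGRESSES = [{"spec": {"rules": [{"http": {"paths": [
    {"path": "/", "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]}}]
PODS = [
    make_pod("web-1", {"app": "web"}), make_pod("api-1", {"app": "api"}),
    make_pod("admin-1", {"app": "admin"}),                # default namespace, ops/admin does not select it
    make_pod("db-1", {"app": "db"}), make_pod("admin-2", {"app": "admin"}, ns="ops"),
]

if __name__ == "__main__":
    print(mark_exposed_pods(PODS, SERVICES, INGRESSES))
```

Against a live cluster the same functions run over the output of `kubectl get svc,ing,pod -A -o json`; for the event-driven path of the method, the new Pod is simply passed on its own as the `pods` argument. Note the two deliberate non-matches: a Service in a different namespace and a selector-less Service never mark a Pod, which is the behaviour a practitioner wants rather than a false positive.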
Further optionally, once it is known exactly which containers in the service cluster provide services to the outside, information about those containers may be pushed to the operations and maintenance (O&M) personnel so that they can strengthen security risk control over them. For example, an exposed container group list may be generated from the container groups that carry the service exposure mark and pushed to the O&M personnel, who then configure, for each container group in the list, the processes and ports that its defense function is allowed to open.
In this embodiment, the O&M personnel determine which processes and ports each container group in the exposed list needs in order to provide its service to the outside, and configure those processes and ports, the ones that keep the container group working reliably, as the ones allowed to open; this completes the configuration of the container group's defense function. The processes allowed to open can receive access from clients outside the service cluster and include, for example and without limitation, HTTP service processes, MySQL processes and log collection processes. The ports allowed to open can receive access requests initiated by clients outside the service cluster.
In practice, an externally exposed container group may become abnormal. If it resolves the fault within a short time, it can continue to provide its service to the outside. If the fault cannot be resolved within a short time, the container group cannot continue to serve, and to reduce the load that clients continually sending requests to the abnormal container group place on the service cluster, the method further optionally includes: if the target container group is abnormal, outputting an anomaly notification; and if the target container group is still abnormal when a preset duration has elapsed since the notification was output, deleting the service exposure mark of the target container group and removing it from the exposed container group list. The target container group is an externally exposed container group that warrants attention, and the anomaly notification prompts the O&M personnel to help resolve its fault so that it returns to normal as soon as possible.
In this embodiment, the preset duration is set flexibly according to the requirements of the application. If the target container group is still abnormal when the preset duration has elapsed, it cannot resolve the fault in a short time, and to maintain the security and reliability of the service cluster its service exposure mark is deleted and it is removed from the exposed container group list; after that, the target container group is no longer a container group that provides a service to the outside. Conversely, if the target container group returns to normal within the preset duration, it has resolved the fault quickly and can continue to provide its service to the outside.
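The notify-then-unexpose timing described above, as an added example that is not part of the patent. Time is injected as seconds on a monotonic clock so the sequence can be replayed deterministically; the 300 s grace period is an assumed value, since the patent leaves the preset duration to the operator.

```python
"""Delete the service exposure mark of a container group that stays abnormal
for longer than the preset duration after the anomaly notification went out."""

GRACE_SECONDS = 300.0  # assumed preset duration


class ExposureTracker:
    def __init__(self, exposed, grace=GRACE_SECONDS):
        self.exposed = set(exposed)   # the exposed container group list
        self.alerted_at = {}          # group -> time the anomaly notification was output
        self.notifications = []       # (group, time) pairs, what O&M would receive
        self.grace = grace

    def observe(self, group, abnormal, now):
        """Feed one anomaly detection result for `group` at time `now`; return the action."""
        if group not in self.exposed:
            return "ignored"          # not a target container group
        if not abnormal:
            if self.alerted_at.pop(group, None) is not None:
                return "recovered"    # fault resolved inside the grace period
            return "normal"
        if group not in self.alerted_at:
            self.alerted_at[group] = now
            self.notifications.append((group, now))
            return "notified"
        if now - self.alerted_at[group] >= self.grace:
            self.exposed.discard(group)   # delete the mark and drop it from the list
            del self.alerted_at[group]
            return "unexposed"
        return "waiting"


def run_scenario():
    """Constructed detection results for three groups; returns the actions and the final list."""
    tracker = ExposureTracker({"web", "api"})
    events = [
        ("web", True, 0.0), ("web", True, 120.0), ("web", False, 200.0),   # recovers in time
        ("api", True, 0.0), ("api", True, 299.0), ("api", True, 300.0),    # still broken at 300 s
        ("db", True, 0.0),                                                  # never exposed
    ]
    actions = [tracker.observe(*e) for e in events]
    return actions, sorted(tracker.exposed)


if __name__ == "__main__":
    print(run_scenario())
```

The comparison `now - alerted_at >= grace` is made against the time the notification was output, not the time the anomaly was first detected, which is what the text specifies; a group that recovers and later becomes abnormal again starts a fresh notification and a fresh grace period.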
The container processing method provided by this embodiment identifies the container groups that provide services to the outside automatically, accurately and promptly, marks them as such, and thereby provides the prerequisite for subsequently strengthening security risk control over those container groups and protecting the containers in them.
Fig. 3 is a flowchart of a container security control method according to an embodiment of the present application. The method may be performed by a container security control apparatus implemented in software and/or hardware, generally integrated in the service cluster. Referring to fig. 3, the method may include the following steps:
301. Determine a target container group in the service cluster that provides a service to the outside, and determine the first process and first port that the target container group is allowed to open.
302. Perform anomaly detection on the target container group according to its attribute information.
303. If the target container group is abnormal, enable the defense function of the target container group to prevent a second process and/or a second port from being opened in it.
In this embodiment, the target container group providing a service to the outside may be selected manually from the container groups in the service cluster. Alternatively, since service exposure marks may have been added in advance to the container groups that provide services to the outside, an optional implementation is to select, from the container groups in the service cluster, a container group that carries the service exposure mark as the target container group.
In this embodiment, after the target container group is determined, the processes and ports that its defense function allows to open are also acquired. For ease of understanding and distinction, a process allowed to open is called a first process and a port allowed to open is called a first port; there may be one or more of each, depending on the target container group.
Determining the first process and first port establishes which processes and ports may be opened in the target container group once its defense function is enabled, and which may not, which is what secures the target container group.
In this embodiment, when security control is applied to the target container group, anomaly detection is performed on it according to its attribute information; which attribute information takes part in the detection is set according to the application. Further optionally, to detect anomalies accurately, the attribute information of the target container group may include, without limitation: operating system information of the target container group, check values of the binary files of the target container group, and software configuration information of the target container group. Anomaly detection may then be performed in one or more of the following modes:
Mode 1: Perform vulnerability detection on the target container group according to its operating system information; if a vulnerability is found, the target container group is abnormal.
Specifically, the operating system information includes, without limitation, the operating system version, directory and file information, and the third-party software in use. The operating system information of the target container group is matched against the operating system information recorded for each vulnerability in a vulnerability library provided by the operating system vendor; if a match is found, the target container group has a vulnerability and is abnormal, and if no match is found, the target container group has no vulnerability and is normal.
Mode 2: Match the check values of the binary files of the target container group against the check values of known malicious files; if a match is found, the target container group is abnormal.
Specifically, check values of malicious files are collected in advance. Check values include, without limitation, MD5 (Message Digest Algorithm 5) digests, digital signatures and other hash values; in practice a collision-resistant hash such as SHA-256 is preferable to MD5 for this matching. If the check value of a binary file in the target container group matches a malicious check value, the target container group is abnormal; otherwise it is normal.
Mode 3: Match the software configuration information of the target container group against preset software configuration information; if the match fails, the target container group is abnormal.
Specifically, the preset software configuration information is the configuration the target container group is expected to have. The software configuration information of the target container group is matched against it; if the match fails the target container group is abnormal, and if it succeeds the target container group is normal.
Anomaly detection may be performed in any one of modes 1, 2 or 3, or in several of them. When several modes are used, the target container group is judged abnormal only when a sufficient number of the individual detection results are abnormal, and normal otherwise; how many abnormal results are required is not limited.
In this embodiment, after an anomaly of the target container group is recognized, the defense function of the target container group is enabled to protect its data. Specifically, once the defense function is enabled, the first process and first port of the target container group are allowed to be opened, while any second process different from the first process and/or any second port different from the first port is prevented from being opened in the target container group; the number of second processes and second ports is not limited.
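The defense function's decision step, as an added example that is not the patent's code: it takes the allowed processes and ports configured by O&M (the first processes and first ports), compares them with what the container is actually running and listening on, and emits the enforcement actions. The `ss -lntp` and `ps` output is constructed, the policy values are assumed, and the enforcement mechanisms are the editor's choice, since the patent does not fix them: ports are closed with a Kubernetes NetworkPolicy that admits ingress only on the first ports, and second processes are handed to a runtime agent as a kill list.

```python
"""Evaluate a container against its allowed (first) processes and ports and
produce the actions the defense function would take."""
import re

SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """(process, pid, port) for every LISTEN line of `ss -lntp` output."""
    out = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            out.append((m.group(3), int(m.group(4)), int(m.group(2))))
    return out


def parse_processes(ps_output):
    """(pid, comm) for `ps -eo pid,comm` output, header skipped."""
    procs = []
    for line in ps_output.strip().splitlines()[1:]:
        pid, comm = line.split(None, 1)
        procs.append((int(pid), comm.strip()))
    return procs


def evaluate(policy, listeners, processes):
    """Violations: any listener on a second port, any second process at all."""
    violations = []
    for proc, pid, port in listeners:
        if port not in policy["ports"]:
            violations.append({"kind": "port", "port": port, "process": proc, "pid": pid})
    for pid, comm in processes:
        if comm not in policy["processes"]:
            violations.append({"kind": "process", "process": comm, "pid": pid})
    return violations


def network_policy(pod_selector, policy, namespace="default", name="exposed-allowlist"):
    """NetworkPolicy admitting ingress only on the first ports (from any peer)."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_selector},
            "policyTypes": ["Ingress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": p} for p in sorted(policy["ports"])]}],
        },
    }


def kill_list(violations):
    """PIDs a runtime agent should terminate: every second process."""
    return sorted({v["pid"] for v in violations if v["kind"] == "process"})


# Assumed O&M configuration for one exposed container group.
POLICY = {"processes": {"nginx", "node_exporter"}, "ports": {80, 9100}}

# Constructed command output (not captured from a real host).
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1,fd=6))
LISTEN 0      128    [::]:9100           [::]:*            users:(("node_exporter",pid=12,fd=3))
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=77,fd=3))
"""
PS_OUTPUT = """  PID COMMAND
    1 nginx
   12 node_exporter
   77 nc
   80 python3
"""

if __name__ == "__main__":
    found = evaluate(POLICY, parse_listeners(SS_OUTPUT), parse_processes(PS_OUTPUT))
    print(found)
    print(kill_list(found))
    print(network_policy({"app": "web"}, POLICY))
```

A NetworkPolicy only takes effect when the cluster's CNI plugin enforces it, and it closes the port to peers without stopping the process from binding; that is why the process check is kept separate and why the `nc` listener on 4444 shows up both as a port violation and as a process violation.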
According to the container safety control method provided by the embodiment of the application, the container group is subjected to abnormity detection based on the attribute information of the container group providing service to the outside, and when the container group is abnormal, the defense function of the container group is started to forbid the opening of an unallowed process or port in the container group, so that the probability of safety risk of the container in the container group is reduced, and the data safety of the container in the container group is enhanced.
In practical application, after the defense function of the target container group is started, the client may initiate access to the target container group through the first port to access the service of the first process corresponding to the first port. Further optionally, in order to better protect the data security of the target container group, after the defense function of the target container group is started, an access request initiated by the client to the first port through the external network is intercepted; verifying the access authority of the client based on the illegal client in the preset blacklist; and if the client has the access right, sending the access request to a process corresponding to the first port in the target container group. And if the client does not have the access right, discarding the access request.
Specifically, an extranet access log recording the access information of clients that access the container group may be analyzed in advance to determine illegal clients that have performed a preset attack operation, where the preset attack operation includes at least one of: a web server management operation, a reverse connection, and vulnerability exploitation; the preset blacklist is then generated from at least one such illegal client. The web server management operation is, for example, a webshell operation, and the reverse connection is, for example, a reverse shell.
In this embodiment, a preset blacklist is used to screen clients of an access request initiated to a first port of a target container group, so as to reduce the probability that an illegal client accesses the target container group, and better protect the data security of the target container group.
It should be noted that before starting the defense function of the target container group, the access permission verification may also be performed by using a preset blacklist for an access request initiated by a client outside the service cluster to a port of the target container group, so as to reduce the probability that an illegal client accesses the target container group, and better protect the data security of the target container group.
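The blacklist construction and the access gate described above, as an added example that is not part of the patent: the log format, the event labels, the IP addresses and the function names are all constructed for the illustration, and the log lines are assumed to carry an attack category already assigned by the log analysis.

```python
"""Build the preset blacklist from an extranet access log and gate access
requests to the allowed (first) port.  Added example; everything here is
constructed, not the patent's or any product's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# The three preset attack operations named in the text (web server
# management operation, reverse connection, vulnerability exploitation).
PRESET_ATTACK_OPERATIONS = {"webshell", "reverse_shell", "exploit"}

# Constructed log lines: "<timestamp> <client_ip> <method> <path> <status> <event>"
# where <event> is "-" or an attack category assigned by the log analysis.
SAMPLE_ACCESS_LOG = """\
2024-01-01T10:00:00Z 203.0.113.10 GET /index.html 200 -
2024-01-01T10:00:05Z 203.0.113.10 POST /upload.php 200 webshell
2024-01-01T10:01:00Z 198.51.100.7 GET /api/health 200 -
2024-01-01T10:02:00Z 192.0.2.44 POST /cgi-bin/status 500 exploit
2024-01-01T10:03:00Z 192.0.2.44 GET /static/app.js 200 -
2024-01-01T10:04:00Z 203.0.113.99 GET /login 200 reverse_shell
malformed line
"""


@dataclass(frozen=True)
class LogEntry:
    ts: str
    client: str
    method: str
    path: str
    status: int
    event: str


def parse_access_log(text: str) -> List[LogEntry]:
    """Parse the constructed log format, skipping malformed lines."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, path, status, event = parts
        try:
            ipaddress.ip_address(client)   # reject garbage in the client field
            status_code = int(status)
        except ValueError:
            continue
        entries.append(LogEntry(ts, client, method, path, status_code, event))
    return entries


def build_blacklist(entries: Iterable[LogEntry]) -> Set[str]:
    """Clients that performed at least one preset attack operation."""
    return {e.client for e in entries if e.event in PRESET_ATTACK_OPERATIONS}


@dataclass
class DefenseGate:
    """Interception point in front of the target container group."""
    allowed_ports: Set[int]            # the configured "first port(s)"
    port_to_process: Dict[int, str]    # first port -> first process
    blacklist: Set[str]

    def handle(self, client: str, port: int) -> str:
        """Return "forward:<process>" or "drop:<reason>" for one request."""
        if port not in self.allowed_ports:
            return "drop:port-not-allowed"       # second port: never opened
        if client in self.blacklist:
            return "drop:client-blacklisted"     # no access right: discard
        return "forward:" + self.port_to_process[port]


def demo() -> Dict[str, str]:
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    gate = DefenseGate(
        allowed_ports={8080},
        port_to_process={8080: "http-server"},
        blacklist=build_blacklist(entries),
    )
    return {
        "good-client": gate.handle("198.51.100.7", 8080),
        "webshell-client": gate.handle("203.0.113.10", 8080),
        "closed-port": gate.handle("198.51.100.7", 2222),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

A client is listed as soon as any one of its log lines carries a preset attack category, so its later benign-looking requests (the second 192.0.2.44 line) do not clear it.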
In some embodiments, when a service exposure flag is added to a container group that provides a service to the outside in a cluster, instance information of an external service object instance corresponding to the container group may be acquired for any one of an existing container group or a newly created new container group in the service cluster; and adding a service exposure mark for the container group according to the instance information of the external service object instance corresponding to the container group.
In this embodiment, a container group already created in the Service cluster is referred to as an existing container group, and for the existing container group in the Service cluster, the API Server may be called to obtain a Service list, where the Service list includes one or more services, and each Service corresponds to one or more existing container groups. Traversing the Service in the Service list, acquiring instance information of the current Service aiming at the traversed current Service, identifying whether an existing container group corresponding to the current Service is a container group providing Service for the outside according to the instance information of the current Service, and if the existing container group is the container group providing Service for the outside, adding a Service exposure mark indicating that the Service is provided for the existing container group. And if the existing container group is not the container group for providing the service to the outside, forbidding adding a service exposure mark indicating the service to be provided to the outside for the existing container group.
It should be noted that the service exposure flag adding step may be repeatedly executed in real time or periodically for existing container groups in the service cluster, and all container groups providing services to the outside in the service cluster may be accurately discovered in real time and the service exposure flag may be added for these container groups.
In this embodiment, in order to timely and accurately find a container group providing a Service to the outside in a Service cluster, a container group creation event on the Service cluster is monitored, and when it is monitored that a new container group is created, a Service to which the new container group belongs is obtained, whether the new container group is a container group providing a Service to the outside is identified according to instance information of the Service to which the new container group belongs, and if the new container group is a container group providing a Service to the outside, a Service exposure flag indicating that a Service is provided to the outside is added to the new container group. And if the new container group is not the container group for providing the service to the outside, forbidding adding a service exposure mark indicating the service to be provided to the outside for the new container group.
In practical applications, the container group may be served externally through a microservice gateway. The microservice gateway may provide the service with a URL (Uniform Resource Locator) for external access to the cluster, load balancing, SSL (Secure Sockets Layer) termination, HTTP (Hypertext Transfer Protocol) routing, and the like. Generally, a service cluster provides an Ingress component to take on the role of the microservice gateway, and a container group provides a service to the outside through the Ingress component. In practical application, the Service type may be a NodePort type or a LoadBalancer type, and when the Service type is one of these, this indicates that the corresponding container group provides an external Service. Based on the above, according to the instance information of the external service object instance corresponding to the container group, an optional implementation manner for adding the service exposure flag to the container group is as follows: if the external service object instance corresponding to the container group is associated with the microservice gateway, add a service exposure mark to the container group; and if the external service object instance corresponding to the container group is not associated with the microservice gateway, add a service exposure mark to the container group according to the type of the external service object instance. Adding the service exposure mark to the container group according to the type of the external service object instance specifically comprises: if the type of the external service object instance is a node port (NodePort) type or a load balancer (LoadBalancer) type, add a service exposure mark to the container group.
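The two marking rules above (Ingress association first, then Service type) applied to both existing and newly created container groups, as an added example that is not the patent's code: Services, Ingresses and pods are modelled as plain dataclasses built inline rather than read from the API Server, and the label key and all names are constructed.

```python
"""Decide which container groups (pods) provide a service to the outside and
attach the service exposure mark.  Added example with constructed data; the
label key is a placeholder, not a real Kubernetes convention."""
from dataclasses import dataclass
from typing import Dict, List, Set

EXPOSURE_LABEL = "security.example/exposed"   # constructed label key


@dataclass
class Pod:
    name: str
    labels: Dict[str, str]


@dataclass
class Service:
    name: str
    type: str                    # ClusterIP | NodePort | LoadBalancer
    selector: Dict[str, str]     # pods whose labels match all of these


@dataclass
class Ingress:
    name: str
    backend_services: Set[str]   # Service names routed by the gateway


def service_selects(svc: Service, pod: Pod) -> bool:
    """Kubernetes selector semantics: every selector label must match."""
    return bool(svc.selector) and all(
        pod.labels.get(k) == v for k, v in svc.selector.items())


def service_is_external(svc: Service, ingresses: List[Ingress]) -> bool:
    # Rule 1: the Service is associated with the microservice gateway.
    if any(svc.name in ing.backend_services for ing in ingresses):
        return True
    # Rule 2: otherwise decide by the Service type.
    return svc.type in ("NodePort", "LoadBalancer")


def external_services_for(pod: Pod, services: List[Service],
                          ingresses: List[Ingress]) -> List[str]:
    return [svc.name for svc in services
            if service_selects(svc, pod) and service_is_external(svc, ingresses)]


def mark_pod(pod: Pod, services: List[Service], ingresses: List[Ingress]) -> bool:
    """Add or withhold the exposure mark for one pod (existing or newly
    created); returns True when the pod provides a service to the outside."""
    if external_services_for(pod, services, ingresses):
        pod.labels[EXPOSURE_LABEL] = "true"
        return True
    pod.labels.pop(EXPOSURE_LABEL, None)   # not external: no mark is added
    return False


def exposed_container_group_list(pods: List[Pod], services: List[Service],
                                 ingresses: List[Ingress]) -> List[str]:
    """The 'exposed container group list' pushed to operations staff."""
    return sorted(p.name for p in pods if mark_pod(p, services, ingresses))


def demo() -> List[str]:
    # Constructed cluster contents.
    pods = [
        Pod("web-0", {"app": "web"}),
        Pod("db-0", {"app": "db"}),
        Pod("admin-0", {"app": "admin"}),
        Pod("worker-0", {"app": "worker"}),   # no Service selects it
    ]
    services = [
        Service("web", "ClusterIP", {"app": "web"}),      # exposed via Ingress
        Service("db", "ClusterIP", {"app": "db"}),        # internal only
        Service("admin", "NodePort", {"app": "admin"}),   # exposed by type
    ]
    ingresses = [Ingress("public", {"web"})]
    exposed = exposed_container_group_list(pods, services, ingresses)
    # A newly created pod is handled by the same rule when its creation
    # event is observed.
    new_pod = Pod("web-1", {"app": "web"})
    if mark_pod(new_pod, services, ingresses):
        exposed = sorted(exposed + [new_pod.name])
    return exposed


if __name__ == "__main__":
    print(demo())
```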
Further optionally, after accurately grasping which containers in the service cluster are containers for providing services to the outside, information of the containers for providing services to the outside may be pushed to the operation and maintenance personnel, so that the operation and maintenance personnel strengthen security risk management and control on the containers, and security of the containers is ensured. For example, an exposure container group list may be generated from at least one container group to which a service exposure flag is added; and pushing the exposed container group list to the operation and maintenance personnel so that the operation and maintenance personnel configure the opening-allowed processes and ports associated with the defense function of the container group in the exposed container group list.
In this embodiment, the operation and maintenance personnel determine, for each container group in the exposed container group list, the processes and ports the container group needs in order to provide its service to the outside, and configure the processes and ports that ensure the reliability of the container group as the processes and ports allowed to be opened, which completes the task of configuring the defense function of the container group. Notably, the processes allowed to be opened for a container group can receive access from clients outside the service cluster and include, for example and without limitation: HTTP service processes, MySQL processes, log collection processes, and the like. The ports allowed to be opened for the container group can receive access requests initiated by clients outside the service cluster.
In practical application, a container group that provides a service to the outside may become abnormal. If it resolves the abnormal fault within a short time, this indicates that it can continue to provide the external service. If the abnormal fault cannot be resolved within a short time, this indicates that the container group cannot continue to provide the external service, and in order to reduce the access pressure on the service cluster caused by clients continuing to send access requests to the abnormal container group, the method further optionally includes: if the target container group is abnormal, outputting abnormal prompt information; and if the target container group is still abnormal once the preset duration has elapsed since the abnormal prompt information was output, deleting the service exposure mark of the target container group and deleting the target container group from the exposed container group list. The target container group is a container group that provides a service to the outside and therefore deserves attention, and the abnormal prompt information can prompt the operation and maintenance personnel to participate in resolving the abnormal fault of the target container group so that it can be restored to normal as soon as possible.
In this embodiment, the preset duration is flexibly set according to the actual application requirement. And when the output abnormal prompt message reaches the preset time, the target container group is still abnormal, which indicates that the target container group cannot solve the abnormal fault in a short time, and at this moment, in order to maintain the safety and reliability of the service cluster, the service exposure mark of the target container group is deleted, and the target container group is deleted from the exposed container group list. It should be understood that after the service exposure flag of the target container group is deleted, the target container group is no longer a container group that provides a service to the outside. Certainly, within the preset time length of outputting the abnormal prompt information, the target container group returns to normal, which indicates that the target container group solves the abnormal fault within a short time, and the target container group can continue to provide the service to the outside.
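The three attribute-based anomaly checks, the defense function that admits only the configured first process and first port, and the timed removal of the exposure mark, as an added example that is not the patent's code: the vulnerable-OS table, the malicious hash, the preset configuration, the process and port names and the preset duration are all constructed placeholders, and the text does not say when the defense function is switched off, so here it stays on once started (an assumption).

```python
"""Anomaly detection on a target container group, the defense function, and
the preset-duration timeout that removes the service exposure mark.  Added
example; reference data are constructed placeholders, not real advisories
or indicators."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference data.
MALICIOUS_SAMPLE = b"constructed-malicious-sample"
VULNERABLE_OS = {("example-os", "1.0")}                      # (name, version)
MALICIOUS_HASHES = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}
PRESET_CONFIG = {"ssh_root_login": "no", "debug_mode": "off"}


@dataclass
class ContainerGroup:
    name: str
    os_info: Tuple[str, str]            # operating system information
    binaries: Dict[str, bytes]          # path -> contents (constructed)
    software_config: Dict[str, str]
    exposed: bool = True                # service exposure mark present


def detect_anomalies(cg: ContainerGroup) -> List[str]:
    """Return the reasons the group is abnormal; an empty list means normal."""
    reasons: List[str] = []
    if cg.os_info in VULNERABLE_OS:                         # check 1: OS vulnerability
        reasons.append("os-vulnerability")
    for path, content in cg.binaries.items():              # check 2: binary check value
        if hashlib.sha256(content).hexdigest() in MALICIOUS_HASHES:
            reasons.append("malicious-binary:" + path)
    for key, expected in PRESET_CONFIG.items():            # check 3: software configuration
        if cg.software_config.get(key) != expected:
            reasons.append("config-mismatch:" + key)
    return reasons


@dataclass
class Defense:
    allowed_processes: Set[str]   # the first process(es) configured by ops
    allowed_ports: Set[int]       # the first port(s) configured by ops
    active: bool = False

    def may_open(self, process: Optional[str] = None,
                 port: Optional[int] = None) -> bool:
        """Once active, only the allowed process/port may be opened."""
        if not self.active:
            return True
        if process is not None and process not in self.allowed_processes:
            return False
        if port is not None and port not in self.allowed_ports:
            return False
        return True


@dataclass
class Controller:
    defense: Defense
    preset_duration: float                      # seconds given to resolve the fault
    exposed_list: Set[str] = field(default_factory=set)
    alert_time: Optional[float] = None          # when the prompt was output

    def check(self, cg: ContainerGroup, now: float) -> str:
        reasons = detect_anomalies(cg)
        if not reasons:
            self.alert_time = None              # fault resolved in time
            return "normal"
        self.defense.active = True              # start the defense function
        if self.alert_time is None:
            self.alert_time = now               # output the abnormal prompt once
            return "abnormal:alert"
        if cg.exposed and now - self.alert_time >= self.preset_duration:
            cg.exposed = False                  # delete the exposure mark
            self.exposed_list.discard(cg.name)
            return "abnormal:exposure-removed"
        return "abnormal:waiting"


def make_infected_group() -> ContainerGroup:
    """Constructed target group carrying one malicious binary."""
    return ContainerGroup("web-0", ("example-os", "2.0"),
                          {"/usr/local/bin/app": b"clean",
                           "/tmp/.x": MALICIOUS_SAMPLE},
                          dict(PRESET_CONFIG))


if __name__ == "__main__":
    cg = make_infected_group()
    ctl = Controller(Defense({"http-server"}, {8080}), 60.0, {cg.name})
    for t in (0.0, 30.0, 60.0):
        print(t, ctl.check(cg, t), ctl.defense.may_open("sh"))
```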
In order to better understand the technical solutions provided by the embodiments of the present application, the following description is made with reference to a scenario embodiment shown in fig. 4.
Scene embodiment:
referring to (1) in fig. 4, the container security control apparatus discovers the container groups in the service cluster that provide services to the outside and marks them with service exposure marks. Next, referring to (2) in fig. 4, the container security control apparatus pushes an exposed container group list containing a plurality of container groups marked with service exposure marks to the operation and maintenance personnel. Next, referring to (3) in fig. 4, the operation and maintenance personnel send to the container security control apparatus the first process and the first port that are allowed to be opened and are associated with the defense function configured for each container group in the exposed container group list. Next, referring to (4) in fig. 4, the container security control apparatus records the first process and the first port allowed to be opened that are associated with the defense function configured for each container group in the exposed container group list. Next, referring to (5) in fig. 4, the container security control apparatus performs anomaly detection on each container group in the exposed container group list; and if a container group is abnormal, it prohibits opening a second process and/or a second port in that container group. Next, referring to (6) in fig. 4, if the container group is abnormal, the container security control apparatus outputs an abnormal prompt message to the operation and maintenance personnel. If the container security control apparatus determines that the container group has been abnormal for a long time, it deletes the service exposure mark of the container group and deletes the container group from the exposed container group list. Next, referring to (7) in fig. 4, the operation and maintenance personnel take part in resolving the abnormal fault. Next, referring to (8) in fig. 4, the client sends an access request to the first port of the container group in the service cluster.
Next, referring to (9) in fig. 4, the container security control device intercepts the access request sent to the first port, verifies the access right of the client, and sends the access request to the process corresponding to the first port in the container group if the client has the access right. And if the client does not have the access right, discarding the access request.
Fig. 5 is a schematic structural diagram of a container safety control device according to an embodiment of the present application. The apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. Referring to fig. 5, the apparatus may include: a determination module 51, an abnormality detection module 52 and a start module 53;
the determining module 51 is configured to determine a target container group providing a service to the outside in the service cluster, and determine a first process and a first port that are allowed to be opened and correspond to the target container group;
an anomaly detection module 52, configured to perform anomaly detection on the target container group according to the attribute information of the target container group;
the starting module 53 is configured to start a defense function of the target container group to prohibit starting of the second process and/or the second port in the target container group if the target container group is abnormal.
Further optionally, when the anomaly detection module 52 performs anomaly detection on the target container group according to the attribute information of the target container group, the anomaly detection module is specifically configured to: detecting the vulnerability of the target container group according to the operating system information of the target container group, and if the vulnerability of the target container group occurs, determining that the target container group is abnormal; and/or matching the check value of the binary file of the target container group with the check value of the malicious file, and if the matching is successful, determining that the target container group is abnormal; and/or matching the software configuration information of the target container group with preset software configuration information, and if the matching fails, determining that the target container group is abnormal.
Further optionally, the apparatus further comprises: the intercepting module is used for intercepting an access request initiated by the client to the first port through an external network after starting the defense function of the target container group; verifying the access authority of the client based on the illegal client in the preset blacklist; and if the client has the access right, sending the access request to a process corresponding to the first port in the target container group.
Further optionally, the intercepting module is further configured to discard the access request if the client does not have the access right.
Further optionally, the intercepting module is further configured to, before verifying the access right of the client based on the illegal clients in the preset blacklist, analyze an external network access log that records the access information of clients accessing the container group to determine the illegal clients that have performed a preset attack operation, where the preset attack operation includes at least one of: a web server management operation, a reverse connection, and vulnerability exploitation; and generate the preset blacklist from at least one illegal client.
Further optionally, when the determining module 51 determines the target container group providing the service to the outside in the service cluster, the determining module is specifically configured to: a container group having a service exposure flag is selected as a target container group for providing a service to the outside from among a plurality of container groups included in a service cluster.
Further optionally, the apparatus further includes: a marking module, configured to add, before the determining module 51 selects the container group with the service exposure mark as a target container group for providing a service to the outside, a service exposure mark to the container group according to the instance information of the external service object instance corresponding to the container group, for any one of an existing container group or a newly created new container group in the service cluster.
Further optionally, when the marking module adds the service exposure mark to the container group according to the instance information of the external service object instance corresponding to the container group, the marking module is specifically configured to: if the external service object instance corresponding to the container group is associated with the micro service gateway, adding a service exposure mark for the container group; and if the external service object instance corresponding to the container group is not associated with the micro service gateway, adding a service exposure mark for the container group according to the type of the external service object instance.
Further optionally, when the mark module adds the service exposure mark to the container group according to the type of the external service object instance, the mark module is specifically configured to: and if the type of the external service object instance is a node port NodePort type or a load balancer type, adding a service exposure mark for the container group.
Further optionally, the marking module is further configured to: generating an exposure container group list according to at least one container group to which the service exposure flag is added; and pushing the exposed container group list to the operation and maintenance personnel so that the operation and maintenance personnel configure the opening-allowed processes and ports associated with the defense function of the container group in the exposed container group list.
Further optionally, the anomaly detection module 52 is further configured to output an anomaly prompt message if the target container group is abnormal; and if the target container group is still abnormal after the output abnormal prompt message reaches the preset duration, deleting the service exposure mark of the target container group and deleting the target container group from the exposed container group list.
For specific ways of executing operations of each module in the container safety control device shown in fig. 5, reference may be made to the related description in the foregoing method embodiments, and details are not repeated here.
Fig. 6 is a schematic structural diagram of a container processing apparatus according to an embodiment of the present disclosure. The apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. Referring to fig. 6, the apparatus may include: an acquisition module 61 and a mark adding module 62;
an obtaining module 61, configured to obtain, for any one of an existing container group or a newly created new container group in the service cluster, instance information of an external service object instance corresponding to the container group;
and a tag adding module 62, configured to add a service exposure tag to the container group according to the instance information of the external service object instance corresponding to the container group.
Further optionally, when the mark adding module 62 adds the service exposure mark to the container group according to the instance information of the external service object instance corresponding to the container group, the mark adding module is specifically configured to: if the external service object instance corresponding to the container group is associated with the micro service gateway, adding a service exposure mark for the container group; and if the external service object instance corresponding to the container group is not associated with the micro service gateway, adding a service exposure mark for the container group according to the type of the external service object instance.
Further optionally, when the mark adding module 62 adds the service exposure mark to the container group according to the type of the external service object instance, the mark adding module is specifically configured to: and if the type of the external service object instance is a node port NodePort type or a load balancer type, adding a service exposure mark for the container group.
Further optionally, the mark adding module 62 is further configured to: generating an exposure container group list according to at least one container group to which the service exposure flag is added; and pushing the exposed container group list to the operation and maintenance personnel so that the operation and maintenance personnel configure the opening-allowed processes and ports associated with the defense function of the container group in the exposed container group list.
For specific ways of executing operations of the modules in the container processing apparatus shown in fig. 6, reference may be made to the related descriptions in the foregoing method embodiments, and details are not repeated here.
It should be noted that the execution subjects of the steps of the methods provided in the above embodiments may be the same device, or different devices may be used as the execution subjects of the methods. For example, the execution subjects of steps 301 to 303 may be device a; for another example, the execution subject of steps 301 and 302 may be device a, and the execution subject of step 303 may be device B; and so on.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 301, 302, etc., are merely used for distinguishing different operations, and the sequence numbers do not represent any execution order per se. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic apparatus includes: a memory 71 and a processor 72;
the memory 71 is used for storing computer programs and may be configured to store other various data to support operations on the computing platform. Examples of such data include instructions for any application or method operating on the computing platform, contact data, phonebook data, messages, pictures, videos, and so forth.
The memory 71 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 72, coupled to the memory 71, for executing computer programs in the memory 71 for: determining a target container group for providing services to the outside in a service cluster, and determining a first process and a first port which are allowed to be opened and correspond to the target container group; according to the attribute information of the target container group, carrying out anomaly detection on the target container group; and if the target container group is abnormal, starting the defense function of the target container group to forbid opening a second process and/or a second port in the target container group.
Alternatively, the processor 72, coupled to the memory 71, is configured to execute the computer program in the memory 71 to: acquiring instance information of an external service object instance corresponding to a container group aiming at any one of an existing container group or a newly created new container group in a service cluster; and adding a service exposure mark for the container group according to the instance information of the external service object instance corresponding to the container group.
Further optionally, when the processor 72 performs the anomaly detection on the target container group according to the attribute information of the target container group, the processor is specifically configured to: detecting the vulnerability of the target container group according to the operating system information of the target container group, and if the vulnerability of the target container group occurs, determining that the target container group is abnormal; and/or matching the check value of the binary file of the target container group with the check value of the malicious file, and if the matching is successful, determining that the target container group is abnormal; and/or matching the software configuration information of the target container group with preset software configuration information, and if the matching fails, determining that the target container group is abnormal.
Further optionally, the processor 72 is further configured to intercept an access request initiated by the client to the first port through the external network after the defense function of the target container group is started; verifying the access authority of the client based on the illegal client in the preset blacklist; and if the client has the access right, sending the access request to a process corresponding to the first port in the target container group.
Further optionally, the processor 72 is further configured to discard the access request if the client does not have the access right.
Further optionally, the processor 72 is further configured to, before verifying the access right of the client based on the illegal clients in the preset blacklist, analyze an external network access log that records the access information of clients accessing the container group to determine the illegal clients that have performed a preset attack operation, where the preset attack operation includes at least one of: a web server management operation, a reverse connection, and vulnerability exploitation; and generate the preset blacklist from at least one illegal client.
Further optionally, when the processor 72 determines the target container group providing the service to the outside in the service cluster, the processor is specifically configured to: a container group having a service exposure flag is selected as a target container group for providing a service to the outside from among a plurality of container groups included in a service cluster.
Further optionally, the processor 72 is further configured to, before selecting the container group with the service exposure flag as a target container group for providing a service to the outside, add, according to the instance information of the external service object instance corresponding to the container group, the service exposure flag to the container group for any one of an existing container group in the service cluster or a newly created new container group.
Further optionally, when the processor 72 adds the service exposure flag to the container group according to the instance information of the external service object instance corresponding to the container group, the processor is specifically configured to: if the external service object instance corresponding to the container group is associated with the micro service gateway, adding a service exposure mark for the container group; and if the external service object instance corresponding to the container group is not associated with the micro service gateway, adding a service exposure mark for the container group according to the type of the external service object instance.
Further optionally, when the processor 72 adds the service exposure flag to the container group according to the type of the external service object instance, the processor is specifically configured to: if the type of the external service object instance is a node port (NodePort) type or a load balancer type, add a service exposure mark to the container group.
Further optionally, the processor 72 is further configured to: generating an exposure container group list according to at least one container group to which the service exposure flag is added; and pushing the exposed container group list to the operation and maintenance personnel so that the operation and maintenance personnel configure the opening-allowed processes and ports associated with the defense function of the container group in the exposed container group list.
Further optionally, the processor 72 is further configured to output an exception prompt message if the target container group is abnormal; and if the target container group is still abnormal after the output abnormal prompt message reaches the preset duration, deleting the service exposure mark of the target container group and deleting the target container group from the exposed container group list.
Further, as shown in fig. 7, the electronic device further includes: a communication component 73, a display 74, a power component 75, an audio component 76, and the like. Only some of the components are schematically shown in fig. 7, which does not mean that the electronic device includes only the components shown in fig. 7. In addition, the components within the dashed-line frame in fig. 7 are optional rather than necessary components and may be determined according to the product form of the electronic device. The electronic device of this embodiment may be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone, or an IoT device, or as a server device such as a conventional server, a cloud server, or a server array. If the electronic device of this embodiment is implemented as a terminal device such as a desktop computer, a notebook computer, or a smart phone, it may include the components within the dashed-line frame in fig. 7; if it is implemented as a server device such as a conventional server, a cloud server, or a server array, the components in the dashed-line frame in fig. 7 may be omitted.
For details of the implementation process of the processor to perform each action, reference may be made to the related description in the foregoing method embodiments, and details are not repeated here.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the electronic device in the foregoing method embodiments when executed.
Accordingly, the present application also provides a computer program product, which includes a computer program/instruction, when the computer program/instruction is executed by a processor, the processor is enabled to implement the steps that can be executed by an electronic device in the above method embodiments.
The communication component is configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device where the communication component is located can access a wireless network based on a communication standard, such as WiFi, a 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The display includes a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The power supply assembly provides power for various components of the device in which the power supply assembly is located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
The audio component may be configured to output and/or input an audio signal. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in a memory or transmitted via a communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (13)

1. A method for controlling safety of a container, comprising:
determining a target container group for providing services to the outside in a service cluster, and determining a first process and a first port which are allowed to be opened and correspond to the target container group;
according to the attribute information of the target container group, performing anomaly detection on the target container group;
and if the target container group is abnormal, starting a defense function of the target container group to forbid opening a second process and/or a second port in the target container group.
2. The method according to claim 1, wherein performing anomaly detection on the target container group according to the attribute information of the target container group comprises:
detecting vulnerabilities of the target container group according to the operating system information of the target container group, and if a vulnerability exists in the target container group, determining that the target container group is abnormal; and/or,
matching the check value of a binary file of the target container group with the check value of a malicious file, and if the matching is successful, determining that the target container group is abnormal; and/or,
and matching the software configuration information of the target container group with preset software configuration information, and if the matching fails, determining that the target container group is abnormal.
3. The method of claim 1, further comprising, after starting the defense function of the target container group:
intercepting an access request initiated by a client to the first port through an external network;
verifying the access authority of the client based on the illegal client in a preset blacklist;
and if the client has the access right, sending the access request to a process corresponding to the first port in the target container group.
4. The method of claim 3, before verifying the access right of the client based on the illegal client in the preset blacklist, further comprising:
analyzing an extranet access log, which records access information of clients accessing the container group, to determine illegal clients that have executed a preset attack operation, wherein the preset attack operation comprises at least one of the following: a web server management operation, a reverse connection, and vulnerability exploitation;
and generating the preset blacklist according to at least one illegal client.
5. The method of any of claims 1 to 4, wherein determining a target set of containers in the service cluster for providing services to the outside comprises:
selecting a container group with a service exposure flag as a target container group of the externally provided service from a plurality of container groups included in the service cluster.
6. The method according to claim 5, further comprising, before selecting the container group with the service exposure flag as the target container group for providing the service to the outside, the steps of:
and adding a service exposure flag to any existing container group or newly created container group in the service cluster according to the instance information of the external service object instance corresponding to the container group.
7. The method according to claim 6, wherein adding a service exposure flag to the container group according to the instance information of the external service object instance corresponding to the container group comprises:
if the external service object instance corresponding to the container group is associated with the microservice gateway, adding a service exposure flag to the container group;
and if the external service object instance corresponding to the container group is not associated with the microservice gateway, adding a service exposure flag to the container group according to the type of the external service object instance.
8. The method of claim 7, wherein adding a service exposure flag for the container group based on the type of the foreign service object instance comprises:
and if the type of the external service object instance is a node port type or a load balancer type, adding a service exposure flag to the container group.
9. The method of claim 6, further comprising:
generating an exposure container group list according to at least one container group to which the service exposure flag is added;
pushing the exposed container group list to an operation and maintenance person so that the operation and maintenance person configures the opening-allowed processes and ports associated with the defense function of the container group in the exposed container group list.
10. The method of claim 9, further comprising:
if the target container group is abnormal, outputting abnormal prompt information;
and if the target container group is still abnormal after a preset time length has elapsed since the abnormal prompt information was output, deleting the service exposure flag of the target container group and deleting the target container group from the exposed container group list.
11. A method of processing containers, comprising:
for any existing container group or newly created container group in a service cluster, acquiring instance information of an external service object instance corresponding to the container group;
and adding a service exposure flag to the container group according to the instance information of the external service object instance corresponding to the container group.
12. An electronic device, comprising: a memory and a processor; the memory for storing a computer program; the processor is coupled to the memory for executing the computer program for performing the steps of the method of any of claims 1-11.
13. A computer storage medium having a computer program stored thereon, which, when executed by a processor, causes the processor to carry out the steps of the method of any one of claims 1 to 11.
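The control flow the claims describe, as an added Python example that is not part of the patent or of any Alibaba Cloud implementation: exposure flagging (claims 6-8), the checksum and configuration branches of anomaly detection (claim 2), the process/port prohibition of the defense function (claim 1), and blacklist-based filtering of requests to the first port (claims 3-4). The data model, the operation labels in the access log and the malicious digest are all constructed assumptions; the operating-system vulnerability branch of claim 2 is omitted.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed digest standing in for a malicious-file check value (not a real indicator).
KNOWN_MALICIOUS_SHA256 = {hashlib.sha256(b"constructed-malicious-binary").hexdigest()}
# Preset attack operations from claim 4; the labels are assumed log vocabulary.
ATTACK_OPERATIONS = {"web_server_admin", "reverse_connection", "vuln_exploit"}

@dataclass
class ContainerGroup:
    name: str
    service_type: str      # type of the external service object, e.g. "NodePort"
    behind_gateway: bool   # service object associated with a microservice gateway
    binaries: dict         # path -> file bytes (constructed)
    config: dict           # observed software configuration
    expected_config: dict  # preset software configuration to match against
    allowed_ports: set = field(default_factory=set)      # the claim's "first port"
    allowed_processes: set = field(default_factory=set)  # the claim's "first process"
    exposed: bool = False
    defending: bool = False

def mark_exposure(group):
    """Claims 6-8: exposed if gateway-associated or of NodePort / LoadBalancer type."""
    group.exposed = group.behind_gateway or group.service_type in {"NodePort", "LoadBalancer"}
    return group.exposed

def detect_anomaly(group):
    """Claim 2, checksum and configuration branches: list of findings, empty if clean."""
    findings = []
    for path, data in group.binaries.items():
        if hashlib.sha256(data).hexdigest() in KNOWN_MALICIOUS_SHA256:
            findings.append(f"malicious binary: {path}")
    for key, expected in group.expected_config.items():
        if group.config.get(key) != expected:
            findings.append(f"config mismatch: {key}")
    return findings

def may_open(group, kind, value):
    """Claim 1: with the defense function on, only the allowed process/port may open."""
    if not group.defending:
        return True
    allowed = group.allowed_ports if kind == "port" else group.allowed_processes
    return value in allowed

def build_blacklist(access_log):
    """Claim 4: clients whose logged operation is a preset attack operation.
    Entries are (client_ip, port, operation) tuples."""
    return {ip for ip, _port, op in access_log if op in ATTACK_OPERATIONS}

def handle_access(group, client_ip, port, blacklist):
    """Claim 3: intercept an extranet request to the first port and forward it
    only when the client is not on the blacklist."""
    if port not in group.allowed_ports:
        return "dropped: port not allowed"
    if client_ip in blacklist:
        return "dropped: blacklisted client"
    return f"forwarded to process on port {port}"

def run_control_loop(group, access_log):
    """One pass of the claimed method: mark exposure, detect, arm defense, build blacklist."""
    if not mark_exposure(group):
        return {"exposed": False, "findings": [], "defending": False}
    findings = detect_anomaly(group)
    group.defending = bool(findings)   # claim 1: defense starts only if anomalous
    return {"exposed": True, "findings": findings, "defending": group.defending,
            "blacklist": build_blacklist(access_log)}
```

A non-exposed group (for instance ClusterIP without a gateway) is never armed, so `may_open` stays permissive for it; an exposed group whose binaries or configuration fail the checks is armed, after which only the configured port and process may open and blacklisted clients are dropped at the first port.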
CN202210633450.9A 2022-06-06 2022-06-06 Container safety control method, container processing method, electronic device, and storage medium Pending CN115150129A (en)
Publications (1)

Publication Number Publication Date
CN115150129A true CN115150129A (en) 2022-10-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination