CN115758371A - Container image deployment method - Google Patents

Container image deployment method

Info

Publication number: CN115758371A
Application number: CN202211246006.8A
Authority: CN (China)
Prior art keywords: image, container image, container, deployment, trusted
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 梁洋洋
Current assignee: CLP Cloud Digital Intelligence Technology Co Ltd
Original assignee: CLP Cloud Digital Intelligence Technology Co Ltd
Application filed by CLP Cloud Digital Intelligence Technology Co Ltd; priority to CN202211246006.8A; publication of CN115758371A

Abstract

The invention relates to the technical field of information security and provides a container image deployment method comprising the following steps: creating a container image and signing it; judging whether the container image meets the deployment condition by verifying both the container image and the physical server on which it is to be deployed; and deploying a container image that meets the deployment condition to the production environment. The container image deployment method of the exemplary embodiments of the invention makes the whole stack trustworthy from the code level to the deployment level, so that supply chain attacks during software delivery are effectively prevented, as are malicious attacks originating from the underlying hardware deployed at the user's site.

Description

Container image deployment method
Technical Field
The invention relates to the technical field of information security, and in particular to a container image deployment method.
Background
With the wide adoption of the open source Kubernetes technology, cloud platforms built on Kubernetes that take containers as their unit of operation have appeared, for example OpenShift, Rancher, and the proprietary clouds offered by the various public cloud vendors. In practice, a business system running on a cloud platform is easily attacked by external hackers: a container by itself does not provide complete isolation, and even where isolation mechanisms exist they are rarely used because of usability problems. Threats to a Pod-based service system come from the network layer and from the workload layer, and they keep growing. Existing solutions address isolation at the operating-system level through a secure container, for example an open source solution such as Kata Containers, or run a cloud workload protection product on the Pod that discovers malicious threats and then blocks them through a DPI module; such blocking first has to identify the corresponding security threat before any blocking means can be applied, and it cannot resist boot malware that starts from the BIOS. Furthermore, existing cloud platforms have the following deployment-security problem in practice: malicious tampering and malicious attacks from the software supply chain and the hardware supply chain cannot be detected through flexible policy configuration, so the upper-layer business system cannot run reliably.
Therefore, how to provide a trusted container management method capable of preventing hacking of the underlying hardware is a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of the above, and in order to overcome the defects of the prior art, the present invention aims to provide a trusted container management method that prevents hacking of the underlying hardware.
The invention provides a container image deployment method comprising the following steps:
step S1: creating a container image and signing the container image;
step S2: judging whether the container image meets the deployment condition by verifying the container image and the physical server on which the container image is to be deployed;
step S3: deploying a container image that meets the deployment condition to the production environment.
Further, step S1 of the container image deployment method of the present invention includes:
step S11: the code compiling and building system calls the KMS module of the data encryption service system to create a key, and the key is stored in TPCM hardware;
step S12: the code compiling and building system calls the code base to build a container image;
step S13: using the key created in step S11, the signature verification service module of the data encryption service system is called to generate signature data for the container image built in step S12 by means of the national cryptographic algorithm;
step S14: the container image and the signature data are stored in an image repository.
Further, step S2 of the container image deployment method of the present invention includes:
step S21: the deployment system obtains the container image from the image repository;
step S22: the container image is deployed through Kubernetes; during deployment it is verified whether the container image was tampered with in transit, and the container image is marked according to the verification result;
step S23: a trusted computing service system verifies whether the physical server on which the container image is to be deployed is trusted, and the container image is marked according to the verification result;
step S24: whether the container image meets the deployment condition is judged from the verification results of step S22 and step S23.
Further, step S22 of the container image deployment method of the present invention includes:
the trusted container service system calls the signature verification service module of the local data encryption service system to verify whether the container image has been tampered with;
if the verification result does not match the signature data, the container image is judged to have been tampered with in transit, and the trusted container service system marks the container image as deployment-prohibited;
if the verification result matches the signature data, the container image is judged not to have been tampered with in transit, and the trusted container service system marks the container image as deployment-allowed.
Further, step S23 of the container image deployment method of the present invention includes:
the trusted computing service system obtains the boot trust chain information of the physical server in the production environment and passes it to the policy management module of the trusted container service system, which verifies whether the boot trust chain data is abnormal;
if the boot trust chain data is abnormal, the physical server on which the container image is to be deployed is judged untrusted, and the trusted container service system marks the container image as deployment-prohibited;
if the boot trust chain is identical to the factory configuration, the physical server on which the container image is to be deployed is judged trusted, and the trusted container service system marks the container image as deployment-allowed.
Further, step S24 of the container image deployment method of the present invention includes:
when the container image was tampered with in transit or the physical server on which it is to be deployed is not trusted, the policy management module of the trusted container service system notifies the Webhook interface to prohibit deployment of the container image;
when the container image was not tampered with in transit and the physical server on which it is to be deployed is trusted, the policy management module of the trusted container service system notifies the Webhook interface to allow deployment of the container image.
Further, step S3 of the container image deployment method of the present invention includes: Kubernetes receives the notification from the Webhook interface and deploys the container image that meets the deployment condition to a physical server in the production environment.
The invention also provides a computer storage medium on which a computer program is stored which, when executed, performs the above method.
Finally, the invention provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor performing the above method when executing the program.
The container image deployment method has the following beneficial effects: compared with a traditional container deployment scheme, the method achieves full-stack trustworthiness from the code level to the deployment level, effectively prevents supply chain attacks during delivery of software after it leaves the factory, and effectively prevents malicious attacks from the underlying hardware deployed at the user's site.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. It is obvious that the drawings described below show only some embodiments of the present invention, and that those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a container image deployment method according to an exemplary first embodiment of the present invention.
Fig. 2 is a flowchart of a container image deployment method according to an exemplary second embodiment of the present invention.
Fig. 3 is a flowchart of a container image deployment method according to an exemplary third embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, based on the embodiments in the present disclosure, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to or other than one or more of the aspects set forth herein.
The application scenario of the present embodiment and the names used in the following embodiments are explained as follows:
The code compiling and building system is a client-specific continuous integration engine, used mainly to compile and build software projects continuously and automatically and to monitor certain regularly executed tasks.
The data encryption service system is a private/public cloud service composed of several encryption services, including a Key Management Service (KMS), a signature verification service, and the like. The Key Management Service (KMS) creates and manages keys; the signature verification service comprises a signing function and a signature verification function, and signature verification can only be completed with a key created by the key management service.
The signing and signature verification service module comprises a signing function and a signature verification function; it can call a cryptographic algorithm to complete signing and signature verification, and thereby guarantees the integrity of business data.
The local data encryption service system generally refers to a proprietary cloud data encryption service deployed in the user's business environment.
The trusted container service system comprises a policy management module, a Webhook module that interfaces with k8s, and a software module that interfaces with the trusted computing service; it is the core management system of trusted container deployment.
The trusted computing service system is a trusted computing platform, widely used in computing and communication systems, that relies on the support of a hardware security module to improve the overall security of the system.
The policy management module is responsible for interface interaction with security administrators, making it easy for a user to flexibly set detection policies for different usage scenarios.
Webhook: a Webhook is one of the usage paradigms of microservice APIs, also called a reverse API, namely a URL that receives HTTP POST (or GET, PUT, DELETE) requests. An API provider that implements a Webhook sends a message to the configured URL when an event occurs; unlike the request-response mode, a Webhook lets the consumer receive changes in real time.
Kubernetes, the K8s management system, also called K8s, is an open source platform that automates the operation of Linux containers. It saves users many manual deployment and scaling operations in the application containerization process. Hosts running Linux containers can be clustered together, Kubernetes helps users manage these clusters easily and efficiently, and the clusters can deploy hosts across public, private, or hybrid clouds.
The KMS module, or Key Management Service (KMS), is a security management service that helps users easily create and manage keys, protects the confidentiality, integrity, and availability of those keys, meets the key management needs of a user's many applications and services, and satisfies compliance requirements.
National cryptographic algorithm: an elliptic curve public key cryptographic algorithm, one of the ECC (Elliptic Curve Cryptography) family, based on the elliptic curve discrete logarithm problem. Its computational complexity is exponential, so it is hard to break, its keys can be generated quickly, and for the same level of security the required key length is much shorter than that of other public key algorithms.
Fig. 1 is a flowchart of a container image deployment method according to an exemplary first embodiment of the present invention. As shown in fig. 1, the method of this embodiment includes:
step S1: creating a container image and signing the container image;
step S2: judging whether the container image meets the deployment condition by verifying the container image and the physical server on which the container image is to be deployed;
step S3: deploying a container image that meets the deployment condition to the production environment.
Fig. 2 is a flowchart of a container image deployment method according to an exemplary second embodiment of the present invention; this embodiment is a preferred embodiment of the method shown in fig. 1. As shown in fig. 2, step S1 of the method of this embodiment includes:
step S11: the code compiling and building system calls the KMS module of the data encryption service system to create a key, and the key is stored in TPCM hardware;
step S12: the code compiling and building system calls the code base to build a container image;
step S13: using the key created in step S11, the signature verification service module of the data encryption service system is called to generate signature data for the container image built in step S12 by means of the national cryptographic algorithm;
step S14: the container image and the signature data are stored in an image repository.
Fig. 3 is a flowchart of a container image deployment method according to an exemplary third embodiment of the present invention; this embodiment is a preferred embodiment of the method shown in fig. 1. As shown in fig. 3, step S2 of the method of this embodiment includes:
step S21: the deployment system obtains the container image from the image repository;
step S22: the container image is deployed through Kubernetes; during deployment it is verified whether the container image was tampered with in transit, and the container image is marked according to the verification result;
step S23: a trusted computing service system verifies whether the physical server on which the container image is to be deployed is trusted, and the container image is marked according to the verification result;
step S24: whether the container image meets the deployment condition is judged from the verification results of step S22 and step S23.
A fourth exemplary embodiment of the present invention provides a container image deployment method; this embodiment is a preferred implementation of the method shown in fig. 1 and fig. 3, and step S22 of this embodiment includes:
the trusted container service system calls the signature verification service module of the local data encryption service system to verify whether the container image has been tampered with;
if the verification result does not match the signature data, the container image is judged to have been tampered with in transit, and the trusted container service system marks the container image as deployment-prohibited;
if the verification result matches the signature data, the container image is judged not to have been tampered with in transit, and the trusted container service system marks the container image as deployment-allowed.
An exemplary fifth embodiment of the present invention provides a container image deployment method; this embodiment is a preferred implementation of the method shown in fig. 1 and fig. 3, and step S23 of the method of this embodiment includes:
the trusted computing service system obtains the boot trust chain information of the physical server in the production environment and passes it to the policy management module of the trusted container service system, which verifies whether the boot trust chain data is abnormal;
if the boot trust chain data is abnormal, the physical server on which the container image is to be deployed is judged untrusted, and the trusted container service system marks the container image as deployment-prohibited;
if the boot trust chain is identical to the factory configuration, the physical server on which the container image is to be deployed is judged trusted, and the trusted container service system marks the container image as deployment-allowed.
An exemplary sixth embodiment of the present invention provides a container image deployment method; this embodiment is a preferred implementation of the method shown in fig. 1 and fig. 3, and step S24 of the method of this embodiment includes:
when the container image was tampered with in transit or the physical server on which it is to be deployed is not trusted, the policy management module of the trusted container service system notifies the Webhook interface to prohibit deployment of the container image;
when the container image was not tampered with in transit and the physical server on which it is to be deployed is trusted, the policy management module of the trusted container service system notifies the Webhook interface to allow deployment of the container image.
An exemplary sixth embodiment of the present invention provides a container image deployment method; this embodiment is a preferred implementation of the method shown in fig. 1 and fig. 3, and step S3 of the method of this embodiment includes: Kubernetes receives the notification from the Webhook interface and deploys the container image that meets the deployment condition to a physical server in the production environment.
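The following Go program is an added worked example of the signing and admission-time decision logic described in steps S11 to S24 and S3 above (in both the summary and the embodiments); it is not code from the patent or its applicant. It assumes an in-memory ECDSA P-256 key as a stand-in for the national cryptographic key that the page stores in TPCM hardware, that the signature covers the SHA-256 digest of the image manifest, that the boot trust chain is a map of component measurements compared against a factory baseline, and a minimal AdmissionReview-style response in place of the real Kubernetes Webhook object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// States the trusted container service attaches to an image (steps S22/S23).
const (
	StateAllowed    = "deployment-allowed"
	StateProhibited = "deployment-prohibited"
)

// SignedImage is the S14 repository record; assumption: Sig covers the SHA-256 digest of the manifest.
type SignedImage struct {
	Ref    string `json:"ref"`
	Digest []byte `json:"digest"`
	Sig    []byte `json:"sig"` // ASN.1 DER ECDSA signature
}

// BootChain is one physical server's boot trust chain (S23): component -> measurement (constructed).
type BootChain map[string]string

// Policy is the policy management module's state: the signing public key (the page keeps the private
// key in TPCM hardware; an in-memory ECDSA P-256 key is the assumed stand-in here) and node baselines.
type Policy struct {
	SigningKey *ecdsa.PublicKey
	Baseline   map[string]BootChain // node name -> factory configuration
}

// SignImage is steps S12-S13: digest the built image and sign the digest.
func SignImage(priv *ecdsa.PrivateKey, ref string, manifest []byte) (SignedImage, error) {
	d := sha256.Sum256(manifest)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Ref: ref, Digest: d[:], Sig: sig}, nil
}

// VerifyImage is step S22: re-digest what actually arrived and check the stored signature on it.
func (p *Policy) VerifyImage(img SignedImage, received []byte) string {
	d := sha256.Sum256(received)
	if ecdsa.VerifyASN1(p.SigningKey, d[:], img.Sig) {
		return StateAllowed
	}
	return StateProhibited
}

// VerifyNode is step S23: the reported chain must equal the factory configuration exactly;
// an unknown node or any extra, missing or changed measurement counts as abnormal.
func (p *Policy) VerifyNode(node string, reported BootChain) string {
	want, ok := p.Baseline[node]
	if !ok || len(want) != len(reported) {
		return StateProhibited
	}
	for k, v := range want {
		if got, present := reported[k]; !present || got != v {
			return StateProhibited
		}
	}
	return StateAllowed
}

// AdmissionResponse is a minimal AdmissionReview-style reply to Kubernetes (S24/S3); the real object has more fields.
type AdmissionResponse struct {
	UID     string `json:"uid"`
	Allowed bool   `json:"allowed"`
	Message string `json:"message,omitempty"`
}

// Decide is step S24: allow only when the image is untampered AND the server is trusted; else say which check failed.
func (p *Policy) Decide(uid string, img SignedImage, received []byte, node string, reported BootChain) AdmissionResponse {
	imgState, nodeState := p.VerifyImage(img, received), p.VerifyNode(node, reported)
	resp := AdmissionResponse{UID: uid, Allowed: imgState == StateAllowed && nodeState == StateAllowed}
	if !resp.Allowed {
		resp.Message = fmt.Sprintf("image %s: %s; node %s: %s", img.Ref, imgState, node, nodeState)
	}
	return resp
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo key
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:constructed"]}`)
	img, _ := SignImage(priv, "registry.example/app:1.0", manifest)
	factory := BootChain{"bios": "aa11", "bootloader": "bb22", "kernel": "cc33"}
	pol := &Policy{SigningKey: &priv.PublicKey, Baseline: map[string]BootChain{"node-1": factory}}
	fmt.Printf("%+v\n", pol.Decide("req-1", img, manifest, "node-1", factory))                   // allowed
	fmt.Printf("%+v\n", pol.Decide("req-2", img, append(manifest, '!'), "node-1", factory))      // tampered image
	fmt.Printf("%+v\n", pol.Decide("req-3", img, manifest, "node-1", BootChain{"bios": "dead"})) // abnormal boot chain
}
```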
The invention also provides a computer storage medium on which a computer program is stored which, when executed, performs the above method.
Finally, the invention provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor performing the above method when executing the program.
The computer device has the technical effects corresponding to the trusted container management method.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A container image deployment method, comprising:
step S1: creating a container image and signing the container image;
step S2: judging whether the container image meets the deployment condition by verifying the container image and the physical server on which the container image is to be deployed;
step S3: deploying a container image that meets the deployment condition to the production environment.
2. The container image deployment method according to claim 1, wherein step S1 comprises:
step S11: the code compiling and building system calls the KMS module of the data encryption service system to create a key, and the key is stored in TPCM hardware;
step S12: the code compiling and building system calls the code base to build a container image;
step S13: using the key created in step S11, the signature verification service module of the data encryption service system is called to generate signature data for the container image built in step S12 by means of a cryptographic algorithm;
step S14: the container image and the signature data are stored in an image repository.
3. The container image deployment method according to claim 1, wherein step S2 comprises:
step S21: the deployment system obtains the container image from the image repository;
step S22: the container image is deployed through Kubernetes; during deployment it is verified whether the container image was tampered with in transit, and the container image is marked according to the verification result;
step S23: a trusted computing service system verifies whether the physical server on which the container image is to be deployed is trusted, and the container image is marked according to the verification result;
step S24: whether the container image meets the deployment condition is judged from the verification results of step S22 and step S23.
4. The container image deployment method according to claim 3, wherein step S22 comprises:
the trusted container service system calls the signature verification service module of the local data encryption service system to verify whether the container image has been tampered with;
if the verification result does not match the signature data, the container image is judged to have been tampered with in transit, and the trusted container service system marks the container image as deployment-prohibited;
if the verification result matches the signature data, the container image is judged not to have been tampered with in transit, and the trusted container service system marks the container image as deployment-allowed.
5. The container image deployment method according to claim 3, wherein step S23 comprises:
the trusted computing service system obtains the boot trust chain information of the physical server in the production environment and passes it to the policy management module of the trusted container service system, which verifies whether the boot trust chain data is abnormal;
if the boot trust chain data is abnormal, the physical server on which the container image is to be deployed is judged untrusted, and the trusted container service system marks the container image as deployment-prohibited;
if the boot trust chain is identical to the factory configuration, the physical server on which the container image is to be deployed is judged trusted, and the trusted container service system marks the container image as deployment-allowed.
6. The container image deployment method according to claim 3, wherein step S24 comprises:
when the container image was tampered with in transit or the physical server on which it is to be deployed is not trusted, the policy management module of the trusted container service system notifies the Webhook interface to prohibit deployment of the container image;
when the container image was not tampered with in transit and the physical server on which it is to be deployed is trusted, the policy management module of the trusted container service system notifies the Webhook interface to allow deployment of the container image.
7. The container image deployment method according to claim 1, wherein step S3 comprises: Kubernetes receives the notification from the Webhook interface and deploys the container image that meets the deployment condition to a physical server in the production environment.
8. A computer storage medium having stored thereon a computer program which, when executed, performs the method of any one of claims 1 to 7.
9. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor executing the program to perform the method of any one of claims 1 to 7.
Application CN202211246006.8A, filed 2022-10-12 (priority date 2022-10-12), published as CN115758371A on 2023-03-07. Family ID: 85351230. Country status: CN, CN115758371A, pending.

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination