CN116011000B - Access method, device and computing equipment - Google Patents

Access method, device and computing equipment

Info

Publication number: CN116011000B
Authority: CN (China)
Prior art keywords: information, target, pod, key, management end
Legal status: Active
Application number: CN202310303212.6A
Other languages: Chinese (zh)
Other versions: CN116011000A
Inventor: 焦靖伟
Current Assignee: Beijing Infosec Technologies Co Ltd
Original Assignee: Beijing Infosec Technologies Co Ltd
Application filed by Beijing Infosec Technologies Co Ltd
Priority to CN202310303212.6A
Publication of CN116011000A
Application granted
Publication of CN116011000B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

Embodiments of the application provide an access method, an access device and a computing device. The method is applied to a target plug-in deployed in k8s and comprises the following steps: receiving an acquisition request of a target Pod for key information; sending the acquisition request to a key management end so that the key management end generates the key information based on the Pod information in the acquisition request; acquiring the key information from the key management end; and sending the key information to the target Pod. According to the technical scheme provided by the embodiments of the application, when the target Pod requests key information, the key information is generated for that specific Pod by the external key management end based on the target Pod's own information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.

Description

Access method, device and computing equipment
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to an access method, an access device and computing equipment.
Background
Kubernetes (k8s for short) is an open-source container orchestration engine that supports functions such as automated deployment, large-scale scalability, and application containerization management. k8s allows the creation of multiple containers, each of which can run one application instance inside.
The Pod is the basic scheduling unit in k8s. To ensure access security, a Pod may perform access operations based on key information, for example to access a corresponding server, obtain corresponding data, or complete a corresponding service.
However, the key information of k8s is stored in the Secret resource of k8s, and the Secret resource is only base64-encoded once, so the key information can be recovered from the Secret resource with a simple base64 decoding tool, and an access attack can then be carried out based on that key information.
Disclosure of Invention
The embodiment of the application provides an access method, an access device and a computing device, which are used for solving the problem that key information is easy to steal in the prior art.
In a first aspect, an embodiment of the present application provides an access method, which is applied to a target plugin deployed in k8s, including:
receiving an acquisition request of a target Pod for key information;
sending the acquisition request to a key management end so that the key management end generates the key information based on Pod information in the acquisition request;
acquiring the key information from the key management terminal;
and sending the key information to the target Pod.
In a second aspect, an embodiment of the present application provides an access method, which is applied to a key management end, including:
receiving an acquisition request of a target Pod for key information, the acquisition request being sent by a target plug-in;
acquiring the Pod information in the acquisition request;
generating the key information based on the Pod information;
and sending the key information to the target plug-in so that the target plug-in returns the key information to the target Pod.
In a third aspect, an embodiment of the present application provides an access method, which is applied to a target Pod, including:
sending an acquisition request for key information to a target plug-in, wherein the acquisition request comprises Pod information;
receiving the key information, wherein the key information is generated by a key management end based on the Pod information in the acquisition request after the target plug-in forwards the acquisition request to the key management end, and is returned by the key management end to the target plug-in;
and executing an access operation based on the key information.
In a fourth aspect, an embodiment of the present application provides an access device, which is applied to a target plugin deployed in k8s, including:
the receiving module is used for receiving an acquisition request of the target Pod for the key information;
The sending module is used for sending the acquisition request to a key management end so that the key management end can generate the key information based on the Pod information in the acquisition request; sending the key information to the target Pod;
and the acquisition module is used for acquiring the key information from the key management end.
In a fifth aspect, an embodiment of the present application provides an access device, which is applied to a key management end, including:
a receiving module, used for receiving an acquisition request of a target Pod for key information, the acquisition request being sent by the target plug-in;
an acquisition module, used for acquiring the Pod information in the acquisition request;
a generation module, used for generating the key information based on the Pod information;
and a sending module, used for sending the key information to the target plug-in so that the target plug-in returns the key information to the target Pod.
In a sixth aspect, an embodiment of the present application provides an access device, which is applied to a target Pod, including:
a sending module, used for sending an acquisition request for key information to a target plug-in, wherein the acquisition request comprises Pod information;
a receiving module, used for receiving the key information, wherein the key information is generated by a key management end based on the Pod information in the acquisition request after the target plug-in forwards the acquisition request to the key management end, and is returned by the key management end to the target plug-in;
and an access module, used for executing an access operation based on the key information.
In a seventh aspect, embodiments of the present application provide a computing device including a processing component and a storage component;
the storage component stores one or more computer instructions; the one or more computer instructions are to be invoked by the processing component to implement the access method of the first aspect or the second aspect or the third aspect.
In an eighth aspect, in an embodiment of the present application, there is provided a computer storage medium storing a computer program, where the computer program is executed by a computer to implement an access method according to the first aspect, the second aspect, or the third aspect.
The embodiments of the application provide an access method, an access device and a computing device, in which a target plug-in deployed in k8s receives an acquisition request of a target Pod for key information; sends the acquisition request to a key management end so that the key management end generates the key information based on the Pod information in the acquisition request; acquires the key information from the key management end; and sends the key information to the target Pod. According to the technical scheme provided by the embodiments of the application, when the target Pod requests key information, the key information is generated for that specific Pod by the external key management end based on the target Pod's own information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.
These and other aspects of the present application will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of one embodiment of an access method provided herein;
FIG. 2 illustrates a flow chart of another embodiment of an access method provided herein;
FIG. 3 illustrates a flow chart of yet another embodiment of an access method provided herein;
FIG. 4 is a schematic diagram illustrating one embodiment of an access device provided herein;
FIG. 5 is a schematic diagram illustrating another embodiment of an access device provided herein;
FIG. 6 is a schematic diagram illustrating another embodiment of an access device provided herein;
FIG. 7 shows a schematic structural diagram of a computing device provided herein.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application.
In some of the flows described in the specification and claims of this application and in the foregoing figures, a number of operations are included that occur in a particular order, but it should be understood that the operations may be performed in an order other than the one in which they appear, or in parallel; the numbering of operations such as 101, 102, etc. is merely for distinguishing between the various operations and does not by itself represent any order of execution. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that the descriptions "first" and "second" herein are used to distinguish different messages, devices, modules, etc., do not represent a sequence, and do not restrict the "first" and "second" items to being of different types.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
As described in the background above, the key information of k8s is stored in the Secret resource of k8s, and the key information in the Secret resource is supplied to a Pod by configuring a yaml file. Since the Secret resource is only base64-encoded once, the key information can be recovered from the Secret resource with a simple base64 decoding tool, and an access attack can then be carried out based on that key information.
In view of this, the embodiments of the present application provide an access method, an access device, and a computing device, in which a target plug-in deployed in k8s receives an acquisition request of a target Pod for key information; sends the acquisition request to a key management end so that the key management end generates the key information based on the Pod information in the acquisition request; acquires the key information from the key management end; and sends the key information to the target Pod. According to the technical scheme provided by the embodiments of the application, when the target Pod requests key information, the key information is generated for that specific Pod by the external key management end based on the target Pod's own information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.
Fig. 1 is a flow chart of an access method provided in an embodiment of the present application, where the execution body of the embodiment may be a target plug-in, and the target plug-in may be deployed in k8s. As shown in fig. 2, the method of the present embodiment may include:
101. Receiving an acquisition request of the target Pod for the key information.
The target Pod may be any Pod running in k8s that sends an acquisition request for key information to the target plug-in. The target Pod may access a corresponding server based on the key information in order to acquire corresponding data or obtain a corresponding service, where the key information may correspond to an API interface of the server, that is, the server can only be accessed through the key information.
102. Sending the acquisition request to a key management end so that the key management end generates the key information based on the Pod information in the acquisition request.
The key management end may be a key management end used for generating and managing keys, such as a key management service (Key Management Service, KMS for short) or an identity and access management system (Identity and Access Management, IAM for short). The acquisition request includes the Pod information of the target Pod, and the key management end may generate unique key information corresponding to the target Pod based on that Pod information.
It should be noted that the key management end and the server that the target Pod wants to access interact with each other: after the key management end generates the key information, it may synchronize the key information to the server, so that the server can allow the target Pod to access it based on the key information.
103. Acquiring the key information from the key management end.
104. Sending the key information to the target Pod.
Further, the target plug-in may obtain the key information from the key management end and send the key information to the target Pod, so that the target Pod may access the corresponding server based on the key information.
According to the technical scheme provided by the embodiment of the application, when the target Pod requests the key information, the key management end generates the key information for that specific Pod based on the target Pod's information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.
In some embodiments, in the process in which the target plug-in sends the acquisition request to the key management end, the Pod information of the target Pod needs to be verified, and sending the acquisition request to the key management end includes: verifying whether the target Pod is running in the namespace of k8s; and sending the acquisition request to the key management end only if the target Pod is running in the namespace of k8s.
It should be noted that, among the multiple Pods running in k8s, in order to improve both the security of the key information and the speed of acquiring it, only Pods running in the namespace of k8s may interact with the target plug-in to acquire the corresponding key information. Therefore, after the target plug-in receives the acquisition request, it needs to verify whether the target Pod that sent the request is a Pod running in that namespace, and the acquisition request is sent to the key management end only after the target Pod is confirmed to be a Pod running in the namespace.
Alternatively, verifying whether the target Pod is running in the namespace of k8s may be implemented as: acquiring the Pod information of the multiple Pods running in the namespace of k8s through a pre-configured Pod information acquisition authority; and judging whether the target Pod is included among the multiple Pods based on the Pod information of the multiple Pods.
The Pod information acquisition authority may be configured by a file; optionally, the authority of the target plug-in may be configured by a yaml file.
Alternatively, the configuration procedure of the target plug-in may be implemented as: defining a file for identifying the target plug-in, namely defining the main information of the target plug-in, where the main information comprises the interface and the type of the target plug-in, and starting a Pod which is to be configured as a scp, where the Pod may be any Pod running in k8s;
and configuring the main information for identifying the target plug-in onto that Pod by means of a configuration file, where the configuration file comprises the Pod information in the namespace.
It can be understood that, because the target plug-in implements the function of a controller in k8s, the corresponding controller authority needs to be configured for the target plug-in. The main functions of a controller require the authority to get Pod information, the authority to watch Pods and the authority to list Pod information, so the Pod information in the namespace needs to be acquired, and an identifier is further applied for the target plug-in.
Further, after receiving the acquisition request, the target plug-in may acquire the Pod information of the multiple Pods running in the namespace of k8s through the pre-configured Pod information acquisition authority, and determine whether the target Pod is included among the multiple Pods based on the Pod information of the multiple Pods.
In addition to verifying whether the target Pod is running in the namespace, an authentication mark also needs to be verified. When the target Pod is running in the namespace of k8s, sending the acquisition request to the key management end may be implemented as: acquiring an authentication mark pre-allocated to the target Pod; determining whether the authentication mark is within its valid time; and sending the authentication mark to the key management end when the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information once the authentication mark passes verification.
The authentication mark is allocated each time the Pod is started and is given a default valid time; it is re-applied for when, during the running of the Pod, the valid time is found to have elapsed. The authentication mark comprises an authentication mark creation time, an authentication mark valid time and the like, so the target plug-in can judge whether the authentication mark is within its valid time based on the authentication mark creation time, the authentication mark valid time and the current time, and the authentication mark is sent to the key management end when it is within its valid time, so that the key management end generates the key information based on the Pod information once the authentication mark is verified.
Because the authentication mark is allocated at each start of the Pod, a Pod whose authentication mark fails verification may no longer be running; in that case, even if the key information corresponding to the acquisition request were sent to the target Pod, the target Pod could not receive it. Since a running target Pod whose authentication mark has expired can re-request the authentication mark, an expired authentication mark therefore indicates that the target Pod is not running.
Optionally, the authentication mark may also be verified at the key management end in addition to the target plug-in, and the method further includes: obtaining a public key corresponding to the authentication mark and first target information, where the first target information comprises: the node information of k8s, the information of multiple Pods of k8s and the watched namespace identifier; sending the public key and the first target information to the key management end; and sending the authentication mark to the key management end when the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information once the authentication mark passes verification, which includes: when the authentication mark is within its valid time, sending the authentication mark to the key management end so that the key management end parses the authentication mark with the public key to obtain the corresponding second target information, and generates the key information based on the Pod information only if the first target information is consistent with the second target information.
The public key corresponding to the authentication mark can be obtained from k8s after the target plug-in is built, and the authentication mark is generated with the private key corresponding to that public key, so the key management end can parse the authentication mark with the public key.
After the target plug-in obtains the public key, the target plug-in sends the public key to the key management end.
Further, when the target Pod is running in the namespace and the authentication mark is within its valid time, the authentication mark is sent to the key management end, and the key management end parses the authentication mark using the public key.
Alternatively, the key management end may parse the authentication mark using the public key as follows: first, the target plug-in and the key management end agree on a digest algorithm; after receiving the authentication mark, the key management end converts it into digest information using that digest algorithm, and then verifies the digest information, that is, the authentication mark, with the public key, which is possible because the authentication mark was generated with the private key corresponding to that public key.
It should be noted that the key management end may store multiple public keys corresponding to different k8s instances. When receiving an authentication mark, the key management end may determine which k8s the authentication mark corresponds to based on a preset encryption algorithm, and parse the authentication mark with the public key corresponding to that k8s, where the preset encryption algorithm may be a hash function, a symmetric encryption algorithm, an asymmetric encryption algorithm, a combined encryption technique, or the like.
In addition, after the target plug-in has been created and started, it can acquire first target information such as the node information of k8s, the information of multiple Pods of k8s and the watched namespace identifier corresponding to k8s, and synchronize this first target information to the key management end. The authentication mark can also carry this information, so, in order to ensure the security of authentication mark verification, after parsing the authentication mark the key management end obtains the second target information corresponding to it, which can likewise include the information of multiple Pods of k8s, the watched namespace identifier corresponding to k8s and the like. The key management end then verifies whether the first target information and the second target information are consistent; if they are, the authentication mark has been successfully verified, and the key management end generates the key information based on the Pod information previously sent by the target plug-in and sends the key information to the target plug-in.
It should be noted that the key information includes a key generation time and a key valid time. After the key management end generates the key information, it synchronizes the key information, the key generation time and the key valid time to the server, so that when the target Pod accesses the server based on the key information, the server can determine whether the key information is within its valid time based on the key generation time and the key valid time combined with the current time, and return the corresponding data or provide the corresponding service only if the key information is within its valid time.
In addition, when the target Pod is rebuilt or restarted, the authentication mark corresponding to the target Pod is updated; optionally, the method further includes: detecting an update operation on the target Pod through a pre-configured Pod information detection authority; and updating the authentication mark corresponding to the target Pod in response to the update operation.
As described above, the target plug-in is configured with the authority to watch Pods, and when a Pod goes through a rebuild or restart, the Pod applies for an authentication mark again through the target plug-in, which updates the existing authentication mark in time.
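The plug-in-side checks described above (Pod present in the namespace listing, authentication mark within its valid time) and the key management end's verification of the mark and comparison of first and second target information, followed by the server's check of the key's generation time and valid time, modelled end to end in Go as an added example; this is not code from the patent or its assignee. It assumes the mark is a JSON structure signed with Ed25519 (the page's "parsing with the public key" is modelled as a signature verification), in-memory stand-ins for the k8s Pod listing and the KMS's registered public key, a 32-byte random key, and the invented names AuthToken, IssueToken, PluginCheck, KMSIssueKey and ServerAccept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"time"
)

// AuthToken is the per-start authentication mark (assumed layout): creation time, valid time and the facts also synchronised as first target information.
type AuthToken struct {
	Pod, Node, Namespace string
	Created              time.Time
	Validity             time.Duration
}

// SignedToken is the serialised mark plus its signature under the private key whose public half is registered at the KMS.
type SignedToken struct {
	Payload, Sig []byte
}

// TargetInfo is the first target information held by the key management end.
type TargetInfo struct {
	Node, Namespace string
	Pods            map[string]bool // Pods listed in the watched namespace
}

// KeyInfo is the key information the KMS generates and synchronises to the server.
type KeyInfo struct {
	Key      []byte
	Pod      string
	Created  time.Time
	Validity time.Duration
}

var (
	ErrNotInNamespace = errors.New("pod is not running in the watched namespace")
	ErrTokenExpired   = errors.New("authentication mark is outside its valid time")
	ErrBadSignature   = errors.New("authentication mark signature does not verify")
	ErrInfoMismatch   = errors.New("mark contents disagree with first target information")
	ErrKeyRejected    = errors.New("key does not match or is outside its valid time")
)

// IssueToken stands in for the allocation of a mark when a Pod starts.
func IssueToken(priv ed25519.PrivateKey, t AuthToken) SignedToken {
	payload, _ := json.Marshal(t) // plain struct of strings and times: Marshal cannot fail here
	return SignedToken{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// within implements "creation time plus valid time, compared with the current time".
func within(created time.Time, validity time.Duration, now time.Time) bool {
	return !now.Before(created) && now.Before(created.Add(validity))
}

// PluginCheck is the target plug-in's gate before forwarding: the Pod must appear in
// the namespace listing obtained through its list permission, and the mark must be valid.
func PluginCheck(pod string, listed map[string]bool, st SignedToken, now time.Time) error {
	if !listed[pod] {
		return ErrNotInNamespace
	}
	var t AuthToken
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return err
	}
	if !within(t.Created, t.Validity, now) {
		return ErrTokenExpired
	}
	return nil
}

// KMSIssueKey is the key management end: verify the mark with the registered public key,
// compare its contents (second target information) with the first, then issue a key.
func KMSIssueKey(pub ed25519.PublicKey, first TargetInfo, st SignedToken, now time.Time, validity time.Duration) (KeyInfo, error) {
	if !ed25519.Verify(pub, st.Payload, st.Sig) {
		return KeyInfo{}, ErrBadSignature
	}
	var t AuthToken
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return KeyInfo{}, err
	}
	if t.Node != first.Node || t.Namespace != first.Namespace || !first.Pods[t.Pod] {
		return KeyInfo{}, ErrInfoMismatch
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return KeyInfo{}, err
	}
	return KeyInfo{Key: key, Pod: t.Pod, Created: now, Validity: validity}, nil
}

// ServerAccept is the server the Pod accesses: the KMS synchronised the key, its
// generation time and valid time, so the server checks both before serving.
func ServerAccept(synced KeyInfo, presented []byte, now time.Time) error {
	if subtle.ConstantTimeCompare(synced.Key, presented) != 1 || !within(synced.Created, synced.Validity, now) {
		return ErrKeyRejected
	}
	return nil
}
```

The key returned by KMSIssueKey is bound to the Pod named inside the signed mark, not to whatever name the requester claims, which is the property the scheme relies on.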
Fig. 2 is a flow chart of an access method provided in an embodiment of the present application, where the execution body of the embodiment may be a key management end, and the key management end may be used to generate key information. As shown in fig. 2, the method of the present embodiment may include:
201. Receiving an acquisition request of the target Pod for the key information, where the acquisition request is sent by the target plug-in.
202. Acquiring the Pod information in the acquisition request.
203. Generating the key information based on the Pod information.
204. Sending the key information to the target plug-in so that the target plug-in returns the key information to the target Pod.
The execution process of the key management end has been described in detail above and is not repeated here.
According to the technical scheme provided by the embodiment of the application, when the target Pod requests the key information, the key management end generates the key information for that specific Pod based on the target Pod's information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.
Optionally, the method further comprises: receiving an authentication mark corresponding to the target Pod sent by the target plug-in, where the authentication mark is sent after the target plug-in has verified that the authentication mark is within its valid time; and generating the key information based on the Pod information includes: generating the key information based on the Pod information once the authentication mark passes verification.
Optionally, the method further comprises:
receiving a public key corresponding to the authentication mark and first target information sent by the target plug-in, where the first target information comprises: the node information of k8s, the information of multiple Pods of k8s and the watched namespace identifier;
and generating the key information based on the Pod information once the authentication mark passes verification includes:
parsing the authentication mark with the public key to obtain the second target information currently corresponding to the authentication mark;
and generating the key information based on the Pod information when the first target information is consistent with the second target information.
Fig. 3 is a flow chart of an access method provided in an embodiment of the present application, where the execution body of the embodiment may be a target Pod. As shown in fig. 3, the method of the present embodiment may include:
301. Sending an acquisition request for the key information to the target plug-in, where the acquisition request comprises Pod information.
302. Receiving the key information, where the key information is generated by a key management end based on the Pod information in the acquisition request after the target plug-in forwards the acquisition request to the key management end, and is returned by the key management end to the target plug-in.
303. Executing an access operation based on the key information.
The execution process of the target Pod has been described in detail above and is not repeated here.
According to the technical scheme provided by the embodiment of the application, when the target Pod requests the key information, the key management end generates the key information for that specific Pod based on the target Pod's information, so that a non-target Pod cannot obtain the key information through illegitimate means, and the access security of the target Pod is ensured.
The embodiment of the application also provides an access device. FIG. 4 is a schematic diagram of an embodiment of an access device according to an embodiment of the present application. As shown in fig. 4, the device is applied to a target plug-in deployed in k8s, and comprises: a receiving module 401, a sending module 402, and an acquisition module 403.
A receiving module 401, configured to receive an acquisition request of a target Pod for key information;
a sending module 402, configured to send the obtaining request to a key management end, so that the key management end generates the key information based on Pod information in the obtaining request; sending the key information to the target Pod;
and the acquiring module 403 is configured to acquire the key information from the key management end.
Optionally, the sending module 402 is specifically configured to:
verifying whether the target Pod is running in the namespace of the k8s;
and sending the acquisition request to the key management end under the condition that the target Pod is running in the namespace of the k8s.
Optionally, the sending module 402 is further specifically configured to:
acquiring an authentication mark which is pre-allocated to the target Pod;
determining whether the authentication mark is within its valid time;
and sending the authentication mark to the key management end under the condition that the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information under the condition that the authentication mark passes verification.
Optionally, the sending module 402 is further specifically configured to:
obtaining a public key corresponding to the authentication mark;
sending the public key to a key management end;
the sending the authentication mark to the key management end when the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information when the authentication mark passes verification, includes:
under the condition that the authentication mark is within its valid time, sending the authentication mark to the key management end so that the key management end parses the authentication mark to obtain the second public key currently corresponding to the authentication mark, and generates the key information based on the Pod information under the condition that the public key is consistent with the second public key.
Optionally, the sending module 402 is further specifically configured to:
acquiring Pod information of a plurality of Pods running in the namespace of the k8s through a pre-configured Pod information acquisition authority;
and judging, based on the Pod information of the plurality of Pods, whether the target Pod is included among the plurality of Pods.
Optionally, the sending module 402 is further specifically configured to:
detecting an update operation for the target Pod through a pre-configured Pod information detection authority;
and updating the authentication mark corresponding to the target Pod in response to the updating operation.
The access device shown in fig. 4 may perform the access method described in the embodiment shown in fig. 1, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules, units, and operations of the access device in the above embodiments are performed has been described in detail in connection with the embodiments of the method, and will not be described in detail here.
The embodiment of the application also provides an access device. FIG. 5 is a schematic diagram of an embodiment of the access device according to an embodiment of the present application. As shown in fig. 5, the device is applied to a key management end and comprises a receiving module 501, an acquiring module 502, a generating module 503 and a sending module 504.
A receiving module 501, configured to receive an acquisition request for key information from a target Pod sent by a target plug-in;
an obtaining module 502, configured to obtain Pod information in the obtaining request;
A generating module 503, configured to generate the key information based on the Pod information;
and a sending module 504, configured to send the key information to the target plugin, so that the target plugin returns the key information to the target Pod.
Optionally, the receiving module 501 is further configured to receive the authentication mark corresponding to the target Pod sent by the target plugin, where the authentication mark is sent under the condition that the target plugin has verified that the authentication mark is within its valid time;
the generating module 503 is further specifically configured to generate the key information based on the Pod information under the condition that the authentication mark passes verification.
Optionally, the receiving module 501 is further configured to receive the public key corresponding to the authentication mark and first target information sent by the target plugin, where the first target information includes: node information of the k8s, Pod information of a plurality of Pods of the k8s, and the monitored namespace identifier.
The generating module 503 is further specifically configured to:
parse the authentication mark based on the public key to obtain the second target information currently corresponding to the authentication mark;
and generate the key information based on the Pod information when the first target information is consistent with the second target information.
The access device shown in fig. 5 may perform the access method described in the embodiment shown in fig. 2, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules, units, and operations of the access device in the above embodiments are performed has been described in detail in connection with the embodiments of the method, and will not be described in detail here.
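The plugin-side gate of fig. 4 (is the Pod in the namespace's Pod list, is the authentication mark still within its valid time) and the key-management-end checks of fig. 5 (parse the mark with the public key, compare the first and second target information, generate the key information from the Pod information) are shown together in the following added example. It is not code from the patent or from its applicant. The page does not say how the authentication mark is pre-allocated or what it contains, so the ed25519-signed JSON mark, the HMAC-based key derivation under a root secret held only by the key management end, and the names TargetInfo, IssueMark, ForwardRequest and KeyManager are all assumptions made for this demonstration; the node, Pod and namespace values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TargetInfo is the page's "target information": the plugin observes the first copy, the mark carries the second.
type TargetInfo struct {
	Node      string `json:"node"`
	PodUID    string `json:"pod_uid"`
	Namespace string `json:"ns"`
}

// markClaims is the assumed payload of the authentication mark; Exp bounds its valid time.
type markClaims struct {
	Target TargetInfo `json:"target"`
	Exp    int64      `json:"exp"`
}

// IssueMark stands in for the pre-allocation step the page does not describe (assumption).
func IssueMark(priv ed25519.PrivateKey, info TargetInfo, exp time.Time) string {
	body, _ := json.Marshal(markClaims{Target: info, Exp: exp.Unix()})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(body) + "." + enc(ed25519.Sign(priv, body))
}

// splitMark decodes a mark into signed body, signature and claims; it does not verify it.
func splitMark(mark string) ([]byte, []byte, markClaims, error) {
	var claims markClaims
	b, s, ok := strings.Cut(mark, ".")
	body, e1 := base64.RawURLEncoding.DecodeString(b)
	sig, e2 := base64.RawURLEncoding.DecodeString(s)
	if !ok || e1 != nil || e2 != nil {
		return nil, nil, claims, errors.New("malformed authentication mark")
	}
	err := json.Unmarshal(body, &claims)
	return body, sig, claims, err
}

// ForwardRequest is the target plugin's gate (fig. 4): nil means mark, public key and observed (the
// first target information) may go to the key management end. nsPods is the namespace's Pod list.
func ForwardRequest(mark string, observed TargetInfo, nsPods []TargetInfo, now time.Time) error {
	found := false
	for _, p := range nsPods {
		found = found || p == observed
	}
	_, _, claims, err := splitMark(mark)
	switch {
	case !found:
		return errors.New("plugin: target Pod is not running in the monitored namespace")
	case err != nil:
		return err
	case now.Unix() >= claims.Exp:
		return errors.New("plugin: authentication mark is outside its valid time")
	}
	return nil
}

// KeyManager stands in for the key management end; Root is a constructed secret that never leaves it.
type KeyManager struct{ Root []byte }

// GenerateKey is the key-management-end side (fig. 5): verify the mark with the supplied public key,
// read the second target information out of it, and derive the key only when it matches first.
func (k KeyManager) GenerateKey(mark string, pub ed25519.PublicKey, first TargetInfo, now time.Time) (string, error) {
	body, sig, claims, err := splitMark(mark)
	switch {
	case err != nil:
		return "", err
	case !ed25519.Verify(pub, body, sig):
		return "", errors.New("kms: authentication mark signature does not verify")
	case now.Unix() >= claims.Exp:
		return "", errors.New("kms: authentication mark expired")
	case claims.Target != first:
		return "", errors.New("kms: first and second target information differ")
	}
	// Key information bound to this Pod: HMAC of the Pod information under the root secret.
	m := hmac.New(sha256.New, k.Root)
	m.Write([]byte(first.Namespace + "/" + first.PodUID + "@" + first.Node))
	return hex.EncodeToString(m.Sum(nil)), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	pod := TargetInfo{Node: "node-a", PodUID: "pod-1111", Namespace: "payments"} // constructed
	mark := IssueMark(priv, pod, now.Add(10*time.Minute))
	perr := ForwardRequest(mark, pod, []TargetInfo{pod}, now)
	key, kerr := KeyManager{Root: []byte("constructed-root-secret")}.GenerateKey(mark, pub, pod, now)
	fmt.Println("plugin:", perr, "key:", key, "kms:", kerr)
}
```

The struct comparison `claims.Target != first` is the page's "first target information is consistent with the second target information" check, and because the key is derived from the Pod information that passed that check, a request carrying a different Pod's information can only ever yield a different key. Run it with `go run`; the printed key changes per run only because the root secret and Pod information are fixed while the signing key is freshly generated.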
The embodiment of the application also provides an access device. FIG. 6 is a schematic diagram of an embodiment of the access device according to an embodiment of the present application. As shown in fig. 6, the device is applied to a target Pod (it performs the target Pod side of the method of fig. 3) and comprises a sending module 601, a receiving module 602, and an executing module 603.
A sending module 601, configured to send an acquisition request for key information to a target plugin, where the acquisition request includes Pod information;
the receiving module 602 is configured to receive the key information, where the key information is generated by the key management end based on the Pod information in the acquisition request after the target plugin has forwarded that request, and is returned through the target plugin;
and an execution module 603, configured to execute an access operation based on the key information.
The access device shown in fig. 6 may perform the access method described in the embodiment shown in fig. 3, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules, units, and operations of the access device in the above embodiments are performed has been described in detail in connection with the embodiments of the method, and will not be described in detail here.
In one possible design, the access apparatus of the embodiments shown in fig. 4 or 5 or 6 may be implemented as a computing device, which may include a storage component 701 and a processing component 702, as shown in fig. 7;
the storage component 701 stores one or more computer instructions for execution by the processing component 702.
The processing component 702 is configured to:
receiving an acquisition request of a target Pod for key information;
sending the acquisition request to a key management end so that the key management end generates the key information based on Pod information in the acquisition request;
acquiring the key information from the key management terminal;
and sending the key information to the target Pod.
Alternatively:
receiving an acquisition request of a target Pod aiming at key information, which is sent by a target plug-in;
acquiring Pod information in the acquisition request;
generating the key information based on the Pod information;
and sending the key information to the target plug-in unit so that the target plug-in unit returns the key information to the target Pod.
Alternatively:
sending an acquisition request for key information to a target plug-in, wherein the acquisition request comprises Pod information;
receiving the key information, wherein the key information is generated by the key management end based on the Pod information in the acquisition request after the target plugin has forwarded that request, and is returned through the target plugin;
and executing access operation based on the key information.
The processing component 702 may include one or more processors to execute the computer instructions so as to perform all or part of the steps in the methods described above. Of course, the processing component may also be implemented as one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic elements for executing the methods described above.
The storage component 701 is configured to store various types of data to support operations at the device. The storage component may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
Of course, the computing device may also include other components, such as input/output interfaces, communication components, and the like.
The input/output interface provides an interface between the processing component and a peripheral interface module, which may be an output device, an input device, etc.
The communication component is configured to facilitate wired or wireless communication between the computing device and other devices, and the like.
The computing device may be a physical device or an elastic computing host provided by the cloud computing platform, and at this time, the computing device may be a cloud server, and the processing component, the storage component, and the like may be a base server resource rented or purchased from the cloud computing platform.
The embodiment of the application further provides a computer readable storage medium storing a computer program which, when executed by a computer, implements the access method of the embodiments shown in fig. 1, 2 or 3 above.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. An access method, which is applied to a target plugin deployed in k8s, comprises the following steps:
receiving an acquisition request of a target Pod for key information;
sending the acquisition request to a key management end so that the key management end generates the key information based on Pod information in the acquisition request;
acquiring the key information from the key management terminal;
sending the key information to the target Pod;
the sending the acquisition request to the key management end comprises the following steps:
verifying whether the target Pod is running in the namespace of the k8s;
under the condition that the target Pod is running in the namespace of the k8s, sending the acquisition request to the key management end;
the sending the acquisition request to the key management end under the condition that the target Pod is running in the namespace of the k8s comprises:
acquiring an authentication mark which is pre-allocated to the target Pod;
determining whether the authentication mark is within its valid time;
sending the authentication mark to the key management end under the condition that the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information under the condition that the authentication mark passes verification;
the method further comprises the steps of:
obtaining a public key corresponding to the authentication mark and first target information, wherein the first target information comprises: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier;
sending the public key and the first target information to the key management end;
the sending the authentication mark to the key management end when the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information when the authentication mark passes verification, comprises:
under the condition that the authentication mark is within its valid time, sending the authentication mark to the key management end so that the key management end parses the authentication mark through the public key to obtain the corresponding second target information, and generates the key information based on the Pod information under the condition that the first target information is consistent with the second target information.
2. The method of claim 1, wherein the verifying whether the target Pod is executed in the namespace of k8s comprises:
acquiring Pod information of a plurality of pods running in the namespace of the k8s through a pre-configured Pod information acquisition authority;
and judging, based on the Pod information of the plurality of Pods, whether the target Pod is included among the plurality of Pods.
3. The method according to claim 2, wherein the method further comprises:
detecting an update operation for the target Pod through a pre-configured Pod information detection authority;
and updating the authentication mark corresponding to the target Pod in response to the updating operation.
4. An access method, applied to a key management end, comprising:
receiving an acquisition request of a target Pod aiming at key information, which is sent by a target plug-in;
acquiring Pod information in the acquisition request;
generating the key information based on the Pod information;
sending the key information to the target plugin so that the target plugin returns the key information to the target Pod;
receiving an authentication mark corresponding to the target Pod sent by the target plugin, the authentication mark being sent under the condition that the target plugin has verified that the authentication mark is within its valid time;
the generating the key information based on the Pod information comprises:
generating the key information based on the Pod information under the condition that the authentication mark passes verification;
receiving a public key corresponding to the authentication mark and first target information sent by the target plugin, wherein the first target information comprises: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier;
the generating the key information based on the Pod information under the condition that the authentication mark passes verification comprises:
parsing the authentication mark based on the public key to obtain second target information currently corresponding to the authentication mark;
and generating the key information based on the Pod information when the first target information is consistent with the second target information.
5. An access method, applied to a target Pod, comprising:
sending an acquisition request for key information to a target plug-in, wherein the acquisition request comprises Pod information;
receiving the key information, wherein the key information is generated by the key management end based on the Pod information in the acquisition request after the target plugin has forwarded that request, and is returned through the target plugin;
performing an access operation based on the key information;
wherein the target plugin is configured to verify whether the target Pod is running in the namespace of the k8s, and to send the acquisition request to the key management end under the condition that the target Pod is running in the namespace of the k8s;
the target plugin is further configured to acquire an authentication mark pre-allocated to the target Pod, determine whether the authentication mark is within its valid time, and send the authentication mark to the key management end under the condition that the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information under the condition that the authentication mark passes verification;
the target plugin is further configured to obtain a public key corresponding to the authentication mark and first target information, where the first target information includes: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier; send the public key and the first target information to the key management end; and, under the condition that the authentication mark is within its valid time, send the authentication mark to the key management end so that the key management end parses the authentication mark through the public key to obtain the corresponding second target information, and generates the key information based on the Pod information under the condition that the first target information is consistent with the second target information.
6. An access device, applied to a target plugin deployed in k8s, comprising:
the receiving module is used for receiving an acquisition request of the target Pod for the key information;
the sending module is used for sending the acquisition request to a key management end so that the key management end can generate the key information based on the Pod information in the acquisition request; sending the key information to the target Pod;
the acquisition module is used for acquiring the key information from the key management end;
the sending module is specifically configured to: verify whether the target Pod is running in the namespace of the k8s; and send the acquisition request to the key management end under the condition that the target Pod is running in the namespace of the k8s;
the sending module is further specifically configured to: acquire an authentication mark which is pre-allocated to the target Pod; determine whether the authentication mark is within its valid time; and send the authentication mark to the key management end under the condition that the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information under the condition that the authentication mark passes verification;
the sending module is further specifically configured to: obtain a public key corresponding to the authentication mark and first target information, where the first target information includes: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier; send the public key and the first target information to the key management end; and, under the condition that the authentication mark is within its valid time, send the authentication mark to the key management end so that the key management end parses the authentication mark through the public key to obtain the corresponding second target information, and generates the key information based on the Pod information under the condition that the first target information is consistent with the second target information.
7. An access device, applied to a key management terminal, comprising:
the receiving module is used for receiving an acquisition request of a target Pod aiming at key information, which is sent by the target plug-in;
the acquisition module is used for acquiring Pod information in the acquisition request;
a generation module for generating the key information based on the Pod information;
the sending module is used for sending the key information to the target plugin so that the target plugin returns the key information to the target Pod;
the receiving module is further configured to receive an authentication mark corresponding to the target Pod sent by the target plugin, the authentication mark being sent under the condition that the target plugin has verified that the authentication mark is within its valid time;
the generating module is further specifically configured to generate the key information based on the Pod information under the condition that the authentication mark passes verification;
the receiving module is further configured to receive a public key corresponding to the authentication mark and first target information sent by the target plugin, where the first target information includes: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier;
the generating module is further specifically configured to parse the authentication mark based on the public key to obtain the second target information currently corresponding to the authentication mark, and to generate the key information based on the Pod information when the first target information is consistent with the second target information.
8. An access device for application to a target Pod, comprising:
a sending module, configured to send an acquisition request for key information to a target plugin, where the acquisition request includes Pod information;
a receiving module, configured to receive the key information, where the key information is generated by a key management end based on the Pod information in the acquisition request after the target plugin has forwarded that request, and is returned through the target plugin;
an executing module, configured to execute an access operation based on the key information;
wherein the target plugin is configured to verify whether the target Pod is running in the namespace of the k8s, and to send the acquisition request to the key management end under the condition that the target Pod is running in the namespace of the k8s;
the target plugin is further configured to acquire an authentication mark pre-allocated to the target Pod, determine whether the authentication mark is within its valid time, and send the authentication mark to the key management end under the condition that the authentication mark is within its valid time, so that the key management end generates the key information based on the Pod information under the condition that the authentication mark passes verification;
the target plugin is further configured to obtain a public key corresponding to the authentication mark and first target information, where the first target information includes: node information of the k8s, Pod information of a plurality of Pods of the k8s, and a monitored namespace identifier; send the public key and the first target information to the key management end; and, under the condition that the authentication mark is within its valid time, send the authentication mark to the key management end so that the key management end parses the authentication mark through the public key to obtain the corresponding second target information, and generates the key information based on the Pod information under the condition that the first target information is consistent with the second target information.
9. A computing device comprising a processing component and a storage component;
the storage component stores one or more computer instructions; the one or more computer instructions are configured to be invoked by the processing component to implement the access method of any one of claims 1-3 or claim 4 or claim 5.
10. A computer storage medium storing a computer program which, when executed by a computer, implements the access method of any one of claims 1 to 3 or claim 4 or claim 5.
CN202310303212.6A 2023-03-27 2023-03-27 Access method, device and computing equipment Active CN116011000B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310303212.6A CN116011000B (en) 2023-03-27 2023-03-27 Access method, device and computing equipment

Publications (2)

Publication Number Publication Date
CN116011000A CN116011000A (en) 2023-04-25
CN116011000B true CN116011000B (en) 2023-06-20

Family

ID=86032184

Country Status (1)

Country Link
CN (1) CN116011000B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111970240A (en) * 2020-07-10 2020-11-20 北京金山云网络技术有限公司 Cluster receiving and managing method and device and electronic equipment
CN115269198A (en) * 2022-08-10 2022-11-01 抖音视界有限公司 Access request processing method based on server cluster and related equipment
US11494518B1 (en) * 2020-03-02 2022-11-08 Styra, Inc. Method and apparatus for specifying policies for authorizing APIs
CN115473648A (en) * 2022-08-05 2022-12-13 超聚变数字技术有限公司 Certificate signing and issuing system and related equipment

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10339333B2 (en) * 2016-07-20 2019-07-02 Montage Technology Co., Ltd. Method and apparatus for controlling application to access memory
CN110399717B (en) * 2018-11-21 2023-03-14 腾讯科技(深圳)有限公司 Key acquisition method and device, storage medium and electronic device
CN111800273B (en) * 2020-06-30 2021-12-24 联想(北京)有限公司 Information processing method, electronic device, and storage medium
CN111740828B (en) * 2020-07-29 2021-02-12 北京信安世纪科技股份有限公司 Key generation method, device and equipment and encryption and decryption method
CN113986448A (en) * 2021-09-09 2022-01-28 新华三大数据技术有限公司 Container deployment method and device
US20230082851A1 (en) * 2021-09-10 2023-03-16 International Business Machines Corporation Open-source container data management
CN114499836A (en) * 2021-12-29 2022-05-13 北京像素软件科技股份有限公司 Key management method, key management device, computer equipment and readable storage medium
CN114629644A (en) * 2022-03-29 2022-06-14 贝壳找房网(北京)信息技术有限公司 Data encryption method, storage medium, computer program product and electronic device
CN115114657A (en) * 2022-06-23 2022-09-27 北京信安世纪科技股份有限公司 Data protection method, electronic device and computer storage medium

Also Published As

Publication number Publication date
CN116011000A (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant