CN116015875A - Container environment safety protection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116015875A
Authority
CN
China
Prior art keywords
container
trusted
network
containers
security
Legal status
Pending
Application number
CN202211686599.XA
Other languages
Chinese (zh)
Inventor
张晨
郭建新
Current Assignee
Beijing Volcano Engine Technology Co Ltd
Original Assignee
Beijing Volcano Engine Technology Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The present disclosure provides a container environment security protection method, apparatus, device and storage medium. The method comprises: generating, according to the network access relations among the containers in a target container cluster, a plurality of trusted network boundaries corresponding to the target container cluster; configuring, through a security policy device and based on the trusted type of each trusted network boundary, a container security protection policy for each trusted network boundary; pushing the correspondence between each trusted network boundary and its container security protection policy to a risk detector; and protecting the containers within each trusted network boundary through the risk detector based on the container security protection policy corresponding to that boundary. The embodiments of the present disclosure are therefore able to generate a plurality of trusted network boundaries based on the network access relations between the containers in the target container cluster and the network access rights supported by those containers, and to implement differentiated security protection for the containers in the target container cluster on the basis of these boundaries.

Description

Container environment safety protection method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of data processing, and in particular, to a method, an apparatus, a device, and a storage medium for protecting a container environment.
Background
With the rapid development of container technology, container security problems in container environments have attracted great attention, and risk detection for container environments has become especially important.
At present, few schemes exist for protecting the containers in a container environment, so how to achieve security protection of the container environment has become a technical problem that urgently needs to be solved.
Disclosure of Invention
In order to solve this technical problem, an embodiment of the present disclosure provides a container environment security protection method.
In a first aspect, the present disclosure provides a method of securing a container environment, the method comprising:
generating a plurality of trusted network boundaries corresponding to a target container cluster according to the network access relations among the containers in the target container cluster, wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on the network access rights supported by the containers in the corresponding trusted network boundaries;
configuring, through a security policy device and based on the trusted type of each trusted network boundary, a container security protection policy for each trusted network boundary, and pushing the correspondence between each trusted network boundary and its container security protection policy to a risk detector, wherein the security policy device maintains a plurality of container security protection policies of different security levels;
and performing security protection on the containers in each trusted network boundary through the risk detector based on the container security protection policy corresponding to each trusted network boundary.
In an optional implementation manner, the generating a plurality of trusted network boundaries corresponding to the target container cluster according to the network access relationship between the containers in the target container cluster includes:
receiving network data acquired by a container event collector, and constructing a network access relation topological graph corresponding to the target container cluster according to the network data; nodes in the network access relation topological graph represent containers, and connection relations among the nodes represent access relations among the containers;
labeling corresponding trusted types for nodes in the network access relation topological graph according to the network access rights supported by containers in the target container cluster;
dividing trusted network boundaries according to the trusted types of the nodes in the network access relation topological graph, wherein nodes within the same trusted network boundary have the same trusted type.
In an optional implementation manner, labeling the corresponding trusted type for the nodes in the network access relation topological graph according to the network access rights supported by the containers in the target container cluster includes:
adopting a tri-color marking algorithm to color-mark the nodes in the network access relation topological graph based on the network access rights supported by the containers in the target container cluster, wherein different colors identify different trusted types.
In an alternative embodiment, the security policy device maintains container security protection policies with three security levels, namely a mandatory mode, a full detection mode and a normal detection mode; the different modes are used to protect the containers marked with different colors.
In an alternative embodiment, the method further comprises:
and when the risk detector detects a container security risk event, notifying a trusted boundary learner to dynamically adjust a trusted network boundary based on risk information of the container related to the container security risk event.
In an alternative embodiment, performing security protection through the risk detector on the containers within each trusted network boundary based on the container security protection policy corresponding to each trusted network boundary includes:
receiving, through the risk detector, a system event collected by the container event collector, and determining the target container related to the system event;
querying the policy rule cache list pushed by the security policy device, and selecting the container security protection policy corresponding to the target container;
and performing rule calculation on the system event through a rule detection engine, determining whether the system event presents a security risk, and performing security protection on the target container based on the container security protection policy corresponding to the target container.
In an alternative embodiment, the method further comprises:
monitoring asset changes of a container orchestration system corresponding to the target container cluster through an asset probe; wherein the assets of the container orchestration system comprise containers in the target container cluster and network access rights for the containers;
upon a change in a container asset in the target container cluster, notifying a trusted boundary learner to dynamically adjust a trusted network boundary based on the asset change.
In a second aspect, the present disclosure provides a container environment security protection apparatus, the apparatus comprising:
a boundary generation module, used for generating a plurality of trusted network boundaries corresponding to the target container cluster according to the network access relations among the containers in the target container cluster, wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on the network access rights supported by the containers in the corresponding trusted network boundaries;
a policy configuration module, used for configuring, through the security policy device and based on the trusted type of each trusted network boundary, a container security protection policy for each trusted network boundary, and for pushing the correspondence between each trusted network boundary and its container security protection policy to the risk detector, wherein the security policy device maintains a plurality of container security protection policies of different security levels;
and the security protection module is used for performing security protection on the containers in each trusted network boundary based on the container security protection policy corresponding to each trusted network boundary through the risk detector.
In a third aspect, the present disclosure provides a computer readable storage medium having instructions stored therein, which when run on a terminal device, cause the terminal device to implement the above-described method.
In a fourth aspect, the present disclosure provides a container environment security protection device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the above-described method when executing the computer program.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has at least the following advantages:
In the container environment security protection method provided by the embodiment of the disclosure, a plurality of trusted network boundaries corresponding to a target container cluster are generated according to the network access relations among the containers in the target container cluster, wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on the network access rights supported by the containers in the corresponding trusted network boundaries. A container security protection policy is then configured for each trusted network boundary through a security policy device based on the trusted type of that boundary, and the correspondence between each trusted network boundary and its container security protection policy is pushed to a risk detector, wherein the security policy device maintains a plurality of container security protection policies with different security levels. Finally, security protection is performed for the containers in each trusted network boundary through the risk detector based on the container security protection policy corresponding to that boundary. The embodiments of the present disclosure are therefore able to generate a plurality of trusted network boundaries based on the network access relations between the containers in the target container cluster and the network access rights supported by those containers, and to implement differentiated security protection for the containers in the target container cluster on the basis of these boundaries.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of a method for safeguarding a container environment provided in an embodiment of the present disclosure;
FIG. 2 is a topology diagram of a network access relationship provided by an embodiment of the present disclosure;
FIG. 3 is a schematic view of a container environment security protection apparatus provided in an embodiment of the present disclosure;
FIG. 4 is a schematic view of a container environment security protection device according to an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a container environment security protection device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
In order to achieve container environment security protection, the present disclosure provides a container environment security protection method.
Specifically, a plurality of trusted network boundaries corresponding to a target container cluster are generated according to the network access relations among the containers in the target container cluster, wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on the network access rights supported by the containers in the corresponding trusted network boundaries. A container security protection policy is then configured for each trusted network boundary through a security policy device based on the trusted type of that boundary, and the correspondence between each trusted network boundary and its container security protection policy is pushed to a risk detector, wherein the security policy device maintains a plurality of container security protection policies with different security levels. Finally, the risk detector performs security protection for the containers in each trusted network boundary based on the container security protection policy corresponding to that boundary. The embodiments of the present disclosure are therefore able to generate a plurality of trusted network boundaries based on the network access relations between the containers in the target container cluster and the network access rights supported by those containers, and to implement differentiated security protection for the containers in the target container cluster on the basis of these boundaries.
Based on this, an embodiment of the disclosure provides a method for protecting a container environment, referring to fig. 1, which is a flowchart of the method for protecting a container environment provided by the embodiment of the disclosure, where the method includes:
s101: and generating a plurality of trusted network boundaries corresponding to the target container cluster according to the network access relation among the containers in the target container cluster.
The trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on network access rights supported by containers in the corresponding trusted network boundaries.
In the embodiment of the present disclosure, the target container cluster may be any container cluster, and specifically, the target container cluster may be one container cluster or a plurality of container clusters, which is not limited in any way in the embodiment of the present disclosure.
In the embodiment of the disclosure, the network access rights supported by a container include support for network access from outside the target container cluster and support for network access from inside the target container cluster.
In an alternative embodiment, the network access rights supported by the container may be determined based on the network attribute information of the container.
The network attribute information may be collected from a container orchestration system; for a clearer understanding, the embodiments of the present disclosure are described taking the container orchestration engine Kubernetes as the container orchestration system.
Specifically, Kubernetes, also known as K8s, is an open-source container orchestration engine originated by Google and used for the orchestration and management of the containers in a target container cluster, among other things.
In the embodiment of the disclosure, the network attribute information of the containers in the target container cluster managed by the Kubernetes container orchestration system can be acquired automatically through communication between the asset probe and the interface provided by the Kubernetes container orchestration system.
The container network attribute information includes the Ingress resource object, the Service resource object, and the like.
Specifically, the Ingress resource object is a resource object in the Kubernetes container orchestration system used to implement network access from outside the target container cluster; for example, if container a has an Ingress resource object, this indicates that the network access right supported by container a is network access from outside the target container cluster.
The Service resource object is a resource object in the Kubernetes container orchestration system used to implement network access from inside the target container cluster; for example, if container b has a Service resource object, this indicates that the network access right supported by container b is network access from inside the target container cluster.
In the embodiment of the disclosure, if the network access right supported by the containers within a trusted network boundary is network access from outside the target container cluster, a higher-level trusted type is set for that trusted network boundary; if the network access right supported by the containers within the trusted network boundary is network access from inside the target container cluster, a lower-level trusted type is set for that trusted network boundary.
In an alternative embodiment, network data collected by a container event collector is received, a network access relation topological graph corresponding to a target container cluster is constructed according to the network data, corresponding trusted types are marked for nodes in the network access relation topological graph according to network access rights supported by containers in the target container cluster, and trusted network boundary division is performed according to the trusted types of the nodes in the network access relation topological graph.
The nodes in the network access relation topological graph represent containers, the connection relation among the nodes represents the access relation among the containers, and the nodes in the same trusted network boundary have the same trusted type.
In the embodiment of the disclosure, the network data may be collected by a container event collector. Specifically, the container event collector may monitor the network data generated in the containers of the target container cluster by loading compiled eBPF (extended Berkeley Packet Filter) programs into the Linux kernel of the operating system; the kernel-side programs report the collected network data to the user-space container event collector through the asynchronous netlink communication mechanism, so that the network data of the containers in the target container cluster is obtained.
In the embodiment of the disclosure, after obtaining the network data of the containers in the target container cluster, determining the network access relationship of each container in the target container cluster based on the network data, so as to construct a network access relationship topological graph corresponding to the target container cluster based on the network access relationship of each container.
In the embodiment of the disclosure, after a network access relation topological graph corresponding to a target container cluster is constructed, each node (container) in the network access relation topological graph is marked with a trusted type according to the network access rights supported by the container in the target container cluster, and the trusted network boundary is divided according to the marked trusted type of each node (container).
Referring to fig. 2, which is a topology diagram of network access relationships provided by an embodiment of the present disclosure, the network access relationship between the containers is shown. Containers A, C and D can all be accessed by the external network (i.e., network access from outside the target container cluster), so containers A, C and D are labeled as the first trusted type; container B can be accessed by container C (i.e., network access from inside the target container cluster), so container B is labeled as the second trusted type; container E is accessed neither by the external network nor by other containers, so container E is labeled as the third trusted type.
Wherein the first trusted type is higher in level than the second trusted type, and the second trusted type is higher in level than the third trusted type.
In an alternative embodiment, a tri-color marking algorithm may also be used to color mark nodes in the network access relationship topology map based on network access rights supported by containers in the target container cluster.
Wherein different colors identify different trusted types.
With continued reference to fig. 2, since each of containers A, C and D carries the network risk of being accessed through the external network, that is, containers A, C and D belong to the same risk level, the nodes corresponding to containers A, C and D may be marked black.
Container B carries only the network risk of being accessed through other containers (here, container C), so the node corresponding to container B may be marked gray.
Container E carries neither the network risk of being accessed through the external network nor the network risk of being accessed through other containers, so the node corresponding to container E may be marked white.
The black network risk level is higher than gray, and the gray network risk level is higher than white.
S102: and respectively configuring a container security protection policy for each trusted network boundary based on the trusted type of each trusted network boundary through a security policy device, and pushing the corresponding relation between each trusted network boundary and the container security protection policy to a risk detector.
Wherein the security policer maintains a plurality of container security policies of different security levels.
In an alternative embodiment, the security policer maintains three security levels of container security policies, including a mandatory mode, a full detection mode, and a normal detection mode, with different modes for securing against differently color marked containers.
Wherein the security level of the forced mode is higher than that of the complete detection mode and the normal detection mode.
In the embodiments of the present disclosure, for ease of understanding, the description will take as an example that the containers in the target container cluster contain the first trusted type, the second trusted type, and the third trusted type.
The network risk level of the container corresponding to the first trusted type is higher than that of the container corresponding to the second trusted type, and the network risk level of the container corresponding to the second trusted type is higher than that of the container corresponding to the third trusted type.
Because the network risk level of the container corresponding to the first trusted type is higher than that of the container corresponding to the second trusted type, and the network risk level of the container corresponding to the second trusted type is higher than that of the container corresponding to the third trusted type, the container corresponding to the first trusted type can be configured in a higher container security protection policy, the container corresponding to the second trusted type is configured in a medium container security protection policy, and the container corresponding to the third trusted type is configured in a lower container security protection policy, so that differential security protection of the containers in the target container cluster is realized.
Specifically, the security protection policy of the mandatory mode may be applied to the containers of the first trusted type, the security protection policy of the full detection mode to the containers of the second trusted type, and the security protection policy of the normal detection mode to the containers of the third trusted type.
The security protection policy of the mandatory mode corresponds to the complete set of risk detection policies for the containers in the target container cluster.
The security protection policy of the full detection mode corresponds to a partial set of the risk detection policies for the containers in the target container cluster.
The security protection policy of the normal detection mode corresponds to a small number of the risk detection policies for the containers in the target container cluster.
For example, if there are 100 security protection policies in total for the containers in the target container cluster, all of them may be applied to the containers of the first trusted type, part of them (e.g. 80) to the containers of the second trusted type, and a small number of them (e.g. 20) to the containers of the third trusted type, so that different security protection policies are configured for the containers of different trusted types.
For ease of understanding, with continued reference to fig. 2, since the nodes corresponding to containers A, C and D are all marked black, a security protection policy of the mandatory mode may be configured for containers A, C and D.
The node corresponding to container B is marked gray, so a security protection policy of the full detection mode may be configured for container B.
The node corresponding to container E is marked white, so a security protection policy of the normal detection mode may be configured for container E.
In addition, to further secure the containers in the target container cluster, in an alternative embodiment, when the risk detector detects a container security risk event, the trusted boundary learner may be notified to dynamically adjust the trusted network boundary based on the risk information of the container related to the container security risk event.
A container security risk event refers to access to the target container cluster through an illegitimate path; for example, the container security risk event may be a reverse shell alarm or the like.
In the embodiment of the disclosure, after the risk detector detects the container security risk event, determining a container (i.e. a target container) with the container security risk event, determining a container with a network relation with the target container in the network access relation topological graph, and dynamically adjusting the trusted network boundary for the target container and the container with the network relation with the target container.
Continuing with the example of fig. 2, if it is determined that the container E has a container security risk event, since the trusted type identifier corresponding to the container E is white, the corresponding network risk level is low, and therefore, when it is determined that the container E has a container security risk event, the corresponding network risk level of the container E is correspondingly increased, and the trusted type identifier corresponding to the container E may be changed to gray.
Similarly, if it is determined that the container B has a container security risk event, since the trusted type identifier corresponding to the container B is gray, the corresponding network risk level belongs to medium, and accordingly, when it is determined that the container B has a container security risk event, the network risk level corresponding to the container B is increased, and the trusted type identifier corresponding to the container B may be changed to black.
If it is determined that the container a has a container security risk event, since the trusted type identifier corresponding to the container a is black and the corresponding network risk level is already a higher network risk level, when it is determined that the container a has a container security risk event, the container security risk event can be blocked directly, so that the security of the container a is ensured.
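The following Python sketch is an added example, not code from the patent: it implements the tri-color marking, trusted boundary division, policy assignment and risk-event escalation described above on the topology of fig. 2. The container names, the access edges and the Ingress/Service assignments are constructed to mirror the figure, and raising the risk level of a container's network neighbours on a risk event is this example's reading of the dynamic adjustment step.

```python
from collections import defaultdict
from enum import Enum


class TrustedType(Enum):
    """Colour of the tri-colour marking; the value order is the network risk level."""
    WHITE = 0  # third trusted type: reachable neither from outside nor from other containers
    GRAY = 1   # second trusted type: reachable only from other containers in the cluster
    BLACK = 2  # first trusted type: reachable from outside the cluster


# Container security protection policy configured for each trusted type (step S102).
POLICY_FOR = {
    TrustedType.BLACK: "mandatory",
    TrustedType.GRAY: "full_detection",
    TrustedType.WHITE: "normal_detection",
}


def label_nodes(containers, ingress, services, edges):
    """Tri-colour marking of the network access relation topology graph.

    containers: node names.
    ingress:    containers that own an Ingress object (external access right).
    services:   containers that own a Service object (in-cluster access right).
    edges:      observed (src, dst) accesses reported by the container event collector.
    """
    accessed_internally = {dst for src, dst in edges if src != dst}
    colors = {}
    for c in containers:
        if c in ingress:
            colors[c] = TrustedType.BLACK
        elif c in services or c in accessed_internally:
            colors[c] = TrustedType.GRAY
        else:
            colors[c] = TrustedType.WHITE
    return colors


def divide_boundaries(colors):
    """Nodes of the same trusted type form one trusted network boundary."""
    boundaries = defaultdict(set)
    for c, t in colors.items():
        boundaries[t].add(c)
    return {t: frozenset(members) for t, members in boundaries.items()}


def neighbours(edges, container):
    """Containers that have a network relation with `container` in the topology graph."""
    out = {dst for src, dst in edges if src == container}
    inn = {src for src, dst in edges if dst == container}
    return (out | inn) - {container}


def on_risk_event(colors, edges, container):
    """Trusted boundary learner reaction to a container security risk event.

    A black container is already at the highest risk level, so the event is blocked;
    otherwise the container and its network neighbours move up one level.
    Returns ("block", set()) or ("relabel", set of containers whose colour changed).
    """
    if colors[container] is TrustedType.BLACK:
        return "block", set()
    changed = set()
    for c in {container} | neighbours(edges, container):
        if colors[c] is not TrustedType.BLACK:
            colors[c] = TrustedType(colors[c].value + 1)
            changed.add(c)
    return "relabel", changed


# Constructed topology mirroring fig. 2: A, C, D are reachable from outside,
# C accesses B inside the cluster, E is reached by nobody.
FIG2_CONTAINERS = ["A", "B", "C", "D", "E"]
FIG2_INGRESS = {"A", "C", "D"}
FIG2_SERVICES = {"B"}
FIG2_EDGES = {("C", "B")}


def demo():
    """Label fig. 2, divide it into boundaries and pick a policy per container."""
    colors = label_nodes(FIG2_CONTAINERS, FIG2_INGRESS, FIG2_SERVICES, FIG2_EDGES)
    boundaries = divide_boundaries(colors)
    policies = {c: POLICY_FOR[t] for c, t in colors.items()}
    return colors, boundaries, policies


if __name__ == "__main__":
    colors, boundaries, policies = demo()
    for t in sorted(boundaries, key=lambda t: -t.value):
        print(t.name, sorted(boundaries[t]), POLICY_FOR[t])
    print(on_risk_event(colors, FIG2_EDGES, "E"))  # E: white -> gray
    print(on_risk_event(colors, FIG2_EDGES, "B"))  # B: gray -> black (C is already black)
    print(on_risk_event(colors, FIG2_EDGES, "A"))  # A is already black -> block
```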
S103: and carrying out safety protection on the containers in each trusted network boundary based on the container safety protection policy corresponding to each trusted network boundary through the risk detector.
The risk detector is used for differentially selecting security strategies of different levels to carry out regulation calculation based on the system events acquired by the container event acquirer, so as to finish security risk detection of the container.
In an optional implementation manner, a risk detector receives the system event collected by the container event collector, determines a target container related to the system event, queries a policy rule cache list pushed by a security policy device, selects a container security protection policy corresponding to the target container, calculates rules of the system event through a rule detection engine, determines whether the system event has security risk, and performs security protection on the target container based on the container security protection policy corresponding to the target container.
The system events may include, among other things, system call events, file read-write events, process execution events, network events, and the like.
The policy rule cache list stores the corresponding relation between each trusted network boundary and the container security protection policy.
In the embodiment of the disclosure, if the rule detection engine calculates the rule of the system event and determines that the system event has a security risk, a security alarm is generated.
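As an added example (not code from the patent), the following Python sketch shows the risk detector of step S103: it looks up the target container's boundary in the pushed policy rule cache list, runs only the rules that the selected mode enables, and raises an alarm for each rule that fires. The rule set, the event shape and the sample events are constructed; the three rule subsets scale the 100 / 80 / 20 illustration above down to four rules.

```python
from dataclasses import dataclass, field


@dataclass
class SystemEvent:
    """One event from the container event collector (constructed shape, not the page's format)."""
    kind: str                       # "syscall", "file", "process" or "network"
    container: str                  # target container the event belongs to
    attrs: dict = field(default_factory=dict)


# Constructed rule set for the rule detection engine; each rule returns True on a risky event.
RULES = {
    "exec_from_tmp": lambda e: e.kind == "process" and e.attrs.get("exe", "").startswith("/tmp/"),
    "write_under_etc": lambda e: e.kind == "file" and e.attrs.get("op") == "write" and e.attrs.get("path", "").startswith("/etc/"),
    "raw_socket": lambda e: e.kind == "syscall" and e.attrs.get("name") == "socket" and e.attrs.get("type") == "SOCK_RAW",
    "non_web_egress": lambda e: e.kind == "network" and e.attrs.get("direction") == "egress" and e.attrs.get("dst_port") not in (80, 443),
}

# Policy rule cache list pushed by the security policy device: the mandatory mode carries every
# rule, the full detection mode most of them, the normal detection mode only a few.
POLICY_RULES = {
    "mandatory": frozenset(RULES),
    "full_detection": frozenset({"exec_from_tmp", "write_under_etc", "non_web_egress"}),
    "normal_detection": frozenset({"exec_from_tmp"}),
}


class RiskDetector:
    def __init__(self, trusted_type_of, policy_of_type, on_risk=None):
        self.trusted_type_of = trusted_type_of  # container -> trusted type (its boundary)
        self.policy_of_type = policy_of_type    # trusted type -> policy name (cache list)
        self.on_risk = on_risk                  # optional callback to the trusted boundary learner
        self.alarms = []                        # (container, policy, rule) security alarms

    def select_policy(self, container):
        """Find the container's trusted network boundary, then the policy pushed for it."""
        return self.policy_of_type[self.trusted_type_of[container]]

    def handle(self, event):
        """Run only the rules enabled by the selected policy; return the rule names that fired."""
        policy = self.select_policy(event.container)
        fired = [name for name in sorted(POLICY_RULES[policy]) if RULES[name](event)]
        for name in fired:
            self.alarms.append((event.container, policy, name))
            if self.on_risk is not None:
                self.on_risk(event.container)
        return fired


# Constructed fig. 2 assignment: A, C, D black; B gray; E white.
FIG2_TYPES = {"A": "black", "B": "gray", "C": "black", "D": "black", "E": "white"}
TYPE_POLICY = {"black": "mandatory", "gray": "full_detection", "white": "normal_detection"}

# Constructed sample events, one per case of interest.
SAMPLE_EVENTS = [
    SystemEvent("process", "E", {"exe": "/tmp/x.sh"}),                       # enabled in every mode
    SystemEvent("syscall", "E", {"name": "socket", "type": "SOCK_RAW"}),     # not enabled in normal mode
    SystemEvent("syscall", "A", {"name": "socket", "type": "SOCK_RAW"}),     # enabled in mandatory mode
    SystemEvent("network", "B", {"direction": "egress", "dst_port": 8022}),  # enabled in full mode
    SystemEvent("file", "B", {"op": "read", "path": "/etc/hosts"}),          # benign
]


def run_detector(events=SAMPLE_EVENTS):
    """Feed the sample events through the detector; return per-event hits and the alarm list."""
    detector = RiskDetector(FIG2_TYPES, TYPE_POLICY)
    results = [(e.container, detector.handle(e)) for e in events]
    return results, detector.alarms


if __name__ == "__main__":
    results, alarms = run_detector()
    for container, fired in results:
        print(container, fired)
    print("alarms:", alarms)
```

The same raw-socket event is silent in container E (normal detection mode) and alarms in container A (mandatory mode), which is the differentiated protection the boundaries are meant to produce.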
In addition, to further ensure the security of the containers in the target container cluster, the embodiments of the present disclosure may also dynamically adjust the trusted network boundaries. In an alternative embodiment, the asset probe monitors asset changes of the container orchestration system corresponding to the target container cluster, and when a container asset in the target container cluster changes, the trusted boundary learner is notified to dynamically adjust the trusted network boundaries based on the asset change.
The assets of the container orchestration system include the containers in the target container cluster and the network access rights of those containers.
In the embodiments of the present disclosure, upon determining that the number of containers in the target container cluster has changed and/or that the network access rights of the containers have changed, the trusted boundary learner is notified to dynamically adjust the trusted network boundaries based on the asset change.
Specifically, a change in the number of containers in the target container cluster and a change in the network access rights of the containers may be determined in a variety of ways.
In one alternative implementation, whether the number of containers in the target container cluster has changed and whether the network access rights of the containers have changed can be determined by dynamic monitoring.
In the embodiments of the present disclosure, the asset probe can communicate with an interface provided by the Kubernetes container asset orchestration system to dynamically monitor whether the number of containers in the target container cluster has changed and whether the network access rights of the containers have changed, so that once a change in the number of containers in the target container cluster and/or in the network access rights of the containers is determined, the trusted boundary learner is notified to dynamically adjust the trusted network boundaries based on the asset change.
In another alternative embodiment, whether the number of containers in the target container cluster has changed and whether the network access rights of the containers have changed may also be determined by full synchronization.
In the embodiments of the present disclosure, the number of containers in the container cluster and the network access rights of the containers may be collected at a preset cycle frequency. The collected number of containers and network access rights are then compared with the previously stored number of containers and network access rights to determine whether the number of containers in the target container cluster has changed and whether the network access rights of the containers have changed. Once a change in the number of containers in the target container cluster and/or in the network access rights of the containers is determined, the trusted boundary learner is notified to dynamically adjust the trusted network boundaries based on the asset change.
It should be noted that, after a change in the number of containers in the target container cluster or in the network access rights of the containers is determined, the manner in which the containers within the respective trusted network boundaries are updated can refer to the description above.
In the container environment security protection method provided by the embodiments of the present disclosure, a plurality of trusted network boundaries corresponding to a target container cluster are generated according to the network access relationship among the containers in the target container cluster, where different trusted network boundaries are respectively assigned trusted types of different levels and the trusted types are determined based on the network access rights supported by the containers within the corresponding trusted network boundaries. A container security protection policy is configured for each trusted network boundary through a security policy device based on the trusted type of each trusted network boundary, and the correspondence between each trusted network boundary and its container security protection policy is pushed to a risk detector, where the security policy device maintains a plurality of container security protection policies of different security levels. Security protection is then performed for the containers within each trusted network boundary through the risk detector based on the container security protection policy corresponding to that trusted network boundary. It can be seen that the embodiments of the present disclosure are capable of generating a plurality of trusted network boundaries based on the network access relationships between containers in a target container cluster and the network access rights supported by the containers, and of implementing differentiated security protection for the containers in the target container cluster based on the trusted network boundaries.
To aid understanding of the container environment security protection method provided by the embodiments of the present disclosure, the embodiments of the present disclosure also describe the method in the context of a container environment security protection system.
The container environment security protection method provided by the embodiments of the present disclosure is applied to a container environment security protection system, as shown in fig. 3. Fig. 3 is a schematic structural diagram of the container environment security protection system provided by the embodiments of the present disclosure; the container environment security protection system 300 includes a Kubernetes container asset orchestration system, an asset probe, a container event collector, a risk detector, a security policy device and a trusted boundary learner.
Specifically, the Kubernetes container asset orchestration system is used to orchestrate and manage the containers in the target container cluster.
The asset probe is configured to communicate with an interface provided by the Kubernetes container asset orchestration system and to monitor asset changes of the container orchestration system corresponding to the target container cluster.
The container event collector is used to collect the network events and system events of the containers in the target container cluster.
The risk detector is used to differentially select container security protection policies based on the system events collected by the container event collector and to perform rule calculation, thereby completing the security protection of the containers in the target container cluster.
The security policy device is used to apply container security protection policies of different levels to the containers in the target container cluster, differentiated according to the established trusted network boundaries.
The trusted boundary learner is used to perform risk assessment on the containers in the target container cluster and to construct the trusted network boundaries.
As shown in fig. 3, the trusted boundary learner constructs the network access relation topological graph corresponding to the target container cluster from the network data in the network events collected by the container event collector, marks the nodes in the network access relation topological graph with the corresponding trusted types according to the network access rights supported by the containers in the target container cluster as collected by the asset probe, divides the trusted network boundaries according to the trusted types of the nodes in the network access relation topological graph, and sends the constructed trusted network boundaries to the security policy device.
After receiving the trusted network boundaries constructed by the trusted boundary learner, the security policy device configures different container security protection policies for the containers in different trusted network boundaries, and pushes the correspondence between each trusted network boundary and its container security protection policy to the risk detector.
After receiving the correspondence between each trusted network boundary and its container security protection policy from the security policy device, the risk detector determines, based on a system event collected by the container event collector, the target container to which the system event relates, queries the policy rule cache list pushed by the security policy device, selects the container security protection policy corresponding to the target container, and performs rule calculation on the system event through the rule detection engine to determine whether the system event carries a security risk; when it determines that the system event carries a security risk, it raises an alarm so that the trusted boundary learner reconstructs the trusted network boundaries.
Based on the above method embodiments, the present disclosure further provides a container environment security protection device. Referring to fig. 4, which is a schematic structural diagram of the container environment security protection device provided by the embodiments of the present disclosure, the device includes:
the boundary generation module 401, configured to generate a plurality of trusted network boundaries corresponding to a target container cluster according to the network access relationship between the containers in the target container cluster; wherein different trusted network boundaries are respectively assigned trusted types of different levels, and the trusted types are determined based on the network access rights supported by the containers within the corresponding trusted network boundaries;
the policy configuration module 402, configured to configure, through the security policy device, a container security protection policy for each trusted network boundary based on the trusted type of each trusted network boundary, and to push the correspondence between each trusted network boundary and its container security protection policy to the risk detector; wherein the security policy device maintains a plurality of container security protection policies of different security levels;
and the security protection module 403, configured to perform security protection on the containers within each trusted network boundary through the risk detector based on the container security protection policy corresponding to each trusted network boundary.
In an alternative embodiment, the boundary generation module includes:
the data receiving sub-module, used to receive the network data collected by the container event collector and to construct the network access relation topological graph corresponding to the target container cluster from the network data; nodes in the network access relation topological graph represent containers, and the connections between nodes represent access relations between containers;
the node labeling sub-module, used to label the nodes in the network access relation topological graph with the corresponding trusted types according to the network access rights supported by the containers in the target container cluster;
the boundary dividing sub-module, used to divide the trusted network boundaries according to the trusted types of the nodes in the network access relation topological graph; nodes within the same trusted network boundary have the same trusted type.
In an alternative embodiment, the node labeling submodule is specifically configured to:
using a three-color marking algorithm to color the nodes in the network access relation topological graph based on the network access rights supported by the containers in the target container cluster; different colors identify different trusted types.
In an alternative embodiment, the security policy device maintains container security protection policies with three security levels, including a mandatory mode, a full detection mode, and a normal detection mode; different modes are used to protect containers marked with different colors.
In an alternative embodiment, the apparatus further comprises:
and the first boundary adjustment module, used to notify the trusted boundary learner to dynamically adjust the trusted network boundary based on the risk information of the container related to a container security risk event when the risk detector detects that container security risk event.
In an alternative embodiment, the security protection module includes:
the event receiving sub-module, used to receive, through the risk detector, the system event collected by the container event collector and to determine the target container to which the system event relates;
the list query sub-module, used to query the policy rule cache list pushed by the security policy device and to select the container security protection policy corresponding to the target container;
and the rule calculation sub-module, used to perform rule calculation on the system event through a rule detection engine, determine whether the system event carries a security risk, and perform security protection on the target container based on the container security protection policy corresponding to the target container.
In an alternative embodiment, the apparatus further comprises:
the asset monitoring module, used to monitor, through the asset probe, asset changes of the container orchestration system corresponding to the target container cluster; wherein the assets of the container orchestration system comprise the containers in the target container cluster and the network access rights of those containers;
and the second boundary adjustment module, used to notify the trusted boundary learner to dynamically adjust the trusted network boundary based on the asset change when a container asset in the target container cluster changes.
In the container environment security protection device provided by the embodiments of the present disclosure, a plurality of trusted network boundaries corresponding to a target container cluster are generated according to the network access relationship among the containers in the target container cluster, where different trusted network boundaries are respectively assigned trusted types of different levels and the trusted types are determined based on the network access rights supported by the containers within the corresponding trusted network boundaries. A container security protection policy is configured for each trusted network boundary through a security policy device based on the trusted type of each trusted network boundary, and the correspondence between each trusted network boundary and its container security protection policy is pushed to a risk detector, where the security policy device maintains a plurality of container security protection policies of different security levels. Security protection is then performed for the containers within each trusted network boundary through the risk detector based on the container security protection policy corresponding to that trusted network boundary. It can be seen that the embodiments of the present disclosure are capable of generating a plurality of trusted network boundaries based on the network access relationships between containers in a target container cluster and the network access rights supported by the containers, and of implementing differentiated security protection for the containers in the target container cluster based on the trusted network boundaries.
In addition to the above methods and apparatuses, the embodiments of the present disclosure further provide a computer readable storage medium, where instructions are stored, when the instructions are executed on a terminal device, to cause the terminal device to implement the container environment security protection method according to the embodiments of the present disclosure.
In addition, the embodiments of the present disclosure further provide container environment security protection equipment, shown in fig. 5, which may include:
a processor 501, a memory 502, an input device 503 and an output device 504. The number of processors 501 in the container environment security protection equipment may be one or more; one processor is taken as an example in fig. 5. In some embodiments of the present disclosure, the processor 501, memory 502, input device 503 and output device 504 may be connected by a bus or by other means; a bus connection is taken as an example in fig. 5.
The memory 502 may be used to store software programs and modules, and the processor 501 performs the various functional applications and data processing of the container environment security protection equipment by executing the software programs and modules stored in the memory 502. The memory 502 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, application programs required for at least one function, and the like. In addition, the memory 502 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. The input device 503 may be used to receive entered numeric or character information and to generate signal inputs related to user settings and function control of the container environment security protection equipment.
Specifically, in this embodiment, the processor 501 loads the executable files corresponding to the processes of one or more application programs into the memory 502 according to the following instructions, and the processor 501 executes the application programs stored in the memory 502, thereby implementing the various functions of the container environment security protection equipment described above.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A container environment security protection method, the method comprising:
generating a plurality of trusted network boundaries corresponding to a target container cluster according to a network access relation among containers in the target container cluster; wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on network access rights supported by containers in the corresponding trusted network boundaries;
configuring, through a security policy device, a container security protection policy for each trusted network boundary based on the trusted type of each trusted network boundary, and pushing the correspondence between each trusted network boundary and the container security protection policy to a risk detector; wherein the security policy device maintains a plurality of container security protection policies of different security levels;
and performing security protection on the containers within each trusted network boundary, through the risk detector, based on the container security protection policy corresponding to each trusted network boundary.
2. The method of claim 1, wherein the generating a plurality of trusted network boundaries corresponding to the target container cluster according to the network access relationships among the containers in the target container cluster comprises:
receiving network data acquired by a container event collector, and constructing a network access relation topological graph corresponding to the target container cluster according to the network data; nodes in the network access relation topological graph represent containers, and connection relations among the nodes represent access relations among the containers;
labeling corresponding trusted types for nodes in the network access relation topological graph according to the network access rights supported by containers in the target container cluster;
dividing trusted network boundaries according to the trusted types of the nodes in the network access relation topological graph; nodes within the same trusted network boundary have the same trusted type.
3. The method according to claim 1, wherein labeling the corresponding trusted type for the node in the network access relationship topology according to the network access rights supported by the container in the target container cluster comprises:
using a three-color marking algorithm to mark the colors of the nodes in the network access relation topological graph based on the network access rights supported by the containers in the target container cluster; different colors identify different trusted types.
4. The method according to claim 3, wherein the security policy device maintains container security protection policies with three security levels, including a mandatory mode, a full detection mode, and a normal detection mode; different modes are used to protect containers marked with different colors.
5. The method according to claim 1, wherein the method further comprises:
and when the risk detector detects a container security risk event, notifying a trusted boundary learner to dynamically adjust a trusted network boundary based on risk information of the container related to the container security risk event.
6. The method of claim 1, wherein securing the containers within each trusted network boundary by the risk detector based on the container security policy corresponding to each trusted network boundary comprises:
receiving, through the risk detector, a system event collected by a container event collector, and determining a target container related to the system event;
querying a policy rule cache list pushed by the security policy device, and selecting a container security protection policy corresponding to the target container;
and performing rule calculation on the system event through a rule detection engine, determining whether the system event carries a security risk, and performing security protection on the target container based on the container security protection policy corresponding to the target container.
7. The method according to claim 1, wherein the method further comprises:
monitoring asset changes of a container orchestration system corresponding to the target container cluster through an asset probe; wherein the assets of the container orchestration system comprise containers in the target container cluster and network access rights for the containers;
upon a change in a container asset in the target container cluster, notifying a trusted boundary learner to dynamically adjust a trusted network boundary based on the asset change.
8. A container environment security protection device, the device comprising:
a boundary generation module, used to generate a plurality of trusted network boundaries corresponding to a target container cluster according to a network access relation among containers in the target container cluster; wherein different trusted network boundaries are respectively provided with different levels of trusted types, and the trusted types are determined based on network access rights supported by containers in the corresponding trusted network boundaries;
a policy configuration module, used to configure, through a security policy device, a container security protection policy for each trusted network boundary based on the trusted type of each trusted network boundary, and to push the correspondence between each trusted network boundary and the container security protection policy to a risk detector; wherein the security policy device maintains a plurality of container security protection policies of different security levels;
and a security protection module, used to perform security protection on the containers within each trusted network boundary, through the risk detector, based on the container security protection policy corresponding to each trusted network boundary.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein instructions, which when run on a terminal device, cause the terminal device to implement the method of any of claims 1-7.
10. Container environment security protection equipment, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1-7 when the computer program is executed.
CN202211686599.XA 2022-12-26 2022-12-26 Container environment safety protection method, device, equipment and storage medium Pending CN116015875A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211686599.XA CN116015875A (en) 2022-12-26 2022-12-26 Container environment safety protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116015875A true CN116015875A (en) 2023-04-25

Family

ID=86037616


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination