CN116032614A - Container network micro-isolation method, device, equipment and medium - Google Patents

Publication number: CN116032614A
Application number: CN202211709792.0A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventor: 严伟
Assignee: Shanghai Pudong Development Bank Co Ltd
Abstract

The embodiment of the invention discloses a container network micro-isolation method, device, equipment and medium. The method comprises the following steps: monitoring preset key information that changes dynamically for each POD resource object in the target cluster, and generating a corresponding target network isolation policy from the preset key information and a preset initial container isolation policy; transmitting the preset key information and the target network isolation policy to the corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object; and when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy to achieve container network isolation. The technical solution of the embodiment solves the problem that existing methods for container network micro-isolation lack generality, and provides a general network isolation method at POD granularity.

Description

Container network micro-isolation method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a container network micro-isolation method, device, equipment and medium.
Background
At present, cloud services are provided to tenants with a single container instance as the unit, and to guarantee the security of those services, micro-isolation of the container network must be achieved at a finer granularity.
In the prior art, container micro-isolation is mostly achieved either through eBPF (Extended Berkeley Packet Filter) based network micro-isolation or through iptables on the host. However, these two main implementations either impose requirements on the operating-system kernel version or cannot be applied to network micro-isolation under some network plug-ins, and so lack generality.
Disclosure of Invention
The embodiment of the invention provides a container network micro-isolation method, device, equipment and medium, which are used for providing a network isolation method with universality at the POD granularity level.
In a first aspect, an embodiment of the present invention provides a container network micro-isolation method, where the method includes:
monitoring preset key information that changes dynamically for each POD resource object in a target cluster, and generating a corresponding target network isolation policy from the preset key information and a preset initial container isolation policy;
transmitting the preset key information and the target network isolation policy to a corresponding node proxy container, to serve as the target network isolation policy of the iptables rules of each POD resource object;
when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy, thereby achieving container network isolation.
In a second aspect, an embodiment of the present invention provides a container network micro-isolation device, including:
a resource object information acquisition module, configured to monitor preset key information that changes dynamically for each POD resource object in the target cluster and to generate a corresponding target network isolation policy from the preset key information and a preset initial container isolation policy;
a network isolation policy updating module, configured to send the preset key information and the target network isolation policy to a corresponding node proxy container, to serve as the target network isolation policy of the iptables rules of each POD resource object;
and a network isolation module, configured to filter the traffic data according to the target network isolation policy when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, thereby achieving container network isolation.
In a third aspect, an embodiment of the present invention further provides a computer apparatus, including:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the container network micro-isolation method as provided by any embodiment of the present invention.
In a fourth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a container network micro-isolation method as provided by any embodiment of the present invention.
The embodiments of the above invention have the following advantages or benefits:
according to the embodiment of the invention, the container is taken as the isolation granularity: preset key information that changes dynamically for each POD resource object in the target cluster is monitored, and a corresponding target network isolation policy is generated from the preset key information and a preset initial container isolation policy; the preset key information and the target network isolation policy are transmitted to the corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object; and when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, the traffic data is filtered according to the target network isolation policy to achieve container network isolation. The technical solution of the embodiment solves the problem that existing methods for container network micro-isolation lack generality, and provides a general network isolation method at POD granularity that is not limited by the kernel version or by the type of network plug-in in use.
Drawings
FIG. 1 is a flow chart of a method for micro-isolation of a container network according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for micro-isolation of a container network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a process for implementing micro-isolation of a container network in one example provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a container network micro-isolation device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Fig. 1 is a flowchart of a container network micro-isolation method provided by an embodiment of the present invention, where the embodiment may be suitable for a scenario of guaranteeing security of a cloud native container network and performing container network micro-isolation. The method may be performed by a container network micro-isolator, which may be implemented in hardware and/or software, configured in a computer device or server.
As shown in fig. 1, the container network micro-isolation method comprises the following steps:
S110, monitoring preset key information that changes dynamically for the POD resource objects in a target cluster, and generating a corresponding target network isolation policy from the preset key information and a preset initial container isolation policy.
A target cluster is a cluster of containers that requires network security management. POD resource objects are the smallest schedulable units in the target cluster, each containing one or more containers; the containers of a POD resource object are scheduled to run on a node as a whole. Taking the POD resource object as the monitored object therefore collects the container network isolation information at the finest granularity.
The preset key information includes the unique identification information of the POD resource object and its network connection information, such as network connection attributes and network configuration information (network ports, network IP addresses, domain names and the like). The network configuration information in the preset key information may be the initial configuration of each POD resource object, or updated network configuration that keeps changing as the network changes dynamically. When any item of the preset key information changes, the change is detected by monitoring so that the preset key information of the POD resource object is updated.
The preset initial container isolation policy is a container isolation policy configured in advance by the system administrator, i.e. the rules used to filter traffic data. Generating the corresponding target network isolation policy from the preset key information and the preset initial container isolation policy means assembling the identification information, network configuration and other information of the POD resource object from the preset key information into a preset isolation policy format, giving the final machine-readable policy content. When the preset key information or the preset initial container isolation policy changes, the information is recalculated and reassembled to obtain an updated target network isolation policy.
S120, sending the preset key information and the target network isolation policy to the corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object.
The preset key information and the target network isolation policy may be transmitted over the gRPC (Google Remote Procedure Call) protocol. The node Agent container receives the corresponding data and stores it in a preset data management store (DataManager). From there the target network isolation policy data can be written, in the form of iptables chains, into the iptables module of each container concerned by the policy, so that it serves as the target network isolation policy of the iptables rules of each POD resource object; that is, the network isolation policy of a POD resource object is written into the network namespace in which that POD resource object resides.
S130, when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy to achieve container network isolation.
Specifically, when access traffic enters the network stack of a container in a POD resource object, the iptables module filters the access traffic in the INPUT chain according to the corresponding target network isolation policy. When a container application in a POD resource object needs to access an external application, the traffic is filtered in the OUTPUT chain after it leaves the application and before it reaches the target application, so that network isolation between containers is achieved.
According to the technical solution of this embodiment, the container is taken as the isolation granularity: preset key information that changes dynamically for each POD resource object in the target cluster is monitored, and a corresponding target network isolation policy is generated from the preset key information and a preset initial container isolation policy; the preset key information and the target network isolation policy are transmitted to the corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object; and when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, the traffic data is filtered according to the target network isolation policy to achieve container network isolation. The technical solution of the embodiment solves the problem that existing methods for container network micro-isolation lack generality, and provides a general network isolation method at POD granularity that is not limited by the kernel version or by the type of network plug-in in use.
Fig. 2 is a flowchart of a container network micro-isolation method according to an embodiment of the present invention, which further describes a process of generating a container resource object identifier and a process of performing inter-container network isolation based on a specific network isolation policy based on the above embodiment. The method may be performed by a container network micro-isolator, which may be implemented in hardware and/or software, configured in a computer device or server.
As shown in fig. 2, the container network micro-isolation method includes:
S210, generating the identification information of each POD resource object from its original label according to a preset identification generation policy.
The identification information (Identity) is an abstraction of each POD resource object: PODs with the same original label (label) share one Identity, which indicates the identity of the POD resource object and is used throughout the cluster management architecture. The original label (label) is the label carried by each POD; alternatively a custom unique label may be used that combines the label with the namespace, so that the namespace from which the related resource object data originates can be identified.
S220, acquiring a plurality of pieces of preset attribute information of each POD resource object in the target cluster, and extracting identification information and network configuration information in the plurality of pieces of preset attribute information as the preset key information.
The multiple pieces of preset attribute information are all queryable attribute information of each POD resource object; the full set of attribute information is obtained when each POD resource object is monitored. The preset key information is the attribute information relevant to network filtering, such as network connection attributes and network configuration information (network ports, network IP addresses, domain names and the like), extracted from the full attribute information, which reduces the data transmission load when the network isolation policy is transmitted.
S230, generating a corresponding target network isolation strategy according to the preset key information and a preset initial container isolation strategy.
The preset initial container isolation policy is a container isolation policy configured in advance by the system administrator, i.e. the rules used to filter traffic data. Generating the corresponding target network isolation policy from the preset key information and the preset initial container isolation policy means assembling the identification information, network configuration and other information of the POD resource object from the preset key information into a preset isolation policy format, giving the final machine-readable policy content. When the preset key information or the preset initial container isolation policy changes, the information is recalculated and reassembled, and the updated target network isolation policy is obtained and cached.
S240, matching the target key information in the traffic data against the preset key information in the target network isolation policy, and filtering the traffic data according to the matching result.
Specifically, when access traffic enters the network stack of a container in a POD resource object, the iptables module filters the access traffic in the INPUT chain according to the corresponding target network isolation policy. When a container application in a POD resource object needs to access an external application, the traffic is filtered in the OUTPUT chain after it leaves the application and before it reaches the target application, so that network isolation between containers is achieved.
Further, filtering traffic data in the INPUT and OUTPUT chains may specifically include the following processes:
1. When the state value (state) of the traffic packet is RELATED or ESTABLISHED, the access traffic is accepted directly (ACCEPT); packets of a TCP connection that has already been established successfully do not need to pass through the subsequent network isolation policy (Policy) chain.
2. When the state value (state) of the traffic packet is INVALID, the packet is discarded directly (DROP).
3. Marking the network traffic with 0xfffdffff indicates that the traffic has begun to be evaluated against the network rules.
Traffic filtering is then performed according to the corresponding ingress network isolation rule. Specifically, the IP address of the traffic packet is matched against the corresponding access whitelist, and on a successful match the packet is marked 0x10000. When the mark value matches 0x10000, the chain returns (RETURN) and the packet is accepted; when the mark value does not match 0x10000, the current packet is discarded. In addition, other custom network isolation policies can be inserted between the RETURN rule and the DROP rule for traffic filtering.
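The per-POD chain just described, modelled in Python as an added example (not code from the patent): the evaluation order of rules 1 to 3, the whitelist mark, the RETURN/DROP decision and the slot for custom policies, together with the iptables commands such a chain would correspond to. The chain and ipset names and the treatment of the mark as a plain value are assumptions; the page gives only the rule order and the two mark values.

```python
"""Model of the per-pod iptables chain described in step S240 (rules 1-3 and the
ingress whitelist match), plus the iptables commands that chain corresponds to.
Constructed example: the chain and ipset naming and the mark handling are
assumptions; the patent gives only the rule order and the two mark values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MARK_POLICY_START = 0xFFFDFFFF  # from the text: policy evaluation has begun
MARK_WHITELISTED = 0x10000      # from the text: peer matched the ingress whitelist


@dataclass
class Packet:
    src: str
    ctstate: str                 # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    mark: int = 0
    trace: list = field(default_factory=list)  # rules the packet passed through


class PodIngressChain:
    """Evaluates a packet against the pod's INPUT-side chain in the order the text
    gives. custom_rules are callables (pkt -> verdict or None) hooked in between the
    RETURN and the final DROP, the slot the text reserves for additional policies."""

    def __init__(self, pod_name, whitelist, custom_rules=()):
        self.chain = f"POD-IN-{pod_name}"[:28]   # iptables chain names are at most 28 chars
        self.ipset = f"pod-wl-{pod_name}"[:31]
        self.whitelist = [ip_network(cidr) for cidr in whitelist]
        self.custom_rules = list(custom_rules)

    def evaluate(self, pkt):
        # 1. RELATED/ESTABLISHED: accept without running the policy rules again
        if pkt.ctstate in ("RELATED", "ESTABLISHED"):
            pkt.trace.append("ctstate-accept")
            return "ACCEPT"
        # 2. INVALID: drop outright
        if pkt.ctstate == "INVALID":
            pkt.trace.append("ctstate-drop")
            return "DROP"
        # 3. mark the packet: from here on it is subject to the network rules
        pkt.mark = MARK_POLICY_START
        pkt.trace.append("mark-policy-start")
        # ingress rule: source in the whitelist sets the accept mark (the mark is
        # replaced rather than OR-ed; the page gives no mask, so this is simplified)
        if any(ip_address(pkt.src) in net for net in self.whitelist):
            pkt.mark = MARK_WHITELISTED
            pkt.trace.append("whitelist-mark")
        if pkt.mark == MARK_WHITELISTED:
            pkt.trace.append("return")  # RETURN to the parent chain: packet accepted
            return "ACCEPT"
        # slot for additional custom isolation policies, between RETURN and DROP
        for rule in self.custom_rules:
            verdict = rule(pkt)
            if verdict is not None:
                pkt.trace.append("custom-" + verdict.lower())
                return verdict
        pkt.trace.append("default-drop")
        return "DROP"

    def render_iptables(self):
        """The equivalent iptables commands, with the whitelist held in an ipset."""
        cmds = [f"ipset create {self.ipset} hash:net -exist"]
        cmds += [f"ipset add {self.ipset} {net} -exist" for net in self.whitelist]
        c = self.chain
        cmds += [
            f"iptables -N {c}",
            f"iptables -A {c} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
            f"iptables -A {c} -m conntrack --ctstate INVALID -j DROP",
            f"iptables -A {c} -j MARK --set-mark {MARK_POLICY_START:#x}",
            f"iptables -A {c} -m set --match-set {self.ipset} src"
            f" -j MARK --set-mark {MARK_WHITELISTED:#x}",
            f"iptables -A {c} -m mark --mark {MARK_WHITELISTED:#x} -j RETURN",
            f"iptables -A {c} -j DROP",
        ]
        return cmds


if __name__ == "__main__":
    chain = PodIngressChain("backend-1", ["10.244.1.0/24"])
    print("\n".join(chain.render_iptables()))
    for pkt in (Packet("10.244.1.10", "NEW"), Packet("10.244.9.9", "NEW"),
                Packet("10.244.9.9", "ESTABLISHED"), Packet("10.244.9.9", "INVALID")):
        print(pkt.src, pkt.ctstate, "->", chain.evaluate(pkt), pkt.trace)
```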
Fig. 3 is a flowchart of a container network micro-isolation method according to an embodiment of the present invention, which further describes a process of implementing container network micro-isolation by cooperation between each functional module of a multi-cluster management system in a specific example based on the above embodiment.
As shown in fig. 3, the container network micro-isolation method comprises the following processes:
Specifically, the multi-cluster management system monitors the information of the POD resource objects through several controllers in the control layer and performs the integration calculation of the specific container network isolation policy. The process is as follows:
The Identity information acquisition controller listens to and organizes all Pod resource objects in the current cluster and creates Identity and SimplifyPod resources for them. The Identity resource holds the identification information of the Pod resource object together with its full attribute information; the SimplifyPod resource holds the preset key information extracted from the Identity resource.
After the IdentityMaintain controller receives the creation, update and deletion events of a Pod resource object, it creates or updates the corresponding SimplifyPod information in the local cache and fills in the corresponding data according to the identification information of the POD. For a newly created Pod resource object, the Identity is looked up according to the Pod's label (original label): if the Identity exists, its state is updated; if it does not exist, the Identity resource is created through the api-server (application interface service). The identity field of the SimplifyPod resource is filled with the Identity name and stored in the cache. Identity and SimplifyPod events are issued to the node Agent. When the Agent establishes or re-establishes its connection with the control layer, the full information is transmitted; when a change (creation, update or deletion) of a resource is issued to the Agent for updating, only the incremental information is sent.
Two controllers, the PreNetworkPolicyMaintain controller and the NetworkPolicyMaintain controller, manage the calculation and updating of the network isolation policy.
Specifically, the PreNetworkPolicyMaintain controller monitors the Identity resources; when an Identity resource changes, the previously defined NetworkPolicy resources are recalculated, rules are recomputed for them, and the computed contents are stored in the cache in the form of PreNetworkPolicy resources. The PreNetworkPolicyMaintain controller sends the operations it performs to the Agent over the gRPC protocol. The NetworkPolicy controller monitors the PodPolicy resources, computes rules for them, and stores the computed contents in the cache in the form of PreNetworkPolicy resources.
PreNetworkPolicy is a cached policy resource used to hold the preprocessed PodPolicy resource; the PodPolicy is turned into a PreNetworkPolicy of this format by the corresponding controller. NetworkPolicy is the network policy introduced by Kubernetes in line with the cloud native approach; PodPolicy resources are proposed on the basis of the native NetworkPolicy and their fields are essentially consistent with it, so a user can convert a native NetworkPolicy into a PodPolicy simply by changing its apiVersion, which refines the network isolation policy into a network isolation policy of POD resource objects. The rules generated from a PodPolicy are divided into allow (ACCEPT) and reject (DROP) rules according to the Agent's whitelist mode. A PodPolicy selects the identities whose labels contain the labels given by the resource selector, and its rules take effect on those identities.
In this example, the corresponding controllers take the container as the isolation granularity: preset key information that changes dynamically for each POD resource object in the target cluster is monitored, and a corresponding target network isolation policy is generated from the preset key information and a preset initial container isolation policy; the preset key information and the target network isolation policy are transmitted to the corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object; and when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, the traffic data is filtered according to the target network isolation policy to achieve container network isolation. The technical solution of the embodiment solves the problem that existing methods for container network micro-isolation lack generality, and provides a general network isolation method at POD granularity that is not limited by the kernel version or by the type of network plug-in in use.
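The control-plane side of steps S210 to S230 and of the Fig. 3 controllers, as an added example that is not the patent's own code: an Identity derived from a POD's namespace and labels, the SimplifyPod extraction of key information, a cache that emits incremental events (full snapshot on connect), and the PreNetworkPolicy whitelist computed from a PodPolicy in native NetworkPolicy shape. The record layouts, the hashing rule for Identity names and the same-namespace peer matching are assumptions.

```python
"""Control-plane model of steps S210-S230 and the Fig. 3 controllers: Identity
generation, key-information extraction (SimplifyPod) and whitelist policy
computation (PreNetworkPolicy). Constructed example, not the patent's own code."""
import hashlib

def make_identity(pod):
    """Identity name from namespace plus sorted labels: pods with the same labels
    in the same namespace share one Identity (this naming rule is an assumption)."""
    labels = ",".join(f"{k}={v}" for k, v in sorted(pod["labels"].items()))
    digest = hashlib.sha256(f'{pod["namespace"]}|{labels}'.encode()).hexdigest()
    return "identity-" + digest[:12]

def simplify_pod(pod):
    """SimplifyPod: only the identification and network fields needed for filtering,
    dropping the rest of the pod's full attribute set."""
    return {"name": pod["name"], "namespace": pod["namespace"],
            "identity": make_identity(pod), "ip": pod["podIP"],
            "ports": sorted(pod.get("ports", []))}

def selector_matches(selector, labels):
    """Equality-based label selector, as in a native NetworkPolicy podSelector."""
    return all(labels.get(k) == v for k, v in selector.items())

def compute_pre_network_policy(pod_policy, pods):
    """PreNetworkPolicy: for every Identity the PodPolicy selects, the ingress
    whitelist (peer IPs and ports to ACCEPT); anything else the pod chain DROPs.
    Peers are matched within the policy's namespace (assumed, as in NetworkPolicy)."""
    result = {}
    for pod in pods:
        if pod["namespace"] != pod_policy["namespace"]:
            continue
        if not selector_matches(pod_policy["podSelector"], pod["labels"]):
            continue
        entry = result.setdefault(make_identity(pod), {"accept_ips": set(), "ports": set()})
        for rule in pod_policy["ingress"]:
            entry["ports"].update(rule["ports"])
            for peer in pods:
                if (peer["namespace"] == pod_policy["namespace"]
                        and selector_matches(rule["from"], peer["labels"])):
                    entry["accept_ips"].add(peer["podIP"])
    # sorted lists keep the cached result stable so it can be diffed for updates
    return {ident: {"accept_ips": sorted(e["accept_ips"]), "ports": sorted(e["ports"])}
            for ident, e in result.items()}

class ControlPlaneCache:
    """IdentityMaintain-style cache. handle_event returns the incremental records
    pushed to the node Agent; full_snapshot is sent when the Agent (re)connects."""

    def __init__(self):
        self.identities = {}
        self.simplified = {}

    def handle_event(self, kind, pod):
        delta = []
        if kind == "delete":
            removed = self.simplified.pop(pod["name"], None)
            if removed is not None:
                delta.append(("delete", "SimplifyPod", removed))
            return delta
        sp = simplify_pod(pod)
        ident = sp["identity"]
        if ident not in self.identities:
            # no Identity for this label set yet: create it (the api-server write in the text)
            self.identities[ident] = {"name": ident, "namespace": pod["namespace"],
                                      "labels": dict(pod["labels"])}
            delta.append(("create", "Identity", self.identities[ident]))
        self.simplified[pod["name"]] = sp
        delta.append((kind, "SimplifyPod", sp))
        return delta

    def full_snapshot(self):
        return {"identities": list(self.identities.values()),
                "pods": list(self.simplified.values())}

# Constructed sample cluster state (not from the patent).
FRONTEND = {"name": "frontend-1", "namespace": "shop", "labels": {"app": "frontend"},
            "podIP": "10.244.1.10", "ports": [80]}
BACKEND_1 = {"name": "backend-1", "namespace": "shop", "labels": {"app": "backend"},
             "podIP": "10.244.1.20", "ports": [8080]}
BACKEND_2 = {"name": "backend-2", "namespace": "shop", "labels": {"app": "backend"},
             "podIP": "10.244.1.21", "ports": [8080]}
OTHER_NS = {"name": "frontend-x", "namespace": "other", "labels": {"app": "frontend"},
            "podIP": "10.244.2.5", "ports": [80]}
PODS = [FRONTEND, BACKEND_1, BACKEND_2, OTHER_NS]
# PodPolicy in native NetworkPolicy shape: backend pods accept 8080 only from frontend pods.
POLICY = {"namespace": "shop", "podSelector": {"app": "backend"},
          "ingress": [{"from": {"app": "frontend"}, "ports": [8080]}]}

if __name__ == "__main__":
    cache = ControlPlaneCache()
    for p in PODS:
        print(cache.handle_event("create", p))
    print(cache.full_snapshot())
    print(compute_pre_network_policy(POLICY, PODS))
```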
Fig. 4 is a schematic structural diagram of a container network micro-isolation device provided by an embodiment of the present invention. The embodiment is suitable for ensuring the security of a cloud native container network and performing container network micro-isolation; the device may be implemented in software and/or hardware and integrated in a computer device with an application development function.
As shown in fig. 4, the container network micro-isolation device includes: a resource object information acquisition module 310, a network isolation policy updating module 320, and a network isolation module 330.
The resource object information acquisition module 310 is configured to monitor preset key information that changes dynamically for each POD resource object in the target cluster, and to generate a corresponding target network isolation policy from the preset key information and a preset initial container isolation policy; the network isolation policy updating module 320 is configured to send the preset key information and the target network isolation policy to a corresponding node proxy container, where the target network isolation policy serves as the target network isolation policy of the iptables rules of each POD resource object; and the network isolation module 330 is configured to filter the traffic data according to the target network isolation policy when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, so as to achieve container network isolation.
In an alternative embodiment, the resource object information obtaining module 310 is specifically configured to:
acquiring a plurality of pieces of preset attribute information of each POD resource object in a target cluster;
and extracting identification information and network configuration information in the plurality of pieces of preset attribute information to serve as the preset key information.
In an alternative embodiment, the container network micro-isolation device further includes an identification information generation module for:
before acquiring multiple pieces of preset attribute information of each POD resource object in a target cluster, generating the identification information of each POD resource object according to a preset identification generation strategy according to an original label of each POD resource object.
In an alternative embodiment, the network isolation policy updating module 320 is specifically configured to:
converting the preset key information and the initial container isolation policy into a target network isolation policy in a preset key information format.
In an alternative embodiment, the resource object information obtaining module 310 is specifically configured to:
when any state change occurs in creation, updating or deletion of each POD resource object in the target cluster, preset key information of the POD resource object with the state change is obtained.
In an alternative embodiment, the network isolation module 330 is specifically configured to:
and matching the target key information in the flow data with preset key information in the target network isolation strategy, and filtering the flow data according to a matching result.
In an alternative embodiment, the network isolation module 330 may be further configured to:
generating a white list IP set based on preset key information in a target network isolation policy of IPTables of each POD resource object;
and matching the target key information in the flow data with the IP information in the white list IP set, and filtering the flow data according to a matching result.
The container network micro-isolation device provided by the embodiment of the invention can execute the container network micro-isolation method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention. Fig. 5 illustrates a block diagram of an exemplary computer device 12 suitable for use in implementing embodiments of the present invention. The computer device 12 shown in fig. 5 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention. The computer device 12 may be any terminal device with computing power, such as an intelligent controller, a server, a mobile phone, and the like.
As shown in FIG. 5, the computer device 12 is in the form of a general purpose computing device. Components of computer device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Computer device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard disk drive"). Although not shown in fig. 5, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. The system memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
The computer device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the computer device 12, and/or any devices (e.g., network card, modem, etc.) that enable the computer device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Moreover, computer device 12 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 20. As shown, network adapter 20 communicates with other modules of computer device 12 via bus 18. It should be appreciated that although not shown in fig. 5, other hardware and/or software modules may be used in connection with computer device 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example implementing the container network micro-isolation method provided by the embodiment of the present invention, which includes:
monitoring the dynamically changing preset key information of each POD resource object in a target cluster, and generating a corresponding target network isolation policy according to the preset key information and a preset initial container isolation policy;
transmitting the preset key information and the target network isolation policy into a corresponding node proxy container as the target network isolation policy of the IPTables of each POD resource object;
when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy, thereby realizing container network isolation.
The present embodiment also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the container network micro-isolation method provided by any embodiment of the present invention, comprising:
monitoring the dynamically changing preset key information of each POD resource object in a target cluster, and generating a corresponding target network isolation policy according to the preset key information and a preset initial container isolation policy;
transmitting the preset key information and the target network isolation policy into a corresponding node proxy container as the target network isolation policy of the IPTables of each POD resource object;
when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy, thereby realizing container network isolation.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium may be, for example, but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
It will be appreciated by those of ordinary skill in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be centralized on a single computing device, or distributed over a network of computing devices, or they may alternatively be implemented in program code executable by a computer device, such that they are stored in a memory device and executed by the computing device, or they may be separately fabricated as individual integrated circuit modules, or multiple modules or steps within them may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (10)

1. A method of micro-isolation of a container network, comprising:
monitoring the dynamically changing preset key information of each POD resource object in a target cluster, and generating a corresponding target network isolation policy according to the preset key information and a preset initial container isolation policy;
transmitting the preset key information and the target network isolation policy into a corresponding node proxy container as the target network isolation policy of the IPTables of each POD resource object;
when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, filtering the traffic data according to the target network isolation policy, thereby realizing container network isolation.
2. The method according to claim 1, wherein monitoring the dynamically changing preset key information of each POD resource object in the target cluster comprises:
acquiring a plurality of pieces of preset attribute information of each POD resource object in the target cluster;
and extracting identification information and network configuration information from the plurality of pieces of preset attribute information to serve as the preset key information.
3. The method according to claim 2, wherein before acquiring the plurality of pieces of preset attribute information of each POD resource object in the target cluster, the method further comprises:
generating the identification information of each POD resource object from the original label of each POD resource object according to a preset identification generation strategy.
4. The method according to claim 1, wherein generating the corresponding target network isolation policy according to the preset key information and the preset initial container isolation policy comprises:
converting the preset key information and the initial container isolation policy into a target network isolation policy in a preset keyword information format.
5. The method according to claim 1, wherein monitoring the dynamically changing preset key information of each POD resource object in the target cluster comprises:
when any POD resource object in the target cluster is created, updated or deleted, obtaining the preset key information of the POD resource object whose state changed.
6. The method according to claim 1, wherein filtering the traffic data according to the target network isolation policy comprises:
matching the target key information in the traffic data against the preset key information in the target network isolation policy, and filtering the traffic data according to the matching result.
7. The method according to claim 6, wherein the method further comprises:
generating a whitelist IP set based on the preset key information in the target network isolation policy of the IPTables of each POD resource object;
and matching the target key information in the traffic data against the IP information in the whitelist IP set, and filtering the traffic data according to the matching result.
8. A container network micro-isolation device, comprising:
a resource object information acquisition module, used for monitoring the dynamically changing preset key information of each POD resource object in a target cluster and generating a corresponding target network isolation policy according to the preset key information and a preset initial container isolation policy;
a network isolation policy updating module, used for sending the preset key information and the target network isolation policy into a corresponding node proxy container to serve as the target network isolation policy of the IPTables of each POD resource object;
and a network isolation module, used for filtering traffic data according to the target network isolation policy when traffic data of any POD resource object enters or leaves the corresponding POD network namespace, so as to realize container network isolation.
9. A computer device, the computer device comprising:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the container network micro-isolation method of any one of claims 1-7.
10. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the container network micro-isolation method of any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211709792.0A CN116032614A (en) 2022-12-29 2022-12-29 Container network micro-isolation method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116032614A true CN116032614A (en) 2023-04-28

Family

ID=86070270
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117112632A (en) * 2023-10-23 2023-11-24 北京纷扬科技有限责任公司 Isolation method, device and storage medium for preventing data impact
CN117112632B (en) * 2023-10-23 2024-01-12 北京纷扬科技有限责任公司 Isolation method, device and storage medium for preventing data impact

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination