CN116318992A - Blacklist control method and device of cloud native kubernetes network - Google Patents

Blacklist control method and device of cloud native kubernetes network

Info

Publication number
CN116318992A
Authority
CN
China
Prior art keywords
network
access control
resource
network access
container
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310269579.0A
Other languages
Chinese (zh)
Inventor
王琨
赵建星
樊建刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jingdong Technology Information Technology Co Ltd
Priority to CN202310269579.0A
Publication of CN116318992A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention disclose a blacklist control method and device for a cloud native Kubernetes network. One implementation of the method comprises the following steps: loading a configuration file used to interact with the API server, through which container (pod) resources and network access control custom resources are obtained; receiving an event synchronized by the API server, where the event is triggered by the API server on a change to a pre-configured container resource or network access control custom resource; obtaining an IP list from the container resources and the network access control custom resources; generating a blacklist from the IP list; and, in response to receiving data that matches the blacklist, discarding that data. The embodiment realizes a blacklist management and configuration scheme for cloud native Kubernetes.

Description

Blacklist control method and device of cloud native kubernetes network
Technical Field
The embodiment of the disclosure relates to the technical field of computers, in particular to a blacklist control method and device of a cloud native kubernetes network.
Background
Cloud native Kubernetes provides powerful container orchestration, exposes a network interface, and supports custom, flexible container networks. In the Kubernetes network model each pod (container) has its own IP address; pods live in a flat network and can reach each other directly. CNI (Container Network Interface) defines the interface specification for a container network, and the network itself is implemented by a custom CNI plug-in.
The two common forms of network access control are the whitelist and the blacklist. A whitelist permits the IP address + port combinations that may be accessed; a blacklist blocks the IP address + port combinations that may not be accessed.
Existing cloud native k8s can implement the whitelist function with NetworkPolicy and a network plug-in (Calico and the like). The upstream NetworkPolicy API only expresses allow rules: once a pod is selected by a policy, everything not explicitly allowed is denied, but there is no way to state "deny this specific source" on its own. k8s therefore lacks a definition and implementation of a network blacklist and offers no user-facing blacklist function.
Disclosure of Invention
The embodiment of the disclosure provides a blacklist control method and device of a cloud native kubernetes network.
In a first aspect, an embodiment of the present disclosure provides a blacklist control method for a cloud native Kubernetes network, including: loading a configuration file used to interact with the API server, through which container resources and network access control custom resources are obtained; receiving an event synchronized by the API server, where the event is triggered by the API server on a change to a pre-configured container resource or network access control custom resource; obtaining an IP list from the container resources and the network access control custom resources; generating a blacklist from the IP list; and, in response to receiving data that matches the blacklist, discarding the data.
In some embodiments, the network access control custom resource has a network segment (cidr) type, and the matching parameters of a network segment type resource comprise: network protocol, source IP segment, source port, destination IP segment and destination port. Obtaining the IP list then includes: if the event is a network access control custom resource event and the resource is of the network segment type, configuring the traffic-filtering segment and port rules from the network protocol, source IP segment, source port, destination IP segment and destination port.
In some embodiments, the network access control custom resource has a container (pod) type, and the matching parameters of a container type resource comprise: a label selector, the ingress segments and ports, and the egress segments and ports. Obtaining the IP list then includes: if the event is a network access control custom resource event and the resource is of the container type, selecting the target containers from the container resources with the label selector, and configuring the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of the target containers.
In some embodiments, for the same container type resource, obtaining the IP list includes: if the event is a container resource event, checking whether the container is selected by the label selector of a network access control custom resource, which identifies it as a target container; and if so, configuring the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of that target container.
In some embodiments, generating the blacklist from the IP list includes: generating a custom chain from the namespace and name of the network access control list; configuring the filtering rules of the custom chain; generating five-tuples from the IP list; and performing a drop operation when a five-tuple matches a filtering rule.
In some embodiments, configuring the filtering rules of the custom chain includes configuring jumps into the custom chain from the INPUT and FORWARD positions.
In some embodiments, the changes include additions, modifications and deletions.
In a second aspect, an embodiment of the present disclosure provides a blacklist control apparatus for a cloud native Kubernetes network, including: an importing unit configured to load a configuration file used to interact with the API server, through which container resources and network access control custom resources are obtained; a synchronization unit configured to receive an event synchronized by the API server, where the event is triggered by the API server on a change to a pre-configured container resource or network access control custom resource; an obtaining unit configured to obtain an IP list from the container resources and the network access control custom resources; a generation unit configured to generate a blacklist from the IP list; and a filtering unit configured to discard data in response to receiving data that matches the blacklist.
In some embodiments, the network access control custom resource has a network segment (cidr) type, and the matching parameters of a network segment type resource comprise: network protocol, source IP segment, source port, destination IP segment and destination port. The obtaining unit is further configured to: if the event is a network access control custom resource event and the resource is of the network segment type, configure the traffic-filtering segment and port rules from the network protocol, source IP segment, source port, destination IP segment and destination port.
In some embodiments, the network access control custom resource has a container (pod) type, and the matching parameters of a container type resource comprise: a label selector, the ingress segments and ports, and the egress segments and ports. The obtaining unit is further configured to: if the event is a network access control custom resource event and the resource is of the container type, select the target containers from the container resources with the label selector, and configure the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of the target containers.
In some embodiments, for the same container type resource, the obtaining unit is further configured to: if the event is a container resource event, check whether the container is selected by the label selector of a network access control custom resource, which identifies it as a target container; and if so, configure the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of that target container.
In some embodiments, the generation unit is further configured to: generate a custom chain from the namespace and name of the network access control list; configure the filtering rules of the custom chain; generate five-tuples from the IP list; and perform a drop operation when a five-tuple matches a filtering rule.
In some embodiments, the generation unit is further configured to configure jumps into the custom chain from the INPUT and FORWARD positions.
In some embodiments, the changes include additions, modifications and deletions.
In a third aspect, embodiments of the present disclosure provide an electronic device for blacklist control of a cloud native kubernetes network, comprising: one or more processors; storage means having stored thereon one or more computer programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of the first aspects.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method according to any of the first aspects.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
Other features, objects and advantages of the present disclosure will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings:
FIG. 1 is an exemplary system architecture diagram in which an embodiment of the present disclosure may be applied;
FIG. 2 is a flow chart of one embodiment of a blacklist control method of a cloud native kubernetes network according to the present disclosure;
FIGS. 3a-3b are schematic diagrams of application scenarios of a blacklist control method of a cloud native kubernetes network according to the present disclosure;
FIG. 4 is a schematic diagram of the structure of one embodiment of a blacklist control device of a cloud native kubernetes network according to the present disclosure;
fig. 5 is a schematic diagram of a computer system suitable for use in implementing embodiments of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present disclosure and features of the embodiments may be combined with each other. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
FIG. 1 illustrates an exemplary system architecture to which an embodiment of the blacklist control method or blacklist control apparatus of a cloud native kubernetes network of the present disclosure may be applied.
As shown in fig. 1, the system architecture is divided into two parts, a control plane and a data plane. The control plane consists of the apiserver (API server) and the NetworkAcl CRD (network access control custom resource). The apiserver is the management endpoint of the Kubernetes cluster; among other things it registers and manages pod resources (the IP address, labels and other attributes of each pod). The data plane consists of the aclcontroller, iptables and ipset: the aclcontroller is the blacklist controller (i.e. plug-in) designed for this application, while iptables and ipset are modules of the existing host firewall.
iptables assembles rules into lists and implements fine-grained access control. It runs in user space and is the tool for defining rules; it is not the firewall itself. The rules it defines are read and enforced by netfilter in kernel space, which is what actually makes the firewall work. The enforcement points in the kernel are fixed: they are places the TCP/IP protocol stack must pass through, and the kernel code that reads and applies rules at those places is netfilter.
When a host receives a packet, the packet is processed in kernel space. If its destination address is the host itself, it is handed up to user space for the corresponding application to process; otherwise it is forwarded or discarded. Netfilter decides what happens to the packet according to the rules defined with iptables.
iptables implements the firewall function as follows. There are five key points on a packet's path through the kernel, PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING, called hooks. User-space software, i.e. iptables, can write rules at these five points to process the packets that pass through them; a rule is generally of the form "if the packet header satisfies these conditions, then handle the packet in this way".
With plain iptables, however, matching many unrelated IP addresses requires one rule per address, and performance degrades badly once several hundred or even thousands of addresses have to be matched. ipset addresses this: because of its data structure and the way lookups are done, the cost of matching against an ipset stays stable instead of growing with the number of entries. Adding ipset also makes the blacklist easier to manage.
The NetworkAcl CRD (CustomResourceDefinition) defines the structure of the blacklist in k8s, and the aclcontroller plug-in parses the CR resources configured by the user into the network configuration of the data plane.
A new CRD (CustomResourceDefinition) structure supporting blacklists defines NetworkAcl as follows:
[NetworkAcl CRD definition: present only as an image in the original, not available as text]
The Type field is the NetworkAcl type and supports two values ("cidr", the network segment type, and "pod", the container type). cidr means the blacklist matching parameter is a network segment, and all traffic matching the corresponding segment and port rule is blocked. pod means the blacklist matching parameter is a pod label, and only pods carrying the matching label use the blacklist to block their outgoing and incoming traffic.
CidrBlackListSpec holds the matching parameters in cidr mode; the matching information is the five-tuple (source IP segment, source port, destination IP segment, destination port, network protocol).
PodBlackListSpec holds the matching parameters in pod mode; the matching information is the podSelector, and the Ingress and Egress access restrictions are applied to the pods whose labels it matches.
It should be noted that the blacklist control method of the cloud native kubernetes network provided by the embodiment of the present disclosure is generally executed by the aclcontroller, and accordingly the blacklist control device of the cloud native kubernetes network is generally located in the aclcontroller.
It should be understood that the numbers of apiservers and aclcontrollers in fig. 1 are merely illustrative. There may be any number of terminal devices, networks and servers, as required by the implementation.
With continued reference to fig. 2, a flow 200 of one embodiment of a blacklist control method for a cloud native kubernetes network according to the present disclosure is shown. The blacklist control method of the cloud native kubernetes network comprises the following steps:
step 201, importing a configuration file for interacting with an API service node to obtain container resources and network access control custom resources.
In this embodiment, the execution body of the blacklist control method of the cloud native kubernetes network (for example, the aclcontroller shown in fig. 1) may obtain the configuration file, such as a kubeconfig, over a wired or wireless connection (see fig. 3a). The configuration file is used to interact with the API server in order to obtain container resources and network access control custom resources. The aclcontroller can obtain container resources and network access control custom resources by list (full) or watch (incremental). The container resources include information such as labels and IP addresses. The network access control custom resource (NetworkAcl CR) includes information such as the type and the matching parameters of the blacklist. The data structures are as described above: the Type field is the NetworkAcl type and supports two values ("cidr" and "pod"). cidr means the blacklist matching parameter is a network segment, and all traffic matching the corresponding segment and port rule is blocked. pod means the blacklist matching parameter is a pod label, and only pods carrying the matching label use the blacklist to block their outgoing and incoming traffic.
CidrBlackListSpec holds the matching parameters in cidr mode; the matching information is the five-tuple (source IP segment, source port, destination IP segment, destination port, network protocol).
PodBlackListSpec holds the matching parameters in pod mode; the matching information is the podSelector, and the Ingress and Egress access restrictions are applied to the pods whose labels it matches.
Step 202, an event synchronized by an API service node is received.
In this embodiment, the event is triggered by the API service node according to a change in the preconfigured container resources and the network access control custom resources.
Changes may include the addition, modification or deletion of container resources, or the addition, modification or deletion of network access control custom resources. For example, when the cluster scales out and the number of containers grows, an addition event for container resources is triggered and the API server sends the event to the aclcontroller.
If the user edits a network access control custom resource, a network access control custom resource event is triggered and the API server likewise sends the event to the aclcontroller.
And 203, acquiring an IP list according to the container resources and the network access control custom resources.
In this embodiment, receiving an event indicates that a container resource or a network access control custom resource has changed. The IP addresses are then taken from the updated network access control custom resource, or, for a container resource update, the IP addresses of the containers whose labels match the label selector of a network access control custom resource are collected.
Step 204, generating a blacklist according to the IP list.
In this embodiment, the blacklist may be generated using existing iptables and ipset modules. Or the blacklist may be generated using only the iptables module.
In step 205, data is discarded in response to receiving blacklisted data.
In this embodiment, the blacklist may filter data according to the IP address quintuple (source IP network segment, source port, destination IP network segment, destination port, network protocol), and the data matching the blacklist is discarded.
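The five-tuple match of step 205, as an added example that is not part of the patent's own code: a user-space model in Go of what "data conforming to the blacklist" means for a list of cidr-type rules, with CIDR containment, port and protocol wildcards (port 0 and empty protocol are assumptions of this example), and first-match DROP semantics like a chain of iptables DROP rules. It also shows two edge cases a controller author can trip over: a 0.0.0.0/0 rule never matches IPv6 traffic, and IPv4-mapped IPv6 addresses must be unmapped before matching. The rules and packets are constructed inline, not captured.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one blacklist entry, the five-tuple of the page: source CIDR, source port, destination CIDR,
// destination port, protocol. Port 0 means any port and an empty Protocol means any protocol (assumptions).
type Rule struct {
	Protocol         string
	SrcCIDR, DstCIDR netip.Prefix
	SrcPort, DstPort uint16
}

// Packet is the header information netfilter sees for one datagram (constructed here, not captured).
type Packet struct {
	Protocol         string
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
}

// MustRule parses the CIDRs of a rule; a malformed CIDR in a blacklist should fail loudly at load time.
func MustRule(proto, src, dst string, sport, dport uint16) Rule {
	return Rule{proto, netip.MustParsePrefix(src).Masked(), netip.MustParsePrefix(dst).Masked(), sport, dport}
}

// Matches reports whether a packet conforms to the rule. netip.Prefix.Contains never matches across
// address families, so a "0.0.0.0/0" rule does not catch IPv6 traffic; Unmap folds IPv4-mapped IPv6
// addresses (::ffff:a.b.c.d) back to IPv4 so they are not missed.
func (r Rule) Matches(p Packet) bool {
	if r.Protocol != "" && r.Protocol != p.Protocol {
		return false
	}
	if !r.SrcCIDR.Contains(p.Src.Unmap()) || !r.DstCIDR.Contains(p.Dst.Unmap()) {
		return false
	}
	if r.SrcPort != 0 && r.SrcPort != p.SrcPort {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Verdict evaluates the blacklist in order like a chain of DROP rules: the first match drops the
// packet and returns the rule index; anything else falls through (a blacklist only denies, it never accepts).
func Verdict(rules []Rule, p Packet) (verdict string, matched int) {
	for i, r := range rules {
		if r.Matches(p) {
			return "DROP", i
		}
	}
	return "ACCEPT", -1
}

func pkt(proto, src string, sport uint16, dst string, dport uint16) Packet {
	return Packet{proto, netip.MustParseAddr(src), netip.MustParseAddr(dst), sport, dport}
}

func main() {
	// Constructed blacklist: rule 0 is a cidr-type entry; rule 1 blocks SSH into the pod CIDR from any IPv4 source.
	rules := []Rule{
		MustRule("tcp", "10.0.0.0/24", "172.16.0.0/24", 0, 0),
		MustRule("", "0.0.0.0/0", "10.244.0.0/16", 0, 22),
	}
	for _, p := range []Packet{
		pkt("tcp", "10.0.0.7", 51234, "172.16.0.10", 443),
		pkt("udp", "10.0.0.7", 51234, "172.16.0.10", 53),
		pkt("tcp", "192.168.1.1", 40000, "10.244.3.4", 22),
		pkt("tcp", "::ffff:192.168.1.1", 40000, "10.244.3.4", 22),
		pkt("tcp", "2001:db8::1", 40000, "2001:db8::2", 22),
	} {
		v, i := Verdict(rules, p)
		fmt.Printf("%-4s %s:%d -> %s:%d => %s (rule %d)\n", p.Protocol, p.Src, p.SrcPort, p.Dst, p.DstPort, v, i)
	}
}
```

A controller that must block IPv6 sources as well needs a separate ::/0 rule (and, on the data plane, ip6tables and an inet6 family ipset), because neither this model nor a netfilter IPv4 rule will see that traffic.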
The method provided by the embodiment of the disclosure provides a k8s self-defined network acl blacklist access controller, and realizes dynamic configuration of the cluster network blacklist.
In some optional implementations of this embodiment, the network access control custom resource has a network segment (cidr) type, and the matching parameters of a network segment type resource include: network protocol, source IP segment, source port, destination IP segment and destination port; and
obtaining the IP list from the container resources and the network access control custom resources includes:
if the event is a network access control custom resource event and the resource is of the network segment type, configuring the traffic-filtering segment and port rules from the network protocol, source IP segment, source port, destination IP segment and destination port.
The data structure of the matching parameters of the network access control custom resource of the network segment type is as follows:
[Data structure of the network segment (cidr) type matching parameters: present only as an image in the original, not available as text]
the network access control custom resource of the Cidr type can configure iptables and ipset rules directly on the data plane.
In some optional implementations of this embodiment, the network access control custom resource has a container (pod) type, and the matching parameters of a container type resource include: a label selector, the ingress segments and ports, and the egress segments and ports; and
obtaining the IP list from the container resources and the network access control custom resources includes:
if the event is a network access control custom resource event and the resource is of the container type, selecting the target containers from the container resources with the label selector;
and configuring the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of the target containers.
The data structure of the matching parameters of the network access control custom resource of the container type is as follows:
[Data structure of the container (pod) type matching parameters: present only as an image in the original, not available as text]
For the pod type, all pods matching the label selector are listed, their IP addresses are collected into the IP list, and the data-plane iptables and ipset configuration is completed.
In some optional implementations of this embodiment, the network access control custom resource has a container (pod) type, and the matching parameters of a container type resource include: a label selector, the ingress segments and ports, and the egress segments and ports; and
obtaining the IP list from the container resources and the network access control custom resources includes:
if the event is a container resource event, checking whether the container is selected by the label selector of a network access control custom resource, which identifies it as a target container;
and if so, configuring the traffic-filtering segment and port rules from the ingress segments and ports and the egress segments and ports of that target container.
The aclcontroller receives the pod event synchronized by the k8s apiserver and checks whether the label selector of any NetworkAcl CR selects the pod; if so, it completes the data-plane iptables and ipset configuration.
In some optional implementations of this embodiment, generating the blacklist from the IP list includes: generating a custom chain from the namespace and name of the network access control list; configuring the filtering rules of the custom chain; generating five-tuples from the IP list; and performing a drop operation when a five-tuple matches a filtering rule. The custom chain is generated from the namespace and name of the NetworkAcl; the configuration jumps into the chain from INPUT and FORWARD, and jumps can also be configured at PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING (in the filter table only INPUT, FORWARD and OUTPUT exist; the PREROUTING and POSTROUTING hooks are reached from the raw, mangle or nat tables). A drop operation is then performed on packets matching the corresponding five-tuple.
In some optional implementations of this embodiment, configuring the filtering rules of the custom chain includes configuring jumps into the custom chain from the INPUT and FORWARD positions.
In some optional implementations of this embodiment, the changes include additions, modifications and deletions. Each such change alters the IP addresses in the blacklist, so a blacklist update must be triggered on every change.
With continued reference to figs. 3a-3b, figs. 3a-3b are schematic diagrams of application scenarios of the blacklist control method of a cloud native kubernetes network according to this embodiment. The flow is as follows:
1. The aclcontroller starts by loading the kubeconfig file, connects to the k8s apiserver, and lists/watches pod resources and NetworkAcl CR resources.
2. The user creates, deletes, updates and queries NetworkAcl CRs to configure the network ACL.
3. The aclcontroller receives a NetworkAcl CR event synchronized by the k8s apiserver and processes it according to whether the CR's type is pod or cidr. If the type is cidr, it configures the iptables and ipset rules directly on the data plane; if the type is pod, it lists all pods matching the label selector, obtains their IP list, and completes the data-plane iptables and ipset configuration.
4. The aclcontroller receives a pod event synchronized by the k8s apiserver and checks in reverse whether the label selector of any NetworkAcl CR selects this pod; if so, it completes the data-plane iptables and ipset configuration.
As shown in FIG. 3b, the data plane uses the iptables and ipset modules to complete the ACL configuration. A custom chain is generated from the namespace and name of the NetworkAcl, jumps into the chain are configured from INPUT and FORWARD, and a drop operation is executed on packets matching the corresponding five-tuple. The blocked segments in the ingress direction are configured in ingress-src-pool and ingress-dst-pool, and the blocked segments in the egress direction in egress-src-pool and egress-dst-pool. An example follows:
# source segments to block; hash:net holds CIDRs
ipset create test1-ingress-src-pool hash:net
ipset add test1-ingress-src-pool 10.0.0.0/24
# destination segments to block
ipset create test1-ingress-dst-pool hash:net
ipset add test1-ingress-dst-pool 172.16.0.0/24
# custom chain named after the NetworkAcl, entered from INPUT (local delivery) and FORWARD (routed/bridged pod traffic)
iptables -N TEST_CHAIN
iptables -A INPUT -j TEST_CHAIN
iptables -A FORWARD -j TEST_CHAIN
# one rule matches every (src, dst) pair of the two sets, however many entries they hold
iptables -A TEST_CHAIN -m set --match-set test1-ingress-src-pool src -m set --match-set test1-ingress-dst-pool dst -j DROP
This example drops all traffic from the source segment 10.0.0.0/24 to the destination segment 172.16.0.0/24. Note that the jump is appended (-A) to INPUT and FORWARD, so it is evaluated after every rule already in those chains; if a rule placed earlier in FORWARD by the CNI plug-in or kube-proxy has already accepted the packet, TEST_CHAIN is never reached. Inserting the jump at the top of the chain (iptables -I FORWARD 1 -j TEST_CHAIN) avoids this.
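The control-plane side of steps 3 and 4 of the flow above together with the data-plane commands of FIG. 3b, as an added example in Go that is not the patent's own code: it models the NetworkAcl CR and pods as plain structs (the field names, the ACL- chain prefix, the set suffixes -pods/-in-src/-out-dst, the equality-only label selector and the TCP assumption for pod-type ports are all assumptions of this example, since the page does not reproduce the CRD schema), selects pods with the label selector, and renders the ipset and iptables commands for both the cidr and the pod type. It produces command strings rather than invoking iptables, so it runs unprivileged, and it derives chain and set names from namespace and name while respecting the kernel's name-length limits.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"strings"
)

// Pod is the subset of a Kubernetes Pod the controller needs (plain struct, not the client-go type).
type Pod struct {
	Namespace, Name, IP string
	Labels              map[string]string
}

// NetworkAcl models the CR on the page; field names are assumptions, the page does not reproduce the schema.
type NetworkAcl struct {
	Namespace, Name, Type      string            // Type is "cidr" or "pod"
	Protocol, SrcCIDR, DstCIDR string            // cidr type: five-tuple
	SrcPort, DstPort           int               // cidr type: 0 means any port
	PodSelector                map[string]string // pod type: equality-based (matchLabels) selector
	IngressCIDRs, EgressCIDRs  []string          // pod type: remote segments forbidden in each direction
	IngressPorts, EgressPorts  []int             // pod type: TCP ports, empty = all ports (assumption)
}

// baseName derives the chain/ipset prefix from namespace and name. iptables limits chain names to
// 28 characters and ipset names to 31 (longest suffix below is 8 chars), so long names are hashed.
func baseName(acl NetworkAcl) string {
	if n := "ACL-" + acl.Namespace + "-" + acl.Name; len(n) <= 23 {
		return n
	}
	h := fnv.New32a()
	h.Write([]byte(acl.Namespace + "/" + acl.Name))
	return fmt.Sprintf("ACL-%08x", h.Sum32())
}

// selectorMatches: every selector key must be present on the pod with the same value (an empty selector matches every pod).
func selectorMatches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// portOpts renders a port list as a multiport match: [80 443] -> " -p tcp -m multiport --dports 80,443".
func portOpts(ports []int) string {
	if len(ports) == 0 {
		return ""
	}
	return " -p tcp -m multiport --dports " + strings.Trim(strings.ReplaceAll(fmt.Sprint(ports), " ", ","), "[]")
}

const setRule = "iptables -A %s%s -m set --match-set %s src -m set --match-set %s dst -j DROP"

// Render turns one NetworkAcl plus the current pod list into data-plane commands (steps 3 and 5). The jump
// is inserted at position 1, not appended, so it runs before ACCEPT rules a CNI plugin or kube-proxy already holds.
func Render(acl NetworkAcl, pods []Pod) []string {
	chain := baseName(acl)
	cmds := []string{"iptables -N " + chain, "iptables -I INPUT 1 -j " + chain, "iptables -I FORWARD 1 -j " + chain}
	switch acl.Type {
	case "cidr":
		r := fmt.Sprintf("iptables -A %s -p %s -s %s -d %s", chain, acl.Protocol, acl.SrcCIDR, acl.DstCIDR)
		if acl.SrcPort != 0 { // --sport/--dport are only valid together with -p tcp or -p udp
			r += fmt.Sprintf(" --sport %d", acl.SrcPort)
		}
		if acl.DstPort != 0 {
			r += fmt.Sprintf(" --dport %d", acl.DstPort)
		}
		cmds = append(cmds, r+" -j DROP")
	case "pod":
		podSet, inSet, outSet := chain+"-pods", chain+"-in-src", chain+"-out-dst"
		cmds = append(cmds, "ipset create "+podSet+" hash:ip", "ipset create "+inSet+" hash:net", "ipset create "+outSet+" hash:net")
		for _, p := range pods { // step 3: IPs of the pods selected by the label selector form the pod set
			if p.Namespace == acl.Namespace && selectorMatches(acl.PodSelector, p.Labels) {
				cmds = append(cmds, "ipset add "+podSet+" "+p.IP)
			}
		}
		for _, c := range acl.IngressCIDRs {
			cmds = append(cmds, "ipset add "+inSet+" "+c)
		}
		for _, c := range acl.EgressCIDRs {
			cmds = append(cmds, "ipset add "+outSet+" "+c)
		}
		// ingress: remote segment -> selected pod; egress: selected pod -> remote segment (an empty set matches nothing)
		cmds = append(cmds, fmt.Sprintf(setRule, chain, portOpts(acl.IngressPorts), inSet, podSet),
			fmt.Sprintf(setRule, chain, portOpts(acl.EgressPorts), podSet, outSet))
	}
	return cmds
}

func main() { // constructed input: one web pod and a pod-type CR blocking 192.168.0.0/16 from reaching it on 80/443
	pods := []Pod{{Namespace: "default", Name: "web-1", IP: "10.244.1.5", Labels: map[string]string{"app": "web"}}}
	acl := NetworkAcl{Namespace: "default", Name: "deny-web", Type: "pod", PodSelector: map[string]string{"app": "web"},
		IngressCIDRs: []string{"192.168.0.0/16"}, IngressPorts: []int{80, 443}}
	fmt.Println(strings.Join(Render(acl, pods), "\n"))
}
```

Step 4 (a pod event) is the same selectorMatches test run over every pod-type NetworkAcl in the pod's namespace, followed by Render for each hit. A delete event has to undo this in the right order: remove the jumps (iptables -D INPUT/FORWARD -j CHAIN), flush and delete the chain (-F, -X), and only then destroy the sets, because ipset refuses to destroy a set that a rule still references. The pod set is keyed on pod IP, so a pod restart that changes the IP must be treated as a modification event, otherwise the stale address stays blocked and the new one is not.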
With further reference to fig. 4, as an implementation of the method shown in the foregoing fig. s, the disclosure provides an embodiment of a blacklist control apparatus of a cloud native kubernetes network, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied in various electronic devices.
As shown in fig. 4, the blacklist control apparatus 400 of the cloud native kubernetes network of the present embodiment includes: an import unit 401, a synchronization unit 402, an acquisition unit 403, a generation unit 404, and a filtering unit 405. Wherein, the importing unit 401 is configured to import a configuration file for interacting with the API service node to obtain the container resource and the network access control custom resource; a synchronization unit 402 configured to receive an event synchronized by the API service node, wherein the event is triggered by the API service node according to a change in a preconfigured container resource and a network access control custom resource; an obtaining unit 403 configured to obtain an IP list according to the container resource and the network access control custom resource; a generating unit 404 configured to generate a blacklist from the IP list; a filtering unit 405 configured to discard the data in response to receiving data conforming to the blacklist.
In this embodiment, specific processes of the import unit 401, the synchronization unit 402, the acquisition unit 403, the generation unit 404, and the filtering unit 405 of the blacklist control apparatus 400 of the cloud native kubernetes network may refer to steps 201, 202, 203, 204, and 205 in the corresponding embodiment of fig. 2.
In some optional implementations of this embodiment, the network access control custom resource includes a network segment type, and the matching parameters of the network access control custom resource of the network segment type include: network protocol, source IP network segment, source port, destination IP network segment and destination port; and the acquisition unit 403 is further configured to: if the event is a network access control custom resource event and the network access control custom resource is of the network segment type, configure the traffic filtering network segment and port rules according to the network protocol, source IP network segment, source port, destination IP network segment and destination port.
In some optional implementations of this embodiment, the network access control custom resource includes a container type, and the matching parameters of the network access control custom resource of the container type include: the label selector, the ingress-direction network segment and port, and the egress-direction network segment and port; and the acquisition unit 403 is further configured to: if the event is a network access control custom resource event and the network access control custom resource is of the container type, screen the target container from the container resource according to the label selector, and configure the egress traffic filtering network segment and port rules according to the ingress-direction network segment and port and the egress-direction network segment and port of the target container.
In some optional implementations of this embodiment, the network access control custom resource includes a container type, and the matching parameters of the network access control custom resource of the container type include: the label selector, the ingress-direction network segment and port, and the egress-direction network segment and port; and the acquisition unit 403 is further configured to: if the event is a container resource event, check whether the matching parameters of the network access control custom resource can match the label selector to resolve the target container; and if so, configure the traffic filtering network segment and port rules according to the ingress-direction network segment and port and the egress-direction network segment and port of the target container.
In some optional implementations of the present embodiment, the generating unit 404 is further configured to: generate a custom chain according to the namespace and the name of the network access control list; configure the filtering rule of the custom chain; generate a five-tuple according to the IP list; and match the filtering rule against the five-tuple to execute a discard operation.
In some embodiments, the generating unit 404 is further configured to: configure a jump into the custom chain from the INPUT chain and the FORWARD chain.
In some embodiments, the changes include additions, modifications, deletions.
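As an added example (not the patent's own code) covering the cidr/pod controller flows and the reverse pod check described above, as well as the IP-list and blacklist generation of units 403 and 404, the following Python renders the ipset and iptables commands for both CR types. The CR field names (type, podSelector, match, ingress, egress), the ACL-<namespace>-<name> chain naming, which side of each pool receives the selected pod IPs, and the sample pods are assumptions.

```python
# Added example (not the patent's own code): render the ipset/iptables commands the data
# plane receives for a NetworkAcl CR. CR field names and the chain naming are assumptions.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Pod:
    namespace: str
    name: str
    labels: Dict[str, str]
    ip: str

def chain_name(namespace: str, name: str) -> str:
    # Custom chain derived from the CR namespace and name (iptables caps chain names at 28 chars).
    return f"ACL-{namespace}-{name}".upper()[:28]

def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    # Equality-based label selector: every selector key must equal the pod's label value.
    return all(labels.get(k) == v for k, v in selector.items())

def select_pod_ips(acl: dict, pods: List[Pod]) -> List[str]:
    # Pod-type CR event: list the pods in the CR namespace that match the selector; return their IPs.
    return [p.ip for p in pods
            if p.namespace == acl["namespace"] and selector_matches(acl["podSelector"], p.labels)]

def pod_event_affects(acl: dict, pod: Pod) -> bool:
    # Pod event: check in reverse whether this CR's selector resolves the pod.
    return (acl["type"] == "pod" and pod.namespace == acl["namespace"]
            and selector_matches(acl["podSelector"], pod.labels))

def chain_setup(chain: str) -> List[str]:
    # Create the custom chain and jump into it from INPUT and FORWARD.
    return [f"iptables -N {chain}", f"iptables -A INPUT -j {chain}", f"iptables -A FORWARD -j {chain}"]

def render_cidr_acl(acl: dict) -> List[str]:
    # Network-segment type: the 5-tuple (protocol, src cidr, sport, dst cidr, dport) becomes one DROP rule.
    chain, m = chain_name(acl["namespace"], acl["name"]), acl["match"]
    return chain_setup(chain) + [
        f"iptables -A {chain} -p {m['protocol']} -s {m['srcCidr']} --sport {m['srcPort']} "
        f"-d {m['dstCidr']} --dport {m['dstPort']} -j DROP"]

def render_pod_acl(acl: dict, pods: List[Pod]) -> List[str]:
    # Container type: forbidden segments fill the remote side of each pool, selected pod IPs the pod side.
    name = acl["name"]
    pod_nets = [f"{ip}/32" for ip in select_pod_ips(acl, pods)]
    pools = {f"{name}-ingress-src-pool": acl["ingress"]["cidrs"],  # forbidden sources -> pods
             f"{name}-ingress-dst-pool": pod_nets,
             f"{name}-egress-src-pool": pod_nets,                    # pods -> forbidden destinations
             f"{name}-egress-dst-pool": acl["egress"]["cidrs"]}
    cmds: List[str] = []
    for pool, nets in pools.items():
        cmds.append(f"ipset create {pool} hash:net")
        cmds += [f"ipset add {pool} {n}" for n in nets]
    chain = chain_name(acl["namespace"], name)
    cmds += chain_setup(chain)
    for d in ("ingress", "egress"):  # the port is the destination port of the matched direction
        cmds.append(f"iptables -A {chain} -p {acl[d]['protocol']} --dport {acl[d]['port']} "
                    f"-m set --match-set {name}-{d}-src-pool src "
                    f"-m set --match-set {name}-{d}-dst-pool dst -j DROP")
    return cmds

# Constructed sample data: three pods and one CR of each type.
SAMPLE_PODS = [Pod("prod", "web-1", {"app": "web"}, "10.244.1.5"),
               Pod("prod", "db-1", {"app": "db"}, "10.244.1.9"),
               Pod("dev", "web-2", {"app": "web"}, "10.244.2.3")]
SAMPLE_POD_ACL = {"namespace": "prod", "name": "test1", "type": "pod", "podSelector": {"app": "web"},
                  "ingress": {"cidrs": ["10.0.0.0/24"], "protocol": "tcp", "port": 8080},
                  "egress": {"cidrs": ["172.16.0.0/24"], "protocol": "tcp", "port": 443}}
SAMPLE_CIDR_ACL = {"namespace": "prod", "name": "test2", "type": "cidr",
                   "match": {"protocol": "tcp", "srcCidr": "10.0.0.0/24", "srcPort": "1024:65535",
                             "dstCidr": "172.16.0.0/24", "dstPort": 22}}
if __name__ == "__main__":
    print("\n".join(render_pod_acl(SAMPLE_POD_ACL, SAMPLE_PODS) + render_cidr_acl(SAMPLE_CIDR_ACL)))
```

Only the pod in the CR's own namespace with matching labels lands in the pod-side pools; a pod event from another namespace leaves the CR untouched.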
It should be noted that, in the technical solution of the present disclosure, the collection, updating, analysis, processing, use, transmission, storage, etc. of the personal information of the user all conform to the relevant laws and regulations, are used for legal purposes and do not violate public order and good customs. Necessary measures are taken for the personal information of the user, illegal access to the personal information data of the user is prevented, and the personal information security, network security and national security of the user are maintained.
According to an embodiment of the disclosure, the disclosure further provides an electronic device, a readable storage medium.
An electronic device, comprising: one or more processors; storage means having stored thereon one or more computer programs which, when executed by the one or more processors, cause the one or more processors to implement the method described in flow 200 or 400.
A computer readable medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the method of flow 200.
Fig. 5 illustrates a schematic block diagram of an example electronic device 500 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 5, the apparatus 500 includes a computing unit 501 that can perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the device 500 can also be stored. The computing unit 501, ROM 502, and RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Various components in the device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the respective methods and processes described above, such as the blacklist control method of the cloud native kubernetes network. For example, in some embodiments, the blacklist control method of the cloud native kubernetes network may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into RAM 503 and executed by the computing unit 501, one or more steps of the blacklist control method of the cloud native kubernetes network described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the blacklist control method of the cloud native kubernetes network in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a server of a distributed system or a server that incorporates a blockchain. The server can also be a cloud server, or an intelligent cloud computing server or an intelligent cloud host with artificial intelligence technology.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A blacklist control method of a cloud native kubernetes network comprises the following steps:
importing a configuration file for interacting with the API service node to obtain container resources and network access control custom resources;
receiving an event synchronized by the API service node, wherein the event is triggered by the API service node according to the changes of a pre-configured container resource and a network access control custom resource;
acquiring an IP list according to the container resource and the network access control custom resource;
generating a blacklist according to the IP list;
in response to receiving data conforming to the blacklist, the data is discarded.
2. The method of claim 1, wherein the network access control custom resource comprises a network segment type, and the matching parameters of the network access control custom resource of the network segment type comprise: network protocol, source IP network segment, source port, destination IP network segment and destination port; and
the obtaining the IP list according to the container resource and the network access control custom resource includes:
if the event is a network access control custom resource event and the network access control custom resource is of the network segment type, configuring the traffic filtering network segment and port rules according to the network protocol, source IP network segment, source port, destination IP network segment and destination port.
3. The method of claim 1, wherein the network access control custom resource comprises a container type, and the matching parameters of the network access control custom resource for the container type comprise: the label selector, the ingress-direction network segment and port, and the egress-direction network segment and port; and
the obtaining the IP list according to the container resource and the network access control custom resource includes:
if the event is a network access control custom resource event and the network access control custom resource is of the container type, screening a target container from the container resource according to the label selector;
and configuring the egress traffic filtering network segment and port rules according to the ingress-direction network segment and port and the egress-direction network segment and port of the target container.
4. The method of claim 1, wherein the network access control custom resource comprises a container type, and the matching parameters of the network access control custom resource for the container type comprise: the label selector, the ingress-direction network segment and port, and the egress-direction network segment and port; and
the obtaining the IP list according to the container resource and the network access control custom resource includes:
if the event is a container resource event, checking whether the matching parameters of the network access control custom resource can match the label selector to resolve the target container;
and if so, configuring the traffic filtering network segment and port rules according to the ingress-direction network segment and port and the egress-direction network segment and port of the target container.
5. The method of claim 1, wherein the generating a blacklist from the IP list comprises:
generating a custom chain according to the namespace and the name of the network access control list;
configuring a filtering rule of the custom chain;
generating a five-tuple according to the IP list;
and matching the filtering rule against the five-tuple to execute a discard operation.
6. The method of claim 5, wherein the configuring the filtering rules of the custom chain comprises:
configuring a jump into the custom chain from the INPUT chain and the FORWARD chain.
7. The method of any one of claims 1-6, wherein the change comprises an addition, a modification or a deletion.
8. A blacklist control device of a cloud native kubernetes network, comprising:
an importing unit configured to import a configuration file for interacting with the API service node to obtain the container resource and the network access control custom resource;
a synchronization unit configured to receive an event synchronized by the API service node, wherein the event is triggered by the API service node according to a change in a preconfigured container resource and a network access control custom resource;
an obtaining unit configured to obtain an IP list according to the container resource and the network access control custom resource;
a generation unit configured to generate a blacklist from the IP list;
and a filtering unit configured to discard the data in response to receiving the data conforming to the blacklist.
9. An electronic device for blacklist control of a cloud native kubernetes network, comprising:
one or more processors;
a storage device having one or more computer programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
10. A computer readable medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of any of claims 1-7.
CN202310269579.0A 2023-03-15 2023-03-15 Blacklist control method and device of cloud native kubernetes network Pending CN116318992A (en)

Publications (1)

Publication Number Publication Date
CN116318992A true CN116318992A (en) 2023-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination