CN116488945B - Container network isolation method and system - Google Patents
Publication number: CN116488945B (application CN202310733631.3A); Authority: CN (China)
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L63/0263: Network security, firewalls, filtering policies, rule management
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP address or URL
- H04L63/0245: Filtering by information in the payload
- H04L9/40: Network security protocols
- G06F16/2255: Indexing structures, hash tables
- G06F16/24552: Query execution, database cache management
Abstract
The application discloses a container network isolation method and system. The method comprises the following steps: creating a custom Network Policy resource under k8s, and filling in the k8s kind, namespace and name of the resources the policy should apply to, so that it takes effect on the corresponding pods; in a user-mode program, monitoring Network Policy resource changes and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod, where the rule is inserted at the first position traversed by outbound (pop) traffic and intercepts data packets sent by the application program in the container; in the user-mode program, acquiring the intercepted data packet, analyzing it, and returning the resulting disposition to nfqueue. The application uses nfqueue in iptables to bring the handshake packet flow from kernel mode into user mode, and disposes of each data packet according to the redefined Network Policy custom resource.
Description
Technical Field
The scheme relates to the technical field of data security, and in particular to a container network isolation method and system.
Background
Container network isolation generally uses the Network Policy of k8s to implement port-level network access control policies for IP network segments, namespaces and applications (Pods), applied to the inbound (push) and outbound (pop) traffic of the target Pod.
The Network Policy of k8s is highly customizable, but it must be configured with labels to be used, so the configuration is not user-friendly, readability is poor, and maintenance is difficult. Moreover, merely defining a Network Policy does not complete the actual network isolation; a Policy Controller is also required to enforce the policy. The Policy Controller must be provided by a third-party network component; open-source projects such as Calico, Cilium and Weave Net all support the implementation of Network Policy.
Disclosure of Invention
The present application addresses at least one of the above-mentioned shortcomings by providing a container network isolation method.
A container network isolation method comprising the steps of:
creating a custom Network Policy resource under k8s, and filling in the effective k8s kind, namespace and name so that the policy takes effect on the corresponding pod;
in a user-mode program, monitoring Network Policy resource changes, and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule is inserted at the first position traversed by outbound (pop) traffic and is used to intercept data packets sent by the application program in the container;
in the user-mode program, acquiring the intercepted data packet and, after analysis is complete, returning the resulting disposition to nfqueue.
Monitoring the Network Policy resource change comprises the following steps:
monitoring for changes to the Network Policy; when it changes, acquiring the updated Network Policy resource, converting the currently received Network Policy resource into the effective source address IP, destination address IP and destination address port, and writing the source address IP, destination address IP and destination address port into a local cache.
Monitoring the Network Policy resource change and issuing the iptables nfqueue rule into the effective pod's kernel network protocol stack comprises the following steps:
obtaining the pid of the pod container filled in the Network Policy that needs to be validated, and obtaining the network namespace fd from it by calculation;
issuing the iptables nfqueue rule into the network namespace of the corresponding pod container according to that network namespace fd.
As a preferred aspect, the container network isolation method further includes: managing all pods uniformly through epoll, adding the network namespace fd of every pod on which the rule is in effect to epoll,
and, after epoll reports an event, reading the outbound (popped) data packet of that pod.
As a preferred solution, the local cache is a hash multidimensional cache,
and storage in the hash multidimensional cache is organised as follows: the source address IP, the destination address IP and the priority-carrying policy list are mapped to the source address IP, destination address IP and destination address port extracted from the intercepted data packet, with different destination address ports corresponding to different policies.
As a preferred solution, acquiring the intercepted data packet in the user-mode program and returning the analyzed disposition result to nfqueue after analysis is complete includes:
in response to a new event at the first position traversed by outbound traffic, intercepting the data packet, parsing the information it carries (source address IP, destination address IP and destination address port), mapping that information to the hash multidimensional cache, finding the corresponding policy, and deciding how to dispose of the packet.
In order to solve at least one of the above disadvantages, the present application also provides a container network isolation system, which comprises the following structure:
a Network Policy unit, used for filling in the effective k8s kind, namespace and name in the custom Network Policy resource under k8s, so that the policy takes effect on the corresponding pod;
a policy monitoring unit, used for monitoring Network Policy resource changes in a user-mode program and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule being inserted at the first position traversed by outbound (pop) traffic and used to intercept data packets sent by the application program in the container;
an event monitoring and handling unit, used for acquiring the intercepted data packet in the user-mode program and returning the analyzed disposition result to nfqueue after analysis is complete.
As a preferred scheme, the container network isolation system further comprises a hash multidimensional cache unit communicatively connected to the user-mode program;
the hash multidimensional cache unit comprises a one-dimensional storage module, a two-dimensional storage module and a three-dimensional storage module:
the hash key of the one-dimensional storage module is the source address IP, the hash key of the two-dimensional storage module is the destination address IP, and the three-dimensional storage module holds the priority-carrying policy list, in which different destination address ports correspond to different policies.
As a preferred solution, the container network isolation system further comprises a unified management unit, communicatively connected to each validated pod, for unified management of all pods on which rules are validated.
The beneficial effects are as follows. (1) The scheme uses nfqueue in iptables to bring the handshake packet flow from kernel mode into user mode, and disposes of data packets according to the redefined Network Policy custom resources. Network isolation of resources in k8s is thereby realized flexibly, the operation, maintenance and management cost of container network isolation resources is reduced, and all mainstream container network CNI plug-ins can be supported.
(2) The scheme has excellent compatibility. The scheme controls outbound (pop) traffic. Whereas the data packets of ordinary inbound (push) traffic are modified as they pass through the CNI and the network proxy, outbound traffic still carries the container network's original data packet; since the iptables nfqueue rule is inserted at the first position traversed by outbound traffic, it cannot be affected by any other rule, not even rules that the container network plug-in (CNI) adds internally, so the scheme is highly compatible and in practice applies to every CNI currently known.
(3) A Network Policy resource is created and the effective k8s kind, namespace and name are filled in, so that the policy takes effect on the corresponding pod. Label configuration need not be considered and no label needs to be filled in, so the rules are more readable.
Drawings
In order to illustrate the embodiments of the application or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below; obviously, the drawings described below are only some embodiments of the application, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is an overall flow chart of the container network isolation method;
FIG. 2 is a schematic diagram of the hash multidimensional cache unit.
Detailed Description
The present application will be described in further detail with reference to the following examples, which are illustrative of the present application and are not intended to limit the present application thereto.
Terminology: netfilter/iptables (referred to simply as iptables) constitutes the packet-filtering firewall of the Linux platform. iptables has four built-in tables, namely the filter, nat, mangle and raw tables, used respectively for packet filtering, network address translation, packet modification (mangling), and raw processing before connection tracking.
Example 1: a container network isolation system comprising the following structure:
a Network Policy unit, used for filling in the effective k8s kind, namespace and name in the custom Network Policy resource under k8s, so that the policy takes effect on the corresponding pod;
a policy monitoring unit, used for monitoring Network Policy resource changes in a user-mode program and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule being inserted at the first position traversed by outbound (pop) traffic and used to intercept data packets sent by the application program in the container;
an event monitoring and handling unit, used for acquiring the intercepted data packet in the user-mode program and returning the analyzed disposition result to nfqueue after analysis is complete.
In the k8s architecture, the master node runs the Api-server, which receives the YAML of a newly defined Network Policy and stores it; that is, a new Network Policy CRD is created.
The kernel and the user-mode program communicate over the nfnetlink protocol: when a data packet is placed in the queue, the kernel sends a message in nfnetlink format to a socket; the message contains the packet data and related information, and the user-mode program obtains it by reading the socket.
A DaemonSet Agent program that monitors the Api-server is deployed on every node; it watches for changes to the Network Policy in the Api-server so that new Network Policy rules take effect.
The policy monitoring unit runs as a user-mode program: a k8s DaemonSet controller is used so that each k8s node starts a user-mode program for user-mode processing. The user-mode program monitors Network Policy resource changes in the cluster, using the k8s index mechanism to list/watch Network Policy resource changes.
As a preferred scheme, a timing monitoring unit performs a full synchronization at the maximum synchronization interval and an incremental synchronization at the minimum synchronization interval.
For each effective pod corresponding to a newly created Network Policy CRD, the following iptables rule needs to be added in the pod's network namespace:
iptables -t raw -I OUTPUT 1 -p tcp --syn -j NFQUEUE --queue-num=1 --queue-bypass
That is, the rule is inserted at position 1 of the OUTPUT chain of the netfilter raw table. The first position at which container network traffic enters netfilter has the highest priority among all netfilter rules, and the first position in the netfilter rule chain traversed by outbound traffic corresponds to the first point at which traffic leaves the application program in the container. Traffic is therefore intercepted by nfqueue before any other rule can affect it, even rules that the container network plug-in (CNI) adds internally, which gives the scheme very good compatibility.
The event monitoring and handling unit listens on the nfnetlink socket, obtains in user mode the data packets of the pods on which the rule is in effect, analyzes each packet, and decides whether to block it, release it, or generate an alarm event.
After parsing the intercepted packet, the user-mode program obtains the packet's basic information from the payload byte array: the source address IP, the destination address IP and the destination address port. It then traverses each Network Policy CRD policy with this basic information, judges whether the port is covered by the policy, and if so, the corresponding policy takes effect.
As a preferred solution, the container network isolation system further comprises a unified management unit, communicatively connected to each validated pod, for unified management of all pods on which rules are validated.
epoll is started, the network namespace fd of every pod with rules in effect is added to epoll, all such pods are managed uniformly by epoll, and the event monitoring and handling unit intercepts every data packet flowing out of those pods through the socket.
As a preferred scheme, the container network isolation system further comprises a hash multidimensional cache unit, shown in FIG. 2, communicatively connected to the user-mode program. The hash multidimensional cache unit comprises a one-dimensional storage module, a two-dimensional storage module and a three-dimensional storage module: the hash key of the one-dimensional storage module is the source address IP, the hash key of the two-dimensional storage module is the destination address IP, and the three-dimensional storage module holds the priority-carrying policy list, in which different destination address ports correspond to different policies.
Within the same k8s cluster, Services and the instance Pods that do the actual forwarding have globally unique IPs. The name of the corresponding controller is filled in the CRD; that name is used to query the k8s apiserver for the IPs of the corresponding resources. When an updated resource is observed, the program converts it into IP form and stores it in the local multidimensional hash cache.
Example 2: a container network isolation method, shown in FIG. 1, comprising the steps of:
creating a custom Network Policy resource under k8s, and filling in the effective k8s kind, namespace and name so that the policy takes effect on the corresponding pod;
in a user-mode program, monitoring Network Policy resource changes, and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule is inserted at the first position traversed by outbound (pop) traffic and is used to intercept data packets sent by the application program in the container;
in the user-mode program, acquiring the intercepted data packet and, after analysis is complete, returning the resulting disposition to nfqueue.
Monitoring the Network Policy resource change comprises the following steps:
monitoring for changes to the Network Policy; when it changes, acquiring the updated Network Policy resource, converting the currently received Network Policy resource into the effective source address IP, destination address IP and destination address port, and writing the source address IP, destination address IP and destination address port into a local cache.
Monitoring the Network Policy resource change and issuing the iptables nfqueue rule into the effective pod's kernel network protocol stack comprises the following steps:
obtaining the pid of the pod container filled in the Network Policy that needs to be validated, obtaining the network namespace fd from it by calculation, and issuing the iptables nfqueue rule into the network namespace of the corresponding pod container according to that network namespace fd.
As a preferred solution, the local cache is a hash multidimensional cache, and storage in it is organised as follows: the source address IP, the destination address IP and the priority-carrying policy list are mapped to the source address IP, destination address IP and destination address port extracted from the intercepted data packet, with different destination address ports corresponding to different policies.
As a preferred option, all pods are managed uniformly through epoll: the network namespace fd of every pod on which the rule is validated is added to epoll,
and, after epoll reports an event, the outbound (popped) data packet of that pod is read.
Further, a complete container network isolation method flow is provided.
A new Network Policy CRD is created, and filling in the effective k8s kind, namespace and name inside this new CRD makes it take effect on the pods under that controller.
The user-mode program is started, and
monitors updates of Network Policy resources through a k8s client; that is, it uses the k8s index mechanism to list/watch Network Policy resource changes;
when a Network Policy resource is updated, it acquires the updated Network Policy, converts it into the effective source address IP, destination address IP and destination address port, and writes the source address IP, destination address IP and destination address port into the local cache;
in other words, the user-mode program subscribes to Network Policy changes and updates the user-mode cache. The cache is a hash multidimensional cache, so the disposition of a flow can be decided in user mode in O(1) time, which improves overall efficiency and reduces the impact on pod traffic QPS after the rule is added.
The pid of the container that must be validated in the Network Policy is obtained through the container runtime interface, and the network namespace fd is obtained with unix.Open on /proc/<pid>/ns/net;
once the network namespace fd is obtained, the rule is issued into the container's network namespace through that fd, and the fd is at the same time added to epoll;
when epoll reports a new event on the fd (a new outbound flow), the data packet is read and its basic information is obtained: the source address IP, destination address IP and destination address port. This information is mapped to the hash multidimensional cache, the corresponding policy is found there, and the disposition is decided; the disposition is either block or release, or an alarm event is generated. The disposition is then sent back to nfqueue through the socket, where it takes effect.
When the user-mode program has analyzed a data packet, it must compose a message in nfnetlink format containing the index number of that packet in the queue, and send it to the socket. Since the user-mode program must handle every pod on the node on which a Network Policy is validated, all sockets are processed with epoll.
In this scheme, the data packet that is monitored and intercepted is a handshake flow packet.
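As an added example that is not part of the patent or of any implementation of it, the core of the user-mode disposition path described above and in Example 1, written in Go (the language implied by the unix.Open call): the three-level hash cache keyed by source IP, destination IP and destination port with a priority-ordered policy list, a parser that extracts the packet's basic information from the raw IPv4/TCP bytes nfqueue delivers, and a Decide function that applies policy only to handshake packets. The names (PolicyCache, Decide, SynPacket), the verdict set and the sample addresses are assumptions; the nfnetlink socket, the epoll loop and the verdict message are not shown.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"sort"
)

// Verdict is the disposition the user-mode program sends back to nfqueue.
type Verdict int

const (
	Accept Verdict = iota // release the packet
	Drop                  // block the packet
	Alert                 // release the packet but raise an alarm event
)

// Policy is one entry of the third dimension: a destination port and its action.
type Policy struct {
	Port     uint16
	Priority int // lower value wins when several entries cover the same port
	Action   Verdict
}

// PolicyCache is the hash multidimensional cache: source IP -> destination IP -> policy list.
type PolicyCache map[netip.Addr]map[netip.Addr][]Policy

// Add inserts a policy and keeps each list sorted by priority; Lookup is then two O(1) probes plus one short scan.
func (c PolicyCache) Add(src, dst netip.Addr, p Policy) {
	if c[src] == nil {
		c[src] = make(map[netip.Addr][]Policy)
	}
	list := append(c[src][dst], p)
	sort.SliceStable(list, func(i, j int) bool { return list[i].Priority < list[j].Priority })
	c[src][dst] = list
}

// Lookup returns the highest-priority policy for the port, or false if the flow is not covered.
func (c PolicyCache) Lookup(src, dst netip.Addr, port uint16) (Policy, bool) {
	for _, p := range c[src][dst] { // a missing key yields nil, which ranges as empty
		if p.Port == port {
			return p, true
		}
	}
	return Policy{}, false
}

// Flow is the basic information extracted from an intercepted packet.
type Flow struct {
	Src, Dst  netip.Addr
	DstPort   uint16
	Handshake bool // SYN set and ACK/RST/FIN clear, i.e. what iptables --syn matches
}

// ParseIPv4TCP reads the flow information from a raw IPv4+TCP packet as nfqueue hands it to user mode.
func ParseIPv4TCP(pkt []byte) (Flow, error) {
	// Guard before indexing: IPv4 version, TCP protocol, IHL >= 5 words, full TCP header present.
	if len(pkt) < 20 || pkt[0]>>4 != 4 || pkt[9] != 6 || pkt[0]&0x0f < 5 || len(pkt) < int(pkt[0]&0x0f)*4+20 {
		return Flow{}, errors.New("not a complete IPv4/TCP packet")
	}
	src, _ := netip.AddrFromSlice(pkt[12:16]) // lengths already validated, so ok is always true
	dst, _ := netip.AddrFromSlice(pkt[16:20])
	tcp := pkt[int(pkt[0]&0x0f)*4:]
	return Flow{Src: src, Dst: dst, DstPort: binary.BigEndian.Uint16(tcp[2:4]),
		Handshake: tcp[13]&0x17 == 0x02}, nil
}

// Decide maps an intercepted packet to its verdict: only handshake packets are subject to policy;
// a non-handshake packet, a flow with no cache entry, or an unparsable packet is released.
func Decide(c PolicyCache, pkt []byte) (Verdict, error) {
	f, err := ParseIPv4TCP(pkt)
	if err != nil || !f.Handshake {
		return Accept, err
	}
	if p, ok := c.Lookup(f.Src, f.Dst, f.DstPort); ok {
		return p.Action, nil
	}
	return Accept, nil
}

// SynPacket builds a minimal 40-byte IPv4/TCP packet (constructed test input; checksums left zero).
func SynPacket(src, dst netip.Addr, dport uint16, flags byte) []byte {
	pkt := make([]byte, 40)
	pkt[0], pkt[8], pkt[9] = 0x45, 64, 6 // IPv4 with IHL 5, TTL 64, protocol TCP
	binary.BigEndian.PutUint16(pkt[2:4], 40) // total length
	s, d := src.As4(), dst.As4()
	copy(pkt[12:16], s[:])
	copy(pkt[16:20], d[:])
	binary.BigEndian.PutUint16(pkt[20:22], 40000) // source port
	binary.BigEndian.PutUint16(pkt[22:24], dport)
	pkt[32], pkt[33] = 5<<4, flags // data offset 5 words, TCP flags
	return pkt
}

func main() {
	web, db := netip.MustParseAddr("10.244.1.10"), netip.MustParseAddr("10.244.2.20")
	cache := PolicyCache{}
	cache.Add(web, db, Policy{Port: 22, Priority: 10, Action: Drop})
	fmt.Println(Decide(cache, SynPacket(web, db, 22, 0x02))) // prints "1 <nil>", i.e. Drop
}
```

The --queue-bypass option in the rule above makes the kernel accept queued packets whenever no user-mode program is bound to queue 1, so the agent's liveness is part of the isolation guarantee and should itself be monitored.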
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps of the container network isolation method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
An electronic device comprising a computer storage medium and a processor, the storage medium storing one or more computer instructions, wherein the one or more computer instructions are executable by the processor to implement the container network isolation method.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division of the units is merely a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed.
The units may or may not be physically separate, and the components shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely illustrative of specific embodiments of the present application, and the scope of the present application is not limited thereto, but any changes or substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A container network isolation method, comprising the steps of:
creating a custom Network Policy resource under k8s, and filling in the effective k8s kind, namespace and name so that the policy takes effect on the corresponding pod, without filling in a label;
in a user-mode program, monitoring Network Policy resource changes, and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule being added in the OUTPUT chain of the netfilter raw table to intercept data packets sent by the application program in the container;
in the user-mode program, acquiring the intercepted data packet and, after analysis is complete, returning the resulting disposition to nfqueue.
2. The container network isolation method according to claim 1, wherein monitoring Network Policy resource changes comprises the steps of:
monitoring for changes to the Network Policy; when it changes, acquiring the updated Network Policy resource, converting the currently received Network Policy resource into the effective source address IP, destination address IP and destination address port, and writing the source address IP, destination address IP and destination address port into a local cache.
3. The container network isolation method according to claim 1, wherein monitoring Network Policy resource changes and issuing the iptables nfqueue rule into the effective pod's kernel network protocol stack comprises:
obtaining the pid of the pod container filled in the Network Policy that needs to be validated, and obtaining the network namespace fd from it by calculation;
issuing the iptables nfqueue rule into the network namespace of the corresponding pod container according to that network namespace fd.
4. The container network isolation method according to claim 1, further comprising: managing all pods uniformly through epoll, adding the network namespace fd of every pod on which the rule is in effect to epoll,
and, after epoll reports an event, reading the outbound (popped) data packet of that pod.
5. The method of claim 2, wherein the local cache is a hash multidimensional cache,
and storage in the hash multidimensional cache is organised as follows: the source address IP, the destination address IP and the priority-carrying policy list are mapped to the source address IP, destination address IP and destination address port extracted from the intercepted data packet, with different destination address ports corresponding to different policies.
6. The container network isolation method according to claim 5, wherein acquiring the intercepted data packet in the user-mode program and returning the analyzed disposition result to nfqueue after analysis is complete comprises:
in response to a new event at the first position traversed by outbound traffic, intercepting the data packet, parsing the information it carries (source address IP, destination address IP and destination address port), mapping that information to the hash multidimensional cache, finding the corresponding policy, and deciding how to dispose of the packet.
7. A container network isolation system comprising the following structure:
a Network Policy unit, used for filling in the effective k8s kind, namespace and name in the custom Network Policy resource under k8s, so that the policy takes effect on the corresponding pod, without filling in a label;
a policy monitoring unit, used for monitoring Network Policy resource changes in a user-mode program and issuing an iptables nfqueue rule into the kernel network protocol stack of each effective pod;
the iptables nfqueue rule being added in the OUTPUT chain of the netfilter raw table to intercept data packets sent by the application program in the container;
an event monitoring and handling unit, used for acquiring the intercepted data packet in the user-mode program and returning the analyzed disposition result to nfqueue after analysis is complete.
8. The system according to claim 7, further comprising a hash multidimensional caching unit communicatively coupled to the user mode program;
the hash multidimensional caching unit comprises a one-dimensional storage module, a two-dimensional storage module and a three-dimensional storage module,
wherein the hash key of the one-dimensional storage module comprises the source address IP, the hash key of the two-dimensional storage module comprises the destination address IP, the three-dimensional storage module comprises a policy list carrying priorities, and different destination address ports correspond to different policies.
9. The container network isolation system according to claim 7, further comprising a unified management unit communicatively coupled to each validated pod, for unified management of all validated pods.
10. A computer storage medium, characterized in that it stores a computer program which, when called by a processor, implements the container network isolation method according to any one of claims 1-6.
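As an added illustration (not code from the patent or its applicant), the following Python sketches the hash multidimensional cache of claims 5 and 8 and the per-packet decision of claim 6: a source IP, then destination IP, then priority-ordered policy list, applied to the header fields parsed from a constructed IPv4/TCP packet. The verdict values are the netfilter ones; the "lowest priority value is matched first" ordering, the default-drop fallback when no policy matches, and the packet builder are assumptions made for the example.

```python
import struct
from ipaddress import ip_address

NF_DROP, NF_ACCEPT = 0, 1  # netfilter verdict values (linux/netfilter.h)


class PolicyCache:
    """Hash multidimensional cache: src IP -> dst IP -> priority-ordered policy list.

    Each policy is (priority, dport, verdict); dport None matches any port.
    Assumption: a lower priority value is matched first.
    """

    def __init__(self, default=NF_DROP):
        self.default = default  # assumption: no matching policy means drop
        self.table = {}

    def add(self, src, dst, dport, verdict, priority=100):
        rules = self.table.setdefault(src, {}).setdefault(dst, [])
        rules.append((priority, dport, verdict))
        rules.sort(key=lambda r: r[0])

    def lookup(self, src, dst, dport):
        for _prio, port, verdict in self.table.get(src, {}).get(dst, []):
            if port is None or port == dport:
                return verdict
        return self.default


def parse_ipv4(pkt):
    """Return (src, dst, dport) from an IPv4 header followed by a TCP/UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20]))
    if proto not in (6, 17):  # ports exist only for TCP/UDP
        return src, dst, None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, dport


def build_packet(src, dst, sport, dport, proto=6):
    """Constructed sample: 20-byte IPv4 header followed by the L4 port fields only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)


def handle(cache, pkt):
    """Event-handling step: parse the popped packet, look up the policy,
    and return the verdict that would be handed back to nfqueue."""
    return cache.lookup(*parse_ipv4(pkt))
```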
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310733631.3A | 2023-06-20 | 2023-06-20 | Container network isolation method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116488945A (en) | 2023-07-25 |
CN116488945B (en) | 2023-09-15 |
Family ID: 87227197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310733631.3A (Active) | Container network isolation method and system | 2023-06-20 | 2023-06-20 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116488945B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105100038A (en) * | 2015-01-23 | 2015-11-25 | 般固(北京)科技股份有限公司 | Method and system for using NFQUEUE mechanism to realize gateway |
CN109996307A (en) * | 2017-12-29 | 2019-07-09 | 华为技术有限公司 | A kind of data routing method and terminal |
CN113608824A (en) * | 2021-06-28 | 2021-11-05 | 济南浪潮数据技术有限公司 | Cluster external service access control method, system, device and readable storage medium |
CN114338405A (en) * | 2021-12-31 | 2022-04-12 | 中电福富信息科技有限公司 | Method and system for realizing cloud platform tenant-level network policy configuration based on Kubernetes |
CN115580497A (en) * | 2022-12-09 | 2023-01-06 | 江苏博云科技股份有限公司 | Data transmission control method and equipment in container environment and storage medium |
CN115622748A (en) * | 2022-09-26 | 2023-01-17 | 苏州思萃工业互联网技术研究所有限公司 | Container-based network security implementation system and method |
CN115658220A (en) * | 2022-10-13 | 2023-01-31 | 深信服科技股份有限公司 | Data processing method, equipment and computer readable storage medium |
CN115913778A (en) * | 2022-12-27 | 2023-04-04 | 天翼云科技有限公司 | Network strategy updating method, system and storage medium based on sidecar mode |
EP4160408A1 (en) * | 2021-10-04 | 2023-04-05 | Juniper Networks, Inc. | Network policy generation for continuous deployment |
CN116226855A (en) * | 2022-12-07 | 2023-06-06 | 航天科工网络信息发展有限公司 | Cluster vulnerability scanning, configuration auditing and monitoring alarm method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11870642B2 (en) * | 2021-10-04 | 2024-01-09 | Juniper Networks, Inc. | Network policy generation for continuous deployment |
Timeline
- 2023-06-20: CN202310733631.3A filed in CN; granted as CN116488945B, status Active.
Non-Patent Citations (1)
Title |
---|
Bi Xiaohong (毕小红); Liu Yuan (刘渊); Chen Fei (陈飞). Research and Optimization of the Network Performance of a Microservice Application Platform. Computer Engineering (计算机工程), 2017, (05), full text. * |
Also Published As
Publication number | Publication date |
---|---|
CN116488945A (en) | 2023-07-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: A container network isolation method and system; Granted publication date: 20230915; Pledgee: Bank of Shanghai Limited by Share Ltd. Hangzhou branch; Pledgor: HANGZHOU MOAN TECHNOLOGY CO.,LTD.; Registration number: Y2024980020983 |