CN117319021A - Authorization method, device and equipment for container cloud platform built based on k8s - Google Patents


Info

Publication number
CN117319021A
Authority
CN
China
Prior art keywords
resource
user
resource operation
cluster
identification
Legal status
Pending
Application number
CN202311233393.6A
Other languages
Chinese (zh)
Inventor
龚庆祥
Current Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Unicom Cloud Data Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Unicom Cloud Data Co Ltd
Events
Application filed by China United Network Communications Group Co Ltd, Unicom Digital Technology Co Ltd and Unicom Cloud Data Co Ltd
Priority to CN202311233393.6A
Publication of CN117319021A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The application provides an authorization method, device and equipment for a container cloud platform built based on k8s. The container cloud platform comprises at least two clusters, and the method comprises the following steps: acquiring an identifier of a first user to be authorized and resource authorization information of the first user, where the resource authorization information comprises a cluster identifier, a namespace identifier and a resource operation type set; determining a first authorized custom resource of the first user according to the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set; and authorizing the resource operation authority of the first user according to the first authorized custom resource, and storing the resource operation authority information. The method improves the security of the container cloud platform.

Description

Authorization method, device and equipment for container cloud platform built based on k8s
Technical Field
The application relates to the technical field of data processing, in particular to an authorization method, device and equipment for a container cloud platform built based on k8s.
Background
Kubernetes, abbreviated k8s, is an open-source system for managing containerized applications across multiple hosts in a cloud platform. Its purpose is to make deploying containerized applications simple and efficient, and it provides application deployment, scheduling, updating, maintenance and similar functions. With k8s, containerized workloads and services can be managed automatically, which solves the problem of managing containers across multiple hosts. Native k8s does not provide multi-cluster management: it can only manage permissions within a single cluster to secure that cluster. However, there is now a great demand for multi-cluster use of k8s, and when multiple clusters are managed through a multi-cluster management platform, access to the clusters and operations on their resources cannot be subjected to permission management, so a security risk exists.
Therefore, how to manage the permissions for access to and resource operations on the multiple clusters of a container cloud platform built based on k8s is a problem to be solved.
Disclosure of Invention
The application provides an authorization method, device and equipment for a container cloud platform built based on k8s, which are used to solve the technical problem of how to manage permissions for access to and resource operations on the multiple clusters of a container cloud platform built based on k8s.
In a first aspect, the present application provides an authorization method for a container cloud platform built based on k8s, where the container cloud platform includes at least two clusters, the method includes:
acquiring an identification of a first user to be authorized and resource authorization information of the first user; the resource authorization information comprises a cluster identifier, a name space identifier and a resource operation type set;
determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the resource operation type set;
and authorizing the resource operation authority of the first user according to the first authorized custom resource, and storing the resource operation authority information.
Optionally, determining the first authorized custom resource of the first user according to the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set includes:
acquiring a preset resource operation configuration resource set, where each preset resource operation configuration resource comprises at least one resource operation type set;
judging whether the preset resource operation configuration resource set includes a target preset resource operation configuration resource corresponding to the resource operation type set;
if so, acquiring the identifier of the target preset resource operation configuration resource;
and determining the first authorized custom resource of the first user according to the identifier of the first user, the cluster identifier, the namespace identifier and the identifier of the target preset resource operation configuration resource.
Optionally, if the preset resource operation configuration resource set does not include a target preset resource operation configuration resource corresponding to the resource operation type set, the method further includes:
determining a target resource object of the resource operation according to the resource operation type set;
acquiring a second authorized custom resource according to the cluster identifier, the resource operation type set and the target resource object;
and newly creating the target preset resource operation configuration resource according to the second authorized custom resource.
Optionally, if the preset resource operation configuration resource set does not include a target preset resource operation configuration resource corresponding to the resource operation type set, the method further includes:
acquiring a target resource operation type included in the resource operation type set;
and determining a target preset resource operation configuration resource corresponding to the target resource operation type according to the target resource operation type and the preset resource operation configuration resource set.
Optionally, the method further comprises:
acquiring a resource operation request of a second user, wherein the resource operation request comprises a user certificate, a resource operation object and a resource operation type of the second user;
authenticating the second user according to the user certificate of the second user;
if the user certificate passes the authentication, determining the resource operation authority information of the second user according to the identification of the second user included in the user certificate of the second user;
authenticating the resource operation request according to the resource operation object, the resource operation type and the resource operation authority information of the second user;
and if the resource operation authentication passes, proxying the resource operation request, according to the resource operation object, to the cluster where the resource operation object is located to perform the resource operation.
Optionally, before the resource operation request is proxied to the cluster where the resource operation object is located according to the resource operation object to perform resource operation, the method further includes:
obtaining a cluster operation type from the resource operation request, wherein the cluster operation type comprises single cluster operation and multi-cluster operation;
if the cluster operation type is single cluster operation, the resource operation request is proxied to a single cluster control component to perform resource operation on a first target cluster;
and if the cluster operation type is multi-cluster operation, the resource operation request is proxied to a multi-cluster control component so as to perform resource operation on a plurality of second target clusters.
Optionally, the method further comprises:
recording the authentication result of the user certificate and/or the authentication result of the resource operation and the resource operation of the second user;
and if the authentication of the user certificate fails, or the authentication of the resource operation fails, or the resource operation of the second user has an abnormal operation event, outputting alarm information.
In a second aspect, the present application provides an authorization device for a container cloud platform built based on k8s, the container cloud platform including at least two clusters, the device comprising:
an acquisition module, configured to acquire an identifier of a first user to be authorized and resource authorization information of the first user, where the resource authorization information comprises a cluster identifier, a namespace identifier and a resource operation type set;
a processing module, configured to determine a first authorized custom resource of the first user according to the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set;
and a control module, configured to authorize the resource operation authority of the first user according to the first authorized custom resource and to store the resource operation authority information.
In a third aspect, the present application provides an electronic device, comprising: a processor, a communication interface, and a memory; the processor is respectively in communication connection with the communication interface and the memory;
the memory stores computer-executable instructions;
the communication interface performs communication interaction with external equipment;
the processor executes computer-executable instructions stored by the memory to implement the method of any one of the first aspects.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for implementing the method of authorizing a container cloud platform built based on k8s as in any one of the first aspects when executed by a processor.
In a fifth aspect, the present application provides a computer program product for implementing the method of authorizing a container cloud platform built based on k8s according to any one of the first aspects when executed by a processor.
With the authorization method, device and equipment for a container cloud platform built based on k8s provided by the application, the identifier of the first user to be authorized and the resource authorization information of the first user are obtained; the first authorized custom resource of the first user is determined from the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set; the resource operation authority of the first user is authorized according to the first authorized custom resource; and the resource operation authority information is stored. In this way the multi-cluster management platform of a k8s-based container cloud platform can limit the access and resource operation rights of a user, and the security of the container cloud platform is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic diagram of a request entry proxy layer component according to an embodiment of the present application;
fig. 2 is a flow diagram of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 3 is a flow chart of another authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 4 is a flow chart of another authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 5 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 6 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 7 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an authorization device of a container cloud platform built based on k8s according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards, and provide corresponding operation entries for the user to select authorization or rejection.
Currently, according to the official k8s guidance on large clusters, a k8s cluster is limited to no more than 5000 nodes and no more than 110 Pods per node, i.e. no more than 150000 Pods in total and no more than 300000 containers in total. Because of these capacity limits, some workloads must be deployed across a large number of k8s clusters, and that large number of clusters then has to be managed through multi-cluster management.
To implement multi-cluster management of k8s, multi-cluster management platforms such as rancher, karmada, kubesphere and clusternet are available on the market and are used to manage multiple k8s clusters. Taking karmada as an example, karmada is a k8s management system that can run cloud-native applications across multiple k8s clusters and clouds by using the k8s native APIs and providing advanced scheduling functionality.
Currently, k8s controls a user's permission to access a cluster by loading a kubeconfig configuration file (the default configuration format of the official kubectl) and using the cluster information and user authentication information it contains. In a multi-cluster management platform such as karmada, as long as the accessing user holds the proxy permission for a cluster managed by the platform, the user's requests are proxied into that cluster as the platform's manager user, which can interact with all resources in the cluster. That is, the multi-cluster management platform does not provide permission management for access to and operations on the multiple clusters, so the access range and resource operation range of a user cannot be controlled, and a considerable security problem exists.
In view of this, the application provides an authorization method for a container cloud platform built based on k8s. It determines the authorized custom resource of a user from the resource authorization information of that user (a user who is able to access the clusters) and authorizes the user's resource operation rights according to the authorized custom resource, so that when the user accesses a cluster, the user's access and resource operation rights are limited by the stored resource operation authority information, which improves the security of the container cloud platform.
The execution subject of the method and device is the request entry proxy layer component of the container cloud platform, which provides unified authentication, authorization and security audit for multi-cluster operations; the container cloud platform to which the request entry proxy layer component belongs comprises at least two clusters. Fig. 1 is a schematic structural diagram of a request entry proxy layer component according to an embodiment of the present application. As shown in fig. 1, the extended-apiserver component (the modified apiserver that forms the request entry proxy layer) may include a request classification module, an authentication module, an authorization module, an audit module and a proxy module.
The request classification module classifies the operation type of a user's access request; the operation types may include single-cluster operation, multi-cluster operation and erroneous operation. The operation type may be determined from an identifier in the access request, for example from the Uniform Resource Locator (URL) of the access request, by distinguishing URL prefixes. Illustratively, the user indicates a single-cluster operation on cluster a by setting clusters[0].cluster.server in the access request's kubeconfig to https://extended-apiserver/clusters/cluster-a, while https://extended-apiserver/multicluster indicates that a multi-cluster operation is to be performed using the custom resources (Custom Resource Definition, CRD) of the multi-cluster management platform. According to the classification of the user's operation type, the request classification module has the access request proxied through the multi-cluster management platform to the corresponding access path.
The authentication module authenticates the legitimacy of the user sending the access request; only the access requests of legitimate users are allowed to be proxied.
The authorization module authorizes the access rights and resource operation rights of a legitimate user.
The audit module records the cluster operations of users, which facilitates security backtracking and review.
The proxy module proxies users' access and resource operation requests to the corresponding paths and clusters through the different components of the multi-cluster management platform.
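The flow that the five modules above implement, from URL classification through certificate authentication, permission check, audit record and choice of proxy target, written out in Go as an added example; this is not code from the patent, nor from karmada or any other platform named on the page. Assumptions made here: the entry host is called extended-apiserver as in the URL prefixes above; certificate authentication is reduced to matching the SHA-256 fingerprint of the presented DER certificate against a pinned table (a stand-in for CA-based verification); the Grant and Request field names, the target-cluster list carried by a multi-cluster request, and the audit and alarm formats are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Grant: verbs on one resource type in one namespace ("" = every namespace, the cluster scope) of one cluster.
type Grant struct {
	Cluster, Namespace, Resource string
	Verbs                        []string
}

// Request: the client certificate (DER) plus the parsed operation; Clusters lists the targets of a multi-cluster request.
type Request struct {
	CertDER                   []byte
	URL                       string
	Clusters                  []string
	Namespace, Resource, Verb string
}

type Gateway struct { // authentication, authorization and audit modules in one place
	TrustedCerts  map[string]string // sha256 fingerprint of the DER -> user name
	Grants        map[string][]Grant
	Audit, Alarms []string
}

// Classify (request-classification module): the URL prefix selects single-cluster, multi-cluster or error.
func Classify(url string) (kind, cluster string) {
	path := strings.TrimPrefix(url, "https://extended-apiserver") // host name is an assumption
	if strings.HasPrefix(path, "/clusters/") {
		if name := strings.SplitN(path[len("/clusters/"):], "/", 2)[0]; name != "" {
			return "single", name
		}
	} else if strings.HasPrefix(path, "/multicluster") {
		return "multi", ""
	}
	return "error", ""
}

// Authenticate (authentication module): a pinned-fingerprint lookup stands in for CA-based certificate verification.
func (g *Gateway) Authenticate(der []byte) (string, bool) {
	sum := sha256.Sum256(der)
	user, ok := g.TrustedCerts[hex.EncodeToString(sum[:])]
	return user, ok
}

// Allowed (authorization module): one (cluster, namespace, resource, verb) against the user's stored grants.
func (g *Gateway) Allowed(user, cluster, ns, resource, verb string) bool {
	for _, gr := range g.Grants[user] {
		if gr.Cluster != cluster || gr.Resource != resource || (gr.Namespace != "" && gr.Namespace != ns) {
			continue
		}
		for _, v := range gr.Verbs {
			if v == verb {
				return true
			}
		}
	}
	return false
}

// deny (audit module): record the failure and raise an alarm, as the claims require for failed authentication or authorization.
func (g *Gateway) deny(user, why string) error {
	g.Audit = append(g.Audit, "user="+user+" result=deny reason="+why)
	g.Alarms = append(g.Alarms, user+": "+why)
	return fmt.Errorf("%s", why)
}

// Handle runs the entry path and returns the proxy target: "cluster:<name>" (single-cluster control component) or "multicluster".
func (g *Gateway) Handle(r Request) (string, error) {
	user, ok := g.Authenticate(r.CertDER)
	if !ok {
		return "", g.deny("unknown", "certificate authentication failed")
	}
	kind, cluster := Classify(r.URL)
	if kind == "error" || (kind == "multi" && len(r.Clusters) == 0) {
		return "", g.deny(user, "unroutable request "+r.URL)
	}
	targets, target := []string{cluster}, "cluster:"+cluster
	if kind == "multi" {
		targets, target = r.Clusters, "multicluster"
	}
	for _, c := range targets { // a grant is needed in every target cluster, or nothing is proxied
		if !g.Allowed(user, c, r.Namespace, r.Resource, r.Verb) {
			return "", g.deny(user, fmt.Sprintf("%s %s in %s/%s not authorized", r.Verb, r.Resource, c, r.Namespace))
		}
	}
	g.Audit = append(g.Audit, fmt.Sprintf("user=%s result=allow kind=%s verb=%s resource=%s", user, kind, r.Verb, r.Resource))
	return target, nil
}

func main() {
	cert := []byte("constructed stand-in for User1's DER client certificate")
	sum := sha256.Sum256(cert)
	g := &Gateway{TrustedCerts: map[string]string{hex.EncodeToString(sum[:]): "User1"},
		Grants: map[string][]Grant{"User1": {{Cluster: "cluster1", Namespace: "ns1", Resource: "pods", Verbs: []string{"get", "list", "watch"}}}}}
	target, err := g.Handle(Request{CertDER: cert, URL: "https://extended-apiserver/clusters/cluster1/api/v1/namespaces/ns1/pods", Namespace: "ns1", Resource: "pods", Verb: "list"})
	fmt.Println(target, err, g.Audit) // cluster:cluster1 <nil> [user=User1 result=allow kind=single verb=list resource=pods]
}
```

A multi-cluster request is proxied only when the user holds the operation in every cluster it names, and a multi-cluster request that names no clusters is refused rather than silently allowed; every refusal produces both an audit record and an alarm, which is the alarm behaviour the claims describe for failed certificate authentication and failed resource operation authentication.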
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 2, the method may include:
s201, obtaining an identification of a first user to be authorized and resource authorization information of the first user.
Here the resource authorization information includes a cluster identifier, a namespace identifier and a resource operation type set. The identifier of the user may be, for example, the user's name, account number, or any other identifier that uniquely characterizes the user's identity. The cluster identifier identifies a cluster that the first user may access and operate on; the namespace identifier identifies a namespace within that cluster that the user may access and operate on. A cluster may contain several namespaces, and a user may hold access and resource operation rights for only some of them. The resource operation type set contains the operation types the user holds within a namespace for which the user has access and resource operation rights; in k8s these may be, for example, get, list and watch.
The identifier of the first user may be obtained from the token or user certificate that the user presents in the user's kubeconfig configuration file, and the resource authorization information of the first user may be determined according to actual requirements, which is not limited by this application.
S202, determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the resource operation type set.
The first authorized custom resource comprises the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set, and represents which resource operations the first user may perform in which namespace of which cluster. The first authorized custom resource is a resource that native k8s can recognize.
Illustratively, the first authorized custom resource rb1 of the first user may be as follows:
Here apiVersion indicates that the first authorized custom resource belongs to the RBAC API of the extended-apiserver component, and kind is the name of the resource operation type set, namely MultiClusterRoleBinding. In labels, extended-apiserver: namespace together with extended-apiserver.io/namespace: ns1 indicates that the operation rights over namespace-scoped resources, such as pods and deployments, under the ns1 namespace in cluster1 are granted to the user whose user name is User1. The resource operation type set MultiClusterRoleBinding specifies which resource operations the user holds, for example get, list and watch on pod resources.
By changing the value ns1 in labels, the first authorized custom resource can be pointed at a different namespace, and by changing the value cluster1 in metadata.namespace it can be pointed at a different cluster, so the first user can be authorized for chosen resource operations in chosen namespaces of chosen clusters.
Illustratively, the first authorized custom resource rb2 of the first user may be as follows:
Here extended-apiserver: cluster in labels, together with extended-apiserver.io/namespace: "", indicates that the operation rights over cluster-scoped resources in cluster1, such as storageclasses and persistentvolumes, and over all namespace-scoped resources in all namespaces of cluster1, are granted to the user whose user name is User1. As above, the resource operation type set MultiClusterRoleBinding specifies which resource operations the user holds, for example get, list and watch on pod resources.
S203, authorizing the resource operation authority of the first user according to the first authorized user-defined resource, and storing the resource operation authority information.
The first authorized custom resource is stored in the authorization module of the extended-apiserver component, so that when an access or resource operation request sent by the user is received, the user can be checked against the first authorized custom resource to determine whether the user holds the corresponding resource operation rights.
Optionally, an index of the resource operation authority information can be created by cluster and namespace, so that the first authorized custom resources corresponding to all resource operations in a given namespace of a given cluster can be retrieved quickly. Illustratively, the index may be as shown in Table 1 below:
TABLE 1
Cluster    Namespace    Resource operation type set    Users
cluster1   ns1          rb2                            User 1, User 3
cluster1   ns2          rb2                            User 1, User 2
cluster2   ns1          rb1                            User 3
...        ...          ...                            ...
According to the method provided by this embodiment, the identifier of the first user to be authorized and the resource authorization information of the first user are obtained; the first authorized custom resource of the first user is determined from the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set; the resource operation authority of the first user is authorized according to the first authorized custom resource; and the resource operation authority information is stored. In this way the multi-cluster management platform of a k8s-based container cloud platform can limit the access and resource operation rights of a user, and the security of the container cloud platform is improved.
Next, how step S202 determines the first authorized custom resource of the first user from the identifier of the first user, the cluster identifier, the namespace identifier and the resource operation type set is described in detail.
Fig. 3 is a flow chart of another authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 3, the foregoing step S202 may include:
S301, acquiring a preset resource operation configuration resource set.
Each preset resource operation configuration resource comprises at least one resource operation type set. The preset resource operation configuration resource set is the set of resource operation configuration resources already existing in the extended-apiserver component; it can be set according to actual requirements, which is not limited by this application. For example, one preset resource operation configuration resource may include a get operation, another a list operation, another a watch operation, and a further one may include several of these operations together.
The extended-apiserver component may read the preset resource operation configuration resource set directly from the storage location where it is kept.
S302, judging whether a preset resource operation configuration resource set comprises a target preset resource operation configuration resource corresponding to the resource operation type set.
One possible implementation is to match the name of each preset resource operation configuration resource in the set against the name of the resource operation type set: if a match is found, the set includes a target preset resource operation configuration resource corresponding to the resource operation type set; if no match is found, it does not.
Another possible implementation is to match the operation types of each preset resource operation configuration resource in the set against the operation types in the resource operation type set: if a match is found, the set includes a target preset resource operation configuration resource corresponding to the resource operation type set; if no match is found, it does not.
S303, if so, acquiring the identifier of the target preset resource operation configuration resource.
The identifier of the target preset resource operation configuration resource may be, for example, its name. When the target preset resource operation configuration resource is determined to exist, for example one whose operation types include get, list and watch on pod resources, its identifier r1 is read.
S304, determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the identification of the target preset resource operation configuration resource.
The first authorized custom resource of step S202 is generated from the identifier of the first user, the cluster identifier, the namespace identifier and the identifier of the target preset resource operation configuration resource. The identifier of the target preset resource operation configuration resource is written into roleRef, which records which target preset resource operation configuration resource the first authorized custom resource grants. In native k8s the roleRef of a binding is immutable, so a binding that must point at a different preset resource operation configuration resource is deleted and recreated rather than edited in place.
Next, the case in which the preset resource operation configuration resource set does not contain a target preset resource operation configuration resource corresponding to the resource operation type set is described. In that case the target preset resource operation configuration resource can be obtained in two ways: by newly creating it, or by splicing together several existing preset resource operation configuration resources.
Method 1: and (5) newly establishing a target preset resource operation configuration resource.
Fig. 4 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 4, if the set of preset resource operation configuration resources does not include the target preset resource operation configuration resource corresponding to the set of resource operation types, the method may include:
S401, determining the target resource object of the resource operation according to the resource operation type set.
The target resource object may be a namespace or a cluster. From the resource operation type set, the identifiers of the target resource objects to be operated on are obtained, for example namespaces ns1, ns2, ns3 or clusters cluster1, cluster2, cluster3, and the target resource object of the resource operation is determined from these identifiers.
S402, obtaining a second authorized custom resource according to the cluster identifier, the resource operation type set and the target resource object.
The second authorized custom resource contains the cluster identifier, the resource operation type set and the target resource object, and expresses which resource operations it permits on which target resource object in which cluster. It is a resource that native k8s can recognise.
Illustratively, the second authorized custom resource r1 may contain the following fields:
name: r1 is the identifier of the second authorized custom resource; namespace: cluster1 indicates that it applies to the resources of all namespaces under cluster1; resources: ["pods"] indicates that the operated resource is the pod resource; and verbs: ["get", "list", "watch"] indicates that the authorized resource operations are the three operation types get, list and watch.
S403, creating the target preset resource operation configuration resource according to the second authorized custom resource.
The target preset resource operation configuration resource is created in the preset resource operation configuration resource set from the second authorized custom resource, so that later authorizations can reference it directly by its identifier r1.
Method 2: determining the target preset resource operation configuration resource corresponding to the target resource operation types according to the target resource operation types and the preset resource operation configuration resource set.
Fig. 5 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 5, if the set of preset resource operation configuration resources does not include the target preset resource operation configuration resource corresponding to the set of resource operation types, the method may include:
S501, acquiring the target resource operation types included in the resource operation type set.
And acquiring all the resource operation types included in the resource operation type set as target resource operation types. Illustratively, the set of resource operation types includes get, list, watch operation types, and the target resource operation type is a get operation type, a list operation type, and a watch operation type.
S502, determining a target preset resource operation configuration resource corresponding to the target resource operation type according to the target resource operation type and the preset resource operation configuration resource set.
According to the target resource operation types, the preset resource operation configuration resource set is searched for preset resource operation configuration resources that contain only the get operation type, only the list operation type or only the watch operation type, or any two of them. If all the target resource operation types required by the resource operation type set can be covered by splicing several such existing preset resource operation configuration resources, several second authorized custom resources, each referencing one of these preset resource operation configuration resources, can be created to achieve the same function as the resource operation type set. Only preset resource operation configuration resources whose operation types all fall within the resource operation type set are eligible for splicing; one that also grants an operation type outside the set would give the first user more than the resource authorization information allows.
According to the method provided by this embodiment, it is judged whether the preset resource operation configuration resource set contains a target preset resource operation configuration resource corresponding to the resource operation type set. If it does, that resource is obtained; if it does not, its function is realised by newly creating it or by splicing existing preset resource operation configuration resources. This determines the first authorized custom resource of the first user, lets the multi-cluster management platform of the k8s-based container cloud platform limit the access and resource operation authority of the user, and improves the security of the container cloud platform.
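The procedure of steps S301 to S304, together with the two fallbacks of method 1 (S401 to S403) and method 2 (S501 to S502), is shown below as an added example. The code is not part of this application or of karmada; the PresetRole and RoleBinding types are in-memory stand-ins for the k8s Role/ClusterRole and the binding that carries roleRef, the preset names pod-reader and pod-deleter are constructed sample data, and the order of preference (exact match, then splicing, then creating a new preset resource) is a choice of this example rather than something the description prescribes. Both reuse paths refuse any preset resource that grants a verb outside the request, so neither can over-grant.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PresetRole stands in for one "preset resource operation configuration
// resource": a Kubernetes Role/ClusterRole reduced to the fields matched here.
type PresetRole struct {
	Name      string
	Resources []string
	Verbs     []string
}

// RoleBinding stands in for the "first authorized custom resource": it binds a
// user to one or more preset roles (roleRef) in a namespace of a cluster.
type RoleBinding struct {
	User, Cluster, Namespace string
	RoleRefs                 []string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// verbKey gives an order-independent key for a verb set.
func verbKey(verbs []string) string {
	v := append([]string(nil), verbs...)
	sort.Strings(v)
	return strings.Join(v, ",")
}

// FindExactRole implements S302/S303: a preset role matches when it covers the
// resource and its verb set equals the requested one. Equality rather than a
// superset is required so that reusing a role never grants extra verbs.
func FindExactRole(presets []PresetRole, resource string, verbs []string) (string, bool) {
	for _, r := range presets {
		if contains(r.Resources, resource) && verbKey(r.Verbs) == verbKey(verbs) {
			return r.Name, true
		}
	}
	return "", false
}

// SpliceRoles implements method 2 (S501/S502): cover the requested verbs with
// several preset roles. Only roles whose verbs all lie inside the request are
// eligible, so the spliced binding cannot over-grant either.
func SpliceRoles(presets []PresetRole, resource string, verbs []string) ([]string, bool) {
	if len(verbs) == 0 {
		return nil, false
	}
	covered := map[string]bool{}
	var names []string
	for _, r := range presets {
		if !contains(r.Resources, resource) {
			continue
		}
		subset, useful := true, false
		for _, v := range r.Verbs {
			if !contains(verbs, v) {
				subset = false
			} else if !covered[v] {
				useful = true
			}
		}
		if !subset || !useful {
			continue
		}
		for _, v := range r.Verbs {
			covered[v] = true
		}
		names = append(names, r.Name)
	}
	for _, v := range verbs {
		if !covered[v] {
			return nil, false
		}
	}
	return names, true
}

// DetermineBinding runs S301-S304: reuse an exact preset role, else splice
// existing ones (method 2), else create a new preset role named newName
// (method 1, S401-S403). The binding carries the role names in its roleRef.
func DetermineBinding(presets []PresetRole, user, cluster, ns, resource string, verbs []string, newName string) (RoleBinding, []PresetRole) {
	b := RoleBinding{User: user, Cluster: cluster, Namespace: ns}
	if name, ok := FindExactRole(presets, resource, verbs); ok {
		b.RoleRefs = []string{name}
	} else if names, ok := SpliceRoles(presets, resource, verbs); ok {
		b.RoleRefs = names
	} else {
		presets = append(presets, PresetRole{Name: newName, Resources: []string{resource}, Verbs: verbs})
		b.RoleRefs = []string{newName}
	}
	return b, presets
}

func main() {
	presets := []PresetRole{ // constructed sample preset set
		{Name: "pod-reader", Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
		{Name: "pod-deleter", Resources: []string{"pods"}, Verbs: []string{"delete"}},
	}
	b, presets := DetermineBinding(presets, "user1", "cluster1", "ns1", "pods", []string{"get", "list", "watch"}, "r1")
	fmt.Printf("%+v\n", b) // exact match on pod-reader
	b, presets = DetermineBinding(presets, "user1", "cluster1", "ns1", "pods", []string{"get", "list", "watch", "delete"}, "r2")
	fmt.Printf("%+v\n", b) // spliced from pod-reader and pod-deleter
	b, _ = DetermineBinding(presets, "user1", "cluster1", "ns1", "pods", []string{"create"}, "r3")
	fmt.Printf("%+v\n", b) // nothing fits: new preset role r3 is created and bound
}
```

The third call shows why the exact-match check matters: a request for only create is not satisfied by either preset role, so a new one is created instead of binding the user to a broader role that happens to exist.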
Next, the method of authenticating a resource operation request of a user is described in detail. Fig. 6 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 6, the method may further include:
S601, acquiring a resource operation request of a second user.
The resource operation request includes the user certificate of the second user, a resource operation object and a resource operation type. The second user may be the first user, or any user who can access any cluster in the multi-cluster management platform of the container cloud platform.
The second user accesses the federated-apiserver component by loading a kubeconfig configuration file and requests a single-cluster or multi-cluster resource operation. The federated-apiserver component receives the resource operation request of the second user.
S602, authenticating the second user according to the user certificate of the second user.
The user certificate of the second user is contained in the kubeconfig configuration file described above, and the identifier of the second user is carried in that certificate. The federated-apiserver component authenticates the second user by this identifier and determines whether the second user is a legal user of the target cluster corresponding to the resource operation request. The identifier used here is the one taken from the verified certificate, not a value the request could supply on its own.
The federated-apiserver component may match the identifier of the second user against the legal user identifier list of the target cluster; if the match succeeds, authentication passes.
S603, if the user certificate passes authentication, determining resource operation authority information of the second user according to the identification of the second user included in the user certificate of the second user.
The federated-apiserver component queries all the resource operation authority information of the target cluster using the identifier of the second user contained in the user certificate, and selects from it the resource operation authority information corresponding to that identifier.
The query may, for example, compare the identifier against every piece of resource operation authority information in the cluster one by one, or it may first determine the namespace of the resource operation request through an index and then search only the resource operation authority information of that namespace.
S604, authenticating the resource operation request according to the resource operation object, the resource operation type and the resource operation authority information of the second user.
The resource operation object and resource operation type are taken from the resource operation request of the second user and compared with the resource operation object and resource operation type contained in the resource operation authority information of the second user.
If the resource operation object and resource operation type in the request are the same as those in the resource operation authority information of the second user, the comparison succeeds and authentication passes; if they differ, the comparison fails and authentication does not pass. The comparison is an exact match of both fields taken together, so authority over one namespace does not extend to a namespace whose identifier merely shares a prefix. For a multi-cluster operation, all target clusters of the resource operation request are extracted and each target cluster is authenticated in turn.
S605, if the resource operation authentication passes, the resource operation request is proxied to the cluster where the resource operation object is located according to the resource operation object to perform the resource operation.
If the resource operation object is a namespace, the cluster in which that namespace is located is determined; if the resource operation object is a cluster, the cluster to be proxied to is that cluster. According to the resource operation object, the proxy module of the federated-apiserver component then proxies the resource operation request into that cluster to perform the operation on cluster-scoped or namespace-scoped resources.
In addition, before the resource operation request is proxied to the cluster where the resource operation object is located to perform the resource operation, the method may further include a step of classifying the resource operation request. Fig. 7 is a flow chart of an authorization method of a container cloud platform built based on k8s according to an embodiment of the present application. As shown in fig. 7, before the resource operation request is proxied to the cluster where the resource operation object is located for performing the resource operation, the method may further include:
S701, obtaining the cluster operation type from the resource operation request.
The cluster operation type comprises single cluster operation and multi-cluster operation.
The request classification module classifies the resource operation request by operation type, where the operation types may include single-cluster operation, multi-cluster operation and error operation. The operation type may be determined from an identifier in the access request, for example from the prefix of its Uniform Resource Locator (URL). Illustratively, the user selects the operation type by setting the value of clusters[0].cluster.server in the kubeconfig of the access request: https://federated-apiserver/clusters/clusterA indicates a single-cluster operation on cluster A, and https://federated-apiserver/multicluster indicates a multi-cluster operation performed through the custom resources (Custom Resource Definitions, CRDs) of the multi-cluster management platform. A request whose URL matches neither prefix is classified as an error operation rather than being routed to either component.
S702, if the cluster operation type is single cluster operation, the resource operation request is proxied to the single cluster control component to perform resource operation on the first target cluster.
Taking karmada as the multi-cluster management platform, the federated-apiserver component handles a single-cluster operation of the user by proxying the resource operation request to the karmada aggregated-apiserver component, which in turn proxies the request directly to the kube-apiserver of the target cluster using the system:masters user group identity preset by karmada. Because that final hop carries a system:masters identity, the kube-apiserver of the member cluster does not re-check the second user's own permissions; the authentication of steps S602 to S604 must therefore complete before proxying, since it is the only point at which the second user's authority is enforced for a single-cluster operation.
S703, if the cluster operation type is multi-cluster operation, the resource operation request is proxied to the multi-cluster control component to perform resource operation on the plurality of second target clusters.
Taking karmada as the multi-cluster management platform, the federated-apiserver component handles a multi-cluster operation of the user by proxying the resource operation request to the karmada-apiserver component. That component processes the multi-cluster resources directly (including the karmada CRD resources) and completes the multi-cluster resource orchestration in cooperation with the other components of the karmada system.
It should be understood that the step of classifying the resource operation request may be performed before or after the user is authenticated by the user certificate. Once the request has been classified and its cluster operation type is known, a single-cluster operation request goes through the single-cluster operation interface, where authentication, auditing and the like are performed for that one cluster; a multi-cluster operation request goes through the multi-cluster operation interface, which traverses the clusters to be operated on and performs authentication, auditing and the like for each cluster in turn.
Optionally, after authentication is completed, the federated-apiserver component may further record, through an audit module, the result of the user certificate authentication and/or the result of the resource operation authentication, together with the resource operation of the second user. The recorded information can be written to an operation log to support later security backtracking and auditing. The audit module may be designed as a plug-in; optional plug-in implementations include, but are not limited to, stdout log output, k8s event generation and database records, which may be realised with reference to the prior art and are not limited by this application. For a multi-cluster operation, the audit module extracts all target clusters of the resource operation request and audits each of them in turn.
By way of example, when auditing is done through k8s events, alarm information can be output for abnormal multi-cluster operation events in combination with the open-source kube-event. For example, if authentication of the user certificate fails, or authentication of the resource operation fails, or an abnormal operation event exists in the resource operation of the second user, alarm information is output. The alarm information may be sent to the electronic device of the cluster administrator user, the electronic device of the container cloud platform administrator user, or the like.
According to the method provided by this embodiment, the legitimacy of the second user and of the resource operation request is authenticated, the resource operation request of an authenticated second user is classified and proxied into the corresponding cluster for execution, and the operation log is recorded by the audit module to support security backtracking, which further improves the security of resource operation and access on the container cloud platform.
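The request path of steps S601 to S605, the URL classification of steps S701 to S703 and the per-cluster audit record described above are shown together in the following added example. It is not code from this application or from karmada. The URL prefixes are the ones the description gives for the federated-apiserver; the Request, Grant and Cluster types are in-memory stand-ins for the resource operation request, the stored resource operation authority information and the legal user list of a member cluster; the Targets field, the rule that a multi-cluster operation is proxied only when every target cluster passes, and the sample clusters and users are assumptions of this example. The single-cluster branch illustrates the caveat above: once the request is proxied it runs as system:masters on the member cluster, so the deny decisions here are the only ones that will ever be taken.

```go
package main

import (
	"fmt"
	"strings"
)

// Request stands in for the resource operation request of the second user.
// User is the identifier taken from the verified kubeconfig credential;
// Targets (assumed field) lists the clusters of a multi-cluster operation.
type Request struct {
	URL     string
	User    string
	Object  string // resource operation object, e.g. "ns/ns1" or "cluster"
	Verb    string // resource operation type, e.g. "get"
	Targets []string
}

// Grant is one stored entry of resource operation authority information.
type Grant struct{ User, Object, Verb string }

// Cluster stands in for one member cluster: its legal user list and grants.
type Cluster struct {
	LegalUsers []string
	Grants     []Grant
}

const singlePrefix = "https://federated-apiserver/clusters/"
const multiPrefix = "https://federated-apiserver/multicluster"

// Classify implements S701: the URL prefix decides single- or multi-cluster
// handling; any other prefix is an error operation and is never proxied.
func Classify(url string) (kind, cluster string) {
	if strings.HasPrefix(url, multiPrefix) {
		return "multi", ""
	}
	if strings.HasPrefix(url, singlePrefix) {
		name := strings.TrimPrefix(url, singlePrefix)
		if i := strings.Index(name, "/"); i >= 0 {
			name = name[:i]
		}
		if name != "" {
			return "single", name
		}
	}
	return "error", ""
}

// Authenticate implements S602: the user must be on the cluster's legal list.
func (c *Cluster) Authenticate(user string) bool {
	for _, u := range c.LegalUsers {
		if u == user {
			return true
		}
	}
	return false
}

// Authorize implements S603/S604: some grant for this user must name exactly
// the requested object and verb, so a grant on "ns/ns1" never covers "ns/ns10".
func (c *Cluster) Authorize(user, object, verb string) bool {
	for _, g := range c.Grants {
		if g.User == user && g.Object == object && g.Verb == verb {
			return true
		}
	}
	return false
}

// Handle classifies the request, then authenticates and authorizes it against
// every target cluster. It returns whether the request may be proxied (S605)
// and one audit line per cluster; any failing cluster blocks the whole request.
func Handle(clusters map[string]*Cluster, r Request) (bool, []string) {
	kind, single := Classify(r.URL)
	targets := r.Targets
	if kind == "single" {
		targets = []string{single}
	} else if kind != "multi" || len(targets) == 0 {
		return false, []string{"denied: unclassified or empty request " + r.URL}
	}
	ok := true
	var audit []string
	for _, name := range targets {
		c, found := clusters[name]
		verdict := "allowed"
		if !found || !c.Authenticate(r.User) {
			verdict = "denied: user not legal in cluster"
		} else if !c.Authorize(r.User, r.Object, r.Verb) {
			verdict = "denied: no matching grant"
		}
		ok = ok && verdict == "allowed"
		audit = append(audit, fmt.Sprintf("%s: %s %s on %s %s", name, r.User, r.Verb, r.Object, verdict))
	}
	return ok, audit
}

func main() {
	clusters := map[string]*Cluster{ // constructed sample state
		"cluster1": {LegalUsers: []string{"user1"}, Grants: []Grant{{"user1", "ns/ns1", "get"}}},
		"cluster2": {LegalUsers: []string{"user1"}, Grants: []Grant{{"user1", "ns/ns1", "get"}}},
		"cluster3": {LegalUsers: []string{"user2"}},
	}
	r := Request{URL: singlePrefix + "cluster1/api/v1/namespaces/ns1/pods", User: "user1", Object: "ns/ns1", Verb: "get"}
	fmt.Println(Handle(clusters, r)) // true: allowed on cluster1, then proxied
	r = Request{URL: multiPrefix, User: "user1", Object: "ns/ns1", Verb: "get", Targets: []string{"cluster1", "cluster2", "cluster3"}}
	fmt.Println(Handle(clusters, r)) // false: user1 is not a legal user of cluster3
}
```

The audit slice is what a k8s-event or log plug-in would emit; the second call shows that a multi-cluster request produces one record per target cluster even when the overall decision is a denial.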
Fig. 8 is a schematic structural diagram of an authorization device of a container cloud platform based on k8s construction according to an embodiment of the present application. The container cloud platform comprises at least two clusters, as shown in fig. 8, the authorization device of the container cloud platform built based on k8s may comprise: the acquisition module 11, the processing module 12 and the control module 13. In one possible implementation manner, the method may further include: an output module 14.
The obtaining module 11 is configured to obtain an identifier of a first user to be authorized, and resource authorization information of the first user. The resource authorization information includes a cluster identification, a namespace identification, and a set of resource operation types.
A processing module 12, configured to determine a first authorized custom resource of the first user according to the identifier of the first user, the cluster identifier, the namespace identifier, and the set of resource operation types.
And the control module 13 is used for authorizing the resource operation authority of the first user according to the first authorized custom resource and storing the resource operation authority information.
In one possible implementation manner, the processing module 12 is specifically configured to obtain a set of preset resource operation configuration resources, where each preset resource operation configuration resource includes at least one set of resource operation types. Judging whether the preset resource operation configuration resource set comprises a target preset resource operation configuration resource corresponding to the resource operation type set. If so, acquiring the identification of the operation configuration resource of the target preset resource. And determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the identification of the target preset resource operation configuration resource.
If the set of preset resource operation configuration resources does not include the target preset resource operation configuration resources corresponding to the set of resource operation types, optionally, the processing module 12 is specifically configured to determine the target resource object of the resource operation according to the set of resource operation types. And acquiring a second authorized custom resource according to the cluster identifier, the resource operation type set and the target resource object. And creating the operation configuration resource of the target preset resource according to the second authorized user-defined resource.
Alternatively, the processing module 12 is specifically configured to obtain the target resource operation type included in the set of resource operation types. And determining a target preset resource operation configuration resource corresponding to the target resource operation type according to the target resource operation type and the preset resource operation configuration resource set.
In any of the above implementations, the obtaining module 11 is further configured to obtain a resource operation request of the second user, where the resource operation request includes a user certificate, a resource operation object, and a resource operation type of the second user. The processing module 12 is further configured to authenticate the second user according to a user certificate of the second user. If the user certificate passes the authentication, the resource operation authority information of the second user is determined according to the identification of the second user included in the user certificate of the second user. And authenticating the resource operation request according to the resource operation object, the resource operation type and the resource operation authority information of the second user. And if the authentication of the resource operation passes, according to the resource operation object, the resource operation request is proxied to the cluster where the resource operation object is located to perform the resource operation.
In this implementation, optionally, before the resource operation request is proxied to the cluster where the resource operation object is located according to the resource operation object, the obtaining module 11 is further configured to obtain the cluster operation type from the resource operation request, where the cluster operation type includes single-cluster operation and multi-cluster operation. The control module 13 is further configured to proxy the resource operation request to the single-cluster control component to perform the resource operation on the first target cluster if the cluster operation type is single-cluster operation, and to proxy the resource operation request to the multi-cluster control component to perform the resource operation on the plurality of second target clusters if the cluster operation type is multi-cluster operation.
Wherein the optional processing module 12 is further configured to record a result of authentication of the user certificate, and/or a result of authentication of the resource operation, and a resource operation of the second user. If the authentication of the user certificate fails, or the authentication of the resource operation fails, or there is an abnormal operation event in the resource operation of the second user, the output module 14 is configured to output alarm information.
The authorization device of the container cloud platform based on k8s can execute the authorization method of the container cloud platform based on k8s in the method embodiment, and the implementation principle and the technical effect are similar and are not repeated here.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device is configured to execute the foregoing authorization method of the container cloud platform built based on k8s; it may be, for example, the foregoing terminal device on which the federated-apiserver component is deployed. As shown in fig. 9, the electronic device 900 may include: at least one processor 901, a memory 902 and a communication interface 903.
A memory 902 for storing programs. In particular, the program may include program code including computer-operating instructions.
The memory 902 may include high-speed RAM and may further include non-volatile memory, such as at least one disk memory.
The processor 901 is configured to execute computer-executable instructions stored in the memory 902 to implement the methods described in the foregoing method embodiments. The processor 901 may be a CPU, or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
The processor 901 may communicate with external devices, such as the aforementioned terminal devices of users, via the communication interface 903. In a specific implementation, if the communication interface 903, the memory 902 and the processor 901 are implemented independently, they may be connected to and communicate with each other through buses. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. Buses may be divided into address buses, data buses, control buses, etc.; the term does not denote only one bus or one type of bus.
Alternatively, in a specific implementation, if the communication interface 903, the memory 902, and the processor 901 are integrated on a chip, the communication interface 903, the memory 902, and the processor 901 may complete communication through internal interfaces.
The present application also provides a computer-readable storage medium, which may include a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk or the like, in which program code may be stored; in particular, the computer-readable storage medium stores program instructions for the methods of the above embodiments.
The present application also provides a program product comprising execution instructions stored in a readable storage medium. The at least one processor of the computing device may read the execution instructions from the readable storage medium, the execution instructions being executable by the at least one processor to cause the computing device to implement the above-described authorization method of the container cloud platform built based on k8 s.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An authorization method of a container cloud platform built based on k8s, wherein the container cloud platform comprises at least two clusters, the method comprising:
acquiring an identification of a first user to be authorized and resource authorization information of the first user; the resource authorization information comprises a cluster identifier, a name space identifier and a resource operation type set;
determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the resource operation type set;
and authorizing the resource operation authority of the first user according to the first authorized custom resource, and storing the resource operation authority information.
2. The method of claim 1, wherein the determining the first authorized custom resource for the first user based on the identification of the first user, the cluster identification, the namespace identification, and the set of resource operation types comprises:
acquiring a preset resource operation configuration resource set, wherein each preset resource operation configuration resource comprises at least one resource operation type set;
judging whether the preset resource operation configuration resource set comprises a target preset resource operation configuration resource corresponding to the resource operation type set;
if so, acquiring the identification of the operation configuration resource of the target preset resource;
and determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the name space identification and the identification of the target preset resource operation configuration resource.
3. The method of claim 2, wherein if the set of preset resource operation configuration resources does not include the target preset resource operation configuration resource corresponding to the set of resource operation types, comprising:
determining a target resource object of the resource operation according to the resource operation type set;
acquiring a second authorized custom resource according to the cluster identifier, the resource operation type set and the target resource object;
and newly establishing the target preset resource operation configuration resource according to the second authorized custom resource.
4. The method of claim 2, wherein if the set of preset resource operation configuration resources does not include the target preset resource operation configuration resource corresponding to the set of resource operation types, comprising:
acquiring a target resource operation type included in the resource operation type set;
and determining a target preset resource operation configuration resource corresponding to the target resource operation type according to the target resource operation type and the preset resource operation configuration resource set.
5. The method of any one of claims 1-4, further comprising:
acquiring a resource operation request of a second user, wherein the resource operation request comprises a user certificate, a resource operation object and a resource operation type of the second user;
authenticating the second user according to the user certificate of the second user;
if the user certificate passes the authentication, determining the resource operation authority information of the second user according to the identification of the second user included in the user certificate of the second user;
authenticating the resource operation request according to the resource operation object, the resource operation type and the resource operation authority information of the second user;
and if the resource operation authentication passes, according to the resource operation object, the resource operation request is proxied to the cluster where the resource operation object is located to perform resource operation.
6. The method of claim 5, further comprising, before proxying the resource operation request to the cluster where the resource operation object is located according to the resource operation object:
obtaining a cluster operation type from the resource operation request, wherein the cluster operation type comprises single cluster operation and multi-cluster operation;
if the cluster operation type is single cluster operation, the resource operation request is proxied to a single cluster control component to perform resource operation on a first target cluster;
and if the cluster operation type is multi-cluster operation, the resource operation request is proxied to a multi-cluster control component so as to perform resource operation on a plurality of second target clusters.
7. The method as recited in claim 6, further comprising:
recording the authentication result of the user certificate and/or the authentication result of the resource operation and the resource operation of the second user;
and if the authentication of the user certificate fails, or the authentication of the resource operation fails, or the resource operation of the second user has an abnormal operation event, outputting alarm information.
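The request path of claims 5 to 7 (certificate authentication, lookup of the stored resource operation authority, authorization of the requested operation, routing to a single-cluster or multi-cluster control component, and recording plus alarming on failures), together with the storing step of claim 8, as an added worked example. This is illustration code written for this page, not the patent's or any product's implementation: the `AuthorizationGateway` class, the certificate fingerprint trust store, the constructed certificates and the wildcard-delete "abnormal operation" rule are all assumptions made here, and the multi-cluster branch fails closed by requiring authority on every target cluster.

```python
"""Constructed model of the authorization flow in claims 5-8.

Not the patent's code: names, certificates and the abnormal-operation
rule below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
import hashlib


# Constructed client certificates standing in for real PEM material.
ALICE_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed-alice\n-----END CERTIFICATE-----\n"
MALLORY_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed-mallory\n-----END CERTIFICATE-----\n"


def fingerprint(cert_pem):
    """SHA-256 fingerprint used as the trust-store key (an assumption here)."""
    return hashlib.sha256(cert_pem).hexdigest()


@dataclass(frozen=True)
class Permission:
    """One entry of a user's resource operation authority information."""
    cluster: str
    namespace: str
    verbs: frozenset  # resource operation types, e.g. {"get", "list"}


@dataclass
class AuthorizationGateway:
    trusted_certs: dict                               # fingerprint -> user id
    permissions: dict = field(default_factory=dict)   # user id -> [Permission]
    audit_log: list = field(default_factory=list)     # claim 7: recorded results
    alarms: list = field(default_factory=list)        # claim 7: alarm output

    def grant(self, user, cluster, namespace, verbs):
        """Store resource operation authority for `user` (claim 8, control module)."""
        self.permissions.setdefault(user, []).append(
            Permission(cluster, namespace, frozenset(verbs)))

    def authenticate(self, cert_pem):
        """Return the user id bound to a trusted certificate, or None."""
        return self.trusted_certs.get(fingerprint(cert_pem))

    def is_authorized(self, user, cluster, namespace, verb):
        """Check the operation against the user's stored authority information."""
        return any(p.cluster == cluster and p.namespace == namespace and verb in p.verbs
                   for p in self.permissions.get(user, ()))

    def _record(self, user, cert_ok, authz_ok, operation, alarm=None):
        self.audit_log.append({"user": user, "cert_ok": cert_ok,
                               "authz_ok": authz_ok, "operation": operation})
        if alarm:
            self.alarms.append(alarm)

    def handle(self, cert_pem, clusters, namespace, verb, resource):
        """Claims 5 and 6: authenticate, authorize, then route to a control component."""
        operation = {"clusters": list(clusters), "namespace": namespace,
                     "verb": verb, "resource": resource}
        user = self.authenticate(cert_pem)
        if user is None:
            self._record(None, False, False, operation,
                         alarm="certificate authentication failed")
            return {"status": "denied", "reason": "certificate"}
        # Fail closed: a multi-cluster request needs authority on every target cluster.
        if not all(self.is_authorized(user, c, namespace, verb) for c in clusters):
            self._record(user, True, False, operation,
                         alarm=f"{user}: unauthorized {verb} on {resource}")
            return {"status": "denied", "reason": "authorization"}
        # Constructed abnormal-operation rule: a wildcard delete is alarmed even when permitted.
        abnormal = (f"{user}: abnormal operation {verb} {resource}"
                    if verb == "delete" and resource == "*" else None)
        self._record(user, True, True, operation, alarm=abnormal)
        component = "single-cluster" if len(clusters) == 1 else "multi-cluster"
        return {"status": "proxied", "component": component, "targets": list(clusters)}


def build_demo_gateway():
    """Gateway pre-loaded with constructed trust store and one grant."""
    gw = AuthorizationGateway(trusted_certs={fingerprint(ALICE_CERT): "alice"})
    gw.grant("alice", "cluster-1", "team-a", {"get", "list", "create"})
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.handle(ALICE_CERT, ["cluster-1"], "team-a", "get", "pods/web"))
    print(gw.handle(ALICE_CERT, ["cluster-1", "cluster-2"], "team-a", "get", "pods/web"))
    print(gw.handle(MALLORY_CERT, ["cluster-1"], "team-a", "get", "pods/web"))
    print(gw.alarms)
```

The gateway never forwards a request whose certificate or authority check failed, and every decision lands in `audit_log` so the alarm conditions of claim 7 can be evaluated from the same record the request produced.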
8. An authorization device of a container cloud platform built based on k8s, characterized in that the container cloud platform comprises at least two clusters, the device comprising:
the system comprises an acquisition module, a first user authentication module and a second user authentication module, wherein the acquisition module is used for acquiring an identification of a first user to be authorized and resource authorization information of the first user; the resource authorization information comprises a cluster identifier, a namespace identifier and a resource operation type set;
the processing module is used for determining a first authorized custom resource of the first user according to the identification of the first user, the cluster identification, the namespace identification and the resource operation type set;
and the control module is used for authorizing the resource operation authority of the first user according to the first authorized custom resource and storing the resource operation authority information.
9. An electronic device, comprising a processor, a communication interface and a memory, wherein the processor is in communication connection with the communication interface and the memory respectively;
the memory stores computer-executable instructions;
the communication interface performs communication interaction with external equipment;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1-7.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 7.
CN202311233393.6A 2023-09-21 2023-09-21 Authorization method, device and equipment for container cloud platform built based on k8s Pending CN117319021A (en)


Publications (1)

Publication Number Publication Date
CN117319021A true CN117319021A (en) 2023-12-29

Family

ID=89280459


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination