CN117834222A - WAF rule configuration method and device in K8S system - Google Patents
WAF rule configuration method and device in K8S system Download PDFInfo
- Publication number
- CN117834222A CN117834222A CN202311771175.8A CN202311771175A CN117834222A CN 117834222 A CN117834222 A CN 117834222A CN 202311771175 A CN202311771175 A CN 202311771175A CN 117834222 A CN117834222 A CN 117834222A
- Authority
- CN
- China
- Prior art keywords
- waf
- service
- template
- rule
- input
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000012986 modification Methods 0.000 claims description 17
- 230000004048 modification Effects 0.000 claims description 17
- 230000015654 memory Effects 0.000 claims description 12
- 238000002347 injection Methods 0.000 description 24
- 239000007924 injection Substances 0.000 description 24
- 238000010586 diagram Methods 0.000 description 10
- 238000004590 computer program Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 4
- 238000011161 development Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 239000008186 active pharmaceutical agent Substances 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application provides a method and a device for configuring WAF rules in a K8S system. The K8S system includes an entry component and at least one K8S cluster. The ingress component is for traffic management of at least one K8S cluster. At least one K8S cluster is used to provide at least one type of service. The method comprises the following steps: acquiring a first input aiming at a first service, wherein the first service is any service provided by at least one K8S cluster, and the first input is used for indicating a first service type corresponding to the first service; acquiring a first template corresponding to a first service type, wherein the first template comprises at least one WAF rule; the portal component is configured according to at least one WAF rule. By the method and the device, the WAF rule is efficiently configured.
Description
Technical Field
The present application relates to the field of cloud computing, and in particular, to a method and apparatus for configuring WAF (web application firewall, global wide area network application firewall) rules in a K8S (Kubernates) system.
Background
With the development of communication technology and the increase of computing power, more and more services are deployed in the cloud. At this time, a service is provided for the user through a cloud computing manner. In some scenarios, the deployment of containers may be implemented using a K8S system. A wide variety of services can be deployed within the large number of containers of the K8S system.
How to implement efficient configuration of WAF rules in K8S system is a urgent problem to be solved.
Disclosure of Invention
The application provides a WAF rule configuration method and device in a K8S system, so that efficient configuration of WAF rules is realized.
The technical scheme of the application is realized as follows:
in a first aspect, the present application provides a method for configuring WAF rules in a K8S system. The K8S system includes an entry component and at least one K8S cluster. The ingress component is for traffic management of at least one K8S cluster. At least one K8S cluster is used to provide at least one type of service. The method comprises the following steps: acquiring a first input aiming at a first service, wherein the first service is any service provided by at least one K8S cluster, and the first input is used for indicating a first service type corresponding to the first service; acquiring a first template corresponding to a first service type, wherein the first template comprises at least one WAF rule; the portal component is configured according to at least one WAF rule.
In some possible implementations, configuring the entry component according to at least one WAF rule may include: converting the at least one WAF rule into annotation information for the entry component; the annotation information is configured to the portal component.
In some possible embodiments, the above method may further comprise: obtaining a second input, wherein the second input is used for indicating modification of the first template; according to the second input, at least one of the following operations is performed on the first template: adding WAF rules, deleting WAF rules, and modifying WAF rules.
In some possible embodiments, the above method may further comprise: obtaining a third input, wherein the third input comprises at least one WAF rule corresponding to the first service type; a first template corresponding to a first service type is generated based on at least one WAF rule.
In a second aspect, the present application provides a device for configuring WAF rules in a K8S system. The K8S system includes an entry component and at least one K8S cluster. The ingress component is for traffic management of at least one K8S cluster. At least one K8S cluster is used to provide at least one type of service. The device comprises an acquisition module, a template management module and a rule management module. The acquisition module is used for acquiring a first input aiming at a first service. The first service is any service provided by at least one K8S cluster, and the first input is used for indicating a first service type corresponding to the first service. The template management module is used for acquiring a first template corresponding to the first service type. The first template includes at least one WAF rule. The rule management module is used for configuring the entry component according to at least one WAF rule.
In some possible implementations, the rule management module may be configured to: converting the at least one WAF rule into annotation information for the entry component; the annotation information is configured to the portal component.
In some possible implementations, the acquisition module may also be used to acquire the second input. The second input is used to indicate a modification to the first template. The template management module may be further configured to, based on the second input, at least one of: adding WAF rules; deleting WAF rules; the WAF rules are modified.
In some possible implementations, the acquisition module may also be configured to acquire the third input. The third input includes at least one WAF rule corresponding to the first service type. The template management module may be further configured to generate a first template corresponding to the first service type based on the at least one WAF rule.
In a third aspect, the present application provides an electronic device. The electronic device includes a memory and a processor. The memory is used to store executable instructions. The processor, when executing executable instructions stored in the memory, implements the method as described in any of the first aspect and embodiments thereof.
In a fourth aspect, the present application provides a storage medium. The storage medium has stored thereon executable instructions. The executable instructions, when executed by a processor, implement the method as described in any of the first aspect and embodiments thereof.
In a fifth aspect, the present application provides a computer program. The computer program includes code. The code, when executed by a computer, implements a method as described in any of the first aspect and its embodiments.
The application has the following beneficial effects:
in the present application, respective templates may be set for different service types, and a WAF rule for each service type is included in the template corresponding to the service type. In this way, when a K8S cluster for providing a service is deployed in the K8S system, a WAF rule can be configured for an entry component to the K8S cluster directly using a template corresponding to a service type of the service. Therefore, for the K8S cluster of the existing service type, the autonomous configuration of the WAF rule of the entry component can be realized based on the template, the configuration flow is simplified, the unified configuration of the service of the same service type is realized, and then the efficient configuration of the WAF rule is realized.
Drawings
Fig. 1 is a schematic diagram of the architecture of a K8S cluster.
Fig. 2 is a schematic structural diagram of a K8S system according to an embodiment of the present application.
Fig. 3 is a flowchart of a first embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application.
Fig. 4 is a flowchart of a second embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application.
Fig. 5 is a flowchart of a third embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application.
Fig. 6 is a schematic structural diagram of a WAF rule configuration device in a K8S system according to an embodiment of the present application.
Fig. 7 is a schematic diagram of a specific implementation of configuring WAF rules for a K8S system according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The described embodiments should not be considered as limiting the present application. All other embodiments, which can be made by those skilled in the art without the inventive effort, are intended to be within the scope of the present application.
In the following description, reference is made to "an embodiment," "some embodiments," etc., which describe a subset of all possible embodiments. It is to be understood that "an embodiment," "some embodiments," can be the same subset or different subsets of all possible embodiments, and can be combined with one another without conflict.
In the following description, the terms "first/second/third" are merely used to distinguish between similar objects and do not represent a particular ordering of objects. It is to be understood that the "first/second/third" may be interchanged with one another in the specific order or sequence, as permitted, to enable embodiments of the present application described herein to be implemented in other than those illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
With the development of communication technology and the increase of computing power, more and more services are deployed in the cloud. At this time, a service is provided for the user through a cloud computing manner. In some scenarios, the deployment of containers may be implemented using a K8S system. K8S is an open-source container orchestration engine. The K8S may be used to manage containerized applications on multiple hosts in a cloud platform with the goal of making deploying containerized applications simple and efficient. In K8S, multiple containers may be created, each of which may have one application instance running therein. And the management, discovery and access of the group of application examples are realized through a built-in load balancing strategy.
Fig. 1 is a schematic diagram of the architecture of a K8S cluster. As shown in fig. 1, the K8S cluster 100 may include a Master (Master) component 110 and a plurality of Node (Node) components 120.
The master component 110 is used to provide management and control of the K8S cluster 100. The master component 110 includes a Scheduler (Scheduler) 111, a Controller (Controller-Manager) 112, and an application interface Server (Api-Server) 113. The scheduler 111 is used for scheduling of the container group (Pod) 123. Specifically, the scheduler 111 is used to select nodes for the newly created container group 123. The controller 112 is a background thread in the K8S cluster 100 that handles regular tasks. The controller 112 may include a node controller, a task controller, and the like. The application interface server 113 is used for processing application interface requests. The resource request and/or call operations for the K8S cluster 100 are implemented through an application interface provided by the application interface server.
The node component 120 is operative to provide a K8S runtime environment, and to maintain a container group 123. Node components 120 include a proxy component 121, a kubelet component 122, one or more container groups 123. Proxy component 121 is used to maintain network rules on the host and perform connection forwarding to implement the service abstraction of K8S cluster 100. Specifically, the proxy component 121 may load balance traffic destined for a service (service) to a corresponding container group 123 by maintaining network rules. kubelet component 122, acting as a node proxy, can monitor the container group 123 that has been assigned to node component 120. The Kubelet component 122 may be responsible for management of the lifecycle of the container group 123, and reporting the running state of the host. The container group 123 is the smallest unit that can be created and managed in the K8S cluster 100.
One container group 123 may include one or more containers 123C. A container 123C may have a process and may run an application. One container group 123 may have one or more processes.
In some embodiments, the K8S cluster may also include an etcd component 130. The etcd component 130 is a storage system in the K8S cluster 100. The etcd component 130 is used to save data in the K8S cluster 100. For example, the etcd component 130 may be operative to store resource object information (e.g., information of the container group 123). In some embodiments, the etcd component 130 may be located internal and/or external to the master component 110.
In some embodiments, the K8S cluster 100 may also include one or more plugins 140. Plug-in 140 may include a domain name system (domain name system, DNS) plug-in, a network plug-in, a User Interface (UI) plug-in, a kubctl plug-in, and the like. DNS plug-ins may be used to provide domain name resolution within the K8S cluster 100. The network plug-in may be used to enable inter-container group network communication across hosts within the K8S cluster 100. The UI plugin may be used to provide a graphical interface to facilitate status information viewing of the K8S cluster 100. kubectl plug-in is used as a command line tool to communicate with the control plane of the K8S cluster 100 through an application interface.
In a K8S cluster, one service may correspond to one or more container groups 123. The nature of the service is that the resource objects are the container groups 123 corresponding to the service. An access entry may be defined by the service. Through the access entry, an application instance on a container 123C in the container group 123 corresponding to the service can be accessed. In other words, a service may be considered a collection of one or more container groups 123.
Since the K8S cluster can provide a wide variety of services, WAF rules need to be configured for the services of the K8S cluster to protect the services from attack. How to implement efficient configuration of WAF rules in K8S system is a urgent problem to be solved.
Fig. 2 is a schematic structural diagram of a K8S system according to an embodiment of the present application. As shown in fig. 2, the K8S system 200 in the embodiment of the present application includes a rule configuration component 201, an entry component 202, and at least one K8S cluster 203.
At least one K8S cluster 203 is used to provide one or more services. For example, one K8S cluster 203 may be used to provide one service and two other K8S clusters 203 may be used to provide another service. Because each K8S cluster 203 includes one or more container groups, each service may be a collection of one or more container groups in at least one K8S cluster 203.
The portal component 202 may be for traffic management of at least one K8S cluster 203 providing a first service. More specifically, the portal component 202 is an external access portal of at least one K8S cluster 203. At the same time, the portal component 202 also has the effect of achieving load balancing among the container groups in the at least one K8S cluster 203. The inlet assembly 202 may have WAF functionality. For example, the WAF component may be integrated with the inlet component 202.
In some embodiments, the portal component 202 may be an Ingress (or referred to as an Ingress resource). Ingress is an abstraction of the reverse proxy in the K8S system. Mapping rules may be established in the Ingress. These mapping rules may be converted to a configuration of nmginx to provide services to the outside. Nginx is a high performance HTTP and reverse proxy web server.
Rule configuration component 201 is operative to configure WAF rules for entry component 202. For example, rule configuration component 201 may configure WAF rules for the entry component 202 corresponding to at least one K8S cluster 203 based on input for (e.g., an administrator).
Based on the K8S system shown in fig. 2, the embodiment of the present application provides a method for configuring WAF rules in the K8S system.
Fig. 3 is a flowchart of a first embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application. As shown in fig. 3, the configuration method includes steps S310 to S330.
In step S310, a first input is acquired.
Here, the first input is for indicating a first service type of the first service. In other words, the first input may be an input for the first service.
In some embodiments, at least one K8S cluster may be provided with one or more services. The one or more services may belong to one or more service types. In other words, at least one K8S cluster may provide at least one type of service. The one or more services may include a first service. The service type of the first service may be one of the one or more service types. The first service may then be any service provided by the at least one K8S cluster.
In some embodiments, the first input may be obtained through a UI interface. Specifically, to configure WAF rules for an entry component of at least one K8S cluster, a first input of a user may be received in a UI interface.
In some embodiments, the first input may include indication information of the first service type. In an example, a user may select a first service type of a first service in a list of services of a UI interface. In some cases, the service list may include one or more service types for which WAF rules have been configured. In some cases, the service list may include one or more preset service types. In an example, the user may manually enter the service type of the first service in a text box of the UI interface. At this time, the service type manually input by the user may be matched with the service type in the service list. If the matching is successful, determining that the matched service type is the first service type of the first service. In this way, the first input obtained through the UI interface may include the indication information of the first service type.
In some embodiments, the service types include, but are not limited to, video services, browsing services, computing services, software services, hypertext preprocessor (Hypertext Preprocessor, PHP) services.
In some embodiments, the first input may further comprise at least one of: indication information of the first service, indication information of at least one K8S cluster, indication information of the portal component. The indication information of the first service may be used to indicate the first service. The indication information of the at least one K8S cluster may be used to indicate the at least one K8S cluster providing the first service. The indication information of the portal component may be used to indicate the portal component corresponding to the at least one K8S cluster.
In step S320, a first template corresponding to a first service type is acquired.
Here, the first template includes at least one WAF rule.
The first template is a WAF rule template for a first service type. The first template includes one or more WAF rules. The WAF rules in the first template are applicable to services of the first service type. Because the first service belongs to the first service type, the first template is applicable to the first service.
In some embodiments, step S320 may be implemented as: the first template is obtained from a template storage module. In this case, the first template may be stored in the template storage module. The template storage module may be implemented by a memory. According to the indication information of the first service type in the first input, a first template corresponding to the first service type can be obtained from a template storage module. It is understood that at least one template may be stored in the template storage module. Each template stored in the template storage module corresponds to a different service type.
In some embodiments, step S320 may be implemented as: the first template is obtained according to WAF rules for a second service having a first service type. In this case, according to the indication information of the first service type in the first input, the second service which has been configured and has the first service type can be found. Thereafter, the first template may be obtained according to WAF rules of the second service.
In an example, the first service type may be a PHP service. In this case, the first template for the PHP service may include, for example, the following WAF rules:
(1) Frequency limitation rule: the frequency restriction rule is used to restrict the frequency of requests for a first service by a source internet protocol (Internet protocol, IP) address. For example, the frequency limitation rule may take the value of: 1 per second, i.e. one source IP address is allowed to initiate a request to the first service every second.
(2) SQL injection rules: structured query language (Structured Query Language, SQL) injection rules are used to indicate whether to turn on SQL injection recognition. For example, the SQL injection rule may be true (true), which indicates that SQL injection recognition is turned on; the SQL injection rule may be false in value, indicating that SQL injection recognition is turned off. For example, the value of the SQL injection rule can be "1", which means that SQL injection recognition is started; the SQL injection rule may take a value of "0", which indicates that SQL injection recognition is turned off.
(3) ShellSlock rule: the ShellSlock rule is used to indicate whether ShellSlock identification is on. For example, if the value of the ShellSlock rule is true, it indicates that ShellSlock identification is turned on; the value of the ShellSlock rule may be false, indicating that ShellShellSlock identification is turned off. For example, the value of the ShellSlock rule may be "1", which indicates that ShellSlock identification is turned on; the value of the ShellSlock rule may be "0", which indicates that ShellSlock identification is turned off.
(4) PHP vulnerability identification rules: the PHP vulnerability identification rule is used for indicating whether PHP vulnerability identification is started. For example, if the value of the PHP vulnerability identification rule may be true, it indicates that PHP vulnerability identification is turned on; the PHP vulnerability recognition rule may be false, which indicates that PHP vulnerability recognition is turned off. For example, the PHP vulnerability identification rule may have a value of "1", which indicates that PHP vulnerability identification is turned on; the PHP vulnerability identification rule may have a value of "0", which indicates that PHP vulnerability identification is turned off.
It should be noted that WAF rules in different templates related to different service types may be identical, partially identical, or completely different, which is not specifically limited in the embodiments of the present application.
In step S330, the ingress component is configured according to at least one WAF rule.
Specifically, the WAF in the portal component is configured according to the WAF rules in the first template.
In some embodiments, the WAF rules in the first template need to be transformed to fit into the portal component. In this case, step S330 may be implemented by the following two steps.
In a first step, at least one WAF rule is converted into annotation information for the entry component.
Here, WAF rules in the first template may be converted to annotation information applicable to the portal component. The annotation information may be used to configure the portal component.
In some embodiments, the entry component may be Ingress, and the WAF rules are converted to notes (notes).
In a second step, annotation information is configured to the entry component.
Here, annotation information derived based on WAF rules may be sent to the portal component to enable configuration of the portal component.
Through the above steps S310 to S330, the portal component may be configured with a first template for a first service of a first service type.
Fig. 4 is a flowchart of a second embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application. As shown in fig. 4, the configuration method may include step S410 and step S420.
In step S410, a second input is acquired.
Here, the second data is used to indicate a modification to the first template.
In some embodiments, the second input may be obtained through a UI interface. Specifically, a second input of the user may be received in the UI interface.
In some embodiments, the second input may include indication information of the first service type. In an example, a user may select a first service type of a first service in a list of services of a UI interface. In some cases, the service list may include one or more service types for which WAF rules have been configured. In some cases, the service list may include one or more preset service types. In an example, the user may manually enter the service type of the first service in a text box of the UI interface. At this time, the service type manually input by the user may be matched with the service type in the service list. If the matching is successful, determining that the matched service type is the first service type of the first service. In this way, the first input obtained through the UI interface may include the indication information of the first service type.
In some embodiments, the second data may include modification information. The modification information is used to indicate a modification operation to the first template. The modification information may include at least one of: operation object, operation type, operation value.
The operation object is a WAF rule for which the operation is modified. In one example, the operand may be a WAF rule that is already in the first template. In an example, the operand may be a WAF rule not present in the first template.
The operation type is a type of modification operation performed on the first template. In some embodiments, the modifying operation performed on the first model may include at least one of: adding WAF rules, deleting WAF rules, and modifying WAF rules. In an example, for a WAF rule that is already in the first template, the operation type of the modifying operation may be deleting the WAF rule or modifying the WAF rule. In an example, for WAF rules not in the first template, the operation type of the modify operation may be to add a WAF rule.
The operation value is a value of an operation object subjected to the modification operation. The operation value may be, for example: 1 time/second, 1, 0, true, false. Of course, the operation value may be other values, which are not particularly limited in the embodiment of the present application.
In step S420, a modification operation is performed on the first template according to the second input.
Here, after the second input is obtained, the first template may be modified according to the second input.
In some embodiments, WAF rules may be added in the first template. In an example, the value of the added WAF rule may be the operational value in the second input. In an example, the second input may not include an operation value therein. At this time, the value of the added WAF rule may be a default value.
In some embodiments, the WAF rules in the first template may be modified. In one example, the value of the WAF rule may be modified to the operational value in the second input. In an example, the second input may not include an operation value therein. At this time, the value of the WAF rule may be modified to a default value.
In some embodiments, WAF rules in the first template may be deleted. In one example, the WAF rule indicated by the second input may be deleted from the first template. It will be appreciated that in some cases all WAF rules in the first template may be deleted based on the second input. This corresponds to deleting the first template.
Through the above steps S410 and S420, the first template may be modified for the first service of the first service type.
In some embodiments, steps S410 and S420 may be performed during the execution of steps S310 to S330. For example, after steps S310 and S320 are performed to acquire the first template, steps S410 and S420 may be performed to modify the first template. Thereafter, step S330 may be performed to configure the portal component using the modified first template.
In some embodiments, steps S410 and S420 may be performed independently of steps S310 to S330. In this case, by performing steps S410 and S420, only the first template may be modified.
Fig. 5 is a flowchart of a third embodiment of a method for configuring WAF rules in a K8S system according to an embodiment of the present application. As shown in fig. 5, the configuration method may include steps S510 to S530.
In step S510, a third input is acquired.
Here, the third input is used to indicate that the first template is generated.
In some embodiments, the third input may be obtained through a UI interface. Specifically, a third input of the user may be received in the UI interface.
In some embodiments, the third input may include indication information of the first service type. In an example, a user may select a first service type in a service list of a UI interface. In an example, the user may manually enter the first service type in a text box of the UI interface, and the third input obtained through the UI interface may include information indicative of the first service type.
In some embodiments, the third input may include at least one WAF rule. The at least one WAF rule is associated with a first service type and may be used to compose a first template.
In step S520, at least one WAF rule is determined based on the third input.
Here, at least one WAF rule in the third input may be obtained.
In step S530, a first template is generated based on at least one rule.
Here, at least one rule may be encapsulated in a predetermined format to obtain the first template.
Through the above steps S510 to S530, a first template may be generated for a first service type.
In some embodiments, steps S510 to S530 may be performed prior to steps S310 to S330. In this case, by performing steps S510 to S530, a first template can be obtained; thereafter, by performing steps S310 to S330, the portal component of the first service may be configured using the first template.
In the embodiment of the application, respective templates may be set for different service types, and the template corresponding to each service type includes a WAF rule for the service type. In this way, when a K8S cluster for providing a service is deployed in the K8S system, a WAF rule can be configured for an entry component to the K8S cluster directly using a template corresponding to a service type of the service. Therefore, for the K8S cluster of the existing service type, the autonomous configuration of the WAF rule of the entry component can be realized based on the template, the configuration flow is simplified, the unified configuration of the service of the same service type is realized, and then the efficient configuration of the WAF rule is realized.
Based on the same inventive concept, the embodiment of the application provides a configuration device of WAF rules in a K8S system. Fig. 6 is a schematic structural diagram of a WAF rule configuration device in a K8S system according to an embodiment of the present application. As shown in fig. 6, the configuration apparatus 600 includes an acquisition module 610, a template management module 620, and a rule management module 630. The acquisition module 610 is configured to acquire a first input for a first service of the at least one service. The first service is any service provided by at least one K8S cluster. The first input is for indicating a first service type of the at least one service type corresponding to the first service. The template management module 620 is configured to obtain a first template corresponding to a first service type. The first template includes at least one WAF rule. The rule management module 630 is configured to configure the ingress component according to at least one WAF rule.
In some possible implementations, the rule management module 630 may be configured to: converting the at least one WAF rule into annotation information for the entry component; the annotation information is configured to the portal component.
In some possible implementations, the acquisition module 610 may be configured to: a second input is obtained. The second input is used to indicate a modification to the first template. The template management module 620 may be configured to: according to the second input, at least one of the following operations is performed on the first template: adding WAF rules; deleting WAF rules; the WAF rules are modified.
In some possible implementations, the acquisition module 610 may be configured to: a third input is obtained. The third input includes at least one WAF rule corresponding to the first service type. The template management module 620 may be configured to generate a first template corresponding to the first service type based on the at least one WAF rule.
It should be noted that, the configuration device of the WAF rule in the K8S system shown in fig. 6 may be implemented by the rule configuration component in fig. 2. Each of the acquisition module 610, the template management module 620, and the rule management module 630 may be part of a rule configuration component. In some embodiments, the rule configuration component may be deployed within a container group or container of the K8S cluster, and each of the acquisition module 610, the template management module 620, and the rule management module 630 may be deployed within one or more containers. Of course, the rule configuration component may also be implemented independently of the K8S cluster, which is not specifically limited in the embodiments of the present application.
In order to enhance understanding of the technical solutions in the embodiments of the present application, a flow of configuring WAF rules for a K8S system is exemplarily described below with reference to a specific embodiment. Fig. 7 is a schematic diagram of a specific implementation of configuring WAF rules for a K8S system according to an embodiment of the present application. In fig. 7, the acquisition module may be a UI interface and the portal component may be Ingress. The Ingress may provide traffic management for multiple K8S clusters.
The UI interface may serve as an interface between the administrator and the K8S system. In other words, the UI interface may be used to obtain an administrator's input (e.g., first input, second input, third input). On the one hand, through the UI interface, an administrator can perform operations such as adding, modifying and deleting on the WAF template. On the other hand, through the UI interface, an administrator can configure a template for the service, and the WAF rule in the template is converted into an annotation of Ingress; thereafter, the rule management module is notified to configure notes to the Ingress.
The template management module may be used to manage the templates of the WAF. In some embodiments, the template management module may manage the template as follows: obtaining templates, adding templates, deleting templates, modifying templates (including adding WAF rules, deleting WAF rules, modifying WAF rules), and saving templates.
The template storage module may be used to store templates. In some embodiments, the template storage module may be implemented by a database. The template management module can store the template in the template storage module through interaction with the template storage module, and can acquire the template from the template storage module.
The rule management module may be configured to manage WAF rules of Ingress. In some embodiments, the rule management module may perform operations such as adding, modifying, deleting, etc. to WAF rules of Ingress. Each WAF rule may have a name and/or an identification. In an example, the name may be a string used to understand WAF rules. In one example, the identification may be used to identify WAF rules. In an example, the name and/or identification of the WAF rule may be unique. That is, different WAF rules may have different names and/or identifications. It will be appreciated that different WAF rules may refer to different rules, or may refer to different values of the same rule.
In some embodiments, the available WAF rules may include at least:
(1) Number limitation rule: the number limiting rule is used to limit the number of accesses over a period of time based on the source IP address. Specifically, if the number of accesses from a source IP address reaches a maximum value specified by a number limiting rule over a period of time, subsequent accesses from the source IP address are denied. In one example, the "period of time" may be 1 second, 1 minute, 1 hour, 1 day, etc.
(2) Frequency limitation rule: the frequency limitation rule is used to limit the access frequency according to the source IP address. Specifically, if the number of accesses from the source IP address reaches the maximum value specified by the frequency limit rule in one cycle, the subsequent access from the source IP address is denied until the next cycle starts to reopen the access. In an example, a "period" may be 1 second, 1 minute, 1 hour, 1 day, etc.
(3) SQL injection rules: the SQL injection rule is used to indicate whether to turn on SQL injection recognition. In the case of opening SQL injection recognition, if the URL (Uniform Resource Locator) is determined to be SQL injection, then access is denied. In an example, the SQL injection rule can be a configuration provided by ModSecurity for SQL injection.
(4) ShellSlock rule: the ShellSlock rule is used to indicate whether SQL injection recognition is to be turned on. In the case of opening the SQL injection recognition, if the URL requested by the access is judged as SQL injection, the access is denied. In an example, the ShellSlock rule may be a configuration provided by ModSecurity for ShellSlock.
(5) RFI/REC rules: the RFI/REC rules are used to indicate whether SQL injection recognition is turned on. In the case of opening the SQL injection recognition, if the URL requested by the access is judged as SQL injection, the access is denied. In an example, the ShellSlock rule may be a configuration provided by ModSecurity for RFI/REC.
(6) PHP vulnerability identification rules: the PHP vulnerability identification rule is used for indicating whether PHP vulnerability identification is started.
(7) Other rules: other rules include, for example, other configurations provided by ModSecurity.
The Ingress may include an Ingress component and an Ingress controller component. The access component is used to define forwarding rules for access requests to services. An input controller (input-controller) component user realizes forwarding processing according to forwarding rules in the input component. One entry may be deployed for each K8S cluster in a deployment (deployment) manner of K8S. In this way, each Ingress deployed may get a VIP (virtual IP) address.
In some embodiments, one specific implementation of the Ingress controller component may be an Ingress Nginx controller. The Ingress ng ix controller may act as a reverse proxy to direct external traffic into the K8S cluster, thereby enabling exposing the services of the K8S cluster to the outside (e.g., internet users). In this way, services within the K8S cluster may be directly accessed through the network. The Ingress Nginx controller may send a user's request to a service resource of a specified service based on a DNS name or URL.
In some embodiments, the entry may identify annotations configured in the entry, thereby enabling identification of WAF rules, modification of the Nginx configuration, and the like. Thereafter, the Ingress may send an annotation to the Ingress Nginx controller to enable configuration of the WAF.
In some embodiments, the specific operation of the Ingress controller is as follows:
(1) The Ingress controller may dynamically obtain changes in Ingress rules (i.e., annotations of Ingress) in the K8S cluster by interacting with the API of the K8S cluster. Then, the Ingress controller may forward the request from the user to the corresponding service in the K8S cluster according to the Ingress rule.
(2) The Ingress rule defines the correspondence between domain names and services in the K8S cluster. Thus, according to the Nginx configuration template in the Ingress controller, the Nginx configuration corresponding to the Ingress rule is generated.
(3) The Ingress controller may dynamically write the generated nginnx configuration into a container group corresponding to the Ingress controller. The set of containers has an Ngnix service running therein. The Ingress controller may write the nginix configuration into the configuration file of Ngnix in the container group. After the Ngnix reloads, the Ngnix configuration may take effect.
In this way, the Ingress controller can implement a service resource that sends a user's request to a specified service based on a DNS name or URL. Further, dynamic request distribution and domain name resolution are achieved.
The user may access services in the K8S cluster through the domain name. Specifically, the domain name may be resolved to VIP of the Ingress controller, and then the user' S request is forwarded to the corresponding application in the K8S cluster through the Ingress controller.
The plurality of K8S clusters are cluster 1, cluster 2, … …, and cluster N, respectively. Here, N is a positive integer. Each cluster may have an Ingress Nginx controller deployed thereon. In one example, at least one service may be deployed on one K8S cluster. In one example, multiple K8S clusters may deploy the same service.
In some embodiments, the first input may be obtained through a UI interface. According to the first input, the template management module may obtain a first template corresponding to the first service type from the template storage module. The rule management module may configure the Ingress according to at least one WAF rule in the first template.
In some embodiments, the second input may be obtained through a UI interface. Based on the second input, the template management module may retrieve the first template from the template storage module and modify the first template. In some cases, the rule management module may configure the Ingress according to at least one WAF rule in the modified first template. In some cases, the template management module may save the modified first template to the template storage module. It will be appreciated that the modified first template may be independent of the first template prior to modification. At this time, the modified first template may be referred to as a second template. In some cases, the modified first template may replace the first template before modification. At this point, the modified first template may be regarded as a new first template.
In some embodiments, the third input may be obtained through a UI interface. Based on the third input, the template management module may determine at least one WAF rule and generate a first template based on the at least one WAF rule.
Based on the same inventive concept, the embodiment of the application provides an electronic device. Fig. 8 is a block diagram of an electronic device in an embodiment of the present application. As shown in fig. 8, the electronic device 800 includes a memory 801 and a processor 802. The memory 801 is used to store executable instructions. The processor 802 is configured to implement the method for configuring WAF rules in the K8S system according to the embodiment of the present application when executing the executable instructions stored in the memory.
Based on the same inventive concept, embodiments of the present application provide a computer program product or a computer program. The computer program product or computer program includes computer instructions. The computer instructions are stored in a computer storage medium. The processor of the computer device reads the computer instructions from the computer storage medium, and the processor executes the computer instructions, so that the computer device executes the method for configuring the WAF rule in the K8S system in the embodiment of the application.
Based on the same inventive concept, the embodiments of the present application provide a storage medium storing executable instructions. The storage medium has stored therein executable instructions. The executable instructions, when executed by the processor, cause the processor to perform the method of configuring WAF rules in the K8S system of embodiments of the present application.
In some embodiments, the computer storage medium may be a non-volatile computer storage medium, such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; but may be a variety of devices including one or any combination of the above memories.
In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.
As an example, the executable instructions may, but need not, correspond to files in a file system, may be stored as part of a file that holds other programs or data, for example, in one or more scripts in a hypertext markup language (HTML, hyper Text Markup Language) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
As an example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices located at one site or, alternatively, distributed across multiple sites and interconnected by a communication network.
It should be noted that, in the embodiment of the present application, the terms "service" and "service" are not distinguished, and may be replaced with each other.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. that are within the spirit and scope of the present application are intended to be included within the scope of the present application.
Claims (10)
1. A configuration method of a global wide area network application firewall, WAF, rule in a K8S system, wherein the K8S system comprises an ingress component and at least one K8S cluster, the ingress component is used for traffic management of the at least one K8S cluster, and the at least one K8S cluster is used for providing at least one type of service;
characterized in that the method comprises:
acquiring a first input aiming at a first service, wherein the first service is any service provided by the at least one K8S cluster, and the first input is used for indicating a first service type corresponding to the first service;
acquiring a first template corresponding to the first service type, wherein the first template comprises at least one WAF rule;
the entry component is configured according to the at least one WAF rule.
2. The method of claim 1, wherein configuring the entry component according to the at least one WAF rule comprises:
converting the at least one WAF rule into annotation information for the entry component;
the annotation information is configured to the portal component.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
Obtaining a second input, wherein the second input is used for indicating modification of the first template;
performing at least one of the following operations on the first template according to the second input: adding WAF rules, deleting WAF rules, and modifying WAF rules.
4. The method according to claim 1 or 2, characterized in that the method further comprises:
obtaining a third input, wherein the third input comprises at least one WAF rule corresponding to the first service type;
a first template corresponding to the first service type is generated based on the at least one WAF rule.
5. A configuration device for applying firewall WAF rules in a global wide area network in a K8S system, wherein the K8S system comprises an ingress component and at least one K8S cluster, the ingress component is used for traffic management of the at least one K8S cluster, and the at least one K8S cluster is used for providing at least one type of service;
characterized in that the device comprises:
the system comprises an acquisition module, a first service selection module and a second service selection module, wherein the acquisition module is used for acquiring a first input aiming at a first service, the first service is any service provided by the at least one K8S cluster, and the first input is used for indicating a first service type corresponding to the first service;
The template management module is used for acquiring a first template corresponding to the first service type, wherein the first template comprises at least one WAF rule;
and the rule management module is used for configuring the entry component according to the at least one WAF rule.
6. The apparatus of claim 5, wherein the rule management module is to:
converting the at least one WAF rule into annotation information for the entry component;
the annotation information is configured to the portal component.
7. The apparatus of claim 5 or 6, wherein the obtaining module is further configured to obtain a second input, wherein the second input is configured to indicate a modification to the first template;
wherein the template management module is further configured to perform at least one of the following operations on the first template according to the second input: adding WAF rules, deleting WAF rules, and modifying WAF rules.
8. The apparatus of claim 5 or 6, wherein the obtaining module is further configured to obtain a third input, wherein the third input includes at least one WAF rule corresponding to the first service type;
Wherein, the template management module is further used for: a first template corresponding to the first service type is generated based on the at least one WAF rule.
9. An electronic device, the electronic device comprising:
a processor;
a memory for storing executable instructions;
wherein the processor, when executing the executable instructions stored in the memory, implements the method of any one of claims 1 to 4.
10. A storage medium having stored thereon executable instructions which when executed by a processor implement the method of any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311771175.8A CN117834222A (en) | 2023-12-21 | 2023-12-21 | WAF rule configuration method and device in K8S system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311771175.8A CN117834222A (en) | 2023-12-21 | 2023-12-21 | WAF rule configuration method and device in K8S system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117834222A true CN117834222A (en) | 2024-04-05 |
Family
ID=90512873
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311771175.8A Pending CN117834222A (en) | 2023-12-21 | 2023-12-21 | WAF rule configuration method and device in K8S system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117834222A (en) |
-
2023
- 2023-12-21 CN CN202311771175.8A patent/CN117834222A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9621592B2 (en) | System and method for software defined deployment of security appliances using policy templates | |
| CN102185900B (en) | Application service platform system and method for developing application services | |
| US9916137B2 (en) | Rest service source code generation | |
| EP3502896A1 (en) | Generation of an adapters configuration user interface | |
| US20080235506A1 (en) | Method, system, and product for identifying provisioning operations via planning methods | |
| US20060265469A1 (en) | XML based scripting framework, and methods of providing automated interactions with remote systems | |
| CN111371679A (en) | Method for realizing API gateway based on kubernets and Kong | |
| Da Silva et al. | Internet of things out of the box: using TOSCA for automating the deployment of IoT environments | |
| US20120110545A1 (en) | Abstracting transformation for model driven architecture | |
| CN113301116A (en) | Cross-network communication method, device, system and equipment for microservice application | |
| CN113885849B (en) | Application development method and device based on industrial internet platform and terminal equipment | |
| Saatkamp et al. | An approach to automatically detect problems in restructured deployment models based on formalizing architecture and design patterns | |
| US11552868B1 (en) | Collect and forward | |
| CN117032668A (en) | Processing method, device, system and platform of visual rule engine | |
| Russell et al. | The vine toolkit: A java framework for developing grid applications | |
| CN113568758B (en) | GPU resource pooling method, system, device and computer readable storage medium | |
| US11018938B1 (en) | Auditing metadata representation of a cloud-computing platform based datacenter | |
| Saatkamp et al. | An Approach to Determine & Apply Solutions to Solve Detected Problems in Restructured Deployment Models using First-order Logic. | |
| JP5209058B2 (en) | Methods for creating software components | |
| CN116566656A (en) | Resource access method, device, equipment and computer storage medium | |
| CN117834222A (en) | WAF rule configuration method and device in K8S system | |
| Ma et al. | Model-based management of service composition | |
| Bossardt et al. | Chameleon: Realizing automatic service composition for extensible active routers | |
| Keller et al. | Desktop grids opening up to unicore | |
| van Gurp et al. | Service grid variability realization |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |