CN118114214B - Method, device and computer equipment for Pod executing privileged user command in Kubernetes - Google Patents

Info

Publication number
CN118114214B
Authority
CN
China
Prior art keywords
container
node
privileged
container group
command
Legal status
Active
Application number
CN202410533954.2A
Other languages
Chinese (zh)
Other versions
CN118114214A (en)
Inventor
孙硕超
吴瀚
朱温成
曾文锐
杨成锴
Current Assignee
Hangzhou Lingwu Technology Co ltd
Original Assignee
Hangzhou Lingwu Technology Co ltd
Application filed by Hangzhou Lingwu Technology Co ltd
Priority to CN202410533954.2A
Publication of CN118114214A
Application granted
Publication of CN118114214B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Abstract

The invention discloses a method, device and computer equipment for executing a privileged-user command in a Kubernetes Pod. The method comprises: determining the node on which the target Pod is running; scheduling a privileged Pod onto that node by means of a nodeSelector; running, inside the privileged Pod, a command that enters the node's namespaces; obtaining the target Pod's information from within the node namespaces; and executing the command as the privileged user, from within the node namespaces, with the command line tool of the container runtime. The method of the embodiments solves the problem that a Pod currently offers no way to switch to the privileged user identity when executing a command.

Description

Method, device and computer equipment for Pod executing privileged user command in Kubernetes
Technical Field
The invention relates to the field of privileged command execution, and in particular to a method, device and computer equipment for executing a privileged-user command in a Kubernetes Pod.
Background
Kubernetes is an open-source container orchestration engine that supports the automated deployment and management of large-scale, scalable containerized applications. As the de facto standard of the cloud-native world it provides powerful orchestration and scheduling functions. In Kubernetes the Pod (container group) is the smallest schedulable unit and may contain several application containers.
Containers in a Pod are created from images. Once a container has started from its image, commands usually need to be run inside it to further configure the application environment. The exec function of the kubectl tool shipped with Kubernetes is limited here: the command runs only as the default user of the container (the USER of the image, or runAsUser in the securityContext), and there is no option to switch to the superuser for operations that require privileged rights; minimal images typically carry no sudo or su either. So when a highest-privilege operation is required inside a container, kubectl exec may not meet the requirement and the user has to carry out the privileged operation by other means or tools. Here kubectl is the command line tool provided by Kubernetes that talks to the control plane through the Kubernetes API; it is referred to below simply as the command line tool.
A new method is therefore needed to overcome the limitation that a Pod does not support switching to the privileged user identity to execute a command.
Disclosure of Invention
It is an object of the present invention to overcome the deficiencies of the prior art and to provide a method, apparatus and computer device for executing privileged-user commands in a Kubernetes Pod.
To that end the invention adopts the following technical scheme. A method for executing a privileged-user command in a Kubernetes Pod comprises:
determining the node on which the target Pod is located;
scheduling a privileged Pod onto that node by means of the nodeSelector attribute;
running, inside the privileged Pod, a command that enters the node's namespaces;
obtaining the target Pod's information from within the node namespaces;
executing the command as the privileged user, from within the node namespaces, with the command line tool of the container runtime;
wherein the privileged Pod is created on the node through the Kubernetes API server, and during creation its nodeSelector is set to a label of the node on which the target Pod is located.
In a further aspect, scheduling the privileged Pod onto the node by means of the nodeSelector comprises: the scheduler reads the nodeSelector and, in accordance with it, places the privileged Pod on the node where the target Pod is located.
In a further aspect, the target Pod information comprises the Pod name and the container runtime in use.
In a further aspect, obtaining the target Pod information within the node namespaces comprises: obtaining the target Pod information through the Kubernetes API server.
In a further aspect, executing the command as the privileged user with the container runtime's command line tool within the node namespaces comprises: selecting, within the node namespaces, the container command line tool that matches the runtime recorded in the target Pod information, and executing the command with the highest privilege.
In a further aspect, the method further comprises, after the command has been executed as the privileged user within the node namespaces: deleting the privileged Pod once execution of the privileged-user command has finished.
In a further aspect, deleting the privileged Pod once execution has finished comprises: deleting the privileged Pod through the Kubernetes API server.
The invention also provides an apparatus for executing privileged-user commands in a Kubernetes Pod, comprising:
a node acquisition unit for determining the node on which the target Pod is located;
a scheduling unit for scheduling the privileged Pod onto that node by means of the nodeSelector attribute;
a namespace entry unit for running, inside the privileged Pod, the command that enters the node namespaces;
an information acquisition unit for obtaining the target Pod information within the node namespaces;
an execution unit for executing the command as the privileged user, within the node namespaces, with the command line tool of the container runtime;
wherein the privileged Pod is created on the node through the Kubernetes API server, and during creation its nodeSelector is set to a label of the node on which the target Pod is located.
The invention also provides a computer device comprising a memory and a processor, the memory storing a computer program and the processor implementing the above method when executing it.
Compared with the prior art, the invention has the following beneficial effect: by scheduling a privileged Pod onto the target's node with a nodeSelector, entering the node namespaces from that Pod, obtaining the target Pod information there, and running the command as the privileged user with the container runtime's command line tool, it solves the problem that a Pod does not support switching to the privileged user identity to execute a command.
The invention is further described below with reference to the drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for Pod executing a privileged user command in Kubernetes according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for Pod executing privileged user commands in Kubernetes according to another embodiment of the invention;
FIG. 3 is a schematic block diagram of a device for Pod executing privileged user commands in Kubernetes provided by an embodiment of the invention;
FIG. 4 is a schematic block diagram of a device for Pod execution of privileged user commands in Kubernetes provided by another embodiment of the invention;
FIG. 5 is a schematic block diagram of a computer device provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of the Kubernetes resources according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to FIG. 1, FIG. 1 is a schematic flow chart of a method for executing a privileged-user command in a Kubernetes Pod according to an embodiment of the invention. The method runs on a server. Referring to FIG. 6, FIG. 6 is a schematic structural diagram of the Kubernetes resources according to an embodiment: the caller obtains the target Pod's information through the Kubernetes API server; creates a privileged Pod on the node, ensuring that the node's namespaces can be accessed; the privileged Pod enters the node namespaces, selects the matching container command line tool and executes the command with the highest privilege; after the command has run, the caller deletes the privileged Pod through the Kubernetes API server and releases its resources. The command is thus executed as the privileged user in any Pod, which overcomes the inability of the kubectl tool shipped with Kubernetes to switch user identity; the operator does not need to repackage the container image's execution rights, and the operator's burden is reduced.
FIG. 1 is a flow chart of the method according to an embodiment of the present invention. As shown in FIG. 1, the method comprises steps S110 to S150.
S110, determining the node on which the target Pod is located.
In this embodiment the target Pod is the Pod resource in which a command must be executed with privileged-user rights.
The caller queries the target Pod's details through the Kubernetes API server. The details include the Pod's name and namespace; the Pod's current scheduling state, including the node it runs on, is part of the same object, and the node's name (spec.nodeName) or identifier is read from it. The node information must be accurate and match the cluster's actual state, because it is used next to create the privileged Pod and to perform the related operations, and it is what guarantees that the privileged Pod is scheduled onto the target node.
S120, scheduling the privileged Pod onto that node by means of the nodeSelector attribute.
In this embodiment the privileged Pod is a Pod resource in which privileged, hostPID, hostNetwork and hostIPC are all set to true in Kubernetes: privileged (securityContext.privileged) gives the container all Linux capabilities and access to host devices; hostPID shares the host's process namespace, which is what makes the host's PID 1 visible to nsenter below; hostNetwork shares the host's network namespace; hostIPC shares the host's IPC namespace.
The customized privileged Pod is placed on the node hosting the target Pod by the nodeSelector attribute. The nodeSelector is part of the Pod's specification (spec.nodeSelector); the scheduler reads it and schedules the Pod onto a node whose labels match.
The privileged Pod is created by the caller through the Kubernetes API server. Its nodeSelector is set to a label of the node on which the target Pod is located (for example kubernetes.io/hostname=<node name>), which guarantees that the privileged Pod lands on the same node; if the node carries taints, a matching toleration is needed as well. At the same time privileged, hostPID, hostNetwork and hostIPC are all set to true so that the node's namespaces can be accessed. Note that a Pod with these settings is node-level root: creating it requires RBAC permission to create Pods in the chosen namespace, and Pod Security Admission rejects it at the baseline and restricted levels, so the namespace used for the privileged Pod must be labelled for the privileged level.
S130, running, inside the privileged Pod, a command that enters the node namespaces.
In this embodiment the node namespaces are the Linux namespaces of the node on which the target Pod runs; namespaces are the Linux kernel mechanism for resource isolation, and every container lives in its own set of them.
The command that enters the node namespaces is the nsenter namespace-switch command of the Linux system, which takes the process ID of a target process and runs a command inside that process's namespaces.
Running this command inside the privileged Pod enters the Linux namespaces of the node hosting the target Pod, i.e. the node namespaces.
Specifically, the command nsenter -t 1 -m -u -n -i -- <command> is run inside the privileged Pod. The target -t 1 is the host's init process, visible only because hostPID is true; -m, -u, -n and -i join its mount, UTS, network and IPC namespaces, which makes the host's file system (and with it the runtime's docker or nerdctl binaries) and the host's network available. No -p is needed because hostPID already shares the host PID namespace, and no user namespace is entered because a privileged container already runs as UID 0 of the initial user namespace. Without a trailing command nsenter starts a shell.
S140, obtaining the target Pod information within the node namespaces.
In this embodiment the target Pod information comprises the node, the Pod name and the container runtime in use. The container runtime here is a container engine implementing the Container Runtime Interface (CRI) specification, such as Docker (through cri-dockerd) or containerd.
Specifically, the caller obtains the target Pod information through the Kubernetes API server. In the Pod object, status.containerStatuses[].containerID has the form <runtime>://<id> (for example containerd://4f1c...), so both the runtime and the container's ID can be read from it; the node's runtime is also reported in its status.nodeInfo.containerRuntimeVersion.
From inside the node namespaces, the remaining information about the target Pod is gathered with the command line tool of that runtime, typically the host process ID of the target container (docker inspect or nerdctl inspect), so that the container can be addressed by the runtime.
S150, executing the command as the privileged user, within the node namespaces, with the command line tool of the container runtime.
In this embodiment the container command line tool matching the runtime recorded in the target Pod information is selected within the node namespaces, and the command is executed with the highest privilege.
The privileged user is the highest-privilege user of a Linux system, the one with user ID 0.
Specifically, the privileged Pod selects the container command line tool according to the node's runtime. For Docker the command is docker exec -it -u 0 <container ID> <command>; for containerd it is nerdctl exec --namespace=k8s.io -it -u 0 <container ID> <command> (k8s.io is the containerd namespace in which the kubelet creates its containers). These commands are issued from within the node namespaces and run the required command as UID 0 inside the target container, regardless of the image's USER or the Pod's runAsUser setting. Use -i without -t when no terminal is attached.
The method of this embodiment implements the flow for running privileged commands in a Kubernetes cluster. Its safety and controllability depend entirely on who may create the privileged Pod: the caller's RBAC permissions, the Pod Security Admission level of the namespace used, and audit logging of the Pod creation are the controls that keep this node-level root access confined to intended callers.
For example: assume a Pod named target-pod is running on a node and a privileged-user command must be executed in it.
First, the caller obtains the information of target-pod, including its node and the container runtime in use, through the Kubernetes API server.
From this information the caller creates a privileged Pod whose nodeSelector is set to a label of the node hosting target-pod, which guarantees that the privileged Pod is scheduled onto the same node.
The privileged Pod enters the node namespaces and uses the command line tool of the container runtime (docker or nerdctl) to execute the command as the privileged user.
After the privileged-user command has finished, the caller deletes the privileged Pod through the Kubernetes API server to release its resources.
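The full procedure of steps S110 to S150, as an added Python example that is not part of the patent or of any project it describes: it reads the node, runtime and container ID from a constructed target Pod object, builds the privileged Pod manifest pinned to that node, and assembles the nsenter plus docker/nerdctl command line. The function names, the helper image busybox:1.36, the label kubernetes.io/hostname and the sample Pod JSON are assumptions; in use, the manifest would be POSTed to the API server and the argv run with kubectl exec inside the privileged Pod.

```python
"""Added example, not the patent's own code. Function names, the helper image,
the hostname label and SAMPLE_TARGET_POD are assumptions made for illustration."""
import json

HOSTNAME_LABEL = "kubernetes.io/hostname"  # set on every node by the kubelet

# Constructed sample: what GET /api/v1/namespaces/default/pods/target-pod
# returns, reduced to the fields the method needs.
SAMPLE_TARGET_POD = json.loads("""
{
  "metadata": {"name": "target-pod", "namespace": "default"},
  "spec": {"nodeName": "worker-1"},
  "status": {
    "containerStatuses": [
      {"name": "app",
       "containerID": "containerd://4f1c9e2b5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c"}
    ]
  }
}
""")


def locate_target(pod, container_name=None):
    """S110/S140: node, runtime and container ID of the target Pod.

    The runtime is read from the containerID prefix (docker:// or
    containerd://), which is what the kubelet writes into containerStatuses."""
    node = pod.get("spec", {}).get("nodeName")
    if not node:
        raise ValueError("target Pod is not scheduled yet (spec.nodeName is empty)")
    statuses = pod.get("status", {}).get("containerStatuses", [])
    if container_name is not None:
        statuses = [s for s in statuses if s["name"] == container_name]
    if not statuses or not statuses[0].get("containerID"):
        raise ValueError("target container has no containerID (not running yet)")
    runtime, _, cid = statuses[0]["containerID"].partition("://")
    if runtime not in ("docker", "containerd"):
        raise ValueError(f"unsupported container runtime: {runtime}")
    return node, runtime, cid


def make_privileged_pod(name, node, image="busybox:1.36"):
    """S120: helper Pod pinned to the target's node via nodeSelector.

    hostPID is what makes the host's PID 1 visible to nsenter; privileged plus
    hostNetwork/hostIPC give the node-level access the text describes. Such a
    Pod is rejected by Pod Security Admission at 'baseline' and 'restricted'.
    busybox is assumed here because it ships an nsenter applet."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "nodeSelector": {HOSTNAME_LABEL: node},
            "tolerations": [{"operator": "Exists"}],  # target node may be tainted
            "hostPID": True,
            "hostNetwork": True,
            "hostIPC": True,
            "restartPolicy": "Never",
            "containers": [{
                "name": "privileged",
                "image": image,
                "command": ["sleep", "86400"],
                "securityContext": {"privileged": True},
            }],
        },
    }


def exec_argv(runtime, container_id, command, tty=False):
    """S130/S150: argv to run inside the helper Pod.

    nsenter -t 1 -m -u -n -i joins the mount/UTS/net/IPC namespaces of host
    PID 1; -m is what puts the host's docker/nerdctl binaries on PATH, and -p
    is unnecessary because hostPID already shares the PID namespace. The inner
    exec runs as UID 0 regardless of the image's USER or runAsUser."""
    flags = ["-it"] if tty else ["-i"]
    if runtime == "docker":
        inner = ["docker", "exec", *flags, "-u", "0", container_id, *command]
    elif runtime == "containerd":
        # kubelet-managed containers live in the k8s.io containerd namespace
        inner = ["nerdctl", "--namespace", "k8s.io", "exec", *flags, "-u", "0",
                 container_id, *command]
    else:
        raise ValueError(f"unsupported container runtime: {runtime}")
    return ["nsenter", "-t", "1", "-m", "-u", "-n", "-i", "--", *inner]


if __name__ == "__main__":
    node, runtime, cid = locate_target(SAMPLE_TARGET_POD)
    print(json.dumps(make_privileged_pod("priv-helper", node), indent=2))
    print(" ".join(exec_argv(runtime, cid, ["id", "-u"])))
```

The block also rejects the cases the text leaves implicit: a target Pod that is not yet scheduled, a container that has no containerID, and a runtime other than docker or containerd (cri-o, for instance, is not covered by the method as described).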
The method of this embodiment executes a command as the privileged user in any Pod and so overcomes the inability of the kubectl tool shipped with Kubernetes to switch user identity; the operator does not need to repackage the container image's execution rights, and the operator's burden is reduced, mainly for the following reasons:
Scheduling the privileged Pod onto the node by means of the nodeSelector: this guarantees that the privileged Pod is placed on the node hosting the target Pod, so the privileged command can be executed on that same node, which removes the limitation that kubectl cannot switch user identity directly.
Creating the privileged Pod on the node through the Kubernetes API server: this ensures that the privileged Pod can execute commands on the node as the privileged user without repackaging the container image or changing its permission settings.
Obtaining the target Pod information within the node namespaces and executing the command as the privileged user with the container runtime's command line tool: these steps ensure that the privileged user can execute commands at the node level without being bound by the Pod's normal user rights.
Taken together, the method of this embodiment uses the features and APIs of Kubernetes and, by operating at the node level, executes commands as the privileged user in any Pod, overcoming the limitation of the kubectl tool, avoiding repackaging of the container image's permissions and reducing the operator's burden.
According to the method for executing a privileged-user command in a Kubernetes Pod, the problem that a Pod does not support switching to the privileged user identity is solved by determining the node on which the target Pod is located, scheduling the privileged Pod onto that node with a nodeSelector, running in the privileged Pod the command that enters the node namespaces, obtaining the target Pod information within the node namespaces, and executing the command as the privileged user with the container runtime's command line tool.
FIG. 2 is a flow chart of a method for executing a privileged-user command in a Kubernetes Pod according to another embodiment of the invention. As shown in FIG. 2, the method of this embodiment comprises steps S210 to S260. Steps S210 to S250 are the same as steps S110 to S150 of the embodiment above and are not repeated here. The added step S260 is described in detail below.
S260, deleting the privileged Pod once execution of the privileged-user command has finished.
Specifically, after the privileged-user command has completed, the privileged Pod is deleted through the Kubernetes API server.
The step comprises the following:
After the privileged user has executed the command, a script or program containing the logic to delete the privileged Pod through the Kubernetes API is run.
The script or program must present a Kubernetes API credential (such as a service account token) for authorization and call the Pod deletion endpoint of the Kubernetes API; the credential's RBAC role must therefore grant the delete verb on pods in the namespace concerned. The script or program can be written in a language such as Python or Go.
The API request to delete the Pod specifies the privileged Pod's name and namespace, so that only the intended privileged Pod is deleted; passing the Pod's UID as a precondition of the delete additionally guards against removing a different Pod that has since been created under the same name.
The script or program is executed and the delete request for the privileged Pod is sent to the Kubernetes API server.
When the Kubernetes API server receives the request it performs the delete operation, removes the privileged Pod and frees its resources.
Through these steps the privileged Pod is removed through the Kubernetes API server as soon as the privileged user's command has completed, so that the node-level access it grants is not left behind; the resources are cleaned up promptly after the privileged operation, preserving the safety and tidiness of the system.
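The S260 cleanup, as an added Python example that is not taken from the patent: it builds the DELETE request for the privileged Pod using the service-account token and CA certificate that Kubernetes mounts into every Pod, with the Pod's UID as a precondition so that only the helper Pod that was created is removed. The function names and the sample values are assumptions; the in-cluster file paths, the API URL and the DeleteOptions fields are Kubernetes' own.

```python
"""Added example, not the patent's own code. delete_pod_request,
delete_privileged_pod and the sample values are assumptions."""
import json
import ssl
import urllib.request

# Paths and service name that Kubernetes provides inside every Pod.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
API_BASE = "https://kubernetes.default.svc"


def delete_pod_request(namespace, name, uid, token, api_base=API_BASE):
    """Build DELETE /api/v1/namespaces/{namespace}/pods/{name}.

    preconditions.uid makes the API server answer 409 Conflict if a different
    Pod now carries the same name, so a re-created object is never deleted by
    mistake; gracePeriodSeconds 0 ends the helper's 'sleep' at once."""
    body = json.dumps({
        "apiVersion": "v1",
        "kind": "DeleteOptions",
        "preconditions": {"uid": uid},
        "gracePeriodSeconds": 0,
    }).encode()
    req = urllib.request.Request(
        f"{api_base}/api/v1/namespaces/{namespace}/pods/{name}",
        data=body, method="DELETE")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def delete_privileged_pod(namespace, name, uid):
    """Send the request from inside the cluster.

    The service account needs RBAC 'delete' on pods in `namespace`. A 409
    (UID mismatch) or 403 surfaces as urllib.error.HTTPError."""
    with open(TOKEN_PATH) as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=CA_PATH)
    req = delete_pod_request(namespace, name, uid, token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status  # 200 when the Pod was accepted for deletion
```

The UID is taken from metadata.uid of the create response, so the caller deletes exactly the object it created and nothing else.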
FIG. 3 is a schematic block diagram of an apparatus 300 for executing privileged-user commands in a Kubernetes Pod according to an embodiment of the invention. As shown in FIG. 3, the invention also provides an apparatus 300 corresponding to the method above. The apparatus 300, which may be configured in a server, comprises the units that perform the method described above. Specifically, referring to FIG. 3, the apparatus 300 comprises a node acquisition unit 301, a scheduling unit 302, a namespace entry unit 303, an information acquisition unit 304 and an execution unit 305.
The node acquisition unit 301 is configured to determine the node on which the target Pod is located; the scheduling unit 302 to schedule the privileged Pod onto that node by means of the nodeSelector attribute; the namespace entry unit 303 to run, inside the privileged Pod, the command that enters the node namespaces; the information acquisition unit 304 to obtain the target Pod information within the node namespaces; and the execution unit 305 to execute the command as the privileged user, within the node namespaces, with the command line tool of the container runtime; wherein the privileged Pod is created on the node through the Kubernetes API server, and during creation its nodeSelector is set to a label of the node on which the target Pod is located.
In an embodiment, the scheduling unit 302 is configured to have the scheduler read the nodeSelector and place the privileged Pod on the node where the target Pod is located in accordance with it.
In an embodiment, the information acquisition unit 304 is configured to obtain the target Pod information within the node namespaces through the Kubernetes API server.
In an embodiment, the execution unit 305 is configured to select, within the node namespaces, the container command line tool matching the runtime recorded in the target Pod information and to execute the command with the highest privilege.
FIG. 4 is a schematic block diagram of an apparatus 300 for executing privileged-user commands in a Kubernetes Pod according to another embodiment of the invention. As shown in FIG. 4, the apparatus 300 of this embodiment adds a cleanup unit 306 to the embodiment above.
The cleanup unit 306 is configured to delete the privileged Pod once execution of the privileged-user command has finished.
In an embodiment, the cleanup unit 306 is configured to delete the privileged Pod through the Kubernetes API server once the privileged-user command has completed.
It should be noted that, as will be clear to those skilled in the art, the specific implementation of the apparatus 300 and its units can be found in the corresponding description of the method embodiments above and is not repeated here for brevity.
The apparatus 300 for Pod execution of privileged user commands in Kubernetes described above may be implemented in the form of a computer program that may be run on a computer device as shown in fig. 5.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be a stand-alone server or may be a server cluster formed by a plurality of servers.
With reference to FIG. 5, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions that, when executed, cause the processor 502 to perform a method of Pod execution of privileged user commands in Kubernetes.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of a computer program 5032 in the non-volatile storage medium 503, which computer program 5032, when executed by the processor 502, causes the processor 502 to perform a method of Pod execution of privileged user commands in Kubernetes.
The network interface 505 is used for network communication with other devices. It will be appreciated by those skilled in the art that the architecture shown in fig. 5 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting of the computer device 500 to which the present inventive arrangements may be implemented, as a particular computer device 500 may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
The processor 502 is configured to execute the computer program 5032 stored in the memory to implement the following steps:
Acquiring the node where the target container group is located; scheduling the privileged container group container onto the corresponding node using the node selection attribute; executing, in the privileged container group container, the command that enters the node namespace; acquiring the target container group information under the node namespace; and executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime.
The privileged container group container is a container created on a node using the Kubernetes API server; during creation, the node selection attribute of the privileged container group container is set to the label of the node where the target container group is located.
The target container group information includes the container group name and the container runtime used.
In one embodiment, when implementing the step of scheduling the privileged container group container onto the corresponding node using the node selection attribute, the processor 502 specifically implements the following step:
The scheduler reads the node selection attribute and, in compliance with it, schedules the privileged container group container onto the node where the target container group is located.
In one embodiment, when implementing the step of obtaining the target container group information under the node namespace, the processor 502 specifically implements the following step:
The target container group information is obtained under the node namespace using the Kubernetes API server.
In one embodiment, when implementing the step of executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime, the processor 502 specifically implements the following step:
Selecting the corresponding container command line tool under the node namespace according to the container runtime recorded in the target container group information, and executing the command with the highest privilege.
In one embodiment, after implementing the step of executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime, the processor 502 further implements the following step:
After execution of the command under the privileged user identity has finished, the privileged container group container is cleared.
In one embodiment, when implementing the step of clearing the privileged container group container after execution of the command under the privileged user identity has finished, the processor 502 specifically implements the following step:
After execution of the command under the privileged user identity has finished, the privileged container group container is cleared using the Kubernetes API server.
It should be appreciated that in embodiments of the present application, the processor 502 may be a central processing unit (CPU); the processor 502 may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Those skilled in the art will appreciate that all or part of the flow in a method embodying the above described embodiments may be accomplished by computer programs instructing the relevant hardware. The computer program comprises program instructions, and the computer program can be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the steps of:
Acquiring the node where the target container group is located; scheduling the privileged container group container onto the corresponding node using the node selection attribute; executing, in the privileged container group container, the command that enters the node namespace; acquiring the target container group information under the node namespace; and executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime.
The privileged container group container is a container created on a node using the Kubernetes API server; during creation, the node selection attribute of the privileged container group container is set to the label of the node where the target container group is located.
The target container group information includes the container group name and the container runtime used.
In one embodiment, when the processor executes the computer program to implement the step of scheduling the privileged container group container onto the corresponding node using the node selection attribute, the processor specifically implements the following step:
The scheduler reads the node selection attribute and, in compliance with it, schedules the privileged container group container onto the node where the target container group is located.
In one embodiment, when the processor executes the computer program to implement the step of obtaining the target container group information under the node namespace, the processor specifically implements the following step:
The target container group information is obtained under the node namespace using the Kubernetes API server.
In one embodiment, when the processor executes the computer program to implement the step of executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime, the processor specifically implements the following step:
Selecting the corresponding container command line tool under the node namespace according to the container runtime recorded in the target container group information, and executing the command with the highest privilege.
In one embodiment, after the processor executes the computer program to implement the step of executing the command with a privileged user identity under the node namespace using the command line tool of the container runtime, the processor further implements the following step:
After execution of the command under the privileged user identity has finished, the privileged container group container is cleared.
In one embodiment, when the processor executes the computer program to implement the step of clearing the privileged container group container after execution of the command under the privileged user identity has finished, the processor specifically implements the following step:
After execution of the command under the privileged user identity has finished, the privileged container group container is cleared using the Kubernetes API server.
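The create, enter-node-namespace, execute, clean-up sequence set out in the processor and storage-medium embodiments above (and restated in claims 1 to 7) passes entirely through the Kubernetes API server, so it leaves a recognisable footprint in the API audit log. The following Python is an added example, not code from the patent or from the applicant's implementation: it parses constructed audit.k8s.io/v1 events, flags Pod creations that carry the properties such a privileged container group container needs (a privileged security context, hostPID, a hostPath volume, or a nodeSelector pinned to one node's kubernetes.io/hostname label), and measures how long each flagged Pod lived before being deleted through the API server. The Pod names, usernames, node name and timestamps in the sample are constructed, and the use of hostPID to reach the node namespace is an assumption the text does not spell out.

```python
"""Detect short-lived privileged node-access Pods in Kubernetes audit events.

Added example with constructed sample data; not the patent's own code.
"""
import json
from datetime import datetime, timezone

# Constructed audit.k8s.io/v1 events, trimmed to the fields used here.
# requestObject is only present at the Request/RequestResponse audit levels.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"ops-tool"},"objectRef":{"resource":"pods","namespace":"default","name":"priv-debug"},"requestReceivedTimestamp":"2024-04-30T10:00:00.000000Z","requestObject":{"spec":{"hostPID":true,"nodeSelector":{"kubernetes.io/hostname":"node-1"},"containers":[{"name":"shell","image":"busybox","command":["sleep","3600"],"securityContext":{"privileged":true}}]}}}
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"dev"},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"requestReceivedTimestamp":"2024-04-30T10:00:05.000000Z","requestObject":{"spec":{"containers":[{"name":"web","image":"nginx","securityContext":{"allowPrivilegeEscalation":false}}]}}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","verb":"delete","user":{"username":"ops-tool"},"objectRef":{"resource":"pods","namespace":"default","name":"priv-debug"},"requestReceivedTimestamp":"2024-04-30T10:00:42.000000Z"}
'''

# Node labels whose presence in nodeSelector pins a Pod to one specific node,
# which is how the described method places the privileged container group.
PINNING_LABELS = ("kubernetes.io/hostname",)


def node_access_indicators(spec):
    """Return the Pod spec properties that give it reach into its node.

    hostPID, hostNetwork, privileged containers and hostPath volumes are all
    rejected by the Pod Security Standards 'baseline' level; the nodeSelector
    pin is not forbidden but shows the Pod targets a particular node.
    """
    found = []
    if spec.get("hostPID"):
        found.append("hostPID")
    if spec.get("hostNetwork"):
        found.append("hostNetwork")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"privileged container {c.get('name')!r}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            found.append(f"hostPath volume {v.get('name')!r}")
    for label in PINNING_LABELS:
        node = (spec.get("nodeSelector") or {}).get(label)
        if node:
            found.append(f"pinned to node {node!r} via nodeSelector {label}")
    return found


def parse_audit_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    """Audit timestamps are RFC 3339 with microseconds and a literal Z."""
    return datetime.strptime(event["requestReceivedTimestamp"],
                             "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_privileged_node_pods(events):
    """Correlate flagged Pod creates with their deletes.

    Returns one finding per flagged Pod: who created it, which indicators were
    present, and how many seconds it lived (None if no delete was seen). A
    privileged Pod created and deleted within minutes is the footprint of the
    create / execute / clean-up sequence described in this document.
    """
    findings = {}
    for ev in events:
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods":
            continue
        key = (ref.get("namespace"), ref.get("name"))
        if ev.get("verb") == "create":
            spec = (ev.get("requestObject") or {}).get("spec", {})
            indicators = node_access_indicators(spec)
            if indicators:
                findings[key] = {
                    "namespace": key[0], "pod": key[1],
                    "created_by": ev.get("user", {}).get("username"),
                    "indicators": indicators,
                    "created_at": _ts(ev), "lifetime_seconds": None,
                }
        elif ev.get("verb") == "delete" and key in findings:
            f = findings[key]
            f["lifetime_seconds"] = (_ts(ev) - f["created_at"]).total_seconds()
    return list(findings.values())


if __name__ == "__main__":
    for f in find_privileged_node_pods(parse_audit_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['namespace']}/{f['pod']} created by {f['created_by']}: "
              f"{', '.join(f['indicators'])}; lived {f['lifetime_seconds']}s")
```

Enforcing the Pod Security Standards baseline level on a namespace rejects every property this check flags except the nodeSelector pin, so the correlation above is most useful in namespaces that are exempted from baseline for node maintenance, where a short-lived privileged Pod should at least map to a known operator and change window.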
The storage medium may be a U-disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, or other various computer-readable storage media that can store program codes.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (9)

1. A method of Pod execution of privileged user commands in Kubernetes, comprising:
acquiring the node where the target container group is located;
scheduling the privileged container group container onto the corresponding node using the node selection attribute;
executing, in the privileged container group container, the command that enters the node namespace;
acquiring the target container group information under the node namespace;
executing the command with a privileged user identity under the node namespace using a command line tool of the container runtime;
wherein the privileged container group container is a container created on a node using a Kubernetes API server, and during creation the node selection attribute of the privileged container group container is set to the label of the node where the target container group is located.
2. The method of Pod execution of privileged user commands in Kubernetes of claim 1, wherein scheduling the privileged container group container onto the corresponding node using the node selection attribute comprises:
the scheduler reading the node selection attribute and, in compliance with it, scheduling the privileged container group container onto the node where the target container group is located.
3. The method of Pod execution of privileged user commands in Kubernetes of claim 1, wherein the target container group information comprises a container group name and the container runtime used.
4. The method of Pod execution of privileged user commands in Kubernetes of claim 1, wherein acquiring the target container group information under the node namespace comprises:
obtaining the target container group information under the node namespace using the Kubernetes API server.
5. The method of Pod execution of privileged user commands in Kubernetes of claim 1, wherein executing the command with a privileged user identity under the node namespace using a command line tool of the container runtime comprises:
selecting the corresponding container command line tool under the node namespace according to the container runtime recorded in the target container group information, and executing the command with the highest privilege.
6. The method of Pod execution of privileged user commands in Kubernetes of claim 5, wherein executing the command with a privileged user identity under the node namespace using a command line tool of the container runtime further comprises:
after execution of the command under the privileged user identity has finished, clearing the privileged container group container.
7. The method of Pod execution of privileged user commands in Kubernetes of claim 6, wherein clearing the privileged container group container after execution of the command under the privileged user identity has finished comprises:
after execution of the command under the privileged user identity has finished, clearing the privileged container group container using the Kubernetes API server.
8. An apparatus for Pod execution of privileged user commands in Kubernetes, comprising:
a node acquisition unit for acquiring the node where the target container group is located;
a scheduling unit for scheduling the privileged container group container onto the corresponding node using the node selection attribute;
a space entry unit for executing, in the privileged container group container, the command that enters the node namespace;
an information acquisition unit for acquiring the target container group information under the node namespace;
an execution unit for executing the command with a privileged user identity under the node namespace using a command line tool of the container runtime;
wherein the privileged container group container is a container created on a node using a Kubernetes API server, and during creation the node selection attribute of the privileged container group container is set to the label of the node where the target container group is located.
9. A computer device, characterized in that it comprises a memory on which a computer program is stored and a processor which, when executing the computer program, implements the method according to any of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410533954.2A CN118114214B (en) 2024-04-30 2024-04-30 Method, device and computer equipment for Pod executing privileged user command in Kubernetes

Publications (2)

Publication Number Publication Date
CN118114214A CN118114214A (en) 2024-05-31
CN118114214B true CN118114214B (en) 2024-07-26

Family

ID=91208880

Country Status (1)

Country Link
CN (1) CN118114214B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant