CN118295774B - Kubernetes resource anti-false-deletion protection method and system - Google Patents


Info

Publication number: CN118295774B
Authority: CN (China)
Application number: CN202410726871.5A
Other languages: Chinese (zh)
Other versions: CN118295774A
Inventor: 石瑞雪
Current assignee: Beijing Lexun Technology Co ltd
Original assignee: Beijing Lexun Technology Co ltd
Legal status: Active
Prior art keywords: resource, resources, general, deletion, annotation


Abstract

The invention discloses a Kubernetes resource anti-false-deletion protection method and system in the technical field of resource false-deletion protection. The method acquires, for each general resource in the current application scene, the number of historical protection control parameters, the idle rate and the resource association index; divides all general resources into a mark set and a general set according to the comparison of a grading score with a scoring threshold; and annotates the resources in the core set and the mark set. When the protection system receives a resource deletion request, a web-hook anti-false-deletion program judges from the metadata whether the current deletion is allowed and feeds the judgment result back to the user. The protection system can intercept unexpected deletion operations when K8s resources are deleted by mistake, and automatically marks and protects core resources, so that the running stability of the Kubernetes platform is greatly improved.

Description

Kubernetes resource anti-false-deletion protection method and system
Technical Field
The invention relates to the technical field of resource false-deletion protection, in particular to a method and a system for protecting Kubernetes resources from false deletion.
Background
Kubernetes (often referred to simply as K8s) is an open-source container orchestration and management platform for the automated deployment, scaling and management of containerized applications. It provides a reliable and extensible platform on which developers can easily manage and run containerized applications across multiple hosts. The resources in Kubernetes describe and configure the needs and limitations of an application.
As shown in fig. 3, a Deployment resource is defined that specifies information such as the container image to run and the number of replicas. The Deployment-Controller creates the corresponding Pods on K8s nodes according to that definition and monitors them continuously; if a Pod exits abnormally, the Deployment-Controller re-creates a Pod so that the actual state of the system stays consistent with the 'expected state' (8 replicas) defined by the user;
It can be seen that the "expected state" of a resource directly determines its true state within K8s. Once someone operating Kubernetes does something unexpected by mistake, such as deleting the Deployment resource or adjusting the replicas (replica count) of the Deployment resource to 0, a large number of Pods are deleted immediately, which is a very large stability risk.
On this basis, the invention provides a method and a system for preventing false deletion of Kubernetes resources, which intercept unexpected deletion operations when K8s resources are deleted by mistake and automatically annotate and protect the core resources in Kubernetes, thereby greatly improving the running stability of the Kubernetes platform.
Disclosure of Invention
The invention aims to provide a Kubernetes resource anti-false-deletion protection method and system that address the defects described in the background.
In order to achieve the above object, the present invention provides the following technical solution: a Kubernetes resource anti-false-deletion protection method comprising the steps of:
The protection system acquires all resource types in the Kubernetes platform, divides the resources into initial core resources and general resources according to their importance to the Kubernetes platform, and places all initial core resources in a core set;
acquiring, for each general resource of the Kubernetes platform in the current application scene, the historical number of protection control parameters, the idle rate and the resource association index, normalizing the number of protection control parameters, the idle rate and the resource association index, comprehensively calculating the normalized values through a fusion algorithm, and generating a grading score for each general resource;
dividing all general resources into a mark set and a general set according to the comparison of the grading score with the scoring threshold, and annotating the resources in the core set and the mark set;
periodically performing dynamic set division on the general resources, removing or adding annotations on the general resources according to the set division result, and storing the annotation processing result in the metadata of the resources;
when the protection system receives a resource deletion request, obtaining the metadata of the resource to be deleted from the request, having the web-hook anti-false-deletion program judge from that metadata whether the current deletion is allowed, and feeding the judgment result back to the user.
In a preferred embodiment, normalizing the number of protection control parameters, the idle rate and the resource association index and comprehensively calculating the normalized values by a fusion algorithm to generate a grading score for each general resource comprises the following steps:
The protection system normalizes the number of protection control parameters, the idle rate and the resource association index, mapping the value range of each onto [0,1], and obtains the normalized value of the number of protection control parameters, the normalized value of the idle rate and the normalized value of the resource association index; the computational expression of the grading score is:
where the terms are the grading score, the normalized value of the number of control parameters, the normalized value of the resource association index, the normalized value of the idle rate, and the respective weights of the control parameter quantity normalization value, the resource association index normalization value and the idle rate normalization value.
In a preferred embodiment, dividing all general resources into a mark set and a general set according to the comparison of the grading score with the scoring threshold comprises the following steps:
comparing the obtained grading scores with a preset scoring threshold value, wherein the scoring threshold value is used for judging the comprehensive importance of the resources in the Kubernetes platform;
If the grading score of the resource is larger than or equal to the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is large, marking the resource into a marking set, and if the grading score of the resource is smaller than the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is small, marking the resource into a general set.
In a preferred embodiment, annotating the resources in both the core set and the mark set comprises the following steps:
The protection system annotates the resources in the core set and the mark set to identify them as resources to be protected. The annotation consists of a key and a value, and once the key of the resource annotation has been determined it is not changed in the Kubernetes platform;
If an annotated resource needs to be deleted, the deletion can proceed only after the annotation has been removed.
In a preferred embodiment, when the protection system receives a resource deletion request, obtaining the metadata of the resource to be deleted from the request, having the web-hook anti-false-deletion program judge from that metadata whether deletion of the current resource is allowed, and feeding the judgment result back to the user comprises the following steps:
The web-hook anti-false-deletion program obtains the metadata of the resource to be deleted and analyzes whether it carries an annotation mark. If the metadata carries an annotation mark, the program checks whether the annotation contains a deletion instruction: if it does, the program deletes the resource; if it does not, the program does not perform the deletion. If the metadata carries no annotation mark, the program judges whether the deletion is being performed with the highest authority: if so, the program deletes the resource; if not, the program does not perform the deletion. Finally, the result of the operation on the resource is fed back to the user.
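The decision flow above, written out as a validating admission webhook in Go. This is an added example, not code from the patent: the annotation key protect.example.com/no-delete, the deletion-instruction value allow-delete and the use of the system:masters group as the "highest authority" are assumptions, and the AdmissionReview structs are a hand-written subset of the admission.k8s.io/v1 types so that the example needs no client libraries.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
)
// Assumed names: annotation key of a protected resource, annotation value that
// carries an explicit deletion instruction, and the highest-authority group.
const (
	ProtectKey  = "protect.example.com/no-delete"
	DeleteAllow = "allow-delete"
	AdminGroup  = "system:masters"
)
// Minimal subset of the admission.k8s.io/v1 AdmissionReview the webhook needs.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	UserInfo  UserInfo        `json:"userInfo"`
	OldObject json.RawMessage `json:"oldObject,omitempty"` // the object being deleted
}
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}
type AdmissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Result  map[string]string `json:"result,omitempty"` // carries "message"
}
// objectMeta pulls only the metadata the decision depends on out of oldObject.
type objectMeta struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// ValidateDelete applies the decision flow: an annotated resource is deleted
// only when its annotation carries the deletion instruction; an unannotated
// resource is deleted only by the highest authority. Other operations pass.
func ValidateDelete(req *AdmissionRequest) (bool, string) {
	if req.Operation != "DELETE" {
		return true, "not a delete; no protection check"
	}
	var obj objectMeta
	if err := json.Unmarshal(req.OldObject, &obj); err != nil {
		return false, "cannot read oldObject metadata: " + err.Error()
	}
	name := obj.Metadata.Namespace + "/" + obj.Metadata.Name
	if v, marked := obj.Metadata.Annotations[ProtectKey]; marked {
		if v == DeleteAllow {
			return true, "protected resource " + name + " carries a deletion instruction"
		}
		return false, "resource " + name + " is protected; remove " + ProtectKey + " first"
	}
	for _, g := range req.UserInfo.Groups {
		if g == AdminGroup {
			return true, "unprotected resource " + name + " deleted by " + req.UserInfo.Username
		}
	}
	return false, "resource " + name + " is unprotected and " + req.UserInfo.Username + " lacks the highest authority"
}

// Decide fills in the response of one AdmissionReview, echoing the request UID
// as the admission protocol requires, and clears the request.
func Decide(review *AdmissionReview) error {
	if review.Request == nil {
		return errors.New("AdmissionReview without request")
	}
	allowed, msg := ValidateDelete(review.Request)
	review.Response = &AdmissionResponse{UID: review.Request.UID, Allowed: allowed,
		Result: map[string]string{"message": msg}}
	review.Request = nil
	return nil
}

// Handle is the webhook endpoint; serve it via http.ListenAndServeTLS (TLS required).
func Handle(w http.ResponseWriter, r *http.Request) {
	var review AdmissionReview
	err := json.NewDecoder(r.Body).Decode(&review)
	if err == nil {
		err = Decide(&review)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(review)
}
```

The ValidatingWebhookConfiguration that points at Handle should register only the DELETE operation for the protected resource kinds, so that the annotation check never runs on creates or updates.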
In a preferred embodiment, periodically performing dynamic set division on the general resources, removing or adding annotations on the general resources according to the set division result, and storing the annotation processing result in the metadata of the resources comprises the following steps:
The grading scores of the general resources are obtained periodically, and the general resources are divided into the mark set and the general set according to the comparison of the grading scores with the scoring threshold. The annotation state of each general resource in the mark set is traversed, and any general resource in the mark set that is not yet annotated is annotated; the annotation state of each general resource in the general set is traversed, and the annotation of any general resource in the general set that is annotated is deleted. The annotation processing results are stored in the metadata of the resources.
In a preferred embodiment, the logic for obtaining the resource association index is as follows: let a resource have a certain number of direct child resources; the association index of the resource is then found by recursively computing the association indices of all its child resources, with the function expression:
where the terms denote the resource association index, the number of direct child resources of the resource, and the association index of each direct child resource of the resource, respectively.
In a preferred embodiment, the idle rate calculation logic is as follows: obtain the total historical run duration of the Kubernetes platform and the total duration for which the resource has historically been unused, and obtain the idle rate by comparing the two, with the expression:
where the terms denote the idle rate, the total duration for which the resource has historically been unused, and the total historical run duration of the Kubernetes platform, respectively.
In a preferred embodiment, the logic for obtaining the number of protection control parameters is as follows: obtain the number of Finalizers and the number of RBAC roles in the resource metadata, and add the number of Finalizers to the number of RBAC roles to obtain the number of protection control parameters.
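The grading score, the threshold-based set division and the periodic annotation reconciliation described in the preferred embodiments above, as an added example in Go that is not the patent's own code. It assumes min-max normalization onto [0,1], a weighted sum in which the idle term enters as (1 - normalized idle rate) because a low idle rate must raise the score, and the annotation key protect.example.com/no-delete; the resource metrics are constructed sample data.

```go
package main

import (
	"math"
	"time"
)

// ProtectKey is the annotation a marked general resource carries (assumed name).
const ProtectKey = "protect.example.com/no-delete"
// Metrics are the three raw indicators collected for one general resource.
type Metrics struct {
	ControlParams    float64 // number of Finalizers plus number of RBAC roles
	AssociationIndex float64 // recursive child-resource index
	IdleRate         float64 // unused duration / platform run duration
}

// GeneralResource is a general (non-core) resource with its current annotations.
type GeneralResource struct {
	Name        string
	Metrics     Metrics
	Annotations map[string]string
}

// Weights of the three normalized values (assumed to sum to 1).
type Weights struct{ Control, Association, Idle float64 }

// IdleRate is the resource's total unused duration over the platform's total run duration.
func IdleRate(unused, total time.Duration) float64 {
	if total <= 0 {
		return 0
	}
	return float64(unused) / float64(total)
}

// minMax maps raw values onto [0,1]; a constant column maps to 0. Min-max
// scaling is an assumption: the page only says the ranges are mapped to [0,1].
func minMax(vals []float64) []float64 {
	lo, hi := math.Inf(1), math.Inf(-1)
	for _, v := range vals {
		lo, hi = math.Min(lo, v), math.Max(hi, v)
	}
	out := make([]float64, len(vals))
	for k, v := range vals {
		if hi > lo {
			out[k] = (v - lo) / (hi - lo)
		}
	}
	return out
}

// GradingScores fuses the normalized indicators into one score per resource; the
// idle term enters as (1 - normalized idle rate). The weighted-sum form is assumed.
func GradingScores(res []GeneralResource, w Weights) []float64 {
	n := len(res)
	c, a, i := make([]float64, n), make([]float64, n), make([]float64, n)
	for k, r := range res {
		c[k], a[k], i[k] = r.Metrics.ControlParams, r.Metrics.AssociationIndex, r.Metrics.IdleRate
	}
	cn, an, in := minMax(c), minMax(a), minMax(i)
	scores := make([]float64, n)
	for k := range res {
		scores[k] = w.Control*cn[k] + w.Association*an[k] + w.Idle*(1-in[k])
	}
	return scores
}

// Reconcile is one periodic run of the dynamic set division: resources scoring
// at or above the threshold form the mark set and gain the annotation if they
// lack it; the rest form the general set and lose it. Returns the changed names.
func Reconcile(res []GeneralResource, w Weights, threshold float64) (marked, released []string) {
	scores := GradingScores(res, w)
	for k := range res {
		r := &res[k]
		_, annotated := r.Annotations[ProtectKey]
		switch {
		case scores[k] >= threshold && !annotated:
			if r.Annotations == nil {
				r.Annotations = map[string]string{}
			}
			r.Annotations[ProtectKey] = "true"
			marked = append(marked, r.Name)
		case scores[k] < threshold && annotated:
			delete(r.Annotations, ProtectKey)
			released = append(released, r.Name)
		}
	}
	return marked, released
}

// SampleResources is constructed sample data: three general resources observed
// over a 720-hour platform history, one of them already annotated.
func SampleResources() []GeneralResource {
	const hist = 720 * time.Hour
	return []GeneralResource{
		{Name: "deploy/payments", Metrics: Metrics{4, 12, IdleRate(36*time.Hour, hist)}},
		{Name: "cm/feature-flags", Metrics: Metrics{1, 1, IdleRate(432*time.Hour, hist)},
			Annotations: map[string]string{ProtectKey: "true"}},
		{Name: "svc/reports", Metrics: Metrics{2, 3, IdleRate(216*time.Hour, hist)}},
	}
}
```

With weights 0.3/0.4/0.3 and a threshold of 0.5, one run over the sample data marks deploy/payments and releases cm/feature-flags, and a second run changes nothing.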
The Kubernetes resource anti-false-deletion protection system comprises a resource dividing module, a data acquisition module, a secondary dividing module, an annotation marking module and a deletion judging module;
the resource dividing module: acquiring all resource types in the Kubernetes platform, dividing the resources into initial core resources and general resources according to the importance of the resources to the Kubernetes platform, and dividing all the initial core resources into a core set;
and a data acquisition module: acquiring the historical protection control parameter quantity, the idle rate and the resource association index of each general resource of the Kubernetes platform in the current application scene, carrying out normalization processing on the protection control parameter quantity, the idle rate and the resource association index, comprehensively calculating the protection control parameter quantity, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource;
And a secondary dividing module: dividing all general resources into a mark set and a general set respectively according to the comparison result of the grading score and the scoring threshold;
An annotation marking module: annotates the resources in the core set and the mark set; the marked resources are the resources to be protected, meaning that a marked resource can only be deleted in a specific way; periodically performs dynamic set division on the general resources, removes or adds annotations on the general resources according to the set division result, and stores the annotation processing result in the metadata of the resources;
And a deletion judging module: when a resource deletion request is received, metadata of the deleted resource is obtained from the request, the web-hook anti-misoperation program judges whether to allow current resource deletion or not according to metadata information, and the judgment result is fed back to a user.
In the technical scheme, the invention has the technical effects and advantages that:
According to the method, the historical number of protection control parameters, the idle rate and the resource association index of each general resource of the Kubernetes platform in the current application scene are obtained; all general resources are divided into a mark set and a general set according to the comparison of the grading score with the scoring threshold; the resources in the core set and the mark set are annotated; and when the protection system receives a resource deletion request, the metadata of the resource to be deleted is obtained from the request, the web-hook anti-false-deletion program judges from that metadata whether the current deletion is allowed, and the judgment result is fed back to the user. The protection system can intercept unexpected deletion operations when K8s resources are deleted by mistake, and automatically annotates and protects the core resources in Kubernetes, so that the running stability of the Kubernetes platform is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a flow chart of the method of the present invention.
FIG. 2 is a flow chart of the web-hook anti-false-deletion procedure of the present invention.
FIG. 3 is a schematic diagram of the effect of "expected states" in Kubernetes on resources.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The resources in Kubernetes are used to describe and configure the needs and limitations of the application so that the scheduler can efficiently manage and allocate these resources. The following are the common resource types in Kubernetes:
pod: pod is the smallest scheduling unit in Kubernetes, which may contain one or more containers. Pod is the most basic unit of resources for combining and sharing computing resources.
Node: node (Node) is a working Node in a Kubernetes cluster, which may be a physical machine or a virtual machine. Each Node has certain computing resources, such as CPU and memory, for running and hosting Pod.
Name-space: name-space is one mechanism for logically isolating and grouping resources within a cluster. Through namespaces, different resources can be partitioned into different namespaces to realize isolation, management and control of the resources.
Deployment: deployment is a resource type for defining and managing deployment of Pod. It specifies the number of copies of the Pod that need to be run, the container image, the resource requirements, etc., and how to upgrade and expand the Pod.
Service: service is a type of resource that provides stable network access and Service discovery. Service encapsulates a set of Pod in a virtual network and provides them with unique virtual IP addresses for other services or external user access.
In addition, kubernetes also supports other resource types, such as Con-fig-Map, secrets (keys and credentials), persistence-Volume, etc., for managing and configuring other resources required by the application.
By defining and managing these resources, kubernetes provides a flexible and powerful way to deploy, schedule, and manage applications to efficiently utilize computing resources and achieve high availability, scalability, and fault tolerance.
In Kubernetes, annography is a mechanism for adding metadata to objects (e.g., pod, service, deployment, etc.). Annotations are in the form of key-value pairs for providing additional information about an object that may be of significance to a particular tool, controller or operation, but are not critical to Kubernetes itself.
Example 1: referring to fig. 1, the protection method for preventing erroneous deletion of Kubernetes resources in this embodiment includes the following steps:
The protection system obtains all resource types in the Kubernetes platform, divides the resources into initial core resources and general resources according to their importance to the Kubernetes platform, and places all initial core resources in a core set. It then obtains, for each general resource of the Kubernetes platform in the current application scene, the historical number of protection control parameters, the idle rate and the resource association index, normalizes the three values, comprehensively calculates the normalized values through a fusion algorithm, and generates a grading score for each general resource. All general resources are divided into a mark set and a general set according to the comparison of the grading score with the scoring threshold, and the resources in the core set and the mark set are annotated: an annotated resource is a resource to be protected, and a marked resource can only be deleted in a specific way. The general resources are periodically subjected to dynamic set division, annotations are removed or added on the general resources according to the set division result, and the processing result is stored in the metadata of the resources;
The Kubernetes platform judges core resources differently in different application scenes. The resources on which the running of the Kubernetes platform depends are the initial core resources (that is, their absence would make the Kubernetes platform unable to run), while the resources placed in the mark set are the important resources of the current application scene;
On the Kubernetes platform to which the protected resources belong, an anti-false-deletion web-hook is deployed to intercept operations that delete resources. Once an operation to delete a resource is initiated, the Validate-Delete-Operation of the anti-false-deletion web-hook is called, with the following main flow:
When the protection system receives a resource deletion request, metadata of the deleted resource is obtained from the request, the web-hook anti-misoperation program judges whether to allow current resource deletion or not according to metadata information, and the judgment result is fed back to a user.
Example 2: the protection system acquiring all resource types in the Kubernetes platform, dividing the resources into initial core resources and general resources according to their importance to the Kubernetes platform, and placing all initial core resources in a core set comprises the following steps:
Use the Kubernetes API or the kubectl api-resources command to obtain all resource types available in the cluster;
The importance criteria for a resource are typically defined in terms of the following parameters:
API group and Kind: core resources typically belong to the core API group (e.g. "v1") rather than an extension API group;
Annotations and Labels: core resources carry specific annotations or labels, usually preset by developers, that identify their importance or indelibility, namely that the absence of the resource would make the Kubernetes platform inoperable;
The names and namespaces of certain resources may suggest their importance. For example, a resource in Kubernetes whose name carries the prefix "kube-" is typically a core resource;
The creator information of a resource can be examined; for example, a resource created by a Kubernetes system component may be a core resource;
The above only lists some of the general conditions under which the Kubernetes platform defines core resources; in different application scenarios the definition of core resources also includes other conditions, such as RBAC permission settings, which are not described here in detail;
A core set is created and the initial core resources are added to it. These resources may be tagged with a label (labels) or annotation (annotations) that is added to each initial core resource to identify it as a core resource.
Acquiring the historical protection control parameter quantity, the idle rate and the resource association index of each general resource of the Kubernetes platform in the current application scene, carrying out normalization processing on the protection control parameter quantity, the idle rate and the resource association index, comprehensively calculating the protection control parameter quantity, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource, wherein the method comprises the following steps of:
The logic for obtaining the number of protection control parameters is as follows: obtain the number of Finalizers and the number of RBAC roles in the resource metadata, and add the number of Finalizers to the number of RBAC roles to obtain the number of protection control parameters;
The larger the number of protection control parameters obtained by adding the number of Finalizers to the number of RBAC roles, the more control parameters the resource has, which shows that the resource is more important in the Kubernetes platform. Specifically:
The number of Finalizers and the number of RBAC roles are added, and the resulting number of protection control parameters can be used to evaluate the importance of the resource in the Kubernetes platform. The greater the number of protection control parameters, the higher the protection level and the access control complexity of the resource, which generally means that the resource is more important in the Kubernetes platform;
Number of Finalizers: Finalizers are a mechanism that ensures certain cleanup operations are performed before a resource is deleted. The more Finalizers a resource has, the more operations must be performed before it is deleted, indicating that the resource has more dependencies in the system or that its deletion has more subsequent impact.
Number of RBAC roles: the number of RBAC (role-based access control) roles reflects how many different roles have permission to operate on the resource. A greater number of RBAC roles means that more users and services rely on the resource, indicating that it is of higher importance.
The idle rate calculation logic is as follows: obtain the total historical run duration of the Kubernetes platform and the total duration for which the resource has historically been unused, and obtain the idle rate by comparing the two, with the expression:
where the terms denote the idle rate, the total duration for which the resource has historically been unused, and the total historical run duration of the Kubernetes platform, respectively.
The idle rate is obtained by comparing the total unused duration of the resource with the total historical run duration of the Kubernetes platform; the smaller the idle rate, the more frequently the resource is used in the Kubernetes platform, that is, the more important the resource is in the Kubernetes platform. Specifically:
A smaller idle rate means a higher frequency of use of the resource in the Kubernetes platform, because it means a lower proportion of the resource's lifetime is spent unused. Such a resource is used frequently and may play a critical role in the operation and functionality of the Kubernetes platform, so its importance in the Kubernetes platform is relatively high.
In particular, a smaller idle rate means that the resource is active most of the time and frequently used by the Kubernetes platform or its applications. This may indicate that the resource carries critical business functions or services and may be relied upon by multiple applications or services. Conversely, if the idle rate of the resource is high, that is, the resource is idle for most of the time and rarely used, it may be a resource of an auxiliary nature that is not so critical to the operation of the whole Kubernetes platform.
The logic for obtaining the resource association index is as follows: let a resource have a certain number of direct child resources; the association index of the resource is then found by recursively computing the association indices of all its child resources, with the function expression:
where the terms denote the resource association index, the number of direct child resources of the resource, and the association index of each direct child resource of the resource, respectively. We recommend protecting from the parent resource, layer by layer, down to the target resource, for example:
CRD -> CR: to protect a CR (CustomResource), it is preferable to protect the CRD first; otherwise, after the CRD is deleted, the corresponding CRs are reclaimed.
Namespace -> Deployment/StatefulSet: to protect a Deployment, it is preferable to protect the Namespace to which the Deployment belongs first; otherwise, deleting the Namespace reclaims all resources under it.
At the same time, note that Pods are not protected directly, since that would affect normal rolling upgrades. For example, a Deployment rolling upgrade creates new Pods and deletes old Pods; protecting the Pods could cause the upgrade to fail.
Continuing the above example:
In Kubernetes, the hierarchical relationship of resources can be represented as follows:
CRD (CustomResourceDefinition) -> CR (CustomResource);
Namespace -> Deployment/StatefulSet -> ReplicaSet -> Pod;
Namespace -> Service;
Namespace -> ConfigMap/Secret.
The association index (AI) of each resource is the sum of the association indices of all its immediate child resources, and if a resource has no child resources its association index is 1.
Calculating the association index layer by layer:
Pods: AI(Pod) = 1
ReplicaSets: AI(ReplicaSet) = ΣAI(Pod), i.e. the sum of the association indices of all its direct child Pods.
Deployments: AI(Deployment) = ΣAI(ReplicaSet), i.e. the sum of the association indices of all its direct child ReplicaSets.
StatefulSets: AI(StatefulSet) = ΣAI(Pod), i.e. the sum of the association indices of all its direct child Pods.
Namespace: AI(Namespace) = ΣAI(Deployment) + ΣAI(StatefulSet) + ΣAI(Service) + ΣAI(ConfigMap) + ΣAI(Secret);
Association index of CRD and CR:
AI(CR) = 1, since a CR has no child resources;
AI(CRD) = ΣAI(CR), i.e. the sum of the association indices of all its direct child CustomResources.
Thus, the greater the resource association index value of a resource in the Kubernetes platform, the greater the importance of that resource.
Carrying out normalization processing on the number of the protection control parameters, the idle rate and the resource association index, comprehensively calculating the number of the protection control parameters, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource, wherein the method comprises the following steps:
In summary, in the present application the grading score of a resource is computed so that a larger number of protection control parameters and a larger resource association index raise the score, while a larger idle rate lowers it;
The protection system normalizes the number of protection control parameters, the idle rate and the resource association index, mapping each of their value ranges onto [0,1] to obtain the normalized value of the number of protection control parameters, the normalized value of the idle rate and the normalized value of the resource association index. The grading score is computed by the expression:
where the terms denote, respectively, the grading score, the normalized value of the number of control parameters, the normalized value of the resource association index, the normalized value of the idle rate, and the weights of the control parameter quantity normalized value, the resource association index normalized value and the idle rate normalized value, and the weights satisfy the constraint stated with the expression. Dividing all the general resources into a mark set and a general set according to the comparison result of the grading score and the scoring threshold comprises the following steps:
the calculation logic of the grading score shows that the larger the grading score of the resource is, the larger the comprehensive importance of the resource in the Kubernetes platform is, so that the obtained grading score is compared with a preset grading threshold value, and the grading threshold value is used for judging whether the comprehensive importance of the resource in the Kubernetes platform is large or small;
If the grading score of the resource is larger than or equal to the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is large, marking the resource into a marking set, and if the grading score of the resource is smaller than the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is small, marking the resource into a general set.
Annotating and marking resources in the core set and the mark set, wherein the annotating and marking the resources in the core set and the mark set comprises the following steps:
Since the resources in the core set and the mark set are relatively important to the Kubernetes platform, the protection system further protects them by placing a specific annotation on each such resource to identify it as a resource that needs protection. The annotation consists of a key and a value; for example, the key may be specified as inf-webhook-server.infcs.tob/product-protected-by-inf. Once the key has been set, the resource cannot be changed in the Kubernetes platform (neither deleted nor its content modified), and the protection system determines whether a deletion must be intercepted by checking whether the resource carries the specific key.
In the present application, the key is fixed as inf-webhook-server.infcs.tob/product-protected-by-inf.
The value may be specified arbitrarily. However, to make problems easier to locate, the value should be a meaningful name, which helps when locating problems and searching logs. The annotation value of a Kubernetes platform resource can be configured with the following command: kubectl annotate $resourceKind $resourceName inf-webhook-server.infcs.tob/product-protected-by-inf=$value, where $resourceKind, $resourceName and $value are replaced by the actual values.
For a resource that carries the annotation, the resource cannot be deleted as long as the annotation is kept; only once the annotation is removed can the resource be deleted:
To remove the annotation, append "-" to the annotation name:
kubectl annotate $resourceKind $resourceName inf-webhook-server.infcs.tob/product-protected-by-inf-
Therefore, if a resource that carries the annotation needs to be deleted, the deletion can proceed only after the annotation is removed, which further strengthens the protection of core resources.
The method comprises the steps of carrying out dynamic set division on the general resources at regular intervals, carrying out annotation release or annotation marking on the general resources according to set division results, and storing annotation processing results into metadata of the resources, wherein the method comprises the following steps:
since the application scenes of the Kubernetes platform in different periods may be different, the protection system needs to dynamically divide the general resources in a set at regular intervals, and the initial core resources are the system resources of the Kubernetes platform, so that the dynamic management is not performed;
The grading scores of the general resources are obtained periodically, and the general resources are divided into the mark set and the general set according to the comparison of the grading scores with the scoring threshold. The annotation state of each general resource in the mark set is then traversed, and any general resource in the mark set that is not yet annotated is annotated; the annotation state of each general resource in the general set is traversed, and the annotation of any general resource in the general set that is still annotated is removed. The annotation processing results are stored in the metadata of the resources.
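The association-index recursion, the normalized and fused grading score, and one periodic re-division pass that yields annotate/release actions, as an added Go example on a constructed resource hierarchy (not the patent's own code). The fusion expression, the weights, min-max normalization, and the idle rate taken as the ratio of unused time to platform run time are assumptions, since the page does not reproduce its formulas.

```go
package main

import (
	"fmt"
	"math"
)

// Resource models one Kubernetes object for this added example (constructed data, not the patent's code).
type Resource struct {
	Name        string      // kind/name
	Children    []*Resource // direct child resources
	Finalizers  int         // constructed: len(metadata.finalizers)
	RBACRoles   int         // constructed: RBAC roles referencing the resource
	IdleSeconds float64     // constructed: historical time the resource was unused
	Annotated   bool        // constructed: protection annotation currently present
}

// AssociationIndex is the page's recursion: a leaf scores 1, otherwise the sum of the children's indices.
func AssociationIndex(r *Resource) int {
	if len(r.Children) == 0 {
		return 1
	}
	sum := 0
	for _, c := range r.Children {
		sum += AssociationIndex(c)
	}
	return sum
}

// normalize min-max scales one indicator over all general resources into [0,1].
func normalize(xs []float64) []float64 {
	lo, hi := xs[0], xs[0]
	for _, x := range xs {
		lo, hi = math.Min(lo, x), math.Max(hi, x)
	}
	out := make([]float64, len(xs))
	if hi-lo < 1e-12 { // constant column maps to 0 (assumption; undefined on the page)
		return out
	}
	for k, x := range xs {
		out[k] = (x - lo) / (hi - lo)
	}
	return out
}

// GradeScores fuses the normalized indicators with weights wP, wA, wI (assumed to sum to 1).
// The page fixes only the direction (control parameters and association index raise the score,
// idle rate lowers it); wP*p + wA*a + wI*(1-i) is an assumption, as the page's formula is not shown.
func GradeScores(rs []*Resource, platformSeconds, wP, wA, wI float64) map[string]float64 {
	n := len(rs)
	p, a, i := make([]float64, n), make([]float64, n), make([]float64, n)
	for k, r := range rs {
		p[k] = float64(r.Finalizers + r.RBACRoles) // control parameters (claim 7)
		a[k] = float64(AssociationIndex(r))
		i[k] = r.IdleSeconds / platformSeconds // idle rate as a ratio (claim 6; assumed reading)
	}
	p, a, i = normalize(p), normalize(a), normalize(i)
	scores := make(map[string]float64, n)
	for k, r := range rs {
		scores[r.Name] = wP*p[k] + wA*a[k] + wI*(1-i[k])
	}
	return scores
}

// Reconcile is one periodic re-division pass (mark set if score >= threshold, else general set).
func Reconcile(rs []*Resource, scores map[string]float64, threshold float64) map[string]string {
	out := make(map[string]string, len(rs))
	for _, r := range rs {
		inMark := scores[r.Name] >= threshold
		out[r.Name] = "keep" // annotation state already matches the set
		if inMark && !r.Annotated {
			out[r.Name] = "annotate"
		} else if !inMark && r.Annotated {
			out[r.Name] = "release"
		}
	}
	return out
}

// SampleGeneralResources is a constructed Namespace -> Deployment -> ReplicaSet -> Pod hierarchy.
func SampleGeneralResources() []*Resource {
	pods := []*Resource{{Name: "Pod/api-1"}, {Name: "Pod/api-2"}}
	dep := &Resource{Name: "Deployment/api", Finalizers: 1, RBACRoles: 1, IdleSeconds: 3600,
		Children: []*Resource{{Name: "ReplicaSet/api-abc", Children: pods}}}
	cfg := &Resource{Name: "ConfigMap/cfg", IdleSeconds: 43200, Annotated: true}
	prod := &Resource{Name: "Namespace/prod", Finalizers: 1, RBACRoles: 3, Annotated: true,
		Children: []*Resource{dep, {Name: "Service/api-svc"}, cfg}}
	return []*Resource{prod, dep, cfg}
}

func main() {
	g := SampleGeneralResources()
	fmt.Println(Reconcile(g, GradeScores(g, 86400, 0.3, 0.4, 0.3), 0.5))
}
```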
When the protection system receives a resource deletion request, metadata of a deleted resource is obtained from the request, the web-hook anti-false deletion program judges whether to allow current resource deletion or not according to metadata information, and feeds back a judgment result to a user, and the method comprises the following steps:
as shown in fig. 2: the web-hook anti-false-deletion program obtains the metadata of the resource to be deleted and checks whether the resource metadata carries an annotation mark; if it does, the program checks whether the resource annotation contains a deletion instruction, deletes the resource if so and does not perform the deletion otherwise; if the resource metadata carries no annotation mark, the program checks whether the deletion is requested with the highest authority, deletes the resource if so and does not perform the deletion otherwise; the result of the operation on the resource is then fed back to the user.
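The web-hook decision of the flow just described, as an added Go example over a constructed AdmissionReview (not the patent's program). The meaning of "deletion instruction" (the protection annotation carrying the value delete-approved) and of "highest authority" (membership of the system:masters group) are assumptions, as are the minimal request and response structs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ProtectKey is the fixed annotation key the page specifies.
const ProtectKey = "inf-webhook-server.infcs.tob/product-protected-by-inf"

// Assumed, because the page does not define them: a "deletion instruction" is the
// protection annotation carrying this value; "highest authority" is system:masters.
const (
	DeleteInstruction = "delete-approved"
	HighestAuthority  = "system:masters"
)

// Minimal AdmissionReview shapes carrying only what the decision needs.
type objectMeta struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Annotations map[string]string `json:"annotations"`
}
type userInfo struct {
	Groups []string `json:"groups"`
}
type admissionRequest struct {
	UID       string   `json:"uid"`
	Operation string   `json:"operation"`
	UserInfo  userInfo `json:"userInfo"`
	OldObject struct { // for DELETE the API server sends the existing object here
		Metadata objectMeta `json:"metadata"`
	} `json:"oldObject"`
}
type admissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": reason}
}
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

// Decide is the page's flow: an annotated resource may go only with a deletion
// instruction; an unannotated one only when the requester has highest authority.
func Decide(req *admissionRequest) (allowed bool, reason string) {
	if req.Operation != "DELETE" {
		return true, "not a delete request; no protection check"
	}
	meta := req.OldObject.Metadata
	if v, marked := meta.Annotations[ProtectKey]; marked {
		if v == DeleteInstruction {
			return true, "protected resource, deletion instruction present"
		}
		return false, fmt.Sprintf("%s/%s is protected by %s; remove the annotation first", meta.Namespace, meta.Name, ProtectKey)
	}
	for _, g := range req.UserInfo.Groups {
		if g == HighestAuthority {
			return true, "unmarked resource, requester holds highest authority"
		}
	}
	return false, "unmarked resource, requester lacks highest authority"
}

// Review maps an AdmissionReview request body to the response body the API
// server expects: same uid, the allowed flag, and the reason fed back to the user.
func Review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %v", err)
	}
	allowed, reason := Decide(in.Request)
	return json.Marshal(admissionReview{APIVersion: in.APIVersion, Kind: in.Kind,
		Response: &admissionResponse{UID: in.Request.UID, Allowed: allowed, Status: map[string]string{"message": reason}}})
}

// SampleDelete builds a constructed DELETE AdmissionReview for Deployment prod/api.
func SampleDelete(annotations map[string]string, groups []string) []byte {
	rv := admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Request: &admissionRequest{UID: "uid-1", Operation: "DELETE", UserInfo: userInfo{Groups: groups}}}
	rv.Request.OldObject.Metadata = objectMeta{Name: "api", Namespace: "prod", Annotations: annotations}
	b, _ := json.Marshal(rv)
	return b
}

func main() {
	resp, err := Review(SampleDelete(map[string]string{ProtectKey: "payment-core"}, []string{"developers"}))
	fmt.Println(string(resp), err)
}
```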
Example 3: the Kubernetes resource anti-false-deletion protection system comprises a resource dividing module, a data acquisition module, a secondary dividing module, an annotation marking module and a deletion judging module;
The resource dividing module: acquiring all resource types in the Kubernetes platform, dividing the resources into initial core resources and general resources according to the importance of the resources to the Kubernetes platform, dividing all the initial core resources into a core set, transmitting a resource division result to a data acquisition module, and transmitting the core set to an annotation mark module;
And a data acquisition module: acquiring the historical protection control parameter quantity, the idle rate and the resource association index of each general resource in the current application scene of the Kubernetes platform, carrying out normalization processing on the protection control parameter quantity, the idle rate and the resource association index, comprehensively calculating the normalized protection control parameter quantity, the normalized idle rate and the normalized resource association index through a fusion algorithm, generating a grading score for each general resource, and sending the grading score to a secondary dividing module;
and a secondary dividing module: dividing all general resources into a mark set and a general set according to the comparison result of the grading score and the scoring threshold, and transmitting the set division result to an annotation mark module;
an annotation tag module: annotating and marking the resources in the core set and the mark set, wherein the marked resources are resources to be protected, namely the marked resources can be deleted in a specific mode, dynamic set division is regularly carried out on general resources, annotation release or annotation marking is carried out on the general resources according to set division results, annotation processing results are stored in metadata of the resources, and resource metadata information is sent to a deletion judging module;
And a deletion judging module: when a resource deletion request is received, metadata of the deleted resource is obtained from the request, the web-hook anti-misoperation program judges whether to allow current resource deletion or not according to metadata information, and the judgment result is fed back to a user.
The above formulas all have dimensions removed and operate on numerical values; they are obtained by software simulation over a large amount of collected data so as to reflect the latest real situation, and the preset parameters in the formulas are set by those skilled in the art according to the actual situation.
It should be understood that the term "and/or" is merely an association relationship describing the associated object, and means that three relationships may exist, for example, a and/or B may mean: there are three cases, a alone, a and B together, and B alone, wherein a, B may be singular or plural. In addition, the character "/" herein generally indicates that the associated object is an "or" relationship, but may also indicate an "and/or" relationship, and may be understood by referring to the context.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A Kubernetes resource anti-false-deletion protection method is characterized in that: the protection method comprises the following steps:
The protection system acquires all resource types in the Kubernetes platform, divides the resources into initial core resources and general resources according to the importance of the resources to the Kubernetes platform, and divides all the initial core resources into a core set;
acquiring the historical protection control parameter quantity, the idle rate and the resource association index of each general resource of the Kubernetes platform in the current application scene, carrying out normalization processing on the protection control parameter quantity, the idle rate and the resource association index, comprehensively calculating the protection control parameter quantity, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource;
Dividing all general resources into a mark set and a general set according to the comparison result of the grading score and the scoring threshold, and annotating and marking the resources in the core set and the mark set;
the method comprises the steps of carrying out dynamic set division on general resources at regular intervals, carrying out annotation release or annotation marking on the general resources according to set division results, and storing annotation processing results into metadata of the resources;
When the protection system receives a resource deletion request, metadata of a deleted resource is obtained from the request, the web-hook anti-misoperation program judges whether to allow the current resource to be deleted according to metadata information, and the judgment result is fed back to a user;
Carrying out normalization processing on the number of the protection control parameters, the idle rate and the resource association index, comprehensively calculating the number of the protection control parameters, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource, wherein the method comprises the following steps:
The protection system carries out normalization processing on the number of the protection control parameters, the idle rate and the resource association index, maps the value ranges of the number of the protection control parameters, the idle rate and the resource association index to be between [0,1] and acquires the normalization value of the number of the protection control parameters, the normalization value of the idle rate and the normalization value of the resource association index;
the grading score is computed by the expression: where the terms denote, respectively, the grading score, the normalized value of the number of control parameters, the normalized value of the resource association index, the normalized value of the idle rate, and the weights of the control parameter quantity normalized value, the resource association index normalized value and the idle rate normalized value, and the weights satisfy the constraint stated with the expression;
The logic for acquiring the resource association index is as follows: suppose a resource has a given number of direct child resources; the association indices of all child resources are then found by recursive computation, and the function expression is: where the terms denote, respectively, the resource association index, the number of direct child resources of the resource, and the association index of each direct child resource of the resource.
2. The Kubernetes resource anti-false-deletion protection method as set forth in claim 1, wherein the method is characterized in that: and respectively dividing all the general resources into a mark set and a general set according to the comparison result of the grading score and the scoring threshold, wherein the method comprises the following steps:
comparing the obtained grading scores with a preset scoring threshold value, wherein the scoring threshold value is used for judging the comprehensive importance of the resources in the Kubernetes platform;
If the grading score of the resource is larger than or equal to the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is large, marking the resource into a marking set, and if the grading score of the resource is smaller than the scoring threshold, judging that the comprehensive importance of the resource in the Kubernetes platform is small, marking the resource into a general set.
3. The Kubernetes resource anti-false-deletion protection method as set forth in claim 2, wherein the method is characterized in that: annotating and marking resources in the core set and the mark set, wherein the annotating and marking the resources in the core set and the mark set comprises the following steps:
The protection system marks annotation on the resources in the core set and the mark set to identify that the resources belong to the resources to be protected, wherein the annotation comprises a key and a value, and the resources cannot be changed in a Kubernetes platform after the key of the resource annotation is determined;
If the resource with the annotation needs to be deleted, the deletion of the resource can be continued after the annotation is deleted.
4. The Kubernetes resource anti-false-deletion protection method of claim 3, wherein the method is characterized in that: when the protection system receives a resource deletion request, metadata of a deleted resource is obtained from the request, the web-hook anti-false deletion program judges whether to allow current resource deletion or not according to metadata information, and feeds back a judgment result to a user, and the method comprises the following steps:
The web-hook anti-false deleting program acquires the metadata of the deleted resource and analyzes whether the resource metadata has annotation marks or not; if the resource metadata has an annotation mark, acquiring whether the resource annotation has a deletion instruction, if so, deleting the resource by the web-hook anti-false deletion program, and if not, not performing the resource deletion operation by the web-hook anti-false deletion program; if the resource metadata has no annotation mark, judging whether the resource metadata is deleted with the highest authority, if so, deleting the resource by the web-hook anti-false deleting program, and if not, not performing the resource deleting operation by the web-hook anti-false deleting program; and feeding back the operation result of the resource to the user.
5. The Kubernetes resource anti-false-deletion protection method as set forth in claim 4, wherein the method is characterized in that: the method comprises the steps of carrying out dynamic set division on the general resources at regular intervals, carrying out annotation release or annotation marking on the general resources according to set division results, and storing annotation processing results into metadata of the resources, wherein the method comprises the following steps:
The method comprises the steps of periodically obtaining the grading scores of the general resources, dividing the general resources into mark sets and general sets according to the comparison results of the grading scores and the grading thresholds, traversing the annotation states of the general resources in the mark sets, annotating the general resource marks if the annotation states of the general resources in the mark sets are not annotated, traversing the annotation states of the general resources in the general sets, deleting the general resource marks if the annotation states of the general resources in the general sets are annotated, and storing annotation processing results in metadata of the resources.
6. The Kubernetes resource anti-false-deletion protection method as set forth in claim 5, wherein the method is characterized in that: the idle rate calculation logic is as follows: acquire the total historical running time of the Kubernetes platform and the total historical unused time of the resource, and obtain the idle rate by comparing the total historical unused time of the resource with the total historical running time of the Kubernetes platform, the expression being:
where the terms denote, respectively, the idle rate, the total historical unused time of the resource, and the total historical running time of the Kubernetes platform.
7. The Kubernetes resource anti-false-deletion protection method as set forth in claim 6, wherein the method is characterized in that: the logic for acquiring the number of the protection control parameters is as follows: and obtaining Finalizers number and RBAC role number in the resource metadata, and adding Finalizers number and RBAC role number to obtain the number of protection control parameters.
8. A Kubernetes resource anti-false-deletion protection system for implementing the protection method of any one of claims 1-7, characterized in that: the system comprises a resource dividing module, a data acquisition module, a secondary dividing module, an annotation marking module and a deletion judging module;
the resource dividing module: acquiring all resource types in the Kubernetes platform, dividing the resources into initial core resources and general resources according to the importance of the resources to the Kubernetes platform, and dividing all the initial core resources into a core set;
and a data acquisition module: acquiring the historical protection control parameter quantity, the idle rate and the resource association index of each general resource of the Kubernetes platform in the current application scene, carrying out normalization processing on the protection control parameter quantity, the idle rate and the resource association index, comprehensively calculating the protection control parameter quantity, the idle rate and the resource association index after normalization processing through a fusion algorithm, and generating a grading score for each general resource;
And a secondary dividing module: dividing all general resources into a mark set and a general set respectively according to the comparison result of the grading score and the scoring threshold;
An annotation tag module: annotating and marking the resources in the core set and the mark set, wherein the marked resources are the resources to be protected, namely the marked resources can be deleted in a specific mode, dynamic set division is regularly carried out on the general resources, annotation release or annotation marking is carried out on the general resources according to set division results, and annotation processing results are stored in metadata of the resources;
And a deletion judging module: when a resource deletion request is received, metadata of the deleted resource is obtained from the request, the web-hook anti-misoperation program judges whether to allow current resource deletion or not according to metadata information, and the judgment result is fed back to a user.
CN202410726871.5A 2024-06-06 2024-06-06 Kubernetes resource anti-false-deletion protection method and system Active CN118295774B (en)
Publications (2)

Publication Number Publication Date
CN118295774A CN118295774A (en) 2024-07-05
CN118295774B true CN118295774B (en) 2024-08-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant