KR102606713B1 - Apparatus, method, system and program for integrated security control for monitoring Kubernetes cluster - Google Patents

Abstract

The present disclosure relates to an integrated security control device for monitoring a Kubernetes cluster, collecting events occurring in the Kubernetes cluster through the communication unit, monitoring the collected events based on security rules, and If an abnormality is determined as a result of monitoring, the connection path of the attack destination from the attack source for the abnormality can be traced based on the connection path stored in the storage unit.

Description

Integrated security control system, device, method and program for monitoring Kubernetes cluster {Apparatus, method, system and program for integrated security control for monitoring Kubernetes cluster}

This disclosure relates to an integrated security control system, and more specifically, to an integrated security control system for monitoring a Kubernetes cluster.

Since the Fourth Industrial Revolution, numerous Internet of Things (IoT) devices, such as connected cars and home appliances, have been used to process large amounts of information.

However, there are resource limitations of physical servers in processing the collected information, and isolated resources must be allocated for each application running on the server.

To meet these requirements, service orchestration over multiple servers with virtualized applications was considered a realistic solution, specifically, each application on a server can be abstracted into virtualization technologies such as virtual machines (VMs) and containers.

Service orchestration can provide scalability for each service by dynamically allocating more resources according to the needs of multiple servers, and among various orchestration platforms, Kubernetes provides automatic deployment, scaling, and management of containerized applications. It is one of the new open source-based container orchestration platforms that allows

Kubernetes provides a framework for easily packaging and running applications in containers and running distributed systems elastically.

Additionally, Kubernetes automates the routine operational tasks of managing the containers that make up the software needed to run an application, using built-in commands to deploy the application, rolling out changes to the application, and adapting to changing needs. You can perform a variety of tasks, including scaling the application to fit your needs.

Unlike existing networks, in a network overlaid with a Kubernetes cluster, instances of applications are placed on an abstracted platform called Kubernetes, and when node failure or scaling occurs, they are scheduled on other nodes, and the worker nodes themselves are abstracted and the application Monitoring is not taking place properly because it is not clear where it will be deployed.

Accordingly, it is necessary to operate a security control system by applying a method different from the conventional network monitoring method to the Kubernetes environment, but this technology is not currently available to the public.

Republic of Korea Patent No. 10-2114339

The purpose of the embodiment disclosed in this disclosure is to provide an integrated security control system for monitoring a Kubernetes cluster.

The problems to be solved by the present disclosure are not limited to the problems mentioned above, and other problems not mentioned can be clearly understood by those skilled in the art from the description below.

An integrated security control device for monitoring a Kubernetes cluster according to an embodiment of the present disclosure to solve the above-described problem includes: a communication unit; A storage unit storing information on each of the components having a hierarchical structure in a Kubernetes cluster to which one or more instructions and an overlay network are applied, the hierarchical structure, and a connection path between the components according to the hierarchical structure; and one or more processors that execute the instructions stored in the storage unit, wherein the processor collects events occurring in the Kubernetes cluster through the communication unit and monitors the collected events based on security rules. And, if an abnormality is determined as a result of the monitoring, the connection path of the attack destination from the attack source for the abnormality can be traced based on the connection path stored in the storage unit.

In addition, the processor identifies the port for the first configuration in the first pod in which the anomaly symptom was detected as the attack source, and the port for the second configuration in the second pod in which the anomaly symptom was detected as the attack destination. Identify the configurations included in the first path of the router from the first pod based on the connection path according to the hierarchical structure of the configurations in the Kubernetes cluster stored in the storage unit, and identify the configurations included in the first path of the router. It is possible to identify connection paths between devices, identify components included in the second path of the second pod from the router, and identify connection paths between the identified components.

In addition, the configurations included in the first path include the first veth (Virtual Ethernet Devices), the first CNI, the first NAT (Network Address Translation), and the first eth0 to which the first pod belongs, and in the second path Included configurations may include a second veth (Virtual Ethernet Devices), a second CNI, a second NAT (Network Address Translation), and a second eth0 to which the second pod belongs.

In addition, based on the connection path stored in the storage unit, the processor determines the connection path of the first CNI from the first veth (Virtual Ethernet Devices) to which the first pod belongs, and the first Network Address (NAT) from the first CNI. Translation)'s connection path, the connection path of the first eth0 from the first NAT, the connection path of the router from the first eth0, the connection path of the second eth0 from the router, the connection path of the second NAT from the second eth0, The connection path of the second CNI can be identified from the second NAT, and the connection path of the second veth to which the second pod belongs can be identified from the second CNI.

In addition, the storage unit stores predetermined instructions to check information on pods, containers, and namespaces within the Kubernetes cluster and information on configurations within the Kubernetes cluster, and the processor stores a predetermined command at a preset time. Each time, information on components within the Kubernetes cluster can be checked using the predetermined command, and information stored in the storage unit can be updated.

Additionally, the processor may check information (e.g., addresses) of eth0, flannel, and cni in the Kubernetes cluster using the predetermined command.

Additionally, the processor may detect deletion of an existing pod or creation of a new pod in the Kubernetes cluster based on the collected event, and update data in the storage unit based on the detected result.

In addition, when an existing pod in the Kubernetes cluster is deleted or a new pod is created, the processor provides information about the hierarchical structure stored in the storage unit and the connection path between components according to the hierarchical structure. Based on this, data in the storage unit can be updated.

Additionally, when a connection attempt exceeding a preset first number for a connection path or configuration within the Kubernetes cluster is detected, the processor may determine the connection attempt as an abnormality symptom.

In addition, the first number of times is set for each connection path between the components having a hierarchical structure within the Kubernetes cluster, and the processor performs the connection attempt based on the first number of times set for each connection path. It can be judged as an abnormality sign.

In addition, the processor may calculate a security risk based on the identified attack source, attack destination, and configurations on the connection path included in the attack destination from the attack source and the number of connection attempts for the abnormality symptom. .

Additionally, when an attempt to access data larger than a preset first size is detected in excess of a second preset number of times for the connection path or configuration within the Kubernetes cluster, the access attempt may be determined to be an abnormality sign.

In addition, the processor assigns a monitoring weight to an access path having an access path related to the specific pod with respect to a specific pod in which an abnormality symptom is detected, and changes the monitoring period based on the assigned monitoring weight. At least one operation of changing the number of times or changing the first size can be performed.

In addition, the integrated security control method for monitoring a Kubernetes cluster according to an embodiment of the present disclosure to solve the above-described problem is a method performed by an integrated security control device in a Kubernetes cluster. collecting events that occur; Monitoring the collected events based on security rules; If an abnormality is determined as a result of the monitoring, tracking the connection path from the attack source to the attack destination for the abnormality based on the connection path stored in a storage unit, wherein the storage unit is a Kubernetes cluster to which an overlay network is applied. Information on each of the components having the hierarchical structure, the hierarchical structure, and the connection path between the components according to the hierarchical structure are stored.

In addition to this, a computer program stored in a computer-readable recording medium for execution to implement the present disclosure may be further provided.

In addition, a computer-readable recording medium recording a computer program for executing a method for implementing the present disclosure may be further provided.

According to the means for solving the above-described problem of the present disclosure, the effect of providing an integrated security control system for monitoring a Kubernetes cluster is provided.

The effects of the present disclosure are not limited to the effects mentioned above, and other effects not mentioned may be clearly understood by those skilled in the art from the description below.

Figure 1 is a block diagram of an integrated security control device for monitoring a Kubernetes cluster according to an embodiment of the present disclosure.
Figure 2 is an example diagram of a Kubernetes cluster.
Figure 3 is a diagram illustrating a Kubernetes cluster to which an overlay network is applied.
Figure 4 is a flowchart of an integrated security control method for monitoring a Kubernetes cluster according to an embodiment of the disclosure.
Figure 5 is a diagram illustrating the identification of the locations of the attack source and attack destination for detected abnormalities.
FIG. 6 is a diagram illustrating identifying the access path from the attack source to the attack destination based on the location identified and the access path stored in the storage as shown in FIG. 5.
Figure 7 is an example diagram comparing the control range of the existing control system and the control system of the integrated security control device for monitoring a Kubernetes cluster according to an embodiment of the present disclosure.

Like reference numerals refer to like elements throughout this disclosure. The present disclosure does not describe all elements of the embodiments, and general content or overlapping content between the embodiments in the technical field to which the present disclosure pertains is omitted. The term 'unit, module, member, block' used in the specification may be implemented as software or hardware, and depending on the embodiment, a plurality of 'unit, module, member, block' may be implemented as a single component, or It is also possible for a single 'part, module, member, or block' to contain multiple components. Throughout the specification, when a part is said to be "connected" to another part, this refers not only to cases where it is directly connected, but also to other parts. , includes cases of indirect connection, and indirect connection includes connection through a wireless communication network.

Additionally, when a part "includes" a certain component, this means that it may further include other components, rather than excluding other components, unless specifically stated to the contrary.

Throughout the specification, when a member is said to be located “on” another member, this includes not only cases where a member is in contact with another member, but also cases where another member exists between the two members.

Terms such as first and second are used to distinguish one component from another component, and the components are not limited by the above-mentioned terms.

Singular expressions include plural expressions unless the context clearly makes an exception.

The identification code for each step is used for convenience of explanation. The identification code does not explain the order of each step, and each step may be performed differently from the specified order unless a specific order is clearly stated in the context. there is.

Hereinafter, the operating principle and embodiments of the present disclosure will be described with reference to the attached drawings.

In this specification, the 'integrated security control device according to the present disclosure' includes all various devices that can perform computational processing and provide results to the user. For example, the integrated security control device according to the present disclosure may include all of a computer, a server device, and a portable terminal, or may take the form of any one.

Here, the computer may include, for example, a laptop, desktop, laptop, tablet PC, slate PC, etc. equipped with a web browser.

The server device is a server that processes information by communicating with external devices, and may include an application server, computing server, database server, file server, game server, mail server, proxy server, and web server.

The portable terminal is, for example, a wireless communication device that guarantees portability and mobility, such as PCS, GSM, PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication) -2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), WiBro (Wireless Broadband Internet) terminal, Smart Phone, etc. All types of handheld bases It may include wireless communication devices and wearable devices such as watches, rings, bracelets, anklets, necklaces, glasses, contact lenses, or head-mounted-device (HMD).

Functions related to artificial intelligence according to the present disclosure are operated through a processor and a storage unit. The processor may consist of one or multiple processors. At this time, one or more processors may be a general-purpose processor such as a CPU, AP, or DSP (Digital Signal Processor), a graphics-specific processor such as a GPU or VPU (Vision Processing Unit), or an artificial intelligence-specific processor such as an NPU. One or more processors control input data to be processed according to predefined operation rules or artificial intelligence models stored in the storage unit. Alternatively, when one or more processors are dedicated artificial intelligence processors, the artificial intelligence dedicated processors may be designed with a hardware structure specialized for processing a specific artificial intelligence model.

Predefined operation rules or artificial intelligence models are characterized by being created through learning. Here, being created through learning means that the basic artificial intelligence model is learned using a large number of learning data by a learning algorithm, thereby creating a predefined operation rule or artificial intelligence model set to perform the desired characteristics (or purpose). It means burden. This learning may be accomplished in the device itself that performs the artificial intelligence according to the present disclosure, or may be accomplished through a separate server and/or system. Examples of learning algorithms include supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, but are not limited to the examples described above.

An artificial intelligence model may be composed of multiple neural network layers. Each of the plurality of neural network layers has a plurality of weights, and neural network calculation is performed through calculation between the calculation result of the previous layer and the plurality of weights. Multiple weights of multiple neural network layers can be optimized by the learning results of the artificial intelligence model. For example, during the learning process, a plurality of weights may be updated so that the loss or cost value obtained from the artificial intelligence model is reduced or minimized. Artificial neural networks may include deep neural networks (DNN), such as Convolutional Neural Network (CNN), Deep Neural Network (DNN), Recurrent Neural Network (RNN), Restricted Boltzmann Machine (RBM), Deep Belief Network (DBN), Bidirectional Recurrent Deep Neural Network (BRDNN), or deep Q-network, etc., but are not limited to the examples described above.

According to an exemplary embodiment of the present disclosure, a processor may implement artificial intelligence. Artificial intelligence refers to a machine learning method based on artificial neural networks that allows machines to learn by imitating human biological neurons. Methodology of artificial intelligence includes supervised learning, in which the answer (output data) to the problem (input data) is determined by providing input data and output data together as training data according to the learning method, and only input data is provided without output data. Unsupervised learning, in which the solution (output data) to the problem (input data) is not determined, and rewards are given from the external environment whenever an action is taken in the current state, learning is directed to maximizing these rewards. It can be divided into reinforcement learning. In addition, artificial intelligence methodologies can be divided according to the architecture, which is the structure of the learning model. The architecture of widely used deep learning technology can be divided into convolutional neural networks, recurrent neural networks, transformers, and generative adversarial neural networks.

The device may include an artificial intelligence model. An artificial intelligence model may be a single artificial intelligence model or may be implemented as multiple artificial intelligence models. Artificial intelligence models may be composed of neural networks (or artificial neural networks) and may include statistical learning algorithms that mimic biological neurons in machine learning and cognitive science. A neural network can refer to an overall model in which artificial neurons (nodes), which form a network through the combination of synapses, change the strength of the synapse connection through learning and have problem-solving capabilities. Neurons in a neural network can contain combinations of weights or biases. A neural network may include one or more layers consisting of one or more neurons or nodes. By way of example, a device may include an input layer, a hidden layer, and an output layer. The neural network that makes up the device can infer the result to be predicted from arbitrary input by changing the weights of neurons through learning.

The processor creates a neural network, trains or learns a neural network, performs operations based on received input data, generates information signals based on the results, or retrains the neural network. Neural network models include CNN, R-CNN, RPN, RNN, S-DNN, S-SDNN, Deconvolution Network, DBN, RBM, Fully Convolutional Network, LSTM Network, Classification such as GoogleNet, AlexNet, VGG Network, etc. It may include, but is not limited to, various types of models such as Network. The processor may include one or more processors to perform operations according to the models of the neural network. For example, a neural network is a deep neural network. It can be included.

Neural networks include CNN, RNN, perceptron, multi-layer perceptron, FF (Feed Forward), RBF (Radial Basis Network), DFF (Deep Feed Forward), LSTM (Long Short Term Memory), GRU (Gated Recurrent Unit), AE ( Auto Encoder), VAE (Variational Auto Encoder), DAE (Denoising Auto Encoder), SAE (Sparse Auto Encoder), MC (Markov Chain), HN (Hopfield Network), BM (Boltzmann Machine), RBM (Restricted Boltzmann Machine), Depp Belief Network (DBN), Deep Convolutional Network (DCN), Deconvolutional Network (DN), Deep Convolutional Inverse Graphics Network (DCIGN), Generative Adversarial Network (GAN), Liquid State Machine (LSM), Extreme Learning Machine (ELM), It may include Echo State Network (ESN), Deep Residual Network (DRN), Differential Neural Computer (DNC), Neural Turning Machine (NTM), Capsule Network (CN), Kohonen Network (KN), and Attention Network (AN). Those skilled in the art will understand that it is not limited to this and may include any neural network.

According to an exemplary embodiment of the present disclosure, the processor may support a Convolution Neural Network (CNN), a Region with Convolution Neural Network (R-CNN), a Region Proposal Network (RPN), a Recurrent Neural Network (RNN), such as GoogleNet, AlexNet, VGG Network, etc. ), S-DNN (Stacking-based deep Neural Network), S-SDNN (State-Space Dynamic Neural Network), Deconvolution Network, DBN (Deep Belief Network), RBM (Restrcted Boltzman Machine), Fully Convolutional Network, LSTM (Long Short-Term Memory) Network, Classification Network, Generative Modeling, eXplainable AI, Continual AI, Representation Learning, AI for Material Design, BERT for natural language processing, SP-BERT, MRC/QA, Text Analysis, Dialog System, GPT-3 , GPT-4, Visual Analytics for vision processing, Visual Understanding, Video Synthesis, and Anomaly Detection, Prediction, Time-Series Forecasting, Optimization, Recommendation, and Data Creation for ResNet data intelligence. , but is not limited to this. Hereinafter, embodiments of the present disclosure will be described in detail with reference to the attached drawings.

Figure 1 is a block diagram of an integrated security control device 100 for monitoring a Kubernetes cluster 200 according to an embodiment of the present disclosure.

However, in some embodiments, the integrated security control device 100 may include fewer or more components than those shown in FIG. 1 .

In the embodiment below, the integrated security control device 100 for monitoring the Kubernetes cluster 200 is referred to as the integrated security control device 100.

Referring to FIG. 1, the integrated security control device 100 for monitoring the Kubernetes cluster 200 according to an embodiment of the present disclosure includes a processor 110, a communication unit 120, and a storage unit 130. .

The integrated security control device 100 according to an embodiment of the present disclosure may be configured to include a server device 100 and may be an integrated security control server for monitoring the Kubernetes cluster 200.

However, in some embodiments, the integrated security control device 100 may include fewer or more components than those shown in FIG. 1 .

The integrated security control device 100 includes one or more processors 110 that execute instructions stored in the storage unit 130.

The processor 110 uses a storage unit 130 to store data about an algorithm for controlling the operation of components within the device 100 or a program that reproduces the algorithm, and the data stored in the storage unit 130. It may be implemented with at least one processor 110 that performs the above-described operations. At this time, the storage unit 130 and the processor 110 may each be implemented as separate chips. Alternatively, the storage unit 130 and the processor 110 may be implemented as a single chip.

In addition, the processor 110 may control any one or a combination of the components described above in order to implement various embodiments according to the present disclosure described in the drawings below on the device 100.

In addition to operations related to the application program, the processor 110 may generally control the overall operation of the device 100. The processor 110 can provide or process appropriate information or functions to the user by processing signals, data, information, etc. input or output through the components discussed above, or by running an application program stored in the storage unit 130. .

Additionally, the processor 110 may control at least some of the components of the device 100 to run an application program stored in the storage unit 130. Furthermore, the processor 110 may operate in combination with at least two or more of the components included in the device 100 in order to run the application program.

The communication unit 120 may include one or more modules that connect the integrated security control device 100 to one or more networks.

The communication unit 120 may include one or more components that enable communication with an external device, for example, at least one of a broadcast reception module, a wired communication module, a wireless communication module, a short-range communication module, and a location information module. It can be included.

Wired communication modules include various wired communication modules such as Local Area Network (LAN) modules, Wide Area Network (WAN) modules, or Value Added Network (VAN) modules, as well as USB (Universal Serial Bus) modules. ), HDMI (High Definition Multimedia Interface), DVI (Digital Visual Interface), RS-232 (recommended standard 232), power line communication, or POTS (plain old telephone service).

In addition to Wi-Fi modules and WiBro (Wireless broadband) modules, wireless communication modules include GSM (global System for Mobile Communication), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), and UMTS (universal mobile telecommunications system). ), TDMA (Time Division Multiple Access), LTE (Long Term Evolution), 4G, 5G, 6G, etc. may include a wireless communication module that supports various wireless communication methods.

The wireless communication module may include a wireless communication interface including an antenna and a transmitter that transmits communication signals. In addition, the wireless communication module may further include a signal conversion module that modulates a digital control signal output from the processor 110 through a wireless communication interface into an analog wireless signal under the control of the processor 110.

The short-range communication module is for short-range communication and includes Bluetooth®, RFID (Radio Frequency Identification), Infrared Data Association (IrDA), UWB (Ultra-Wideband), ZigBee, and NFC ( Near Field Communication), Wi-Fi (Wireless-Fidelity), Wi-Fi Direct, and Wireless USB (Wireless Universal Serial Bus) technology can be used to support short-distance communication.

The storage unit 130 can store data supporting various functions of the device 100. The storage unit 130 may store a number of application programs (application programs or applications) running on the device 100, data for operating the device 100, and commands. At least some of these application programs may exist for the basic functions of the device 100. Meanwhile, the application program may be stored in the storage unit 130, installed in the device 100, and driven to perform an operation (or function) by the processor 110.

The storage unit 130 can store data supporting various functions of the device 100 and a program for the operation of the processor 110, and can store input/output data (e.g., music files, still images, etc.). , videos, etc.) can be stored, and a plurality of application programs (application programs or applications) running on the device 100, data for operation of the device 100, and commands can be stored. At least some of these applications may be downloaded from an external server via wireless communication.

The storage unit 130 is of a flash memory type, hard disk type, solid state disk type, SDD type (Silicon Disk Drive type), and multimedia card micro type. card micro type), card type memory (e.g. SD or XD memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), EEPROM (electrically It may include at least one type of storage medium among erasable programmable read-only memory (PROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, and optical disk. Additionally, the storage unit 130 is separate from the device 100, but may be a database connected by wire or wirelessly.

Additionally, the storage unit 130 may include a plurality of processes for the integrated security control device 100.

Figure 2 is an example diagram of a Kubernetes cluster 200.

Figure 3 is a diagram illustrating a Kubernetes cluster 200 to which an overlay network is applied.

First, with reference to FIG. 2, the Kubernetes cluster 200 will be briefly described.

The Master Node is a system that controls the entire Kubernetes cluster 200. The Master Node manages Kubernetes through the API SERVER, and all configurations communicate through the API SERVER.

Master node includes API SERVER, etcd, Kube-Scheduler, and Kube-Controller.

API SERVER receives requests from clients such as kubectl and constructs API objects.

API SERVER is a configuration that all configurations within Kubernetes use to call each other. It can process requests from internal modules as well as requests from kubectl, check permissions, and reject requests. API SERVER can also serve as a debugger to check the logs of containers running on a node.

etcd is a server that acts as a database for the Kubernetes cluster 200 and can store data about all settings and status of the cluster.

etcd is a database where information about each component in the cluster is stored in key-value format.

Kube-Scheduler is the scheduler in Kubernetes and selects the node on which the newly created pod will run. Scheduling means determining the node on which to run a pod.

The Kube-Scheduler is responsible for allocating each resource, such as pods and services, to the appropriate node. It determines which node to run the pod on, and the pod placed on the node is created as a container by the kubelet of each node. .

Kube-Controller is responsible for managing controllers such as ReplicaSet and Deployment in Kubernetes and assigning them to appropriate nodes, and executes commands such as pod replication and deployment to each controller.

Worker Node is a configuration that receives commands from the master node and creates and services actual workload.

Worker nodes are virtual machines or physical servers where actual containers are created. Each server can be labeled to define its purpose, and API SERVER requests can be made through kubelet.

Worker nodes can include kubelet, kube-proxy, Container Runtime, Addons, and cAdvisor.

Kubelet is an agent deployed on a node and is responsible for communicating with the API SERVER of the master node.

Kubelet receives commands to be executed from the API SERVER of the master node, executes the worker node, and transmits the status of the worker node to the master node.

Kubelet continuously monitors whether the container operates normally and periodically communicates with the API SERVER to exchange necessary information between the master and the node. (e.g. node status information, resource usage, etc.)

Kube-proxy manages the network connected to the pods assigned to the node, proxying traffic coming to the node to the appropriate container, and managing network communication between the node and the master node.

Kube-proxy allows a separate virtual network to operate within the cluster, forwards TCP, UDP, and SCTP streams, and can provide services by grouping multiple pods in a round-robin format.

Kube-proxy can manage communications by routing, load balancing, and proxying traffic coming into a node to appropriate containers.

Container Runtime actually runs containers deployed through pods. A representative example of container runtimes is Docker, and other runtimes such as God and runc are also supported.

Addons are pods that run necessary functions within the cluster.

cAdvisor is a node's monitoring agent that collects status information of containers running on the node and delivers it to the master node's API SERVER.

In Kubernetes, kubectl is a command line interface (CLI) for manipulating the Kubernetes cluster 200.

A pod is the minimum unit that runs a container in the Kubernetes cluster 200, and a pod includes one or multiple containers.

And, containers belonging to a specific pod run on the same node. In other words, pods do not exist on different nodes, but on one node.

This Kubernetes cluster 200 is a container orchestration platform that is used to deploy, scale, and manage containerized applications. Since Kubernetes provides scalability, reliability, and flexibility in a large-scale distributed system, it is used in security control systems, etc. It can also be very useful.

Referring to FIG. 3, a Kubernetes cluster 200 to which an overlay network is applied is illustrated.

A Pod contains at least one container, and containers within a Pod can share a network with only port information.

Containers within a Pod share the veth (Virtual Ethernet Devices) network.

Inside the container, things like web servers operate, and they leave logs of the results of their operations.

Network namespaces operate independently until they are connected to each other. At this time, the role of connecting network namespaces is a virtual device called veth (Virtual Ethernet).

Because both ends of a veth can be connected to different network namespaces or devices, it is also called a veth pair.

Kubernetes provides a very basic and simple network plugin called kubenet. However, this network plugin does not implement advanced features such as cross-node networking or network policy settings. Therefore, a separate network plug-in that complies with the CNI (Container Network Interface) specifications must be used.

One of the characteristics of Pods is that each Pod has a unique IP address. (This is the virtual network interface veth described above.)

Therefore, each Pod can communicate with each other using a unique IP address through a network interface configured with kubenet or CNI.

In order for pods on different nodes among multiple worker nodes to communicate with each other, they communicate through a router.

Because Pods are basically something that can be easily replaced, a Kubernetes system cannot be built durably using a Pod to Pod Network alone.

CNI (Container Network Interface) is networking for Linux containers and is a standard for creating plug-ins that can control networking between containers. As the development of containers accelerates, it is said that it was created to provide a common interface to avoid the various ways of implementing the network layer between the container runtime and orchestrator being separated and developing in their own way. It is used as a de facto standard for interfaces.

Inside the Kubernetes Cluster, multiple containers are repeatedly created, deleted, and restored by the Master Node, and as a result, each container is not fixed and reallocation occurs frequently.

To solve these characteristics, Kubernetes Cluster consists of a virtual network. Basically, the kube-proxy of the Worker Node manages the network, but various network-related addons are provided to create a more efficient network environment, including Ingress, Flannel, and ACI. , Calico, Canal, Cilium, CNI-Genie, Contiv, Multus, NSX-T, Nuage, Romana, and Weave Net.

In order to complete communication between pods on different nodes, a CNI that provides related functions is required, and Flannel is one of the representative types of CNI.

Flannel is an overlay network designed for Kubernetes and provides the simplest and easiest way to configure an L3 network.

The Flannel network model runs as a daemon set, and Flannel pods can run as many nodes as there are nodes.

An underlay network refers to a physical infrastructure using actual equipment, and the elements that make up the physical infrastructure are used in a comprehensive sense that includes network equipment, security equipment, and servers that provide services.

An overlay network is another network built on top of an existing network, a virtual network made up of separate nodes and logical links on top of the existing network, and the network of nodes is combined into one network. Recognizing it as a network can be called an overlay.

Additionally, an overlay network performs end-to-end communication using network virtualization technology based on physical infrastructure, and can be expressed as a tunnel configuration.

CNI can recognize and communicate with physically separated node networks as if they were one network, and the node's container network configuration is ultimately a virtual network, and physically separated virtual networks must operate like one virtual network.

NAT is Network Address Translation, which converts a private IP into a public IP.

eth0 is the physical network interface, the first Ethernet card installed in the Linux system, and the container can communicate with the outside through veth and eth0.

A namespace can be said to provide a way to logically divide resources.

In the Kubernetes environment, it is logically organized based on nodes, and NameSpace is a group that binds Kubernetes objects.

A pod is the smallest manageable deployment unit in Kubernetes, and a pod contains containers. A container can be thought of as an app inside a pod.

For example, if Company A's homepage is running in a Kubernetes environment, Company A becomes a NameSpace, a pod exists within it, and the web server in the pod operates as a container.

The device 100 according to an embodiment of the present disclosure is for monitoring an infrastructure called Kubernetes, and network information such as network interface (veth) and port may be essential.

The configuration (object) in the Kubernetes cluster 200 is not limited to pods, and there are various configurations such as label, deployment, statefulset, veth, and eth0.

To distinguish these configurations, Kubernetes provides and uses a namespace. That is, in Kubernetes, a namespace is a logical separation unit within the Kubernetes cluster 200, and objects within the cluster are logically separated through the namespace.

Namespace logically separates and groups API objects on Kubernetes.

Namespace can manage rights for logical groups and limit resources such as CPU and memory.

The unit of namespace is determined according to the user's purpose. There is no exact right answer. For example, you can decide which logical unit to classify into, as shown in the following example.

In an embodiment of the present disclosure, the integrated security control device 100 essentially requires container information, pod information, and namespace information within the Kubernetes cluster 200 for security control, and details regarding this will be described later.

Figure 4 is a flowchart of an integrated security control method for monitoring a Kubernetes cluster according to an embodiment of the disclosure.

Figure 5 is a diagram illustrating the identification of the locations of the attack source and attack destination for detected abnormalities.

FIG. 6 is a diagram illustrating identifying the access path from the attack source to the attack destination based on the location identified and the access path stored in the storage as shown in FIG. 5.

In an embodiment of the present disclosure, the integrated security control device 100 collects events occurring in the Kubernetes cluster 200 through the communication unit 120, and monitors the collected events based on preset security rules.

And, if the integrated security control device 100 determines that there is an abnormality in the monitored asset as a result of monitoring, it tracks the access path from the attack source to the attack destination for the abnormality based on the access path stored in the storage unit 130. do.

The processor 110 can identify the attack source and attack destination using correlation analysis and search of logs and events.

More specifically, when network traffic (bps) is greater than a threshold at a specific point in time, the processor 110 can identify the attack source and attack destination by checking logs and events at that point in time.

The storage unit 130 of the integrated security control device 100 contains information about each component having a hierarchical structure in the Kubernetes cluster 200 to which the overlay network is applied, the hierarchical structure, and components according to the hierarchical structure. The connection paths between them are stored.

In an embodiment of the present disclosure, configurations (objects) within the Kubernetes cluster 200 may include Router, eth0, NAT, Flannel, CNI, veth, POD, Container, etc., and each configuration (object) is a different configuration. and has a hierarchical structure. That is, the storage unit 130 stores information about the configurations within the Kubernetes cluster 200 as well as the hierarchical structure between each configuration and other configurations.

For example, if the first veth has a hierarchical structure with the first CNI, the first CNI has a hierarchical structure with the first NAT, and the first NAT has a hierarchical structure with the first eth0, The processor 110 may recognize (identify) the hierarchical structure for each configuration, and may identify that the first veth and the second CNI do not have a hierarchical structure.

With reference to FIG. 4, an integrated security control method for monitoring the Kubernetes cluster 200 according to an embodiment of the present disclosure will be described.

The processor 110 collects events occurring in the Kubernetes cluster 200. (S100)

The processor 110 collects events occurring in the Kubernetes cluster 200 that runs the workload by placing containers in pods and running them on nodes through the communication unit 120.

More specifically, the Kubernetes cluster 200 includes a master node and at least one worker node assigned to the master node, and each worker node includes a Kubelet.

More specifically, the processor 110 collects events occurring in the Kubernetes cluster 200 through the Kubelet of the worker node.

In one embodiment, the storage unit 130 may store an event classification algorithm, and the processor 110 may automatically classify events collected from the Kubernetes cluster 200 using the event classification algorithm.

The processor 110 monitors events collected from the Kubernetes cluster 200 based on security rules. (S200)

The processor 110 detects abnormalities as a result of monitoring the S200. (S300)

This??, security rules (security policies) may be set according to the client's security assets, and depending on the security rules, the monitoring cycle and severity may be different, and the criteria for determining abnormalities may be different.

In addition, in the embodiment of the present disclosure, the integrated security control device 100 can use a pre-trained artificial intelligence model for security control, and the artificial intelligence model learns security rules and flexibly applies the security rules depending on the situation to automatically This allows security control and monitoring to be carried out.

The processor 110 identifies the attack source and attack destination based on events related to abnormalities. (S400)

The processor 110 tracks the connection path from the attack source to the attack destination for detected abnormalities based on the connection path stored in the storage unit 130. (S500)

If an abnormality is detected and it is determined that it is a security attack, the processor 110 can identify the source and destination of the attack based on the collected events, and Kubernetes as shown in FIG. 5 based on the information stored in the storage. It is possible to identify the addresses of the attack source and attack destination within the cluster. At this time, the information used is information about the addresses of components (objects) within the Kubernetes cluster.

In addition, since the addresses of components (objects) within the Kubernetes cluster are stored in the storage unit and information about the connection path according to the hierarchical structure between the components is stored, the processor 110 is an attack source as shown in FIG. 6. All paths from the attack destination can be identified.

S500 will be described in detail with reference to FIG. 6.

FIG. 7 is an example diagram comparing the control range of the control system 10 of the integrated security control device 100 for monitoring the Kubernetes cluster 200 according to the embodiment of the present disclosure with that of the existing control system.

The pod of the attack starting point shown in FIG. 6 is referred to as the first pod, the configuration (object) corresponding to the attack starting point within the first pod is referred to as the first configuration, and the veth to which the first pod belongs is referred to as the first veth and the first pod. The Flannel and CNI that have a connection path with 1 veth are referred to as the 1st Flannel and the 1st CNI, the NAT that has a connection path with the 1st Flannel and the 1st CNI is referred to as 1st NAT, and the eth0 that has a connection path with the 1st NAT is referred to as 1st Flannel and 1st CNI. Let it be referred to as 1st eth0.

The pod of the attack destination shown in FIG. 6 is referred to as the second pod, the configuration (object) corresponding to the attack destination within the second pod is referred to as the second configuration, and the veth to which the second pod belongs is referred to as the second veth and the second pod. 2 Flannel and CNI with a connection path with veth are referred to as the 2nd Flannel and 2nd CNI, NAT with a connection path with the 2nd Flannel and 2nd CNI is referred to as 2nd NAT, and eth0 with a connection path with the 2nd NAT is referred to as 2nd Flannel and 2nd CNI. Let it be referred to as 2nd eth0.

The processor 110 recognizes the port for the first configuration in the first pod in which an abnormality symptom was detected as the attack source, and identifies the port for the second configuration in the second pod in which the abnormality symptom was detected as the attack destination.

In an embodiment of the present disclosure, the attack origin is illustrated as the first container in the first pod and the attack destination is illustrated as the second container in the second pod through FIG. 6. However, this is an example for explanation only and the attack origin and attack destination must be containers. It is not limited to.

The processor 110 identifies the configurations included in the first path of the router from the first pod based on the connection path according to the hierarchical structure of the configurations in the Kubernetes cluster 200 stored in the storage unit 130. And, the connection path between the identified components can be identified.

The processor 110 identifies the configurations included in the second path of the router from the second pod based on the connection path according to the hierarchical structure of the configurations in the Kubernetes cluster 200 stored in the storage unit 130. And, the connection path between the identified components can be identified.

Configurations included in the first path include the first veth (Virtual Ethernet Devices) to which the first pod belongs, the first CNI, the first NAT (Network Address Translation), and the first eth0.

Configurations included in the second path include the second veth (Virtual Ethernet Devices) to which the second pod belongs, the second CNI, the second NAT (Network Address Translation), and the second eth0.

Based on the connection path stored in the storage unit 130, the processor 110 determines the connection path of the first CNI from the first veth (Virtual Ethernet Devices) to which the first pod belongs, and the first NAT from the first CNI ( Network Address Translation) connection path, the connection path of the first eth0 from the first NAT, the connection path of the router from the first eth0, the connection path of the second eth0 from the router, the connection of the second NAT from the second eth0 The path, the connection path of the second CNI from the second NAT, and the connection path of the second veth to which the second pod belongs from the second CNI can be identified.

Additionally, the storage unit 130 stores predetermined commands to check information about pods, containers, and namespaces within the Kubernetes cluster 200 and information about components within the Kubernetes cluster 200.

In one embodiment, the device 100 can obtain network interface information by entering “ifconfig -1” on the container node, and in detail, can obtain information on the addresses of eth0, Flannel, cni0, veth, and Iface. You can check the namespace name and pod name to connect to the pod. Additionally, the device 100 can connect to the Pod by entering “kubectl exec -it pod name -n namespace name -bash” and check the IP information of the Pod by entering “ifconfig -a” in the Pod.

The processor 110 uses predetermined instructions at preset times to check information on components (objects) within the Kubernetes cluster 200 and updates information stored in the storage unit 130.

More specifically, the processor 110 verifies information on components (objects) within the Kubernetes cluster 200 using predetermined instructions at preset times. And, if the confirmed information is different from the information stored in the storage unit 130, the processor 110 reflects deleted information, changed information, or newly created information.

In an embodiment of the present disclosure, the integrated security control device 100 provides information (e.g., location, address) about the configurations (objects) within the Kubernetes cluster 200 and the hierarchical structure between each configuration (object). The access path is stored, and the stored information can be updated at preset times (cycles) through the above operation (process).

At this time, the command may be a predetermined command to check information about pods, containers, and namespaces within the Kubernetes cluster 200 and information about components (objects) within the Kubernetes cluster 200.

The processor 110 can check information (e.g., addresses) of eth0, flannel, and cni in the Kubernetes cluster 200 using the predetermined command.

In addition, the processor 110 can detect the deletion of an existing pod or the creation of a new pod within the Kubernetes cluster 200 based on events collected from the Kubernetes cluster 200, and based on the detected results, Data stored in the storage unit 130 can be updated. At this time, the data to be updated refers to data related to the pod.

In one embodiment, when an existing pod in the Kubernetes cluster 200 is deleted or a new pod is created, the processor 110 deletes the hierarchical structure stored in the storage unit 130 and the configuration according to the hierarchical structure ( Data stored in the storage unit 130 can be updated based on information about the connection path between objects.

When a connection attempt exceeding a preset first number is detected for a connection path or configuration (object) within the Kubernetes cluster 200, the processor 110 may determine the connection attempt to be an abnormality symptom.

In one embodiment, the first number of times may be set for each connection path between the components (objects) having a hierarchical structure within the Kubernetes cluster 200. Specifically, this means that the first number of times may be different depending on the connection path.

The processor 110 may determine the connection attempt as an abnormality symptom based on the first number of times set for each connection path.

In one embodiment, a security priority may be set for each configuration (object) within the Kubernetes cluster 200, and a security priority may be set for each connection path.

In one embodiment, the processor 110 may use an artificial intelligence model to calculate the security importance of each connection path based on the security importance set for the configuration (object) within the Kubernetes cluster 200.

The processor 110 may calculate the security risk based on the identified attack source, attack destination, and configuration (objects) on the connection path included in the attack destination from the attack source and the number of connection attempts for abnormal signs.

At this time, the processor 110 may calculate the security risk by considering the security importance set for the attack destination, the attack source, and the configurations on the connection path included in the attack destination from the attack source. In other words, even attacks with the same number of access attempts may result in different security risks depending on the security importance of the asset.

In one embodiment, the processor 110 detects a data access attempt of a preset size or larger than the preset second number for the connection path or configuration (object) within the Kubernetes cluster 200, and performs the corresponding connection attempt. can be judged as an abnormality symptom.

In one embodiment, the processor 110 may assign monitoring weights to a configuration and access path with respect to a specific pod in which an anomaly symptom is detected, and a connection path related to the specific pod. And, the processor 110 changes the monitoring cycle based on the assigned monitoring weight, changes the first number of times, which is a standard for determining an abnormality, or changes the first size (data capacity), which is a standard for determining an abnormality. At least one operation to change the size can be performed.

In one embodiment, the processor 110 may receive at least one security keyword from a security control manager according to a security control trend, and the pre-trained artificial intelligence model may input the security keyword into the Kubernetes cluster 200. The security importance of each component (object) can be calculated, and the security importance of each connection path can be calculated based on the calculated results. As a result, the artificial intelligence model can modify the security rules for the configuration (object) and connection paths within the Kubernetes cluster 200, which is the first number, second number, or first size (data capacity) mentioned above. A change to at least one of the sizes may be applied.

That is, the security manager can input keywords related to trends and issues related to security control into the integrated security device 100, the processor 110 inputs the keywords into the artificial intelligence model, and the artificial intelligence model responds to the input keywords. Accordingly, the security importance is calculated for the configuration within the Kubernetes cluster 200 and the connection paths between the configurations, and the security for the configuration (object) and connection paths within the Kubernetes cluster 200 is based on the calculated security importance. Rules can be modified.

In one embodiment, the processor 110 may determine an abnormality symptom based on Equation 1. At this time, unit time may be defined as 1 second, 1 minute, 1 hour, etc.

In one embodiment, the processor 110 may determine an abnormality symptom based on Equation 2. At this time, unit time may be defined as 1 second, 1 minute, 1 hour, etc.

At this time, a preset value may be applied to k1.

At this time, preset values may be applied to i and k2.

Therefore, the security manager can achieve the effect of having the artificial intelligence model of the integrated security control device 100 change security rules simply by entering keywords related to trends and issues related to security control.

Referring to FIG. 7, it is possible to compare how the control system 10 of the integrated security control device 100 for monitoring the Kubernetes cluster 200 according to an embodiment of the present disclosure differs from the existing control system.

In an additional embodiment, the processor 110 may detect an event in which a data change occurs in the container image through collected events.

The processor 110 can check the definition included in the change and check whether the confirmed definition is a previously agreed upon definition.

More specifically, the processor 110 may request the Kubelet to collect a first definition of the existing state of the container image from the API SERVER and receive the first definition collected from the Kubelet.

Next, the processor 110 may check changes to the container image based on the first definition and a second definition including the changes to the container image.

The second definition is a definition regarding the changed contents of the container image after the container image is changed, and the first definition is a definition before the container image is changed.

More specifically, the processor 110 requests a yaml file for the container image stored in etcd, where cluster information of the Kubernetes cluster 200 is stored, through Kubelet.

And, the processor 110 can check the second definition through the yaml file of the container image.

When the processor 110 saves the yaml for the container image, it stores or updates the revision.

More specifically, the processor 110 stores the revision when first storing the yaml for the container image and then updates the revision whenever data changes to the container image.

In other words, the server can detect all data changes in the container image through the above process and check the change history/items.

In order for the server to transmit control signals to Kubernetes and receive status information, a client can be installed and operated inside the worker node of Kubernetes.

The processor 110 communicates with the kubelet through a client, and the kubelet can communicate with the API SERVER to operate the Kubernetes cluster 200 or monitor its operating status.

The method according to an embodiment of the present disclosure described above may be implemented as a program (or application) and stored in a medium in order to be executed in combination with a server, which is hardware.

The above-mentioned program is C, C++, JAVA, machine language, etc. that can be read by the processor (CPU) of the computer through the device interface of the computer in order for the computer to read the program and execute the methods implemented in the program. It may include code coded in a computer language. These codes may include functional codes related to functions that define the necessary functions for executing the methods, and include control codes related to execution procedures necessary for the computer's processor to execute the functions according to predetermined procedures. can do. In addition, this code may further include a storage reference related code indicating which location (address address) of the computer's internal or external storage the additional information or media required for the computer's processor to execute the functions should be referenced. You can. In addition, if the computer's processor needs to communicate with any other remote computer or server in order to execute the above functions, the code uses the computer's communication module to determine how to communicate with any other remote computer or server. It may further include communication-related codes regarding whether communication should be performed and what information or media should be transmitted and received during communication.

The storage medium refers to a medium that stores data semi-permanently and can be read by a device, rather than a medium that stores data for a short period of time, such as a register, cache, or storage unit. Specifically, examples of the storage medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc., but are not limited thereto. That is, the program may be stored in various recording media on various servers that the computer can access or on various recording media on the user's computer. Additionally, the medium may be distributed to computer systems connected to a network, and computer-readable code may be stored in a distributed manner.

The steps of the method or algorithm described in connection with the embodiments of the present disclosure may be implemented directly in hardware, implemented as a software module executed by hardware, or a combination thereof. Software modules include RAM (Random Access Memory), ROM (Read Only Memory), EPROM (Erasable Programmable ROM), EEPROM (Electrically Erasable Programmable ROM), Flash Memory, hard disk, removable disk, CD-ROM, Alternatively, it may reside on any type of computer-readable recording medium well known in the art to which this disclosure pertains.

Above, embodiments of the present disclosure have been described with reference to the attached drawings, but those skilled in the art will understand that the present disclosure can be implemented in other specific forms without changing its technical idea or essential features. You will be able to understand it. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive.

10: Integrated security control system
100: Integrated security control device
110: processor
120: Department of Communications
130: storage unit
200: Kubernetes cluster

Claims (15)

Ministry of Communications;
A storage unit storing information on each of the components having a hierarchical structure in a Kubernetes cluster to which one or more instructions and an overlay network are applied, the hierarchical structure, and a connection path between the components according to the hierarchical structure; and
It includes one or more processors that execute the instructions stored in the storage unit,
The processor,
Collect events occurring in the Kubernetes cluster through the communication unit,
Monitor the collected events based on preset security rules,
If it is determined that an abnormality has occurred as a result of the monitoring, the connection path of the attack destination from the attack source for the abnormality is traced based on the connection path stored in the storage unit,
The processor,
Check information on the components in the Kubernetes cluster using a predetermined command at preset times,
When an existing pod in the Kubernetes cluster is deleted or a new pod is created, data in the storage unit is updated based on information about the hierarchical structure and the access path stored in the storage unit,
Among the configurations in the Kubernetes cluster, monitoring weights are assigned to a connection path related to a specific pod in which the anomaly symptom is detected and a configuration having a connection path related to the specific pod,
Characterized by changing the monitoring cycle or changing the criteria for determining abnormalities based on the assigned monitoring weight,
An integrated security control device for monitoring Kubernetes clusters.
According to paragraph 1,
The processor,
Identifying the port for the first configuration in the first pod where the abnormality was detected as the attack source,
Identifying the port for the second configuration in the second pod where the abnormality was detected as the attack destination,
Based on the connection path according to the hierarchical structure of the configurations in the Kubernetes cluster stored in the storage unit,
Identifying components included in the first path of the router from the first pod, and identifying connection paths between the identified components,
Characterized in identifying the components included in the second path of the second pod from the router and identifying the connection path between the identified components,
An integrated security control device for monitoring Kubernetes clusters.
According to paragraph 2,
Configurations included in the first path include the first veth (Virtual Ethernet Devices) to which the first pod belongs, the first CNI, the first NAT (Network Address Translation), and the first eth0,
Configurations included in the second path include a second veth (Virtual Ethernet Devices) to which the second pod belongs, a second CNI, a second NAT (Network Address Translation), and a second eth0.
An integrated security control device for monitoring Kubernetes clusters.
According to paragraph 3,
The processor,
Based on the connection path stored in the storage unit, the connection path of the first CNI from the first veth (Virtual Ethernet Devices) to which the first pod belongs, the connection path of the first NAT (Network Address Translation) from the first CNI, The connection path of the first eth0 from the first NAT, the connection path of the router from the first eth0, the connection path of the second eth0 from the router, the connection path of the second NAT from the second eth0, the connection path of the second NAT from the second NAT Characterized in identifying the connection path of 2 CNI, the connection path of the second veth to which the second pod belongs from the second CNI,
An integrated security control device for monitoring Kubernetes clusters.
According to paragraph 1,
The storage unit stores predetermined commands to check information about pods, containers, and namespaces within the Kubernetes cluster and information about components within the Kubernetes cluster,
The processor,
Characterized in checking information on the components in the Kubernetes cluster using the predetermined command at each preset time and updating the information stored in the storage unit,
An integrated security control device for monitoring Kubernetes clusters.
According to clause 5,
The processor,
Characterized in checking the information of eth0, flannel and cni in the Kubernetes cluster using the predetermined command,
An integrated security control device for monitoring Kubernetes clusters.
delete According to paragraph 1,
The processor,
When an existing pod in the Kubernetes cluster is deleted or a new pod is created, information is stored in the storage unit based on the hierarchical structure stored in the storage unit and information about the connection path between components according to the hierarchical structure. Characterized by updating data,
An integrated security control device for monitoring Kubernetes clusters.
According to clause 5,
The processor,
Characterized in that, when a connection attempt exceeding a preset first number for the connection path or configuration within the Kubernetes cluster is detected, the connection attempt is determined to be an abnormality.
An integrated security control device for monitoring Kubernetes clusters.
According to clause 9,
The first number of times is set for each connection path between the components having a hierarchical structure within the Kubernetes cluster,
The processor,
Characterized in that the connection attempt is judged as an abnormality symptom based on the first number of times set for each connection path,
An integrated security control device for monitoring Kubernetes clusters.
According to clause 9,
The processor,
Calculating a security risk based on the identified attack source, attack destination, and configurations on the access path included in the attack destination from the attack source and the number of access attempts for the abnormality,
An integrated security control device for monitoring Kubernetes clusters.
According to clause 9,
The processor,
When an attempt to access data larger than a preset first size is detected in excess of a preset second number for the connection path or configuration within the Kubernetes cluster, the connection attempt is determined to be an abnormality symptom,
An integrated security control device for monitoring Kubernetes clusters.
delete In a method performed by an integrated security control device,
Collecting events occurring in a Kubernetes cluster;
Monitoring the collected events based on preset security rules;
If it is determined that an abnormality has occurred as a result of the monitoring, tracking the connection path of the attack destination from the attack source for the abnormality based on the connection path stored in the storage unit,
The storage unit stores information about each component having a hierarchical structure in a Kubernetes cluster to which an overlay network is applied, the hierarchical structure, and a connection path between the components according to the hierarchical structure,
The integrated security control device,
Check information on the components in the Kubernetes cluster using a predetermined command at preset times,
When an existing pod in the Kubernetes cluster is deleted or a new pod is created, data in the storage unit is updated based on information about the hierarchical structure and the access path stored in the storage unit,
Among the configurations in the Kubernetes cluster, monitoring weights are assigned to a connection path related to a specific pod in which the anomaly symptom is detected and a configuration having a connection path related to the specific pod,
Characterized by changing the monitoring cycle or changing the criteria for determining abnormalities based on the assigned monitoring weight,
Integrated security control method for monitoring Kubernetes clusters.
A computer-readable recording medium coupled to a hardware computer and storing a program for executing the method of claim 14.