WO2021042846A1 - Network isolation policy management method and network isolation policy management system - Google Patents

Info

Publication number: WO2021042846A1
Authority: WO (WIPO (PCT))
Prior art keywords: network, network isolation, policy, container, strategy
Application number: PCT/CN2020/099021
Other languages: French (fr), Chinese (zh)
Inventors: 杨帆, 张军
Original Assignee: 南京中兴软件有限责任公司

Classifications

    All classifications fall under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 41/0894: Policy-based network configuration management (under H04L 41/08 Configuration management of networks or network elements; H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L 41/0895: Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements (under H04L 41/08; H04L 41/00)
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (under H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L 63/00)
    • H04L 9/40: Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Definitions

  • The present disclosure relates to the technical field of virtual networks, and in particular to a network isolation policy management method, a container cluster management system, a software-defined network controller, and a network isolation policy management system.
  • Kubernetes can easily run, operate, and scale applications, and can easily manage containerized applications that run across hosts.
  • However, container network management and isolation in Kubernetes are not complete.
  • An important feature of Kubernetes is to connect the Pods of different virtual switch nodes regardless of the limitations of physical nodes.
  • Pods of different tenants should not communicate with each other, so network isolation is required in this case. How to manage the network isolation policy has therefore become a technical problem that urgently needs to be solved.
  • The present disclosure aims to solve at least one of the technical problems existing in the prior art, and proposes a network isolation policy management method, a container cluster management system, a software-defined network controller, and a network isolation policy management system.
  • In a first aspect, embodiments of the present disclosure provide a network isolation policy management method, including: in response to a container warehouse creation request sent by a user terminal, binding a corresponding label, and writing the creation location information of the first container warehouse to be created into the virtual switch configuration library, so that an associated network bridge is created on the virtual switch; and sending a network port creation and policy issuance request to the software-defined network controller, so that the software-defined network controller, in response to the network port creation and policy issuance request, creates a virtual network port for the first container warehouse and, when network isolation policy information matching the label of the first container warehouse is stored, sends that network isolation policy information to the virtual switch where the first container warehouse is located.
  • In a second aspect, embodiments of the present disclosure also provide a network isolation policy management method, including: in response to a network port creation and policy issuance request sent by a container cluster management system, creating a virtual network port for the first container warehouse and assigning an IP address to the virtual network port, where the network port creation and policy issuance request includes the warehouse name and label of the first container warehouse; querying, according to the label of the first container warehouse, whether network isolation policy information matching that label is stored; and, when network isolation policy information matching the label of the first container warehouse is found, sending the queried network isolation policy information through the IP address to the virtual switch where the first container warehouse is located.
  • Embodiments of the present disclosure also provide a container cluster management system, including one or more first processors and a first storage device on which one or more programs are stored; when the one or more programs are executed by the one or more first processors, the one or more first processors implement the method provided in the foregoing first aspect.
  • Embodiments of the present disclosure also provide a software-defined network controller, including one or more second processors and a second storage device on which one or more programs are stored; when the one or more programs are executed by the one or more second processors, the one or more second processors implement the method provided in the foregoing second aspect.
  • Embodiments of the present disclosure also provide a network isolation policy management system, including the container cluster management system as described above and the software-defined network controller as described above.
  • The embodiments of the present disclosure provide a network isolation policy management method, a container cluster management system, a software-defined network controller, and a network isolation policy management system that use the powerful network orchestration capabilities of the SDN controller, combined with network policies, to support label-level network isolation policy orchestration, so that effective isolation of container networks can be flexibly customized and managed in various application scenarios.
  • FIG. 1 is a flowchart of a network isolation policy management method provided by an embodiment of the disclosure.
  • FIG. 2 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure.
  • FIG. 3 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the disclosure implementing the network policy implementation process.
  • FIG. 4 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure.
  • FIG. 5 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure.
  • FIG. 6 is a signaling diagram of the container cluster management system and the software-defined network controller in an embodiment of the disclosure implementing the network policy storage process.
  • FIG. 7 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure.
  • FIG. 8 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure.
  • FIG. 9 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the disclosure implementing the container warehouse deletion process.
  • FIG. 10 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure.
  • FIG. 11 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure.
  • FIG. 12 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the disclosure implementing the process of deleting a network isolation policy scheme.
  • The present disclosure provides a network isolation policy management method based on a container cluster management system and a software-defined network (SDN) controller, where the container cluster management system preferably adopts Kubernetes.
  • The technical solution of the present disclosure utilizes the powerful network orchestration capability of the SDN controller and combines it with the network policy (Network Policy) to support label-level network isolation policy orchestration, thereby flexibly customizing and managing effective isolation of container networks in various application scenarios.
  • Fig. 1 is a flowchart of a network isolation policy management method provided by an embodiment of the present disclosure.
  • As shown in Fig. 1, the execution body of the method is the container cluster management system, and the method includes:
  • Step S1: In response to the container warehouse creation request sent by the client, bind the corresponding label, and write the creation location information of the first container warehouse to be created into the virtual switch configuration database, so that an associated bridge is created on the virtual switch.
  • In step S1, the client submits a container warehouse creation request to the container cluster management system. The container cluster management system responds by binding a corresponding label to the Pod to be created (called the first Pod) and sending the label and the creation location information of the first Pod to the external container warehouse creation system (which has a virtual switch configuration library). After receiving the label, the container warehouse creation system creates a bridge on the selected virtual switch based on the label and the creation location information and associates the first Pod with it; the first Pod can then provide applications or services for tenants to use.
  • The specific process by which the container warehouse creation system creates the Pod according to the label is conventional technology in the field and is not described in detail here.
  • The created first Pod has a pod name, which may be manually designated by the client or automatically assigned by the container cluster management system.
  • Step S2: Send a network port creation and policy issuance request to the software-defined network controller.
  • After the container cluster management system issues the label to the container warehouse creation system, it also sends a network port creation and policy issuance request to the SDN controller. The SDN controller responds to the network port creation and policy issuance request by creating a virtual network port for the first Pod and, when the SDN controller itself stores network isolation policy information matching the label of the first Pod, by sending the queried network isolation policy information to the virtual switch where the first Pod is located.
  • The network port creation and policy issuance request includes the warehouse name and label of the first Pod, and may also include related information such as the location information of the virtual switch where the first Pod is located.
  • Fig. 2 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure.
  • As shown in Fig. 2, the execution body of the method is the SDN controller, and the method includes:
  • Step S3: In response to the network port creation and policy issuance request sent by the container cluster management system, create a virtual network port for the first container warehouse and assign an IP address to the virtual network port.
  • In response to the network port creation and policy issuance request sent by the container cluster management system, the SDN controller creates a virtual network port for the first Pod according to the warehouse name of the first Pod and assigns an IP address to the virtual network port.
  • When the virtual network port comes online (is connected to the network), the virtual switch where the first Pod is located sends an asynchronous message to the SDN controller informing it that the virtual network port is online; the asynchronous message contains the device number and port number of the virtual network port.
  • After receiving the asynchronous message that the virtual network port is online, the SDN controller calls the Open vSwitch Database (OVSDB) background service of the virtual switch to query the identity identification number (a 32-bit string) corresponding to the device number and port number of the virtual network port; this is the identity identification number of the virtual network port. Based on the identity identification number of the virtual network port, an IP address is derived by conversion and used as the IP address assigned to the virtual network port.
  • Step S4: According to the label of the first container warehouse, query whether network isolation policy information matching the label of the first container warehouse exists in the SDN controller's own policy storage module.
  • The SDN controller has a policy storage module, which stores different pieces of network isolation policy information and their corresponding label selectors. The network isolation policy information records the network isolation policy configured by the client; the label selector defines the label of the Pods to which the network isolation policy information applies, that is, it determines which Pods (identified by their label) will apply the corresponding network isolation policy.
  • In step S4, the SDN controller queries the policy storage module, according to the label of the first Pod, for network isolation policy information matching the label of the first Pod.
  • Specifically, the SDN controller matches the label of the first Pod against each label selector. If the label of the first Pod is a label defined by at least one label selector, network isolation policy information matching the label of the first Pod exists in the policy storage module; the matching network isolation policy information is retrieved and step S5 is then performed. If the label of the first Pod is not a label defined by any label selector, no network isolation policy information matching the label of the first Pod exists in the policy storage module, that is, there is no network isolation policy that needs to be applied to the first Pod.
  • In step S4, the label of the Pod may match multiple label selectors (and thus multiple pieces of network isolation policy information), that is, the Pod may need to apply multiple network isolation policies.
  • Step S5: Send the queried network isolation policy information to the virtual switch where the first container warehouse is located, through the IP address of the virtual network port of the first container warehouse.
  • The SDN controller sends the network isolation policy information queried in step S4 to the corresponding virtual switch through the IP address of the virtual network port of the first Pod, which completes the implementation of the network policy.
  • Specifically, the SDN controller maps the queried network isolation policy information to an access control list (ACL), and then uses the OpenFlow protocol to send all the access control lists mapped from the network isolation policy information to the corresponding virtual switch in the form of flow tables.
  • The technical solution of the present disclosure uses the container warehouse creation request as the trigger mechanism: when the virtual network port of the created Pod comes online, the network isolation policy corresponding to the Pod is sent to the corresponding virtual switch, so that the network policy is implemented.
  • Figure 3 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the disclosure implementing the network policy implementation process.
  • As shown in Figure 3, the network policy implementation process in the embodiment of the present disclosure includes the above steps S1 to S5; for the specific description of each step, refer to the foregoing content, which is not repeated here.
  • FIG. 4 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure.
  • As shown in FIG. 4, the execution body of the method is the container cluster management system.
  • The method includes not only the above steps S1 to S2 but also step S6; only step S6 is described in detail below.
  • Step S6: In response to the network isolation policy scheme configuration request sent by the user terminal, forward the received network isolation policy scheme to the software-defined network controller.
  • The container cluster management system provides a visual policy configuration interface through which the user terminal completes the configuration of the network isolation policy scheme and submits the corresponding network isolation policy scheme to the container cluster management system.
  • The container cluster management system forwards the received network isolation policy scheme to the SDN controller, so that the SDN controller stores the received network isolation policy scheme in its own policy storage module.
  • The network isolation policy scheme includes network isolation policy information and a label selector; the label selector defines the label of the container warehouse to which the network isolation policy information is applied.
  • For example, the client can create a yaml file for a Kubernetes object of type Network Policy and then send the yaml file to the container cluster management system.
  • The configuration content fragment of the yaml file is as follows:
  • The content carried by podSelector is used as the label selector; it defines that all inbound and outbound traffic of the Pods with the label label1 must follow the constraints of this network policy.
  • The content carried by ingress is used as the network isolation policy information; it defines that, of all IP addresses in the 172.17.0.0/16 network segment, those outside the 172.17.1.0/24 network segment (as source IP addresses) can access the Pod labeled label1 (with the IP address of the virtual network card of the Pod labeled label1 as the destination IP address).
  • When the container cluster management system receives a network isolation policy scheme configured using a yaml file, it can first convert the yaml file, translating it into a file type that the SDN controller can recognize, and then send the converted and translated network isolation policy scheme to the SDN controller through the RESTCONF interface. Note that in the process of converting and translating the yaml file, the network isolation policy information remains unchanged.
  • The above-mentioned Network Policy has a standard policy model; based on this policy model, the client can formulate the required network policy for the selected Pods.
  • The process of configuring a network policy using the Network Policy is conventional technology in this field, and the specific configuration process is not described in detail here.
  • Step S6 can be executed before steps S1 to S2, after steps S1 to S2, or synchronously with steps S1 to S2.
  • FIG. 4 only exemplarily shows the case where step S6 is executed after steps S1 to S2.
  • FIG. 5 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure. As shown in FIG. 5, the execution body of the method is the SDN controller. The method includes not only the above steps S3 to S5 but also step S7; only step S7 is described in detail below.
  • Step S7: Receive the network isolation policy scheme sent by the container cluster management system, and store the received network isolation policy scheme in the policy storage module.
  • Step S7 specifically includes: the SDN controller creates a security container in the policy storage module and encapsulates the network isolation policy information of the network isolation policy scheme in the security container in the form of security group rules; and it establishes the correspondence between the security container and the label selector in the network isolation policy scheme.
  • In other words, the Network Policy can be mapped to the security group rules of the SDN controller to facilitate storage by the SDN controller.
  • Both the Network Policy and the security group rules of the SDN controller have standard formats.
  • The field mapping for mapping the Network Policy to the security group rules of the SDN controller is shown in Table 1:
  • Taking the above yaml file as an example, the network isolation policy information in the yaml file can be converted into the following two security group rules:
  • the source IP network segment is 172.17.0.0/16, the direction is ingress, and the action type is permit;
  • the source IP network segment is 172.17.1.0/24, the direction is ingress, and the action type is drop.
  • The above two security group rules can be mapped to the following two access control lists:
  • dst_ip represents the destination IP address;
  • src_ip represents the source IP address;
  • ip represents the IP address of the network port of the Pod labeled label1.
  • In summary, the network isolation policy information in the network isolation policy scheme exists in the container cluster management system as a yaml file fragment of type Network Policy, in the SDN controller as security group rules encapsulated in a security container, and in the virtual switch as access control lists.
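The three forms the page describes (the Network Policy for Pods labeled label1 admitting 172.17.0.0/16 except 172.17.1.0/24, the two security group rules it becomes, and the access control lists pushed to the virtual switch) worked through in code. This is an added example and not code from the patent or from Kubernetes: the parsed policy dict, the label key app, the security group and ACL field names, the priority scheme and the sample addresses are assumptions, since the page does not reproduce the yaml fragment, Table 1 or the ACL entries.

```python
"""Kubernetes NetworkPolicy -> security group rules -> ACL (flow table).

Added example, not code from the patent or from Kubernetes. The policy dict
is constructed to match the page's description; the security group and ACL
field names and the priority scheme are assumptions.
"""
import ipaddress

# Constructed: the parsed form of a NetworkPolicy like the yaml fragment the
# page describes. The label key "app" is assumed; the page only says "label1".
NETWORK_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "label1-ingress"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "label1"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                   "except": ["172.17.1.0/24"]}}]}
        ],
    },
}


def policy_to_security_group_rules(policy):
    """Map each ingress ipBlock peer to security group rules (step S7).

    The block's cidr becomes a permit rule and every except entry a drop
    rule, which for the constructed policy yields exactly the two rules the
    page lists. Peers of other kinds (podSelector, namespaceSelector) need
    the controller's Pod inventory and are skipped here.
    """
    rules = []
    for ingress in policy["spec"].get("ingress", []):
        for peer in ingress.get("from", []):
            block = peer.get("ipBlock")
            if block is None:
                continue
            rules.append({"direction": "ingress",
                          "remote_ip_prefix": block["cidr"], "action": "permit"})
            for excluded in block.get("except", []):
                rules.append({"direction": "ingress",
                              "remote_ip_prefix": excluded, "action": "drop"})
    return rules


def security_group_rules_to_acl(rules, pod_ip):
    """Map security group rules to ACL entries keyed on the Pod's port IP (step S5).

    A flow table applies the highest-priority matching entry, so priority is
    taken from prefix length: the /24 drop must outrank the /16 permit or the
    excluded segment would be let through. A lowest-priority default-drop
    entry per direction gives the NetworkPolicy semantics that a selected Pod
    accepts nothing it is not explicitly permitted.
    """
    acl = []
    for rule in rules:
        prefix = ipaddress.ip_network(rule["remote_ip_prefix"])
        if rule["direction"] == "ingress":
            match = {"ip_src": str(prefix), "ip_dst": pod_ip}
        else:
            match = {"ip_src": pod_ip, "ip_dst": str(prefix)}
        acl.append({"priority": 1000 + prefix.prefixlen,
                    "match": match, "action": rule["action"]})
    for direction in {r["direction"] for r in rules}:
        if direction == "ingress":
            match = {"ip_src": "0.0.0.0/0", "ip_dst": pod_ip}
        else:
            match = {"ip_src": pod_ip, "ip_dst": "0.0.0.0/0"}
        acl.append({"priority": 0, "match": match, "action": "drop"})
    return sorted(acl, key=lambda e: e["priority"], reverse=True)


def is_allowed(acl, src_ip, dst_ip):
    """Evaluate a packet against the ACL as the switch would: first match wins.

    Returns False for a (src, dst) pair no entry covers, i.e. traffic that is
    not addressed to the protected Pod and is not this ACL's concern.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in acl:
        m = entry["match"]
        if src in ipaddress.ip_network(m["ip_src"]) and dst in ipaddress.ip_network(m["ip_dst"]):
            return entry["action"] == "permit"
    return False


def build_example_acl(pod_ip):
    """Run the whole chain on the constructed policy for one Pod port IP."""
    return security_group_rules_to_acl(policy_to_security_group_rules(NETWORK_POLICY), pod_ip)


if __name__ == "__main__":
    acl = build_example_acl("172.17.8.9")  # constructed Pod port IP
    for entry in acl:
        print(entry)
    for src in ("172.17.2.5", "172.17.1.7", "10.0.0.1"):
        print(src, "->", "permit" if is_allowed(acl, src, "172.17.8.9") else "drop")
```

The point a reviewer of such a mapping looks for is the ordering: the permit rule for 172.17.0.0/16 and the drop rule for 172.17.1.0/24 both match a source in the /24, and only the priority (or, on an ordered ACL, the position) of the drop entry makes the except clause effective.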
  • Step S7 can be executed before steps S3 to S5, after steps S3 to S5, or synchronously with steps S3 to S5.
  • FIG. 5 only exemplarily shows the case where step S7 is executed after steps S3 to S5.
  • FIG. 6 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the present disclosure implementing the network policy storage process.
  • As shown in FIG. 6, the network policy storage process in the embodiment of the present disclosure includes the above steps S6 to S7; for the specific description of each step, refer to the foregoing content, which is not repeated here.
  • FIG. 7 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure.
  • As shown in FIG. 7, the execution body of the method is the container cluster management system.
  • The method includes not only the above steps S1 to S2 but also steps S8 to S9; only steps S8 to S9 are described in detail below.
  • Step S8: In response to the container warehouse deletion request sent by the user terminal, forward the container warehouse deletion request to the container warehouse deletion system.
  • The client submits a container warehouse deletion request to the container cluster management system, and the container cluster management system forwards the container warehouse deletion request to the external container warehouse deletion system, so that the container warehouse deletion system deletes the related configuration data of the second Pod.
  • The container warehouse deletion request includes the warehouse name of the second Pod to be deleted.
  • Step S9: Determine the IP address of the virtual network port of the second container warehouse according to the warehouse name of the second container warehouse, and send a first delete control request to the software-defined network controller.
  • The container cluster management system queries its own database for the IP address of the virtual network port of the second Pod according to the warehouse name of the second Pod (after the SDN controller assigns the IP address of the virtual network port to the Pod, it informs the container cluster management system of that IP address to facilitate management by the container cluster management system), and sends the first delete control request to the software-defined network controller, so that the software-defined network controller, in response to the first delete control request, sends a policy delete instruction to the virtual switch where the second container warehouse is located, and that virtual switch deletes its stored network isolation policy information applied to the second container warehouse.
  • The first delete control request includes the IP address of the virtual network port of the second Pod.
  • Steps S8 to S9 can be executed before steps S1 to S2, after steps S1 to S2, or synchronously with steps S1 to S2.
  • FIG. 7 only exemplarily shows the case where steps S8 to S9 are executed after steps S1 to S2.
  • FIG. 8 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure.
  • As shown in FIG. 8, the execution body of the method is the SDN controller.
  • The method includes not only the above steps S3 to S5 but also step S5a and steps S10 to S12; only step S5a and steps S10 to S12 are described in detail below.
  • Step S5a: Establish a correspondence between the IP address of the virtual network port of the first Pod and the queried network isolation policy information, and store the correspondence in a predefined correspondence table.
  • When the SDN controller finds network isolation policy information matching the label of the container warehouse in its own policy storage module, step S5a may be performed while step S5 is performed.
  • In step S5a, the SDN controller establishes a correspondence between the IP address allocated to the first Pod in step S3 and the network isolation policy information queried in step S4, and stores the correspondence in a predefined correspondence table.
  • Since the network isolation policy information is encapsulated in a security container, establishing the correspondence between the IP address and the network isolation policy information is essentially establishing the correspondence between the IP address and the security container.
  • Step S10: In response to the first delete control request sent by the container cluster management system, query whether network isolation policy information corresponding to the IP address of the virtual network port of the second container warehouse exists in the pre-stored correspondence table.
  • After receiving the first delete control request, the SDN controller queries its pre-stored correspondence table for network isolation policy information corresponding to the IP address of the virtual network port of the second container warehouse. The correspondence table stores different IP addresses and their corresponding network isolation policy information, and the correspondences stored in it can be generated by the above step S5a.
  • When the correspondence table contains network isolation policy information corresponding to the IP address of the virtual network port of the second Pod, steps S11 and S12 are executed; when it does not, this indicates that the virtual switch where the second Pod is located does not store network isolation policy information for the second Pod, so no network isolation policy corresponding to the second Pod needs to be deleted.
  • Step S11: Send a policy deletion instruction to the virtual switch where the second container warehouse is located according to the queried network isolation policy information.
  • The SDN controller sends a policy deletion instruction to the virtual switch where the second Pod is located according to the queried network isolation policy information, so that the virtual switch where the second Pod is located deletes the stored network isolation policy information applied to the second Pod.
  • Since the SDN controller in the foregoing step S5 delivers the network isolation policy information to the corresponding virtual switch in the form of an access control list, the network isolation policy information is stored in the virtual switch in the form of an access control list.
  • Therefore, when the SDN controller sends the policy delete instruction to the virtual switch where the second Pod is located, it needs to map the queried network isolation policy information to an access control list and encapsulate the mapped access control list in the policy delete instruction, so that the same access control list in the virtual switch where the second Pod is located can be deleted through the OpenFlow protocol.
  • Step S12: Delete the correspondence between the IP address of the virtual network port of the second container warehouse and the network isolation policy information recorded in the correspondence table.
  • When the SDN controller sends the policy deletion instruction to the virtual switch where the second Pod is located, it also deletes the correspondence between the IP address of the virtual network port of the second Pod and the network isolation policy information recorded in its correspondence table, in order to save the storage space of the SDN controller.
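The controller-side state machine described across steps S4 to S5a (label selector matching, policy issuance, recording the IP-to-policy correspondence) and steps S10 to S12 (looking the IP up on deletion, deleting the same entries from the switch, and clearing the row) as one runnable model. This is an added example, not the patent's or any SDN controller's code: the class SdnPolicyStore, its method names, the in-memory dict standing in for the virtual switch's ACL store, and the sample schemes and Pods are all constructed.

```python
"""SDN-controller policy storage module and correspondence table, with the
port-online (steps S4, S5, S5a) and Pod-deletion (steps S10 to S12) flows.

Added example, not the patent's code. SdnPolicyStore, its method names, the
in-memory stand-in for the virtual switch's ACL store and the sample Pods
are all constructed.
"""
from collections import defaultdict


class SdnPolicyStore:
    def __init__(self):
        # Policy storage module: security container name -> (label selector, rules).
        self.containers = {}
        # Correspondence table: Pod port IP -> set of security container names
        # whose rules were pushed for that IP (step S5a).
        self.correspondence = {}
        # Stand-in for what each virtual switch holds: (pod_ip, container) pairs.
        self.switch_acls = defaultdict(set)

    def store_scheme(self, name, label_selector, rules):
        """Step S7: keep the scheme as a security container tied to its selector."""
        self.containers[name] = (dict(label_selector), list(rules))

    def delete_scheme(self, name):
        """Step S13 (controller side): remove a scheme by policy name.

        Returns False when no such container exists, so the caller can tell a
        no-op from a real deletion.
        """
        return self.containers.pop(name, None) is not None

    @staticmethod
    def selector_matches(label_selector, pod_labels):
        """matchLabels semantics: every selector key/value must be on the Pod.

        An empty selector matches every Pod, as it does in Kubernetes, so a
        scheme stored with {} is cluster-wide by design, not by accident.
        """
        return all(pod_labels.get(k) == v for k, v in label_selector.items())

    def query_policies(self, pod_labels):
        """Step S4: all security containers whose selector matches the labels.

        A Pod may match several selectors, in which case every matching
        scheme is applied.
        """
        return sorted(name for name, (sel, _rules) in self.containers.items()
                      if self.selector_matches(sel, pod_labels))

    def on_port_online(self, switch_id, pod_ip, pod_labels):
        """Steps S4, S5, S5a on a port-online notification.

        Pushes matching containers' rules to the Pod's switch and records the
        IP -> container correspondence. Returns the containers pushed; an
        empty list means no policy applies and nothing is recorded.
        """
        names = self.query_policies(pod_labels)
        for name in names:
            self.switch_acls[switch_id].add((pod_ip, name))
        if names:
            self.correspondence[pod_ip] = set(names)
        return names

    def on_pod_deleted(self, switch_id, pod_ip):
        """Steps S10 to S12 on the first delete control request.

        Looks the IP up in the correspondence table; if absent, the switch
        holds nothing for this Pod and no delete instruction is needed.
        Otherwise removes the same entries from the switch and drops the
        row, so the table never refers to ACLs that are gone.
        """
        names = self.correspondence.pop(pod_ip, None)
        if names is None:
            return []
        for name in names:
            self.switch_acls[switch_id].discard((pod_ip, name))
        return sorted(names)


if __name__ == "__main__":
    store = SdnPolicyStore()
    # Constructed schemes: rules are opaque strings here; the mapping to ACLs
    # is a separate concern.
    store.store_scheme("np-label1", {"app": "label1"}, ["permit 172.17.0.0/16", "drop 172.17.1.0/24"])
    store.store_scheme("np-tenant-a", {"tenant": "a"}, ["permit 10.1.0.0/16"])
    print(store.on_port_online("vswitch-1", "172.17.8.9", {"app": "label1", "tenant": "a"}))
    print(store.on_pod_deleted("vswitch-1", "172.17.8.9"))
```

The correspondence table is the controller's only record of which ACLs it pushed for which port IP; if a delete request arrives for an IP with no row, nothing is sent, and if the row is lost before the Pod is deleted, the switch keeps stale entries. Keeping the table write in the same step as the push (S5a alongside S5) is what makes the later cleanup reliable.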
  • steps S10 to S12 can be executed before steps S3 to S5, or they can be executed in steps S3 to S3. It is executed after step S5, and it can also be executed synchronously with step S3 to step S5.
  • FIG. 8 only exemplarily shows the case where step S10 to step S12 are executed after step S3 to step S5.
  • FIG. 9 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the container warehouse deletion process in an embodiment of the disclosure.
  • The container warehouse deletion process in the embodiment of the disclosure includes steps S8 to S12 above; for a detailed description of each step, refer to the foregoing, which is not repeated here.
  • FIG. 10 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure.
  • The execution body of this method is the container cluster management system.
  • The method includes not only steps S1 to S2 above but also step S13; only step S13 is described in detail below.
  • Step S13: In response to the network isolation policy scheme deletion request sent by the user terminal, send a second deletion control request to the software-defined network controller.
  • The client submits a network isolation policy scheme deletion request to the container cluster management system; the request contains the policy name of the target network isolation policy scheme to be deleted.
  • After receiving the network isolation policy scheme deletion request, the container cluster management system sends a second deletion control request to the SDN controller, so that the SDN controller, in response to the second deletion control request, queries whether its policy storage module holds network isolation policy information corresponding to the policy name of the target network isolation policy scheme.
  • When the policy storage module does hold network isolation policy information corresponding to the policy name of the target network isolation policy scheme, that network isolation policy information is deleted from the policy storage module.
  • The second deletion control request includes the policy name of the target network isolation policy scheme.
  • Step S13 can be executed before steps S1 to S2, after steps S1 to S2, or synchronously with steps S1 to S2.
  • The case where step S13 is executed after steps S1 to S2 is shown as an example.
  • FIG. 11 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure.
  • The execution body of this method is the SDN controller.
  • The method includes not only steps S3 to S5 above but also steps S14 to S15; only steps S14 to S15 are described in detail below.
  • Step S14: In response to the second deletion control request sent by the container cluster management system, query whether the policy storage module holds network isolation policy information corresponding to the policy name of the target network isolation policy scheme.
  • The policy storage module stores not only the network isolation policy information and its corresponding label selector, but also, synchronously, the policy name of the network isolation policy scheme.
  • That is, there is a one-to-one correspondence among the policy name of the network isolation policy scheme, the network isolation policy information contained in the scheme, and the label selector contained in the scheme.
  • When the query finds network isolation policy information corresponding to the policy name of the target network isolation policy scheme in the policy storage module, step S15 is executed; when the query finds no network isolation policy information corresponding to that policy name, no subsequent deletion processing is required.
  • Step S15: Delete the network isolation policy information corresponding to the policy name of the target network isolation policy scheme from the policy storage module.
  • The SDN controller deletes the network isolation policy information and the label selector corresponding to the policy name of the target network isolation policy scheme from the policy storage module, so as to save storage space on the SDN controller.
  • When the SDN controller's query finds the network isolation policy information corresponding to the policy name of the target network isolation policy scheme, it then uses that information to query whether the aforementioned correspondence table contains any IP address corresponding to it (that is, it queries on which virtual switches that network isolation policy information has been landed); if so, it sends a policy deletion instruction to each corresponding virtual switch according to the queried IP address, so that those virtual switches delete the corresponding network isolation policy information.
  • Steps S14 to S15 can be executed before steps S3 to S5, after steps S3 to S5, or synchronously with steps S3 to S5.
  • The case where steps S14 to S15 are executed after steps S3 to S5 is shown as an example.
  • FIG. 12 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network isolation policy scheme deletion process in an embodiment of the disclosure.
  • The network policy deletion process in the embodiment of the disclosure includes steps S13 to S15 above; for a detailed description of each step, refer to the foregoing, which is not repeated here.
  • The network isolation policy management method thus includes steps S1 to S15 above, which together implement network policy landing, network policy storage, container warehouse deletion, and network isolation policy scheme deletion.
  • An embodiment of the present disclosure also provides a container cluster management system, including one or more first processors and a first storage device on which one or more programs are stored; when the one or more programs are executed by the one or more first processors, the one or more first processors implement the network isolation policy management method provided in the foregoing embodiments.
  • An embodiment of the present disclosure also provides a software-defined network controller, including one or more second processors and a second storage device on which one or more programs are stored; when the one or more programs are executed by the one or more second processors, the one or more first processors implement the network isolation policy management method provided in the foregoing embodiments.
  • The embodiments of the present disclosure also provide a network isolation policy management system, including the container cluster management system and the software-defined network controller provided in the foregoing embodiments.
  • The functional modules/units in the device can be implemented as software, firmware, hardware, or appropriate combinations thereof.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components can be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
  • Such software may be distributed on a computer-readable medium, and the computer-readable medium may include a computer storage medium (or a non-transitory medium) and a communication medium (or a transitory medium).
  • The term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tapes, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • Communication media usually carry computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery media.
  • The network isolation policy management method, container cluster management system, software-defined network controller and network isolation policy management system provided by the embodiments of the present invention have the following beneficial effect: by using the powerful network orchestration capability of the SDN controller, combined with the fact that network policies support label-level network isolation policy orchestration, effective isolation of container networks can be flexibly customized and managed in various application scenarios.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the present disclosure is a network isolation policy management method, comprising: in response to a pod creation request sent by a user terminal, binding a corresponding label and writing the creation location information of a first pod to be created to a virtual switch configuration library in order to create an associated network bridge on the virtual switch; sending a network port creation and policy issuing request to a software-defined network controller so that the software-defined network controller can create a virtual network port for the first pod in response to the network port creation and policy issuing request and, when network isolation policy information matching the label of the first pod is stored therein, send the network isolation policy information to the virtual switch in which the first pod is located. Also provided in the embodiments of the present disclosure is a network isolation policy management system.

Description

Network isolation policy management method and network isolation policy management system
Technical field
The present disclosure relates to the technical field of virtual networks, and in particular to a network isolation policy management method, a container cluster management system, a software-defined network controller, and a network isolation policy management system.
Background
Kubernetes, as an open-source container cluster management system, makes it convenient to run, operate and scale applications, and to manage containerized applications running across hosts. However, the capabilities of Kubernetes in container network management and isolation are currently not yet complete. An important feature of Kubernetes is to connect the container warehouses (Pods) on different virtual switch (Virtual Switch) nodes regardless of the boundaries of physical nodes. In some application environments, however, such as public clouds, the Pods of different tenants should not be able to communicate with each other, and network isolation is required. How to manage network isolation policies has therefore become a technical problem that urgently needs to be solved.
No effective solution has yet been proposed for the above problems in the related art.
Summary of the invention
The present disclosure aims to solve at least one of the technical problems in the prior art, and proposes a network isolation policy management method, a container cluster management system, a software-defined network controller and a network isolation policy management system.
In a first aspect, an embodiment of the present disclosure provides a network isolation policy management method, including: in response to a container warehouse creation request sent by a user terminal, binding a corresponding label, and writing the creation location information of the first container warehouse to be created into a virtual switch configuration library, for creating an associated network bridge on the virtual switch; and sending a network port creation and policy issuance request to a software-defined network controller, so that the software-defined network controller, in response to the network port creation and policy issuance request, creates a virtual network port for the first container warehouse and, when it itself stores network isolation policy information matching the label of the first container warehouse, sends the network isolation policy information to the virtual switch where the first container warehouse is located.
In a second aspect, an embodiment of the present disclosure further provides a network isolation policy management method, including: in response to a network port creation and policy issuance request sent by a container cluster management system, creating a virtual network port for a first container warehouse and assigning an IP address to the virtual network port, where the network port creation and policy issuance request includes the warehouse name and the label of the first container warehouse; according to the label of the first container warehouse, querying whether network isolation policy information matching the label of the first container warehouse is stored locally; and, when network isolation policy information matching the label of the first container warehouse is found to be stored, sending the queried network isolation policy information through the IP address to the virtual switch where the first container warehouse is located.
In a third aspect, an embodiment of the present disclosure further provides a container cluster management system, including: one or more first processors; and a first storage device on which one or more programs are stored; when the one or more programs are executed by the one or more first processors, the one or more first processors implement the method provided in the first aspect above.
In a fourth aspect, an embodiment of the present disclosure further provides a software-defined network controller, including: one or more second processors; and a second storage device on which one or more programs are stored; when the one or more programs are executed by the one or more second processors, the one or more first processors implement the method provided in the second aspect above.
In a fifth aspect, an embodiment of the present disclosure further provides a network isolation policy management system, including the container cluster management system as described above and the software-defined network controller as described above.
The embodiments of the present disclosure provide a network isolation policy management method, a container cluster management system, a software-defined network controller and a network isolation policy management system, which use the powerful network orchestration capability of the SDN controller combined with the fact that network policies support label-level network isolation policy orchestration, so as to flexibly customize and manage effective isolation of container networks in various application scenarios.
Description of the drawings
FIG. 1 is a flowchart of a network isolation policy management method provided by an embodiment of the disclosure;
FIG. 2 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure;
FIG. 3 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network policy landing process in an embodiment of the disclosure;
FIG. 4 is a flowchart of yet another network isolation policy management method provided by an embodiment of the disclosure;
FIG. 5 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure;
FIG. 6 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network policy storage process in an embodiment of the disclosure;
FIG. 7 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure;
FIG. 8 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure;
FIG. 9 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the container warehouse deletion process in an embodiment of the disclosure;
FIG. 10 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure;
FIG. 11 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure;
FIG. 12 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network isolation policy scheme deletion process in an embodiment of the disclosure.
Detailed description
To enable those skilled in the art to better understand the technical solutions of the present disclosure, the network isolation policy management method and system provided by the present disclosure are described in detail below with reference to the accompanying drawings.
Example embodiments will be described more fully hereinafter with reference to the accompanying drawings, but the example embodiments may be embodied in different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be thorough and complete, and will fully convey the scope of the present disclosure to those skilled in the art.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprising" and/or "made of", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements/instructions/requests, these elements/instructions/requests should not be limited by these terms. These terms are only used to distinguish one element/instruction/request from another.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The present disclosure provides a network isolation policy management method based on a container cluster management system and a software-defined network (Software Defined Network, SDN) controller, where the container cluster management system preferably adopts Kubernetes.
The technical solution of the present disclosure uses the powerful network orchestration capability of the SDN controller, combined with the fact that network policies (Network Policy) support label-level network isolation policy orchestration, so as to flexibly customize and manage effective isolation of container networks in various application scenarios.
FIG. 1 is a flowchart of a network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 1, the execution body of the method is a container cluster management system, and the method includes:
Step S1: In response to a container warehouse creation request sent by the user terminal, bind a corresponding label and write the creation location information of the first container warehouse to be created into the virtual switch configuration library, for creating an associated network bridge on the virtual switch.
The client submits a container warehouse creation request to the container cluster management system. In response, the container cluster management system binds a corresponding label to the Pod to be created (called the first Pod) and sends the label and the creation location information of the first Pod to an external container warehouse creation system (which has the virtual switch configuration library). After receiving the label, the container warehouse creation system creates a network bridge on the selected virtual switch according to the label and the creation location information and associates it with the first Pod; the first Pod can then provide applications or services for tenants to use.
It should be noted that the specific process by which the container warehouse creation system creates the Pod according to the label is conventional technology in this field and is not described in detail here. At this point the created first Pod has a warehouse name (Pod name), which may be specified manually by the client or assigned automatically by the container cluster management system.
Step S2: Send a network port creation and policy issuance request to the software-defined network controller.
After issuing the label to the container warehouse creation system, the container cluster management system also sends a network port creation and policy issuance request to the SDN controller, so that the SDN controller, in response to the network port creation and policy issuance request, creates a virtual network port for the first Pod and, when the SDN controller itself stores network isolation policy information matching the label of the first container warehouse, sends the queried network isolation policy information to the virtual switch where the first Pod is located.
The network port creation and policy issuance request contains the warehouse name and the label of the first Pod, and may of course also include related information such as the location information of the virtual switch where the first Pod is located.
FIG. 2 is a flowchart of another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 1, the execution body of the method is the SDN controller, and the method includes:
Step S3: In response to the network port creation and policy issuance request sent by the container cluster management system, create a virtual network port for the container warehouse and assign an IP address to the virtual network port.
In response to the network port creation request sent by the container cluster management system, the SDN controller creates a virtual network port for the first Pod according to the warehouse name of the first Pod, and assigns an IP address to that virtual network port.
As an optional solution, after the SDN controller has created the virtual network port for the first Pod, when the virtual network port comes online (is connected to the network), the virtual switch where the first Pod is located sends an asynchronous message to the SDN controller to inform it that the virtual network port is online; the asynchronous message contains the device number and port number of the virtual network port. After receiving the asynchronous message, the SDN controller calls the Open vSwitch Database (OVSDB) background service of that virtual switch to query the identity identification number (a 32-bit string) corresponding to the device number and port number of the virtual network port, which is the identity identification number of the virtual network port, and then converts that identity identification number into an IP address, which serves as the IP address assigned to the virtual network port.
Step S4: According to the label of the first container warehouse, query whether the SDN controller's own policy storage module holds network isolation policy information matching the label of the first container warehouse.
The SDN controller has a policy storage module that stores different items of network isolation policy information and their corresponding label selectors. The network isolation policy information records the network isolation policy configured by the user terminal; the label selector defines the labels of the Pods to which the corresponding network isolation policy information applies, that is, it determines which labels a Pod must carry for the corresponding network isolation policy to be applied to it.
The process and manner in which the policy storage module stores the network isolation policy information and its corresponding label selector are described in detail later.
In step S4, the SDN controller queries the policy storage module, according to the label of the first Pod, for network isolation policy information matching the label of the first Pod.
Specifically, the SDN controller matches the label of the first Pod against each label selector. If the label of the first Pod is a label defined by at least one label selector, the query finds that the policy storage module contains network isolation policy information matching the label of the first Pod, that matching network isolation policy information is retrieved, and step S5 is then executed. If the label of the first Pod is not a label defined by any label selector, the query finds that the policy storage module contains no network isolation policy information matching the label of the first Pod, that is, there is no network isolation policy that the first Pod needs to apply.
It should be noted that in step S4 the label of the Pod may match multiple label selectors (items of network isolation policy information), that is, the Pod may need to apply multiple network isolation policies.
Step S5: Send the queried network isolation policy information to the virtual switch where the first container warehouse is located, through the IP address of the virtual network port of the first container warehouse.
The SDN controller sends the network isolation policy information found in step S4 to the corresponding virtual switch through the IP address of the virtual network port of the first Pod, which completes the landing of the network policy.
In some embodiments, the SDN controller maps the queried network isolation policy information to access control lists (Access Control List, ACL), and then sends all access control lists mapped from the network isolation policy information to the corresponding virtual switch in the form of flow tables using the OpenFlow protocol.
The technical solution of the present disclosure uses the container warehouse creation request as the trigger mechanism: when the virtual network port of the created Pod comes online, the network isolation policy corresponding to that Pod is sent to the corresponding virtual switch, thereby implementing the landing of the network policy.
FIG. 3 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network policy landing process in an embodiment of the disclosure. As shown in FIG. 3, the network policy landing process in the embodiment of the disclosure includes steps S1 to S5 above; for a detailed description of each step, refer to the foregoing, which is not repeated here.
图4为本公开实施例提供的又一种网络隔离策略管理方法的流程图,如图4所示,该方法的执行主体为容器集群管理系统,该方法不但包括上述步骤S1~步骤S2,还包括:步骤S6,下面仅对步骤S6进行详细描述。FIG. 4 is a flowchart of another network isolation policy management method provided by an embodiment of the disclosure. As shown in FIG. 4, the execution body of the method is a container cluster management system. The method not only includes the above steps S1 to S2, but also Including: step S6, only step S6 will be described in detail below.
步骤S6、响应于用户端发送的网络隔离策略方案配置请求,将接收到的网络隔离策略方案转发至软件定义网络控制器。Step S6: In response to the network isolation strategy scheme configuration request sent by the user terminal, forward the received network isolation strategy scheme to the software-defined network controller.
在本公开实施例中,容器集群管理系统设置有可视化策略配置接口,用户端可通过该接口完成网络隔离策略方案的配置以及向容器集群管理系统提交相应的网络隔离策略方案,容器集群管理系统将接收到的网络隔离策略方案转发至SDN控制器,以供SDN控制器将接收到的网络隔离策略方案存储至自身的策略存储模块中。其中,网络隔离策略方案包括:网络隔离策略信息和标签选择器,标签选择器定义出应用该网络隔离策略信息的容器仓的标签。In the embodiment of the present disclosure, the container cluster management system is provided with a visual policy configuration interface through which the user terminal can complete the configuration of the network isolation strategy scheme and submit the corresponding network isolation strategy scheme to the container cluster management system. The container cluster management system will The received network isolation strategy scheme is forwarded to the SDN controller, so that the SDN controller stores the received network isolation strategy scheme in its own strategy storage module. Among them, the network isolation strategy scheme includes: network isolation strategy information and a label selector, and the tag selector defines the label of the container bin to which the network isolation strategy information is applied.
在一些场景中,用户端可创建一个类型为Network Policy的Kubernetes对象的yaml文件,然后将该yaml文件发送至容器集群管理系统。In some scenarios, the client can create a yaml file of a Kubernetes object of type Network Policy, and then send the yaml file to the container cluster management system.
作为一个示例,yaml文件的配置内容片段如下:As an example, the configuration content fragment of the yaml file is as follows:
[Figure PCTCN2020099021-appb-000001, PCTCN2020099021-appb-000002: yaml configuration fragment, rendered as images in the original; its content is summarized in the following paragraph]
In the above example, the content carried by podSelector serves as the label selector; it specifies that all inbound and outbound traffic of Pods with the label label1 is subject to the constraints of this network policy. The content carried by ingress serves as the network isolation policy information; it specifies that every IP address in the 172.17.0.0/16 network segment, except the IP addresses in the 172.17.1.0/24 segment, may (as source IP address) access the Pods with the label label1 (the IP address of the virtual network interface of a Pod with label label1 being the destination IP address).
In practice, when the container cluster management system receives a network isolation policy scheme configured as a yaml file, it may first convert and translate the yaml file into a file type that the SDN controller can recognize, and then send the converted and translated network isolation policy scheme to the SDN controller through a RESTCONF interface. It should be noted that the network isolation policy information itself is unchanged by the conversion and translation of the yaml file.
The NetworkPolicy described above has a standard policy model, on the basis of which the client can formulate the required network policy for the selected Pods. The process of configuring a network policy with a NetworkPolicy is conventional in this field and is not described in detail here.
It should be noted that the technical solution of the present disclosure does not limit the order of execution of step S6 relative to steps S1 to S2: step S6 may be executed before steps S1 to S2, after steps S1 to S2, or concurrently with them. FIG. 4 shows only, by way of example, the case in which step S6 is executed after steps S1 to S2.
FIG. 5 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 5, the method is executed by the SDN controller and includes, in addition to the above steps S3 to S5, step S7; only step S7 is described in detail below.
Step S7: Receive the network isolation policy scheme sent by the container cluster management system and store the received network isolation policy scheme in the policy storage module.
In some embodiments, step S7 specifically includes: the SDN controller creates a security container in the policy storage module and encapsulates the network isolation policy information of the network isolation policy scheme in the security container in the form of security group rules; and it establishes the correspondence between the security container and the label selector of the network isolation policy scheme.
In the present disclosure, a NetworkPolicy may be mapped to security group rules of the SDN controller to facilitate storage by the SDN controller. Both the NetworkPolicy and the security group rules of the SDN controller have standard formats; the field mapping policy for mapping a NetworkPolicy to the security group rules of the SDN controller is shown in Table 1:
Table 1. Field mapping policy between NetworkPolicy and SDN controller security groups
[Figure PCTCN2020099021-appb-000003, PCTCN2020099021-appb-000004: contents of Table 1, rendered as images in the original]
After conversion according to the mapping policy, the network isolation policy information in the above yaml file is converted into the following two security group rules:
1) source IP segment 172.17.0.0/16, direction ingress, action type permit;
2) source IP segment 172.17.1.0/24, direction ingress, action type drop.
It should be noted that when network isolation policy information stored in the SDN controller in the form of security group rules needs to be sent to the corresponding virtual switch in the aforementioned step S5, these security group rules may first be mapped to access control lists and then sent to the corresponding virtual switch as flow table entries over the OpenFlow protocol.
As an example, the above two security group rules may be mapped to the following two access control lists:
1) dst_ip=ip1, src_ip=172.17.0.0/16, priority=100, actions=go_to_next_table;
2) dst_ip=ip1, src_ip=172.17.1.0/24, priority=130, actions=drop.
Here dst_ip denotes the destination IP address, src_ip denotes the source IP address, and ip1 denotes the IP address of the network interface of the Pod with label label1.
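As an added example that is not the patent's or the applicant's own code, the following Python models the conversion chain described above: from the NetworkPolicy of the earlier yaml example (reconstructed here as the dict a yaml loader would produce, which is an assumption since the original figure is not reproduced on the page) to the two security group rules, and from those to the two access control list entries, which are then evaluated against sample packets. Function names, the pod address 10.244.1.5 and the dict layout are constructed. The drop entry carries priority 130 so that it wins over the priority-100 permit entry under OpenFlow's highest-priority-first matching; the evaluate function makes that precedence visible.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed NetworkPolicy, written as the dict a yaml loader would produce.
# It is an assumed reconstruction of the policy the text describes (label1 pods,
# ingress from 172.17.0.0/16 except 172.17.1.0/24), not the patent's figure.
NETWORK_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-from-172-17", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "label1"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                                   "except": ["172.17.1.0/24"]}}]}
        ],
    },
}


def policy_to_sg_rules(policy: dict) -> List[Dict[str, str]]:
    """Map the ingress ipBlock peers of a NetworkPolicy to security-group rules.

    ipBlock.cidr becomes a permit rule and each ipBlock.except entry becomes a
    drop rule, giving the two rules the text derives from Table 1. Peers of
    type podSelector/namespaceSelector are skipped: they resolve to pod IPs
    only when the selected pods come online.
    """
    rules: List[Dict[str, str]] = []
    for rule in policy["spec"].get("ingress", []) or []:
        for peer in rule.get("from", []) or []:
            block = peer.get("ipBlock")
            if block is None:
                continue
            cidr = ipaddress.ip_network(block["cidr"], strict=True)
            rules.append({"direction": "ingress",
                          "remote_ip_prefix": str(cidr), "action": "permit"})
            for exc in block.get("except", []) or []:
                exc_net = ipaddress.ip_network(exc, strict=True)
                # An except range outside the cidr can never match and usually
                # signals a typo in the policy, so reject it before storing.
                if not exc_net.subnet_of(cidr):
                    raise ValueError(f"except {exc} is not inside cidr {cidr}")
                rules.append({"direction": "ingress",
                              "remote_ip_prefix": str(exc_net), "action": "drop"})
    return rules


def sg_rules_to_acls(rules: List[Dict[str, str]], pod_ip: str,
                     permit_priority: int = 100, drop_priority: int = 130) -> List[dict]:
    """Expand ingress security-group rules into ACL entries for one pod.

    dst_ip is the pod's own interface address (ip1 in the text). Drop entries
    get the higher priority so the except range overrides the broader permit.
    """
    acls = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        permit = r["action"] == "permit"
        acls.append({"dst_ip": pod_ip,
                     "src_ip": r["remote_ip_prefix"],
                     "priority": permit_priority if permit else drop_priority,
                     "actions": "go_to_next_table" if permit else "drop"})
    return acls


def evaluate(acls: List[dict], src_ip: str, dst_ip: str) -> str:
    """Action of the highest-priority ACL entry matching a packet, or "no_match".

    The two entries from the text carry no default rule, so a source outside
    172.17.0.0/16 matches neither of them.
    """
    src = ipaddress.ip_address(src_ip)
    best: Optional[dict] = None
    for entry in acls:
        if entry["dst_ip"] != dst_ip or src not in ipaddress.ip_network(entry["src_ip"]):
            continue
        if best is None or entry["priority"] > best["priority"]:
            best = entry
    return best["actions"] if best is not None else "no_match"


def flow_text(entry: dict) -> str:
    """Render an ACL entry in the key=value form used in the text."""
    return (f"dst_ip={entry['dst_ip']},src_ip={entry['src_ip']},"
            f"priority={entry['priority']},actions={entry['actions']}")


if __name__ == "__main__":
    acl_entries = sg_rules_to_acls(policy_to_sg_rules(NETWORK_POLICY), "10.244.1.5")
    for e in acl_entries:
        print(flow_text(e))
    for src in ("172.17.1.9", "172.17.2.9", "192.168.0.9"):
        print(src, "->", evaluate(acl_entries, src, "10.244.1.5"))
```

The two entries encode only what the text lists. A Kubernetes NetworkPolicy that selects a pod also denies ingress from every source it does not explicitly allow, so a controller that reproduces that semantics would additionally install a lowest-priority drop entry for dst_ip=ip1; without it, the no_match result above is left to whatever the next flow table decides.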
In some embodiments, the network isolation policy information of a network isolation policy scheme exists in the container cluster management system as a fragment of a yaml file of type NetworkPolicy, in the SDN controller as security group rules encapsulated in a security container, and in the virtual switch as access control lists.
It should be noted that the technical solution of the present disclosure does not limit the order of execution of step S7 relative to steps S3 to S5: step S7 may be executed before steps S3 to S5, after steps S3 to S5, or concurrently with them. FIG. 5 shows only, by way of example, the case in which step S7 is executed after steps S3 to S5.
FIG. 6 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the network policy storage process in an embodiment of the present disclosure. As shown in FIG. 6, the network policy storage process in this embodiment includes the above steps S6 to S7; for the detailed description of each step, refer to the foregoing, which is not repeated here.
FIG. 7 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 7, the method is executed by the container cluster management system and includes, in addition to the above steps S1 to S2, steps S8 to S9; only steps S8 to S9 are described in detail below.
Step S8: In response to a container pod deletion request sent by the client, forward the container pod deletion request to the container pod deletion system.
The client submits a container pod deletion request to the container cluster management system, which forwards it to the external container pod deletion system so that the container pod deletion system deletes the configuration data of the second Pod. The container pod deletion request contains the pod name of the second Pod to be deleted.
Step S9: Determine the IP address of the virtual network interface of the second container pod from the pod name of the second container pod, and send a first deletion control request to the software-defined network controller.
The container cluster management system looks up the IP address of the virtual network interface of the second Pod in its own database using the pod name of the second Pod (after the SDN controller assigns an IP address to the virtual network interface of a Pod, the Pod reports the assigned IP address to the container cluster management system so that the latter can manage it), and sends a first deletion control request to the software-defined network controller. In response to the first deletion control request, if the correspondence table pre-stored in the software-defined network controller contains network isolation policy information corresponding to the IP address of the virtual network interface of the second container pod, the controller sends a policy deletion instruction to the virtual switch on which the second container pod is located, so that this virtual switch deletes the stored network isolation policy information applied to the second container pod. The first deletion control request contains the IP address of the virtual network interface of the second Pod.
It should be noted that the technical solution of the present disclosure does not limit the order of execution of steps S8 to S9 relative to steps S1 to S2: steps S8 to S9 may be executed before steps S1 to S2, after steps S1 to S2, or concurrently with them. FIG. 7 shows only, by way of example, the case in which steps S8 to S9 are executed after steps S1 to S2.
FIG. 8 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 8, the method is executed by the SDN controller and includes, in addition to the above steps S3 to S5, step S5a and steps S10 to S12; only step S5a and steps S10 to S12 are described in detail below.
Step S5a: Establish a correspondence between the IP address of the virtual network interface of the first Pod and the queried network isolation policy information, and store this correspondence in a predefined correspondence table.
When, in step S4, the SDN controller finds that its policy storage module contains network isolation policy information matching the label of the container pod, step S5a may be executed alongside step S5.
The SDN controller establishes a correspondence between the IP address assigned to the first Pod in step S3 and the network isolation policy information queried in step S4, and stores this correspondence in the predefined correspondence table.
It should be noted that when the network isolation policy information in the SDN controller is encapsulated in a security container in the form of security group rules, establishing the correspondence between the IP address and the network isolation policy information is in substance establishing the correspondence between the IP address and the security container.
Step S10: In response to the first deletion control request sent by the container cluster management system, query whether the pre-stored correspondence table contains network isolation policy information corresponding to the IP address of the virtual network interface of the second container pod.
After receiving the first deletion control request, the SDN controller queries whether its pre-stored correspondence table contains network isolation policy information corresponding to the IP address of the virtual network interface of the second container pod. The correspondence table stores the different IP addresses and their corresponding network isolation policy information; the correspondences stored in it may be generated by the above step S5a.
When the query finds network isolation policy information corresponding to the IP address of the virtual network interface of the second Pod in the correspondence table, this indicates that the virtual switch on which the second Pod is located stores the network isolation policy corresponding to the second Pod, and steps S11 and S12 are then executed. When the query finds no network isolation policy information corresponding to that IP address in the correspondence table, this indicates that the virtual switch on which the second Pod is located stores no network isolation policy corresponding to the second Pod, and no deletion is required.
Step S11: Send a policy deletion instruction to the virtual switch on which the second container pod is located, according to the queried network isolation policy information.
The SDN controller sends a policy deletion instruction, according to the queried network isolation policy information, to the virtual switch on which the second Pod is located, so that this virtual switch deletes the stored network isolation policy information applied to the second Pod.
It should be noted that when, in the aforementioned step S5, the SDN controller delivered the network isolation policy information to the corresponding virtual switch in the form of access control lists, the network isolation policy information is stored in the virtual switch in the form of access control lists. In this case, before sending the policy deletion instruction to the virtual switch on which the second Pod is located, the SDN controller needs to map the queried network isolation policy information to access control lists and encapsulate the mapped access control lists in the policy deletion instruction, so that the identical access control lists in that virtual switch can be deleted over the OpenFlow protocol.
Step S12: Delete the correspondence between the IP address of the virtual network interface of the second container pod and the network isolation policy information recorded in the correspondence table.
While sending the policy deletion instruction to the virtual switch on which the second Pod is located, the SDN controller also deletes the correspondence between the IP address of the virtual network interface of the second Pod and the network isolation policy information recorded in its correspondence table, in order to save storage space in the SDN controller.
It should be noted that the technical solution of the present disclosure does not limit the order of execution of steps S10 to S12 relative to steps S3 to S5: steps S10 to S12 may be executed before steps S3 to S5, after steps S3 to S5, or concurrently with them. FIG. 8 shows only, by way of example, the case in which steps S10 to S12 are executed after steps S3 to S5.
FIG. 9 is a signaling diagram of the container cluster management system and the software-defined network controller implementing the container pod deletion process in an embodiment of the present disclosure. As shown in FIG. 9, the container pod deletion process in this embodiment includes the above steps S8 to S12; for the detailed description of each step, refer to the foregoing, which is not repeated here.
FIG. 10 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 10, the method is executed by the container cluster management system and includes, in addition to the above steps S1 to S2, step S13; only step S13 is described in detail below.
Step S13: In response to a network isolation policy scheme deletion request sent by the client, send a second deletion control request to the software-defined network controller.
The client submits a network isolation policy scheme deletion request to the container cluster management system; the request contains the policy name of the target network isolation policy scheme to be deleted.
After receiving the network isolation policy scheme deletion request, the container cluster management system sends a second deletion control request to the SDN controller. In response to the second deletion control request, the SDN controller queries whether the policy storage module contains network isolation policy information corresponding to the policy name of the target network isolation policy scheme and, if it does, deletes that network isolation policy information from the policy storage module. The second deletion control request contains the policy name of the target network isolation policy scheme.
It should be noted that the technical solution of the present disclosure does not limit the order of execution of step S13 relative to steps S1 to S2: step S13 may be executed before steps S1 to S2, after steps S1 to S2, or concurrently with them. FIG. 10 shows only, by way of example, the case in which step S13 is executed after steps S1 to S2.
FIG. 11 is a flowchart of yet another network isolation policy management method provided by an embodiment of the present disclosure. As shown in FIG. 11, the method is executed by the SDN controller and includes, in addition to the above steps S3 to S5, steps S14 to S15; only steps S14 to S15 are described in detail below.
Step S14: In response to the second deletion control request sent by the container cluster management system, query whether the policy storage module contains network isolation policy information corresponding to the policy name of the target network isolation policy scheme.
It should be noted that when the SDN controller stores network isolation policy information on the basis of a network isolation policy scheme, the policy storage module stores not only the correspondence between the network isolation policy information and the label selector but also the correspondence between the network isolation policy information and the policy name of the network isolation policy scheme. That is, the policy name of the network isolation policy scheme, the network isolation policy information contained in the scheme, and the label selector contained in the scheme are in one-to-one correspondence.
When the query finds that the policy storage module contains network isolation policy information corresponding to the policy name of the target network isolation policy scheme, step S15 is executed; when it finds none, no subsequent deletion is required.
Step S15: Delete from the policy storage module the network isolation policy information corresponding to the policy name of the target network isolation policy scheme.
The SDN controller deletes from the policy storage module the network isolation policy information and the label selector corresponding to the policy name of the target network isolation policy scheme, in order to save storage space in the SDN controller.
It should be noted that, in some embodiments, when the query finds that the policy storage module contains network isolation policy information corresponding to the policy name of the target network isolation policy scheme, the SDN controller retrieves that network isolation policy information and then, on the basis of it, queries whether the aforementioned correspondence table contains IP addresses corresponding to the retrieved network isolation policy information (that is, it determines on which virtual switches this network isolation policy information has already been deployed). If such IP addresses exist, the SDN controller sends policy deletion instructions to the corresponding virtual switches according to the queried IP addresses, so that these virtual switches delete the corresponding network isolation policy information.
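The controller-side state that steps S4, S5a, S10 to S12 and S14 to S15 operate on, as an added example that is not the patent's or the applicant's own code: a constructed Python model of the policy storage module and the correspondence table, in which the messages that would go to the virtual switches are recorded in a list, keyed by the pod IP that identifies the target switch, instead of being sent over OpenFlow. Class and method names, and the pod addresses and labels used in the usage, are assumptions. It shows a pod matching several selectors at once, the lookup-then-delete path for a pod deletion, and the cascade from a scheme deletion to every switch on which that scheme had already been deployed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PolicyScheme:
    """Network isolation policy scheme as stored in step S7: policy name, label
    selector (every key/value pair must be present on a pod; an empty selector
    therefore matches every pod, as in Kubernetes) and the policy information
    (kept opaque here, e.g. a list of security-group rules)."""
    name: str
    selector: Dict[str, str]
    rules: List[dict] = field(default_factory=list)


class SdnPolicyController:
    """Constructed model of the SDN controller's policy store and correspondence
    table. switch_commands stands in for OpenFlow messages: (verb, pod_ip, name)."""

    def __init__(self) -> None:
        self.policy_store: Dict[str, PolicyScheme] = {}     # S7: name -> scheme
        self.ip_policies: Dict[str, Set[str]] = {}          # S5a: pod IP -> policy names
        self.switch_commands: List[Tuple[str, str, str]] = []

    def store_scheme(self, scheme: PolicyScheme) -> None:
        """S7: keep the scheme under its policy name (the deletion key of S14)."""
        self.policy_store[scheme.name] = scheme

    def match_policies(self, labels: Dict[str, str]) -> List[str]:
        """S4: names of all schemes whose selector the pod's labels satisfy.
        A pod may match several selectors, so every matching name is returned."""
        return sorted(name for name, s in self.policy_store.items()
                      if all(labels.get(k) == v for k, v in s.selector.items()))

    def pod_online(self, pod_ip: str, labels: Dict[str, str]) -> List[str]:
        """S4 + S5 + S5a: run when the pod's virtual interface comes online.
        Installs each matching policy on the pod's switch and records the
        IP -> policies correspondence only when something was installed."""
        names = self.match_policies(labels)
        for name in names:
            self.switch_commands.append(("install", pod_ip, name))
        if names:
            self.ip_policies[pod_ip] = set(names)
        return names

    def pod_deleted(self, pod_ip: str) -> List[str]:
        """S10-S12: first deletion control request carrying the pod IP.
        No table entry means nothing was deployed, so nothing is sent."""
        names = sorted(self.ip_policies.pop(pod_ip, set()))
        for name in names:
            self.switch_commands.append(("remove", pod_ip, name))
        return names

    def scheme_deleted(self, name: str) -> List[str]:
        """S14-S15 plus the cascade to deployed switches: second deletion control
        request carrying the policy name. Returns the pod IPs whose switches
        were told to remove the policy."""
        if self.policy_store.pop(name, None) is None:
            return []                       # S14 found nothing: no deletion needed
        affected: List[str] = []
        for pod_ip, names in list(self.ip_policies.items()):
            if name in names:
                names.discard(name)
                self.switch_commands.append(("remove", pod_ip, name))
                affected.append(pod_ip)
                if not names:               # keep the table free of empty rows
                    del self.ip_policies[pod_ip]
        return sorted(affected)


if __name__ == "__main__":
    ctrl = SdnPolicyController()
    ctrl.store_scheme(PolicyScheme("np-a", {"app": "label1"}))
    ctrl.store_scheme(PolicyScheme("np-b", {"tier": "web"}))
    print(ctrl.pod_online("10.244.1.5", {"app": "label1", "tier": "web"}))
    print(ctrl.pod_deleted("10.244.1.5"))
    print(ctrl.switch_commands)
```

Two design points follow from the text: the correspondence table is written only after a successful match, so a pod without policies produces no row and its later deletion is a no-op on the switches, and the cascade in scheme_deleted is what keeps switches from holding ACLs for a policy the controller has already forgotten.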
本公开的技术方案对步骤S14~步骤S15与步骤S3~步骤S5的执行顺序不作限定,即步骤S14~步骤S15可以位于步骤S3~步骤S5之前执行,也可以位于步骤S3~步骤S5之后执行,还可以与步骤S3~步骤S5同步执行,附图11中仅示例性画出了步骤S14~步骤S15位于步骤S3~步骤S5之后执行的情况。The technical solution of the present disclosure does not limit the execution order of step S14 to step S15 and step S3 to step S5, that is, step S14 to step S15 can be executed before step S3 to step S5, or can be executed after step S3 to step S5. It can also be executed synchronously with step S3 to step S5. In FIG. 11, only the case where step S14 to step S15 is executed after step S3 to step S5 is exemplified.
图12为本公开实施例中容器集群管理系统和软件定义网络控制器实现网络隔离策略方案删除过程的信令图,如图12所示,本公开实施例中实现网络策略的删除过程包括上述步骤S13~步骤S15,对于各步骤的具体描述可参见前述内容,此处不再赘述。FIG. 12 is a signaling diagram of the container cluster management system and the software-defined network controller in the embodiment of the disclosure to implement the network isolation strategy plan deletion process. As shown in FIG. 12, the implementation of the network strategy deletion process in the embodiment of the disclosure includes the above steps S13 to step S15, for the specific description of each step, please refer to the foregoing content, which will not be repeated here.
需要说明的是,在本公开中,上述各实施例中不同步骤之间可以相互组合,以得到新技术方案,该组合出的新技术方案也应属于本 公开的保护范围。作为一种组合方案,该网络隔离策略管理方法包括上述步骤S1~步骤S15,即同时实现了网络策略落地、网络策略存储、容器仓删除以及网络隔离策略方案。It should be noted that in the present disclosure, different steps in the foregoing embodiments can be combined with each other to obtain a new technical solution, and the new technical solution resulting from the combination should also fall within the protection scope of the present disclosure. As a combined solution, the network isolation strategy management method includes the above-mentioned steps S1 to S15, which simultaneously implements network strategy landing, network strategy storage, container warehouse deletion, and network isolation strategy solutions.
本公开实施例还提供了一种容器集群管理系统,包括:一个或多个第一处理器以及第一存储装置;其中,第一存储装置上存储有一个或多个程序;当该一个或多个程序被该一个或多个第一处理器执行时,使得该一个或多个第一处理器实现如前述实施例提供的网络隔离策略管理方法。The embodiment of the present disclosure also provides a container cluster management system, including: one or more first processors and a first storage device; wherein, one or more programs are stored on the first storage device; when the one or more When a program is executed by the one or more first processors, the one or more first processors implement the network isolation policy management method provided in the foregoing embodiments.
本公开实施例还提供了一种软件定义网络控制器,包括:一个或多个第二处理器以及第二存储装置;其中,第二存储装置上存储有一个或多个程序;当该一个或多个程序被该一个或多个第二处理器执行时,使得该一个或多个第一处理器实现如前述实施例提供的网络隔离策略管理方法。The embodiment of the present disclosure also provides a software-defined network controller, including: one or more second processors and a second storage device; wherein, one or more programs are stored on the second storage device; when the one or more When multiple programs are executed by the one or more second processors, the one or more first processors implement the network isolation policy management method provided in the foregoing embodiments.
An embodiment of the present disclosure further provides a network isolation policy management system comprising the container cluster management system and the software-defined network controller provided in the foregoing embodiments.
A person of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the apparatus, may be implemented as software, firmware, hardware or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be carried out cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Example embodiments have been disclosed herein, and although specific terms are used, they are used and should be interpreted only in a generic and descriptive sense and not for purposes of limitation. In some instances, it will be apparent to those skilled in the art that, unless expressly indicated otherwise, features, characteristics and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics and/or elements described in connection with other embodiments. Accordingly, those skilled in the art will understand that various changes in form and detail may be made without departing from the scope of the present disclosure as set forth in the appended claims.
Industrial applicability
As described above, the network isolation policy management method, container cluster management system, software-defined network controller and network isolation policy management system provided by the embodiments of the present invention have the following beneficial effects: the strong network orchestration capability of the SDN controller is combined with the label-level orchestration of network isolation policies that network policies support, so that effective isolation of container networks can be flexibly customised and managed across a variety of application scenarios.

Claims (15)

  1. A network isolation policy management method, comprising:
    in response to a container pod creation request sent by a client, binding the corresponding labels, and writing the creation location information of the first container pod to be created into a virtual switch configuration database, so that an associated bridge is created on the virtual switch;
    sending a port creation and policy delivery request to a software-defined network controller, so that the software-defined network controller, in response to the port creation and policy delivery request, creates a virtual port for the first container pod and, when network isolation policy information matching the labels of the first container pod is stored on the controller, sends that network isolation policy information to the virtual switch on which the first container pod is located.
  2. The network isolation policy management method according to claim 1, further comprising:
    in response to a network isolation policy scheme configuration request sent by the client, forwarding the received network isolation policy scheme to the software-defined network controller, the network isolation policy scheme comprising network isolation policy information and a label selector, the label selector defining the labels of the container pods to which the network isolation policy information applies.
  3. The network isolation policy management method according to claim 1, further comprising:
    in response to a container pod deletion request sent by the client, forwarding the container pod deletion request to a container pod deletion system, so that the container pod deletion system deletes the corresponding second container pod, the container pod deletion request comprising the pod name of the second container pod to be deleted;
    determining the IP address of the virtual port of the second container pod from the pod name of the second container pod, and sending a first deletion control request to the software-defined network controller, so that the software-defined network controller, in response to the first deletion control request, sends a policy deletion instruction to the virtual switch on which the second container pod is located when network isolation policy information corresponding to the IP address of the virtual port of the second container pod exists in its pre-stored correspondence table.
  4. The network isolation policy management method according to claim 1, further comprising:
    in response to a network isolation policy scheme deletion request sent by the client, sending a second deletion control request to the software-defined network controller, so that the software-defined network controller, in response to the second deletion control request, deletes the network isolation policy information corresponding to the policy name of the target network isolation policy scheme when such information is stored on the controller;
    the second deletion control request comprising the policy name of the target network isolation policy scheme.
  5. A network isolation policy management method, comprising:
    in response to a port creation and policy delivery request sent by a container cluster management system, creating a virtual port for a first container pod and assigning an IP address to the virtual port, the port creation and policy delivery request comprising the pod name and labels of the first container pod;
    querying, according to the labels of the first container pod, whether network isolation policy information matching the labels of the first container pod is stored locally;
    when it is found that network isolation policy information matching the labels of the first container pod is stored locally, sending the found network isolation policy information, by means of the IP address, to the virtual switch on which the first container pod is located.
  6. The network isolation policy management method according to claim 5, further comprising:
    receiving a network isolation policy scheme sent by the container cluster management system and storing the received network isolation policy scheme in a policy storage module, the network isolation policy scheme comprising network isolation policy information and a label selector, the label selector defining the labels of the container pods to which the network isolation policy information applies.
  7. The network isolation policy management method according to claim 6, wherein storing the received network isolation policy scheme in the policy storage module comprises:
    creating a security container in the policy storage module, and encapsulating the network isolation policy information of the network isolation policy scheme in the security container in the form of security group rules;
    establishing a correspondence between the security container and the label selector of the network isolation policy scheme.
  8. The network isolation policy management method according to claim 5, wherein, when it is found that network isolation policy information matching the labels of the container pod is stored locally, the method further comprises:
    establishing a correspondence between the IP address and the found network isolation policy information, and storing that correspondence in a predefined correspondence table.
  9. The network isolation policy management method according to claim 5, further comprising:
    in response to a first deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the IP address of the virtual port of a second container pod exists in a pre-stored correspondence table; wherein the first deletion control request comprises the IP address of the virtual port of the second container pod, and the correspondence table records the IP addresses of the virtual ports of different container pods together with their corresponding network isolation policy information;
    when it is found that the correspondence table contains network isolation policy information corresponding to the IP address of the virtual port of the second container pod, sending, according to the found network isolation policy information, a policy deletion instruction to the virtual switch on which the second container pod is located, so that this virtual switch deletes the network isolation policy information it stores that applies to the second container pod.
  10. The network isolation policy management method according to claim 9, wherein, when it is found that the correspondence table contains network isolation policy information corresponding to the IP address of the virtual port of the second container pod, the method further comprises:
    deleting the correspondence between the IP address of the virtual port of the second container pod and the network isolation policy information recorded in the correspondence table.
  11. The network isolation policy management method according to claim 5, further comprising:
    in response to a second deletion control request sent by the container cluster management system, querying whether network isolation policy information corresponding to the policy name of a target network isolation policy scheme is stored locally; wherein the second deletion control request comprises the policy name of the target network isolation policy scheme;
    when it is found that network isolation policy information corresponding to the policy name of the target network isolation policy scheme is stored locally, deleting the locally stored network isolation policy information corresponding to that policy name.
  12. The network isolation policy management method according to claim 5, wherein sending the found network isolation policy information to the virtual switch on which the first container pod is located by means of the IP address comprises:
    mapping the found network isolation policy information to an access control list;
    sending the mapped access control list, by means of the IP address, to the corresponding virtual switch in the form of a flow table using the OpenFlow protocol.
  13. A container cluster management system, comprising:
    one or more first processors;
    a first storage device storing one or more programs;
    wherein, when the one or more programs are executed by the one or more first processors, the one or more first processors implement the method according to any one of claims 1 to 4.
  14. A software-defined network controller, comprising:
    one or more second processors;
    a second storage device storing one or more programs;
    wherein, when the one or more programs are executed by the one or more second processors, the one or more second processors implement the method according to any one of claims 5 to 12.
  15. A network isolation policy management system, comprising the container cluster management system according to claim 13 and the software-defined network controller according to claim 14.
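The controller-side procedure that claims 5 to 12 describe (and that the combined method S1 to S15 in the description bundles together) is easiest to reason about as state transitions: a policy store keyed by policy name, a label-selector match at port creation, a mapping of the matched policy to ACL flow entries, an IP-to-policy correspondence table used for pod deletion, and a by-name delete for policy schemes. The following Python model is an added example, not code from the patent or its applicant. The class and function names, the security-group style `Rule` fields, the text form of the flow entries (modelled on ovs-ofctl syntax) and the constructed pod labels and addresses are all assumptions; a real controller would install the flows over OpenFlow and the bridge over OVSDB, which this model does not do.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One security-group style rule inside a network isolation policy (assumed shape)."""
    direction: str   # "ingress" (towards the pod) or "egress" (from the pod)
    proto: str       # "tcp" or "udp"
    port: int        # destination port of the allowed flow
    peer_cidr: str   # remote side of the flow


@dataclass
class Policy:
    """A network isolation policy scheme: policy information plus a label selector (claim 6)."""
    name: str
    selector: Dict[str, str]
    rules: List[Rule]

    def matches(self, labels: Dict[str, str]) -> bool:
        # Label-selector semantics: every selector key must be present with the same value.
        return all(labels.get(k) == v for k, v in self.selector.items())


def to_flow_entries(policy: Policy, ip: str) -> List[str]:
    """Map policy rules to ACL entries for the pod's IP (claim 12), in an ovs-ofctl-like
    text form that is an assumption of this example. Allowed flows get priority 100;
    two lower-priority drops close everything else to and from the port."""
    entries = []
    for r in policy.rules:
        if r.direction == "ingress":
            entries.append(f"priority=100,{r.proto},nw_src={r.peer_cidr},nw_dst={ip},tp_dst={r.port},actions=NORMAL")
        else:
            entries.append(f"priority=100,{r.proto},nw_src={ip},nw_dst={r.peer_cidr},tp_dst={r.port},actions=NORMAL")
    entries.append(f"priority=10,ip,nw_dst={ip},actions=drop")
    entries.append(f"priority=10,ip,nw_src={ip},actions=drop")
    return entries


class SdnController:
    """Controller state: policy store, IP-to-policy correspondence table (claim 8), per-switch flows."""

    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        self.ip_table: Dict[str, List[str]] = {}               # vport IP -> matched policy names
        self.switch_flows: Dict[str, Dict[str, List[str]]] = {}  # switch -> vport IP -> flows
        self._next_host = 10                                   # toy address allocator

    def store_policy(self, policy: Policy) -> None:
        """Claims 6/7: store the scheme; the name is the key later used for deletion."""
        self.policies[policy.name] = policy

    def create_port(self, switch: str, labels: Dict[str, str]) -> Tuple[str, List[str]]:
        """Claim 5: allocate a vport IP, look up policies by label, push flows if any match."""
        ip = f"10.0.0.{self._next_host}"
        self._next_host += 1
        matched = [p for p in self.policies.values() if p.matches(labels)]
        flows: List[str] = []
        for p in matched:
            flows.extend(to_flow_entries(p, ip))
        if matched:
            self.ip_table[ip] = [p.name for p in matched]
            self.switch_flows.setdefault(switch, {})[ip] = flows
        return ip, flows

    def delete_port_policy(self, switch: str, ip: str) -> bool:
        """Claims 9/10: on pod deletion, remove the switch's flows for that IP and the table row."""
        if ip not in self.ip_table:
            return False
        del self.ip_table[ip]
        self.switch_flows.get(switch, {}).pop(ip, None)
        return True

    def delete_policy(self, name: str) -> bool:
        """Claim 11: remove the scheme from the store by policy name."""
        return self.policies.pop(name, None) is not None


def demo() -> dict:
    """Constructed walk-through: one policy, one matching pod, one unmatched pod, then deletions."""
    ctl = SdnController()
    ctl.store_policy(Policy("web-ingress", {"app": "web"},
                            [Rule("ingress", "tcp", 443, "10.1.0.0/16")]))
    ip_web, flows_web = ctl.create_port("br-int-node1", {"app": "web", "tier": "front"})
    ip_db, flows_db = ctl.create_port("br-int-node1", {"app": "db"})
    removed = ctl.delete_port_policy("br-int-node1", ip_web)
    removed_again = ctl.delete_port_policy("br-int-node1", ip_web)
    return {"ip_web": ip_web, "flows_web": flows_web, "ip_db": ip_db, "flows_db": flows_db,
            "removed": removed, "removed_again": removed_again,
            "policy_deleted": ctl.delete_policy("web-ingress"),
            "policy_missing": ctl.delete_policy("web-ingress")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two properties of the claimed flow are visible in the model and are worth checking in a deployment. First, a pod whose labels match no stored scheme gets no flows at all (the `app=db` pod above), so isolation is only as complete as the set of label selectors; a pod created with the wrong labels, or before its scheme is configured, runs without an ACL. Second, deleting a scheme by name (claim 11) only removes it from the store; nothing in claims 5 to 12 revokes flows already pushed for pods created while it was in force, so the switch keeps enforcing the stale ACL until the pod itself is deleted.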
PCT/CN2020/099021 2019-09-04 2020-06-29 Network isolation policy management method and network isolation policy management system WO2021042846A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910851744.7A CN112543108B (en) 2019-09-04 2019-09-04 Network isolation policy management method and network isolation policy management system
CN201910851744.7 2019-09-04

Publications (1)

Publication Number Publication Date
WO2021042846A1 true WO2021042846A1 (en) 2021-03-11

Family

ID=74852057

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/099021 WO2021042846A1 (en) 2019-09-04 2020-06-29 Network isolation policy management method and network isolation policy management system

Country Status (2)

Country Link
CN (1) CN112543108B (en)
WO (1) WO2021042846A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965376A (en) * 2021-10-21 2022-01-21 合肥城市云数据中心股份有限公司 Cloud host remote data communication method based on data isolation platform
WO2023134066A1 (en) * 2022-01-14 2023-07-20 平安科技(深圳)有限公司 Virtual private cloud service access method, apparatus and device, and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113608824A (en) * 2021-06-28 2021-11-05 济南浪潮数据技术有限公司 Cluster external service access control method, system, device and readable storage medium
CN114640678A (en) * 2022-03-14 2022-06-17 明阳产业技术研究院(沈阳)有限公司 Pod management method, device and medium based on SR-IOV

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170093923A1 (en) * 2015-09-29 2017-03-30 NeuVector, Inc. Creating Additional Security Containers For Transparent Network Security For Application Containers Based On Conditions
CN107864131A (en) * 2017-11-03 2018-03-30 郑州云海信息技术有限公司 A kind of method and system for realizing Kubernetes cluster multi-tenant Network Isolations
CN107947961A (en) * 2017-10-17 2018-04-20 上海数讯信息技术有限公司 Kubernetes Network Management System and method based on SDN
CN109947452A (en) * 2019-03-26 2019-06-28 南京联创信息科技有限公司 A kind of Kubernetes container platform application update method
CN110198231A (en) * 2018-05-08 2019-09-03 腾讯科技(深圳)有限公司 Capacitor network management method and system and middleware for multi-tenant

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8990371B2 (en) * 2012-01-31 2015-03-24 International Business Machines Corporation Interconnecting data centers for migration of virtual machines
CN104104572B (en) * 2014-07-15 2017-12-08 新华三技术有限公司 Interchanger automatic deployment method and device in a kind of SDN
US9900263B2 (en) * 2014-09-29 2018-02-20 Alcatel-Lucent Usa Inc. Non-overlay resource access in datacenters using overlay networks
US10579403B2 (en) * 2015-06-29 2020-03-03 Vmware, Inc. Policy based provisioning of containers
CN107222353B (en) * 2017-07-11 2019-11-22 中国科学技术大学 The unrelated software defined network virtual management platform of supported protocol
CN108989091B (en) * 2018-06-22 2022-02-11 杭州才云科技有限公司 Tenant network isolation method based on Kubernetes network, storage medium and electronic equipment
CN109561108B (en) * 2019-01-07 2020-09-01 中国人民解放军国防科技大学 Policy-based container network resource isolation control method
CN109542630A (en) * 2019-01-29 2019-03-29 中国人民解放军火箭军工程大学 A kind of mobile communication net network function virtual platform based on container cloud
CN109995641B (en) * 2019-03-21 2021-05-28 新华三技术有限公司 Information processing method, computing node and storage medium


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965376A (en) * 2021-10-21 2022-01-21 合肥城市云数据中心股份有限公司 Cloud host remote data communication method based on data isolation platform
CN113965376B (en) * 2021-10-21 2023-09-19 合肥城市云数据中心股份有限公司 Cloud host remote data communication method based on data isolation platform
WO2023134066A1 (en) * 2022-01-14 2023-07-20 平安科技(深圳)有限公司 Virtual private cloud service access method, apparatus and device, and storage medium

Also Published As

Publication number Publication date
CN112543108A (en) 2021-03-23
CN112543108B (en) 2024-08-30

Similar Documents

Publication Publication Date Title
WO2021042846A1 (en) Network isolation policy management method and network isolation policy management system
US9602307B2 (en) Tagging virtual overlay packets in a virtual networking system
US10574477B2 (en) Priority tagging based solutions in fc sans independent of target priority tagging capability
US11991246B2 (en) Cloud scale multi-tenancy for RDMA over converged ethernet (RoCE)
US10742697B2 (en) Packet forwarding apparatus for handling multicast packet
US12106132B2 (en) Provider network service extensions
US12010195B2 (en) Efficient flow management utilizing control packets
JP2004038922A (en) Technique for enabling a plurality of virtual filers on single filer to participate in a plurality of address spaces with overlapping network addresses
US20120054850A1 (en) Proxying for Clusters of Fiber Channel Servers to Reduce Configuration Requirements for Fiber Channel Storage Arrays
US11929976B2 (en) Virtual network routing gateway that supports address translation for dataplane as well as dynamic routing protocols (control plane)
US10725813B2 (en) Virtual machine aware fibre channel
US20230344777A1 (en) Customized processing for different classes of rdma traffic
US11917004B2 (en) Prioritizing data replication packets in cloud environment
US20240291889A1 (en) CLOUD SCALE MULTI-TENANCY FOR RDMA OVER CONVERGED ETHERNET (RoCE)
US20220417139A1 (en) Routing policies for graphical processing units
US9641611B2 (en) Logical interface encoding
US7577735B1 (en) Transparent mode
US20230222007A1 (en) Publishing physical topology network locality information for graphical processing unit workloads
US20230344778A1 (en) Network device level optimizations for bandwidth sensitive rdma traffic
US20240106760A1 (en) Network device level optimizations for latency sensitive rdma traffic
US10348519B2 (en) Virtual target port aggregation
US20230013110A1 (en) Techniques for processing network flows
US20240323255A1 (en) Class-based queueing for scalable multi-tenant rdma traffic
CN118266195A (en) Virtual network interface for computing managed layer 2 connections at a service extension location
JP2024524992A (en) Graphics Processing Unit Routing Policy

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20861008

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20861008

Country of ref document: EP

Kind code of ref document: A1