Disclosure of Invention
In view of the above problems, the invention provides an industrial internet container cloud platform and a traffic access control method for it, so as to solve the problems of automatic adaptation of services inside the container cloud, Pod migration, dynamic allocation of worker node ports and domain names, dynamic updating of backend addresses, and the like.
In order to solve these technical problems, the invention adopts the following technical scheme:
In one aspect, the present invention provides an industrial internet container cloud platform comprising a traffic access control layer, a network and workload unit, and a control node unit. The traffic access control layer comprises a control service adaptation layer and a traffic access component. The control service adaptation layer is connected to the traffic access component and matches incoming traffic to the corresponding traffic access component according to the distinguishing features of the traffic that reaches the adaptation layer. The network and workload unit is connected to the traffic access component, receives information from it, and notifies the workload to process the work task. The control node unit is connected to the network and workload unit and deploys the network and the workload.
As a preferred scheme, the traffic enters the container cloud platform after being processed by the domain name resolution and load balancing devices.
Preferably, the control service adaptation layer comprises one or more of the following modules: canary release, address rewriting, session affinity, authentication, load balancing, network attack prevention, transmission limiting, and route matching.
Preferably, the traffic access component comprises one or more of the following control components: a reverse proxy, an API gateway, a high availability proxy, a proxy, and an ingress service.
Preferably, the control node unit exchanges data with the network and workload unit through the API service interface, and the data is transmitted as YAML files.
In another aspect, the present invention provides a traffic access control method for an industrial internet container cloud platform, comprising: step 1, industrial internet traffic enters the container cloud platform through the domain name resolution and load balancing devices; step 2, after being translated by the node ports of the individual nodes, the traffic is bridged to the control service adaptation layer; step 3, the traffic is analyzed and handed to the corresponding traffic access component to complete traffic matching; and step 4, the container cloud service is called and the workload is notified to process the work task.
As a preferred scheme, step 1 specifically comprises: the domain name resolution device resolves the internet site name to the load balancing device, and the load balancing device distributes the traffic to the individual worker nodes according to the configured algorithm.
As a preferred scheme, step 3 specifically comprises: the parameters of each traffic access component are registered in advance in the control service adaptation layer; the adaptation layer analyzes the traffic and matches it against the registered parameters according to its distinguishing features, so that the traffic is handed to the corresponding traffic access component.
Preferably, the distinguishing features include one or more of protocol, underlying technology platform, routing rule, namespace, deployment policy, upstream probing, load balancing algorithm, authentication method, and security policy.
As a preferred scheme, step 4 specifically comprises: the traffic access component forwards the traffic through the container cloud service to stateful workloads, stateless workloads, tasks, and timed tasks for processing.
Compared with the prior art, the invention has the following beneficial effects:
1) Various kinds of external traffic can be rapidly adapted on an industrial internet container cloud platform, and HTTP/2 and HTTP/3 are supported at the same time by making use of the features supported by the individual traffic access components.
2) Load balancing algorithms such as WRR, consistent hashing and EWMA are supported.
3) The traffic access control layer runs inside the container cloud environment and, building on the characteristics of the Kubernetes environment, improves the security, performance and concurrency of network traffic access.
Detailed Description
It is readily understood that, on the basis of the technical solution of the present invention, a person skilled in the art can propose various alternative structures and implementations without departing from the spirit of the invention. The following detailed description and the accompanying drawings are therefore merely illustrative of the technical aspects of the present invention and should not be construed as the whole of the invention or as limiting it.
The terms used in the examples of the present invention are explained as follows:
docker (application container engine; one of the container runtimes usable through the Kubernetes Container Runtime Interface)
Kubernetes (container orchestration engine)
Cluster IP (cluster-internal network address of a service)
Pod IP (network address of a container deployment unit)
LoadBalancer (load balancer)
Ingress (entry point)
Ingress Controller (entry point controller)
Apache (open-source non-profit organization)
Nginx (high-performance HTTP and reverse proxy web server)
HAProxy (open-source high availability proxy)
Envoy (open-source edge and service proxy)
Traefik (HTTP reverse proxy and load balancer)
Kong Ingress (API gateway and reverse proxy)
Pod (basic scheduling unit of the container orchestration engine)
YAML (a data serialization language used for the deployment files)
Upstream (Nginx upstream module)
DDoS (distributed denial of service attack)
OpenResty (high-performance web platform based on Nginx)
Golang (a development language)
Host (host name of the request; the Host header)
Path (request path)
Method (request method)
Header (request header)
Args (request parameters)
backend-protocol (backend protocol)
canary (canary release)
canary-by-header (canary selection by header)
canary-by-header-value (canary selection by header value)
canary-by-header-pattern (canary selection by header pattern)
canary-weight (canary traffic weight)
Rewrite URL (rewrite address)
rewrite-target (rewrite target)
app-root (application root)
affinity (affinity)
affinity-mode (affinity mode)
session-cookie-name (session cookie name)
session-cookie-path (session cookie path)
session-cookie-samesite (session cookie SameSite attribute)
auth-type (authentication type)
auth-secret (authentication secret)
auth-secret-type (authentication secret type)
auth-realm (authentication realm)
upstream-hash-by (upstream hash key)
upstream-hash-by-subset (hash by upstream subset)
auth-tls-secret (TLS client authentication secret)
auth-tls-verify-depth (TLS client certificate verification depth)
limit-rps (requests per second limit)
limit-count (request count limit)
limit-req (request limit)
limit-whitelist (client addresses exempt from the limits)
limit-connections (connection limit)
limit-rate-after (amount transmitted before the rate limit applies)
limit-rate (transmission rate limit)
Helm (deployment and packaging tool)
DaemonSet (workload that runs one Pod on every node)
kubernetes.io/ingress.class: nginx (Kubernetes ingress class annotation naming the Nginx ingress type)
ELB (elastic load balancer)
An embodiment according to the present invention is described with reference to fig. 1. An industrial internet container cloud platform comprises a traffic access control layer, a network and workload unit, and a control node unit. The domain name resolution device resolves the internet site name to the load balancing device, and the load balancing device distributes the traffic to the individual worker nodes of the container cloud platform according to the configured algorithm. The load balancing device supports algorithms such as WRR (weighted round robin scheduling), consistent hashing, and EWMA (exponentially weighted moving average) load balancing.
As shown in fig. 2, the traffic access control layer comprises a control service adaptation layer and a traffic access component. The control service adaptation layer comprises one or more of the following modules: canary release, address rewriting, session affinity, authentication, load balancing, network attack prevention, transmission limiting, and route matching. The traffic access component comprises one or more of the following control components: a reverse proxy, an API gateway, a high availability proxy, a proxy, and an ingress service.
Further, the control service adaptation layer is configured as follows:
(1) Canary release: a set share of traffic requests is released to a new version, the application and service are tested to verify that they behave correctly, and the release is rolled back promptly if they do not. Implemented by configuring backend-protocol, canary-by-header-value, canary-by-header-pattern, canary-weight and the like.
(2) Address rewriting: the URL is rewritten so that the URL exposed by the backend service differs from the URL rule exposed to the client. Implemented by configuring rewrite-target, app-root and the like.
(3) Session affinity: when the upstream backend service has several instances, session affinity is set so that all access requests of one user are forwarded to the same service instance. Implemented by configuring affinity, affinity-mode, session-cookie-name, session-cookie-path and session-cookie-samesite.
(4) Identity authentication: an authentication annotation (or another annotation) is added to the ingress rule to verify that the user name and password match. Implemented by configuring auth-type, auth-secret, auth-secret-type, auth-realm and the like.
(5) Load balancing: the hashing of upstream servers is customized to support load balancing with a consistent hash of a key that maps clients to servers. Implemented by upstream-hash-by and upstream-hash-by-subset.
(6) Client certificate authentication: implemented by configuring auth-tls-secret and auth-tls-verify-depth. The verification depth bounds how long a certificate chain is accepted between the presented client certificate and the trusted CA.
(7) Network attack prevention: used to mitigate network denial of service attacks. Implemented by configuring limit-connections, limit-rps, limit-count, limit-req and limit-whitelist.
(8) Transmission limiting: used to limit the transmission rate. Implemented by configuring limit-connections, limit-rps, limit-rpm, limit-rate-after, limit-rate and limit-whitelist.
(9) Route matching: according to the message in a received traffic packet, the best-matching traffic access component is selected and the traffic is handed to it.
Furthermore, the corresponding annotations are added to the custom resource file on top of the container cloud YAML deployment file, and can be applied to open-source control components such as Nginx (reverse proxy), Envoy (API gateway), HAProxy (high availability proxy), Traefik (proxy) and Kong Ingress (ingress service).
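The annotation modules above only have the intended effect when their companion settings are present and consistent; a canary-weight without canary, an auth-type without a secret, or a rate limit whose whitelist covers every address all leave the ingress rule looking configured while enforcing nothing. The following is an added example, not code from the patent or from any ingress controller: a small checker for modules (1), (4), (7), (8) and the ingress class, run over two constructed Ingress manifests. The nginx.ingress.kubernetes.io/ annotation prefix, the set of registered classes and the sample manifests are assumptions made for the illustration.

```python
"""Annotation sanity checks for the control service adaptation layer.

Added example, not code from the patent or from ingress-nginx. The two
Ingress manifests are constructed for illustration. Annotation names follow
ingress-nginx (the "nginx.ingress.kubernetes.io/" prefix is an assumption
about which traffic access component is in use); the checks are ours.
"""
import ipaddress

PREFIX = "nginx.ingress.kubernetes.io/"
# ingress classes the adaptation layer has registered (assumed set)
REGISTERED_CLASSES = {"nginx", "haproxy", "traefik", "kong"}


def ann(ing, key, prefixed=True):
    """Read one annotation from an Ingress dict, or None if absent."""
    annotations = ing.get("metadata", {}).get("annotations", {})
    return annotations.get(PREFIX + key if prefixed else key)


def covers_everything(cidr_list):
    """True if any CIDR in a comma-separated list has prefix length 0."""
    for item in cidr_list.split(","):
        try:
            if ipaddress.ip_network(item.strip(), strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # malformed entries are ignored here
    return False


def check_ingress(ing):
    """Return the list of findings for one Ingress manifest (empty = clean)."""
    name = ing["metadata"]["name"]
    findings = []

    # (1) canary: the canary-* settings only take effect when canary is "true"
    canary_settings = [k for k in ("canary-weight", "canary-by-header",
                                   "canary-by-header-value", "canary-by-header-pattern")
                       if ann(ing, k) is not None]
    if canary_settings and ann(ing, "canary") != "true":
        findings.append(f"{name}: {canary_settings} set but canary != 'true'; no split happens")
    weight = ann(ing, "canary-weight")
    if weight is not None and not (weight.isdigit() and int(weight) <= 100):
        findings.append(f"{name}: canary-weight {weight!r} must be an integer 0..100")

    # (4) authentication: basic/digest auth is meaningless without the credential secret
    if ann(ing, "auth-type") in ("basic", "digest") and not ann(ing, "auth-secret"):
        findings.append(f"{name}: auth-type set without auth-secret; nothing is enforced")

    # (7)/(8) rate and connection limits: a whitelist covering all sources exempts everyone
    limited = any(ann(ing, k) for k in ("limit-rps", "limit-rpm", "limit-connections"))
    whitelist = ann(ing, "limit-whitelist")
    if limited and whitelist and covers_everything(whitelist):
        findings.append(f"{name}: limit-whitelist {whitelist!r} exempts every client from the limit")

    # route matching: the Ingress must name a registered traffic access component
    cls = ann(ing, "kubernetes.io/ingress.class", prefixed=False)
    if cls not in REGISTERED_CLASSES:
        findings.append(f"{name}: ingress.class {cls!r} is not a registered traffic access component")
    return findings


def make_ingress(name, annotations):
    """Constructed minimal Ingress manifest (only the fields the checks read)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": annotations}}


# Constructed sample manifests: a clean canary and a misconfigured one.
GOOD = make_ingress("api-canary", {
    "kubernetes.io/ingress.class": "nginx",
    PREFIX + "canary": "true",
    PREFIX + "canary-weight": "10",
    PREFIX + "auth-type": "basic",
    PREFIX + "auth-secret": "api-basic-auth",
    PREFIX + "limit-rps": "20",
    PREFIX + "limit-whitelist": "10.0.0.0/8",
})
BAD = make_ingress("api-canary-broken", {
    PREFIX + "canary-weight": "150",          # no canary: "true", and out of range
    PREFIX + "auth-type": "basic",            # no auth-secret
    PREFIX + "limit-rps": "20",
    PREFIX + "limit-whitelist": "0.0.0.0/0",  # exempts all clients
})

if __name__ == "__main__":
    for ing in (GOOD, BAD):
        print(ing["metadata"]["name"], check_ingress(ing) or "OK")
```

Running it reports nothing for the first manifest and five findings for the second. The same checks can be applied to real manifests by loading them with a YAML parser into the same dict shape before calling check_ingress.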
The control service adaptation layer is connected to the traffic access component and matches incoming traffic to the corresponding traffic access component according to the distinguishing features of the traffic that reaches the adaptation layer; the network and workload unit is connected to the traffic access component, receives information from it, and notifies the workload to process the work task; and the control node unit is connected to the network and workload unit and deploys the network and the workload. The control node unit exchanges data with the network and workload unit through the API service interface, and the data is transmitted as YAML files.
As shown in fig. 3, the invention also discloses a traffic access control method for the industrial internet container cloud platform, comprising the following steps:
Step 1, industrial internet traffic enters the container cloud platform through the domain name resolution and load balancing devices. Specifically: the domain name resolution device resolves the internet site name to the load balancing device, and the load balancing device distributes the traffic to the individual worker nodes according to the configured algorithm.
Step 2, after being translated by the node ports of the individual nodes, the traffic is bridged to the control service adaptation layer.
Step 3, the traffic is analyzed and handed to the corresponding traffic access component to complete traffic matching. Specifically: the parameters of each traffic access component are registered in advance in the control service adaptation layer; the adaptation layer analyzes the traffic and matches it against the registered parameters according to its distinguishing features, so that the traffic is handed to the corresponding traffic access component. The distinguishing features comprise one or more of protocol, underlying technology platform, routing rule, namespace, deployment policy, upstream probing, load balancing algorithm, authentication method, and security policy.
Step 4, the container cloud service is called and the workload is notified to process the work task. Specifically: the traffic access component forwards the traffic through the container cloud service to stateful workloads, stateless workloads, tasks, and timed tasks for processing.
The invention is described in further detail below.
Traffic from a user client reaches the industrial internet container cloud platform through DNS domain name resolution or a public network IP and enters the platform through the node ports of the individual worker nodes. The container cloud management end exchanges data with the network and workload unit through the API service port of the control node in order to deploy internal services such as the network and the workload; the data is transmitted as YAML files.
In order to support the service management capabilities of different traffic access components with respect to protocol conversion, underlying technology platform, routing rule matching, namespace support, deployment policy, upstream probing, load balancing algorithm, authentication method, DDoS defense and the like, a traffic access control layer is added between the traffic and the ingress. This decouples the direct, tightly bound relationship between a worker node and the backend ingress and service, so that different traffic access components can be selected according to the usage scenario and routing policy.
Traffic access has many scenarios. On the underlying technology platform side, Nginx, OpenResty and native Golang are used; on the route matching side, host and path, method, header and args, or any combination of these capabilities, are supported. The traffic access control layer consists mainly of the control service adaptation layer and the traffic access component. The control service adaptation layer abstracts the various traffic service management capabilities and packages them into general services supporting canary release, URL rewriting, session affinity, authentication, load balancing algorithms, security, transmission rate control, multi-route matching and the like.
In different traffic access scenarios, the control service adaptation layer automatically selects and routes to the corresponding traffic access component by rule matching, signature scanning and similar means, according to the distinguishing features of the transmitted traffic such as the request line, the message body, the Host header and the communication protocol. The traffic access component is the control component of each ingress; it is responsible for one or more traffic control policies and is connected to the ingress service.
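The rule-matching branch of step 3, as an added example that is not code from the patent: the parameters of each traffic access component are registered in advance as rules, and each incoming request is matched on its distinguishing features (protocol, Host header, path, method, a header) to pick one component. The component names, the rule table, the "most specific rule wins" tie-break and the sample requests are constructed for illustration. Because the Host header is chosen by the client, the match is exact and label-by-label rather than a substring test, so a crafted host such as api.example.com.evil.tld cannot be steered onto the API gateway's component.

```python
"""Step 3 of the method: matching traffic to a traffic access component.

Added example, not code from the patent. Component names, the rule table,
the specificity tie-break and the requests are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    protocol: str                 # e.g. "http/1.1", "h2", "h3", "grpc"
    host: str                     # Host header as sent by the client (untrusted)
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)   # lower-case names


def host_matches(pattern: str, host: str) -> bool:
    """Exact, case-insensitive host match; '*.' matches exactly one label.

    The port is stripped and the comparison is label-by-label, so a crafted
    Host such as api.example.com.evil.tld never matches api.example.com.
    """
    labels = host.split(":")[0].lower().split(".")
    want = pattern.lower().split(".")
    if len(labels) != len(want):
        return False
    return all(w == "*" or w == l for w, l in zip(want, labels))


@dataclass
class Rule:
    component: str                              # registered traffic access component
    protocol: Optional[str] = None
    host: Optional[str] = None                  # exact host or "*.example.com"
    path_pattern: Optional[str] = None          # regex matched at the start of the path
    method: Optional[str] = None
    header: Optional[Tuple[str, str]] = None    # (name, value) that must be present

    def specificity(self) -> int:
        return sum(f is not None for f in (self.protocol, self.host, self.path_pattern,
                                           self.method, self.header))

    def matches(self, req: Request) -> bool:
        if self.protocol is not None and req.protocol != self.protocol:
            return False
        if self.host is not None and not host_matches(self.host, req.host):
            return False
        if self.path_pattern is not None and not re.match(self.path_pattern, req.path):
            return False
        if self.method is not None and req.method.upper() != self.method.upper():
            return False
        if self.header is not None:
            name, value = self.header
            if req.headers.get(name.lower()) != value:
                return False
        return True


class AdaptationLayer:
    """Holds the pre-registered rules and selects one component per request."""

    def __init__(self, default: str):
        self.rules: List[Rule] = []
        self.default = default          # component used when no rule matches

    def register(self, rule: Rule) -> None:
        self.rules.append(rule)

    def select(self, req: Request) -> str:
        matched = [r for r in self.rules if r.matches(req)]
        if not matched:
            return self.default
        return max(matched, key=Rule.specificity).component


def build_layer() -> AdaptationLayer:
    """Constructed rule table: which component serves which kind of traffic."""
    layer = AdaptationLayer(default="nginx")
    layer.register(Rule("envoy", protocol="grpc"))                       # gRPC to Envoy
    layer.register(Rule("kong", host="api.example.com"))                 # REST API to the gateway
    layer.register(Rule("haproxy", host="api.example.com",
                        path_pattern=r"/stream/"))                       # long-lived streams
    layer.register(Rule("traefik", host="*.apps.example.com"))           # per-app subdomains
    layer.register(Rule("kong", host="api.example.com", method="POST",
                        header=("x-internal-call", "1")))                # internal calls
    return layer


if __name__ == "__main__":
    layer = build_layer()
    for req in (Request("grpc", "svc.example.com", "/pkg.Svc/Get", "POST"),
                Request("http/1.1", "api.example.com", "/v1/orders"),
                Request("http/1.1", "api.example.com.evil.tld", "/v1/orders")):
        print(req.host, req.path, "->", layer.select(req))
```

When several rules match, the one constraining the most features wins; a request that matches no rule falls through to the default component rather than being dropped, which mirrors the page's "best-matching component" wording while keeping the failure mode explicit.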
In the embodiment of the invention, the traffic access is networked as follows:
(1) Control components such as Nginx (reverse proxy), HAProxy (high availability proxy), Envoy (API gateway), Traefik (proxy) and Kong Ingress (ingress service) are installed through YAML deployment files or Helm charts; these control components make up the traffic access component.
(2) The traffic access control layer is installed as a DaemonSet.
(3) The canary release, URL rewriting, session affinity, authentication, load balancing and rate control modules of the traffic access control layer are configured.
(4) Each Ingress carries the annotation kubernetes.io/ingress.class: nginx (or haproxy, traefik, etc.) to name the control component that handles it.
(5) The DNS domain name or ELB (elastic load balancer) is pointed at the public network IP where the Ingress is located.
The technical scope of the present invention is not limited to the above description; those skilled in the art can make various changes and modifications to the above-described embodiments without departing from the technical spirit of the invention, and such changes and modifications fall within its protective scope.