



Technical Field
The present invention relates to the technical field of computer information security, and in particular to a container network micro-isolation protection method, apparatus, device and storage medium.
Background Art
With the arrival of the cloud computing era, and in particular the rapid development of containerization technology, cloud native has become the next stage of cloud computing, and its security is bound to become the main battleground of cloud security.
In traditional data center networks, the industry mostly uses physical firewalls or cloud firewalls as the network isolation technology. These isolation technologies are oriented toward the isolation needs of physical-machine and virtual-machine networks, whose workloads have long life cycles and fixed IP addresses.
In a cloud-native environment, however, the life cycle of a container is far shorter, and containers have complex business access relationships with one another. Once the number of containers reaches a certain scale, these access relationships become extremely large and complex, and their high rate of change means that traditional network isolation methods can no longer meet user requirements.
Summary of the Invention
The present invention provides a container network micro-isolation protection method, apparatus, device and storage medium, so as to achieve access isolation and protection between containers.
According to one aspect of the present invention, a container network micro-isolation protection method is provided, the method comprising:
obtaining container namespace information in the current network environment, wherein the container namespace information includes the namespace name and creation time of each container;
generating a label and access permission information for each container based on the container namespace information, and generating an access control policy for each container according to the label and the access permission information; and
determining abnormal access information of each container according to the access control policy, and isolating and protecting the container according to the abnormal access information.
Optionally, obtaining the container namespace information in the current network environment includes: determining each Kubernetes node in the current network environment; and obtaining the container cluster contained in each Kubernetes node, and obtaining the namespace name and corresponding creation time of each container in each container cluster to generate the container namespace information.
Optionally, generating the label and access permission information for each container based on the container namespace information includes: presenting the container namespace information to a user; obtaining container attribute information entered by the user for each container and using the container attribute information as the label, wherein the container attribute information includes the name of the business system to which the container belongs, the name of its runtime environment and the name of its cluster location; and obtaining access permission information entered by the user for each container, wherein the access permission information includes a network port and a network protocol.
Optionally, generating the access control policy for each container according to the label and the access permission information includes: determining a target container in turn according to the label; determining, according to the access permission information corresponding to the target container, the IP address of the container initiating access and the IP address of the container being accessed; and determining an access rule for each target container according to the IP address of the container initiating access, the IP address of the container being accessed and the access permission information, and generating the access control policy according to the access rules.
Optionally, after generating the access control policy for each container according to the label and the access permission information, the method further includes: when state change information of a container is obtained, generating an updated access control policy according to the container state change information, wherein the state change information includes container creation, container deletion and container address change; and determining the abnormal access information of each container according to the access control policy includes: determining the abnormal access information of each container according to the updated access control policy.
Optionally, determining the abnormal access information of each container according to the updated access control policy includes: determining a visitor permission list for each container according to the updated access control policy, wherein the visitor permission list includes the network IP addresses of visitors that have access permission; obtaining access traffic data of each container, wherein the access traffic data includes the access time, the number of accesses and the network IP address of each visitor; and filtering out abnormal visitor network IP addresses from the access traffic data by means of the visitor permission list, and taking the access traffic data corresponding to the abnormal visitor network IP addresses as the abnormal access information.
Optionally, isolating and protecting the container according to the abnormal access information includes: determining a risk value for each abnormal visitor according to the access time and the number of accesses; when the risk value is greater than a preset threshold, determining the accessed container according to the abnormal access information, and generating an access prohibition rule corresponding to the accessed container according to the abnormal access information; and isolating and protecting the accessed container based on the access prohibition rule.
According to another aspect of the present invention, a container network micro-isolation protection apparatus is provided, the apparatus comprising:
a container namespace information obtaining module, configured to obtain container namespace information in the current network environment, wherein the container namespace information includes the namespace name and creation time of each container;
an access control policy generation module, configured to generate a label and access permission information for each container based on the container namespace information, and to generate an access control policy for each container according to the label and the access permission information; and
an abnormal access information determination module, configured to determine abnormal access information of each container according to the access control policy, and to isolate and protect the container according to the abnormal access information.
According to another aspect of the present invention, an electronic device is provided, the electronic device comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor so that the at least one processor can perform the container network micro-isolation protection method described in any embodiment of the present invention.
According to another aspect of the present invention, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the container network micro-isolation protection method described in any embodiment of the present invention.
In the technical solution of the embodiments of the present invention, the label and access permission information of each container are further obtained from the container namespace information obtained in the current network environment, the access control policy corresponding to each container is then generated, and the abnormal access information of each container is determined by means of the access control policy. In this way containers can be isolated and protected even in an environment with complex container business relationships, the risk of network attack is reduced, and user requirements are better met.
It should be understood that the content described in this section is not intended to identify key or essential features of the embodiments of the present invention, nor is it intended to limit the scope of the present invention. Other features of the present invention will become readily understood from the following description.
Brief Description of the Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flowchart of a container network micro-isolation protection method provided according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of another container network micro-isolation protection method provided according to Embodiment 2 of the present invention;
FIG. 3 is a schematic structural diagram of a container network micro-isolation protection apparatus provided according to Embodiment 3 of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device implementing a container network micro-isolation protection method according to an embodiment of the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description and claims of the present invention and in the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the present invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to the process, method, product or device.
Embodiment 1
FIG. 1 is a flowchart of a container network micro-isolation protection method provided by Embodiment 1 of the present invention. This embodiment is applicable to a container network environment. The method may be performed by a container network micro-isolation protection apparatus, which may be implemented in the form of hardware and/or software and may be configured in a computer. As shown in FIG. 1, the method includes:
S110. Obtain container namespace information in the current network environment, wherein the container namespace information includes the namespace name and creation time of each container.
Here, the network environment refers to the operating environment of the current computer, and a container refers to the environment in which an application runs; containers can isolate and limit various resources, including CPU, memory and disk. Container namespace information refers to information covering all namespaces in the current network environment, namely the namespace name and creation time of each container. The namespace name is generated by the container cluster, and the controller can obtain container namespace information consisting of all the container namespace names and creation times contained in the current network environment.
Optionally, obtaining the container namespace information in the current network environment includes: determining each Kubernetes node in the current network environment; and obtaining the container cluster contained in each Kubernetes node, and obtaining the namespace name and corresponding creation time of each container in each container cluster to generate the container namespace information.
Specifically, Kubernetes is a container-centric cluster management system. The controller can determine the Kubernetes nodes connected to the current network environment, obtain the container cluster contained in each Kubernetes node, determine all the containers contained in the container cluster, and determine the namespace name and corresponding creation time of each container, thereby generating the container namespace information.
S120. Generate a label and access permission information for each container based on the container namespace information, and generate an access control policy for each container according to the label and the access permission information.
Optionally, generating the label and access permission information for each container based on the container namespace information includes: presenting the container namespace information to a user; obtaining container attribute information entered by the user for each container and using the container attribute information as the label, wherein the container attribute information includes the name of the business system to which the container belongs, the name of its runtime environment and the name of its cluster location; and obtaining access permission information entered by the user for each container, wherein the access permission information includes a network port and a network protocol.
Further, the user can view the container namespace information on the client of a user terminal connected to the controller and set container labels. A label is the container attribute information, including the name of the business system to which the container belongs, the name of its runtime environment and the name of its cluster location; the user can also sort, query and delete labels. The user can set the container access permission information, namely the network ports and network protocols on which the container may be accessed, on the basis of the labels. Setting labels establishes a system that users can easily recognize in terms of business attributes, achieves finer-grained access isolation between containers from a business perspective, and allows container IP addresses to be identified fully automatically from the labels, which copes with the frequent IP address changes of a large-scale container environment and enables access control policies to be updated quickly and distributed efficiently.
Optionally, generating the access control policy for each container according to the label and the access permission information includes: determining a target container in turn according to the label; determining, according to the access permission information corresponding to the target container, the IP address of the container initiating access and the IP address of the container being accessed; and determining an access rule for each target container according to the IP address of the container initiating access, the IP address of the container being accessed and the access permission information, and generating the access control policy according to the access rules.
Here, the access control policy is used to restrict whether one container may access another container. When generating the access control policy, the controller can take each container in turn as the target container according to the labels, automatically detect and identify the IP address of the container initiating access and the IP address of the container being accessed that correspond to the target container, and then determine the access rule of each target container according to the IP address of the initiating container, the IP address of the accessed container and the access permission information. Aggregating the access rules of all containers yields the access control policy, which includes the IP address of the initiating container, the IP address of the accessed container, the port and the network protocol. For example, given a target container A that initiates access and an accessed container B, if the access rule is set to allow access then container A can access container B, and if the access rule is set to disallow then container A cannot access container B.
Optionally, after generating the access control policy for each container according to the label and the access permission information, the method further includes: when state change information of a container is obtained, generating an updated access control policy according to the container state change information, wherein the state change information includes container creation, container deletion and container address change; and determining the abnormal access information of each container according to the access control policy includes: determining the abnormal access information of each container according to the updated access control policy.
Further, the controller can send the container namespace information to a connected user terminal so that it is presented to the user through the client of the user terminal. The user can query containers and edit them, where editing includes creating, deleting and changing addresses. When the user performs an editing operation, the controller can generate container state change information according to the editing operation; the state change information includes container creation, container deletion and container address change. The controller can automatically update the access control policy according to the container state change information to produce an updated access control policy, and then determine the abnormal access information of each container according to the updated access control policy in order to isolate and protect the containers.
S130. Determine the abnormal access information of each container according to the access control policy, and isolate and protect the containers according to the abnormal access information.
Optionally, determining the abnormal access information of each container according to the updated access control policy includes: determining a visitor permission list for each container according to the updated access control policy, wherein the visitor permission list includes the network IP addresses of visitors that have access permission; obtaining access traffic data of each container, wherein the access traffic data includes the access time, the number of accesses and the network IP address of each visitor; and filtering out abnormal visitor network IP addresses from the access traffic data by means of the visitor permission list, and taking the access traffic data corresponding to the abnormal visitor network IP addresses as the abnormal access information.
Specifically, the controller can determine the abnormal access information of each container according to the access control policy, and whenever the access control policy is updated it makes the determination according to the updated access control policy. That is, the visitor permission list of each container can be determined according to the updated access control policy; the visitors with access permission for each container can be identified from the visitor permission list, which includes the network IP addresses of the visitors that have access permission. The access traffic data of each container is obtained, and because the access traffic data contains the visitor network IP addresses, it can be filtered by the visitor permission list: the visitor network IP addresses in the access traffic data that have no access permission are taken as abnormal visitor network IP addresses, and the access traffic data corresponding to those abnormal visitor network IP addresses is taken as the abnormal access information, so that the container can further be isolated and protected on the basis of the abnormal access information. For example, if the visitor permission list of container A includes visitor 001 and visitor 003, and the access traffic data of container A contains visitor 001 and visitor 002, then because visitor 002 is absent from the visitor permission list, visitor 002 together with its access time and number of accesses constitutes the abnormal access information of container A.
In the technical solution of the embodiments of the present invention, the label and access permission information of each container are further obtained from the container namespace information obtained in the current network environment, the access control policy corresponding to each container is then generated, and the abnormal access information of each container is determined by means of the access control policy. In this way containers can be isolated and protected even in an environment with complex container business relationships, the risk of network attack is reduced, and user requirements are better met.
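The following Python is an added example, not code from this application; it models steps S110 to S130 as described above (label-driven generation of IP-level access rules, policy regeneration on a container state change, and filtering of access traffic against each container's visitor permission list). The data structures, the assumption that access permission is expressed between label groups, and the sample containers and traffic are all constructed for the example.

```python
"""Added example: label-driven access control policy and abnormal-access filtering.

Models S110-S130 of Embodiment 1. Container, Permission, Rule and Flow are
assumed data structures; the sample cluster and traffic below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

# Label = (business system name, runtime environment name, cluster location name)
Label = Tuple[str, str, str]


@dataclass(frozen=True)
class Container:
    namespace: str   # namespace name reported by the container cluster (S110)
    created: str     # creation time as reported by the cluster
    ip: str
    label: Label     # container attribute information entered by the user (S120)


@dataclass(frozen=True)
class Permission:
    """Assumed form of the user's access permission information: containers
    carrying label `src` may reach containers carrying label `dst` on port/proto."""
    src: Label
    dst: Label
    port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src_ip: str
    dst_ip: str
    port: int
    proto: str


@dataclass(frozen=True)
class Flow:
    src_ip: str   # visitor network IP address
    dst_ip: str   # accessed container IP address
    port: int
    proto: str
    ts: float     # access time (seconds since epoch)
    count: int    # number of accesses aggregated into this record


def build_policy(containers: List[Container], perms: List[Permission]) -> Set[Rule]:
    """Resolve label-level permissions into IP-level access rules (S120)."""
    by_label: Dict[Label, List[Container]] = {}
    for c in containers:
        by_label.setdefault(c.label, []).append(c)
    policy: Set[Rule] = set()
    for p in perms:
        for src in by_label.get(p.src, []):
            for dst in by_label.get(p.dst, []):
                if src.ip != dst.ip:
                    policy.add(Rule(src.ip, dst.ip, p.port, p.proto))
    return policy


def apply_state_change(containers: List[Container], event: dict) -> List[Container]:
    """Apply a container state change (create / delete / address change);
    the caller rebuilds the policy from the returned list."""
    kind = event["kind"]
    if kind == "create":
        return containers + [event["container"]]
    if kind == "delete":
        return [c for c in containers if c.namespace != event["namespace"]]
    if kind == "address_change":
        return [replace(c, ip=event["new_ip"]) if c.namespace == event["namespace"] else c
                for c in containers]
    raise ValueError(f"unknown state change: {kind}")


def permit_list(policy: Set[Rule], dst_ip: str) -> Set[str]:
    """Visitor permission list of one container: source IPs allowed to reach it."""
    return {r.src_ip for r in policy if r.dst_ip == dst_ip}


def abnormal_access(policy: Set[Rule], flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Traffic whose visitor IP is absent from the accessed container's permit
    list, keyed by accessed container IP (S130). Filtering is by IP only, as
    the application describes; port/proto mismatches are not flagged here."""
    out: Dict[str, List[Flow]] = {}
    for f in flows:
        if f.src_ip not in permit_list(policy, f.dst_ip):
            out.setdefault(f.dst_ip, []).append(f)
    return out


# Constructed sample cluster: two web containers and one database container.
WEB = ("billing-web", "prod", "east")
DB = ("billing-db", "prod", "east")
SAMPLE_CONTAINERS = [
    Container("web-1", "2024-01-01T00:00:00Z", "10.0.0.1", WEB),
    Container("web-2", "2024-01-01T00:00:05Z", "10.0.0.3", WEB),
    Container("db-1", "2024-01-01T00:00:10Z", "10.0.0.2", DB),
]
SAMPLE_PERMS = [Permission(WEB, DB, 5432, "tcp")]
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "10.0.0.2", 5432, "tcp", 1000.0, 12),  # permitted web -> db
    Flow("10.0.0.7", "10.0.0.2", 5432, "tcp", 1001.0, 3),   # unknown visitor -> db
]

if __name__ == "__main__":
    policy = build_policy(SAMPLE_CONTAINERS, SAMPLE_PERMS)
    for dst, flows in abnormal_access(policy, SAMPLE_FLOWS).items():
        print(dst, [f.src_ip for f in flows])
```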
Embodiment 2
FIG. 2 is a flowchart of a container network micro-isolation protection method provided by Embodiment 2 of the present invention. On the basis of Embodiment 1 above, this embodiment adds a specific description of the process of isolating and protecting containers according to the abnormal access information. The specific content of steps S210-S220 is substantially the same as that of steps S110-S120 in Embodiment 1, and is therefore not repeated in this embodiment. As shown in FIG. 2, the method includes:
S210. Obtain container namespace information in the current network environment, wherein the container namespace information includes the namespace name and creation time of each container.
Optionally, obtaining the container namespace information in the current network environment includes: determining each Kubernetes node in the current network environment; and obtaining the container cluster contained in each Kubernetes node, and obtaining the namespace name and corresponding creation time of each container in each container cluster to generate the container namespace information.
S220. Generate a label and access permission information for each container based on the container namespace information, and generate an access control policy for each container according to the label and the access permission information.
Optionally, generating the label and access permission information for each container based on the container namespace information includes: presenting the container namespace information to a user; obtaining container attribute information entered by the user for each container and using the container attribute information as the label, wherein the container attribute information includes the name of the business system to which the container belongs, the name of its runtime environment and the name of its cluster location; and obtaining access permission information entered by the user for each container, wherein the access permission information includes a port and a network protocol.
Optionally, generating the access control policy for each container according to the label and the access permission information includes: determining a target container in turn according to the label; determining, according to the access permission information corresponding to the target container, the IP address of the container initiating access and the IP address of the container being accessed; and determining an access rule for each target container according to the IP address of the container initiating access, the IP address of the container being accessed and the access permission information, and generating the access control policy according to the access rules.
Optionally, after generating the access control policy for each container according to the label and the access permission information, the method further includes: when state change information of a container is obtained, generating an updated access control policy according to the container state change information, wherein the state change information includes container creation, container deletion and container address change; and determining the abnormal access information of each container according to the access control policy includes: determining the abnormal access information of each container according to the updated access control policy.
S230. Determine the abnormal access information of each container according to the access control policy.
Optionally, determining the abnormal access information of each container according to the updated access control policy includes: determining a visitor permission list for each container according to the updated access control policy, wherein the visitor permission list includes the network IP addresses of visitors that have access permission; obtaining access traffic data of each container, wherein the access traffic data includes the access time, the number of accesses and the network IP address of each visitor; and filtering out abnormal visitor network IP addresses from the access traffic data by means of the visitor permission list, and taking the access traffic data corresponding to the abnormal visitor network IP addresses as the abnormal access information.
S240、根据访问时间和访问次数确定各异常访问者的风险值。S240. Determine the risk value of each abnormal visitor according to the visit time and the number of visits.
具体的,根据各容器的异常访问信息可以分析出容器的潜在风险,即对异常访问者的访问时间和访问次数进行评估,如果出现异常的访问趋势则风险值越高,例如异常访问者的访问次数多或者是指定访问时间内出现频繁访问,风险值为0-100的数值,数值越大说明风险值越高,控制器会根据访问时间和访问次数确定各异常访问者的风险值。Specifically, according to the abnormal access information of each container, the potential risk of the container can be analyzed, that is, the access time and number of visits of abnormal visitors are evaluated. If there is an abnormal access trend, the risk value is higher, such as the visit of abnormal visitors If there are many visits or frequent visits within the specified visit time, the risk value is a value from 0 to 100. The larger the value, the higher the risk value. The controller will determine the risk value of each abnormal visitor according to the visit time and number of visits.
S250、当风险值大于预设阈值时,根据异常访问信息确定被访问容器,并根据异常访问信息生成被访问容器对应的禁止访问规则。S250. When the risk value is greater than the preset threshold, determine the accessed container according to the abnormal access information, and generate an access prohibition rule corresponding to the accessed container according to the abnormal access information.
S260、基于禁止访问规则对被访问容器进行隔离防护。S260. Isolate and protect the accessed container based on the access prohibition rule.
具体的,用户可以根据防护需求设置预设阈值,控制器会将确定出的风险值和预设阈值进行比较,当风险值大于预设阈值时,可以根据异常访问信息对应的被访问容器,然后对被访问容器下发应急处置策略,即对被访问容器设置禁止访问规则,然后基于禁止访问规则对被访问容器下发应急处置策略,从而阻断异常访问流程,降低网络攻击风险,实现对容器的隔离防护。Specifically, the user can set a preset threshold according to protection requirements, and the controller will compare the determined risk value with the preset threshold. When the risk value is greater than the preset threshold, the corresponding accessed container can be accessed according to the abnormal access information, and then Issue an emergency response policy to the accessed container, that is, set access prohibition rules for the accessed container, and then issue an emergency response policy to the accessed container based on the access prohibition rule, thereby blocking the abnormal access process, reducing the risk of network attacks, and realizing container security. isolation protection.
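Steps S220 to S260 above, carried through end to end as an added Python example (illustration code written for this page, not code from the patent or from any product implementing it): user-entered, label-based permissions are expanded into IP-level allow rules; the visitor permission list is derived from those rules; constructed traffic records (access time, visit count, visitor IP) are screened against the list; each abnormal visitor receives a 0-100 risk value; and visitors above the threshold get one deny rule per container they reached. The container inventory, labels, IP addresses, traffic records and the risk formula are all constructed assumptions; the patent fixes only that the risk value lies in 0-100 and rises with more or more frequent visits. A state-change helper also shows how container creation, deletion and address change yield the updated policy by regenerating it from the new inventory.

```python
# Added illustration of steps S220-S260; every container, label, traffic record and the risk formula is constructed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Container:  # namespace name, pod IP, user-entered labels (business system, env, site)
    name: str
    ip: str
    labels: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Permission:  # containers carrying label src may reach label dst on port/proto
    src: tuple     # (label key, label value) of the initiating side
    dst: tuple     # (label key, label value) of the accessed side
    port: int
    proto: str

@dataclass(frozen=True)
class Rule:
    src_ip: str
    dst_ip: str
    port: object   # int for an allow rule, "any" for a quarantine rule
    proto: str
    action: str = "allow"

def build_policy(containers, permissions):
    """S220: walk the labels, resolve initiating/accessed container IPs, emit allow rules."""
    def tagged(label):
        return [c for c in containers if c.labels.get(label[0]) == label[1]]
    return [Rule(s.ip, d.ip, p.port, p.proto) for p in permissions
            for s in tagged(p.src) for d in tagged(p.dst) if s.ip != d.ip]

def apply_state_change(containers, event):
    """Container created, deleted or re-addressed: returns the new inventory;
    re-running build_policy on it yields the updated access control policy."""
    kind = event["kind"]
    if kind == "create":
        return containers + [event["container"]]
    if kind == "delete":
        return [c for c in containers if c.name != event["name"]]
    if kind == "address_change":
        return [Container(c.name, event["new_ip"], c.labels) if c.name == event["name"] else c
                for c in containers]
    raise ValueError(f"unknown state change: {kind}")

def allowed_visitors(policy):
    """Visitor permission list: accessed IP -> source IPs allowed to reach it."""
    acl = defaultdict(set)
    for r in policy:
        if r.action == "allow":
            acl[r.dst_ip].add(r.src_ip)
    return acl

def abnormal_access(acl, flows):
    """S230: traffic records whose source is absent from the destination's allowed list."""
    return [f for f in flows if f["src"] not in acl.get(f["dst"], set())]

def risk_scores(abnormal, window=60):
    """S240: 0-100 per abnormal visitor; assumed formula: 2 x total visits plus
    5 x visits in the busiest `window`-second burst, capped at 100."""
    by_src = defaultdict(list)
    for f in abnormal:
        by_src[f["src"]].append((f["ts"], f["count"]))
    scores = {}
    for src, visits in by_src.items():
        total = sum(n for _, n in visits)
        burst = max(sum(n for t, n in visits if t0 <= t < t0 + window) for t0, _ in visits)
        scores[src] = min(100, 2 * total + 5 * burst)
    return scores

def quarantine_rules(abnormal, scores, threshold):
    """S250: for each visitor above the threshold, one deny rule per container it reached."""
    rules = {Rule(f["src"], f["dst"], "any", "any", "deny")
             for f in abnormal if scores.get(f["src"], 0) > threshold}
    return sorted(rules, key=lambda r: (r.src_ip, r.dst_ip))

def run_pipeline(containers, permissions, flows, threshold=50):
    """S220-S250 end to end: (abnormal records, risk per visitor, deny rules to enforce)."""
    abnormal = abnormal_access(allowed_visitors(build_policy(containers, permissions)), flows)
    scores = risk_scores(abnormal)
    return abnormal, scores, quarantine_rules(abnormal, scores, threshold)

# Constructed inventory: only web-frontend may call order-service on 8080/tcp.
CONTAINERS = [
    Container("web-1", "10.1.0.11", {"system": "web-frontend", "env": "prod", "site": "bj"}),
    Container("order-1", "10.1.0.21", {"system": "order-service", "env": "prod", "site": "bj"}),
    Container("order-2", "10.1.0.22", {"system": "order-service", "env": "prod", "site": "bj"}),
    Container("batch-1", "10.1.0.31", {"system": "report-batch", "env": "prod", "site": "bj"}),
]
PERMISSIONS = [Permission(("system", "web-frontend"), ("system", "order-service"), 8080, "tcp")]
# Constructed traffic records: visitor IP, accessed IP, access time (epoch s), visit count.
FLOWS = [
    {"src": "10.1.0.11", "dst": "10.1.0.21", "ts": 1000, "count": 3},  # permitted
    {"src": "10.1.0.31", "dst": "10.1.0.21", "ts": 1000, "count": 1},  # batch-1 holds no right
    {"src": "10.1.0.31", "dst": "10.1.0.21", "ts": 1010, "count": 4},
    {"src": "10.1.0.31", "dst": "10.1.0.22", "ts": 1020, "count": 5},
    {"src": "10.9.9.9", "dst": "10.1.0.22", "ts": 5000, "count": 1},  # single outside probe
]
```

Calling `run_pipeline(CONTAINERS, PERMISSIONS, FLOWS)` on the constructed data scores the bursty `batch-1` visitor at 70 and the single outside probe at 7, so with the default threshold of 50 only `batch-1` receives deny rules, one for each of the two order-service containers it reached. In a Kubernetes deployment the allow and deny `Rule` records would be rendered into NetworkPolicy objects or CNI-level rules; keeping the policy a pure function of the current inventory, as `build_policy` does, is what makes the address-change case safe, since a rescheduled pod never keeps a stale IP-based rule.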
In the technical solution of this embodiment of the present invention, the labels and access permission information of each container are obtained on the basis of the container namespace information acquired from the current network environment, the access control policy corresponding to each container is then generated, and the abnormal access information of each container is determined through the access control policy. The accessed container can be determined from the abnormal access information and an emergency handling policy issued to it, that is, an access prohibition rule is set for the accessed container and the emergency handling policy is applied on the basis of that rule, so that the abnormal access flow is blocked and the risk of network attack is reduced. Isolation and protection of containers is thereby achieved even in an environment with complex business relationships between containers, better meeting user needs.
Embodiment Three
FIG. 3 is a schematic structural diagram of a container network micro-isolation protection device provided by Embodiment 3 of the present invention. As shown in FIG. 3, the device includes: a container namespace information obtaining module 310, configured to obtain the container namespace information in the current network environment, where the container namespace information includes the namespace name and creation time of each container; an access control policy generating module 320, configured to generate the labels and access permission information of each container on the basis of the container namespace information, and to generate the access control policy of each container from the labels and the access permission information; and an abnormal access information determining module 330, configured to determine the abnormal access information of each container according to the access control policy and to isolate and protect the containers according to the abnormal access information.
Optionally, the container namespace information obtaining module 310 is specifically configured to: determine the Kubernetes nodes in the current network environment; obtain the container clusters contained in each Kubernetes node; and obtain the namespace name and corresponding creation time of each container in each container cluster to generate the container namespace information.
Optionally, the access control policy generating module 320 specifically includes a label and access permission information obtaining unit, configured to: present the container namespace information to the user; obtain the container attribute information of each container entered by the user and use the container attribute information as the label, where the container attribute information includes the name of the business system the container belongs to, the runtime environment name and the cluster location name; and obtain the access permission information of each container entered by the user, where the access permission information includes the network port and the network protocol.
Optionally, the access control policy generating module 320 further includes an access control policy generating unit, configured to: determine target containers in turn according to the labels; determine, from the access permission information corresponding to the target container, the IP address of the container initiating the access and the IP address of the accessed container; and determine the access rule of each target container from the initiating container IP address, the accessed container IP address and the access permission information, and generate the access control policy from the access rules.
Optionally, the device further includes an access control policy updating module, configured to: after the access control policy of each container has been generated from the labels and the access permission information, when state change information of a container is obtained, generate an updated access control policy from the container state change information, where the state change information includes container creation, container deletion and container address change. Determining the abnormal access information of each container according to the access control policy then includes: determining the abnormal access information of each container according to the updated access control policy.
Optionally, the abnormal access information determining module 330 specifically includes an abnormal access information determining unit, configured to: determine, from the updated access control policy, a visitor permission list for each container, where the visitor permission list contains the network IP addresses of the visitors that hold access permission; obtain the access traffic data of each container, where the access traffic data includes the access time, the access count and the network IP address of each visitor; and filter out, by means of the visitor permission list, the abnormal visitor network IP addresses present in the access traffic data, and take the access traffic data corresponding to those abnormal visitor network IP addresses as the abnormal access information.
Optionally, the abnormal access information determining module 330 further includes an isolation protection unit, configured to: determine the risk value of each abnormal visitor from the access time and the access count; when the risk value is greater than the preset threshold, determine the accessed container from the abnormal access information and generate the access prohibition rule corresponding to the accessed container from the abnormal access information; and isolate and protect the accessed container on the basis of the access prohibition rule.
In the technical solution of this embodiment of the present invention, the labels and access permission information of each container are obtained on the basis of the container namespace information acquired from the current network environment, the access control policy corresponding to each container is then generated, and the abnormal access information of each container is determined through the access control policy, so that isolation and protection of containers is achieved even in an environment with complex business relationships between containers, the risk of network attack is reduced, and user needs are better met.
The container network micro-isolation protection device provided in this embodiment of the present invention can execute the container network micro-isolation protection method provided in any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to the execution of that method.
Embodiment Four
FIG. 4 shows a schematic structural diagram of an electronic device 10 that can be used to implement embodiments of the present invention. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (such as helmets, glasses and watches) and other similar computing devices. The components shown herein, their connections and relationships, and their functions are examples only and are not intended to limit the implementation of the present invention described and/or claimed herein.
As shown in FIG. 4, the electronic device 10 includes at least one processor 11 and a memory communicatively connected to the at least one processor 11, such as a read-only memory (ROM) 12 and a random access memory (RAM) 13, where the memory stores a computer program executable by the at least one processor. The processor 11 can perform various appropriate actions and processes according to the computer program stored in the ROM 12 or the computer program loaded from a storage unit 18 into the RAM 13. Various programs and data required for the operation of the electronic device 10 can also be stored in the RAM 13. The processor 11, the ROM 12 and the RAM 13 are connected to each other through a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A plurality of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16, such as a keyboard or a mouse; an output unit 17, such as various types of displays and speakers; a storage unit 18, such as a magnetic disk or an optical disk; and a communication unit 19, such as a network card, a modem or a wireless communication transceiver. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices through a computer network such as the Internet and/or various telecommunication networks.
The processor 11 may be any of various general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the processor 11 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller and the like. The processor 11 executes the methods and processes described above, for example the container network micro-isolation protection method.
In some embodiments, the container network micro-isolation protection method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the container network micro-isolation protection method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to execute the container network micro-isolation protection method by any other suitable means (for example, by means of firmware).
Various implementations of the systems and techniques described herein above can be realised in digital electronic circuitry, integrated circuitry, field programmable gate arrays (FPGA), application specific integrated circuits (ASIC), application specific standard products (ASSP), systems on chip (SOC), complex programmable logic devices (CPLD), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special-purpose or general-purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device and at least one output device.
Computer programs for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus, such that when the computer program is executed by the processor the functions/operations specified in the flowcharts and/or block diagrams are carried out. A computer program may execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by or in connection with an instruction execution system, apparatus or device. The computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. Alternatively, the computer-readable storage medium may be a machine-readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide interaction with a user, the systems and techniques described herein can be implemented on an electronic device having: a display device (for example a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and a pointing device (for example a mouse or a trackball) by which the user can provide input to the electronic device. Other kinds of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (for example visual, auditory or tactile feedback), and input from the user can be received in any form (including acoustic, speech or tactile input).
The systems and techniques described herein can be implemented in a computing system that includes a back-end component (for example as a data server), or a computing system that includes a middleware component (for example an application server), or a computing system that includes a front-end component (for example a user computer having a graphical user interface or a web browser through which the user can interact with an implementation of the systems and techniques described herein), or a computing system that includes any combination of such back-end, middleware or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (for example a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), a blockchain network and the Internet.
A computing system may include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, also known as a cloud computing server or cloud host, a host product in the cloud computing service system that addresses the difficult management and weak business scalability of traditional physical hosts and VPS services.
It should be understood that steps may be reordered, added or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be executed in parallel, sequentially or in a different order, as long as the desired result of the technical solution of the present invention can be achieved; no limitation is imposed herein.
The specific embodiments above do not constitute a limitation on the protection scope of the present invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions may be made depending on design requirements and other factors. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
| Application Number | Publication Number | Priority Date | Filing Date | Status | Title |
|---|---|---|---|---|---|
| CN202310165589.XA | CN116155604A | 2023-02-15 | 2023-02-15 | Pending | Container network micro-isolation protection method, device, equipment and storage medium |

| Publication Number | Publication Date |
|---|---|
| CN116155604A | 2023-05-23 |
| Country | Link |
|---|---|
| CN (1) | CN116155604A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114070637A (en)* | 2021-11-23 | 2022-02-18 | 北京天融信网络安全技术有限公司 | Access control method and system based on attribute label, electronic device and storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117319054A (en)* | 2023-08-11 | 2023-12-29 | 北京宝联之星科技股份有限公司 | Intelligent network security function management method and system based on container technology |
| CN117319054B (en)* | 2023-08-11 | 2024-05-17 | 北京宝联之星科技股份有限公司 | Intelligent network security function management method and system based on container technology |
| CN119557911A (en)* | 2023-08-24 | 2025-03-04 | 杭州阿里云飞天信息技术有限公司 | File protection method, rule configuration method and computing device |
| CN118984247A (en)* | 2024-09-02 | 2024-11-19 | 广州盈风网络科技有限公司 | A network protection method and system combining multi-level isolation and dynamic protection |
| Publication | Title |
|---|---|
| CN116155604A | Container network micro-isolation protection method, device, equipment and storage medium |
| CN112714018B | Gateway-based ElasticSearch search service method, system, medium and terminal |
| US9009782B2 | Steering traffic among multiple network services using a centralized dispatcher |
| CN114697391A | Data processing method, apparatus, device and storage medium |
| CN115905322A | Service processing method and device, electronic equipment and storage medium |
| CN115695165A | Automatic operation and maintenance method and system for firewall, electronic equipment and storage medium |
| CN115801569B | Access rule deployment method, device, equipment, medium and cloud platform |
| CN115422129A | A session processing method, device, electronic equipment and storage medium |
| CN114731342B | Managed data export from edge devices to remote networks |
| JP7305898B2 | Operation response method, operation response device, electronic device and storage medium |
| US11743122B1 | Network change verification based on observed network flows |
| CN114051029B | Authorization method, authorization device, electronic equipment and storage medium |
| CN115309568A | A method, device, device and medium for realizing multi-process file sharing |
| CN115550413A | Data calling method and device, service gateway and storage medium |
| CN116225312A | Image cleaning method, device, electronic equipment and storage medium |
| CN115883217A | Data processing method, device, equipment and storage medium |
| CN115510016A | A client response method, device and medium based on directory fragmentation |
| CN116450715A | Information integration data processing method, system, electronic equipment and storage medium |
| CN115550363A | Node hierarchical management method and device and electronic equipment |
| CN114611144A | Authority control method, device, equipment, medium and program product |
| CN111767585A | Object recognition method, device, electronic device and storage medium |
| CN115981847B | Service grid deployment method and device, electronic equipment and storage medium |
| US12184742B1 | Automatic service discovery |
| US20240031328A1 | Entity matching across telemetries |
| CN120631503A | Method, device, equipment and storage medium for creating elastic container instance |
| Code | Description |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |