CN116170188A - Network access control method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN116170188A
Authority: CN (China)
Prior art keywords: access control, pod, security access, control policy, security
Legal status: Pending
Application number: CN202211733744.5A
Other languages: Chinese (zh)
Inventors: 别路, 吕亚霖
Current assignee: Beijing Yunsizhixue Technology Co ltd
Original assignee: Beijing Yunsizhixue Technology Co ltd
Priority application: CN202211733744.5A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The disclosure provides a network access control method, a network access control device, electronic equipment and a storage medium, and relates to the field of cloud technology. Applied to a working node worker, the network access control method comprises the following steps: receiving a security access control strategy sent by a control node Controller, wherein the security access control strategy takes a pod as the minimum access control unit; analyzing the security access control policy to obtain a first pod applying the security access control policy; and sending the security access control policy to the first pod. Applied to a control node Controller, the method comprises acquiring a security access control strategy taking a pod as the access control unit, and sending the security access control strategy to a working node worker. The network access control method and device can finely control the cluster and improve its security level.

Description

Network access control method, device, electronic equipment and storage medium
Technical Field
The disclosure relates to the field of cloud technologies, and in particular, to a network access control method and device, electronic equipment and a storage medium.
Background
In the field of cloud technology, Kubernetes (k8s) is a powerful but very complex container platform. Thousands of services often run in a k8s cluster, different service lines are deployed in one cluster, different service attributes have different requirements on information security control, and access to the sensitive data of each service line needs to be strictly limited for security protection.
At present, in order to realize secure access limitation, access restrictions are generally set by the IP address of a machine. In the cloud-native field, however, the minimum running unit of a service is the pod; pods are mixed and deployed across a batch of machines, and there is no clear machine division between services, so the current machine-based IP address access control is inaccurate and the data of the cluster lacks security guarantees.
Disclosure of Invention
In order to overcome the deficiencies of the prior art, the present disclosure provides a network access control method, apparatus, electronic device and storage medium.
According to a first aspect of an embodiment of the present disclosure, there is provided a network access control method applied to a working node worker, the method including:
receiving a security access control strategy sent by a control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit;
analyzing the security access control policy to obtain a first pod applying the security access control policy;
and sending the security access control policy to the first pod.
In some embodiments of the present disclosure, the security access control policy is a control policy input through a man-machine interaction operation interface, and includes identification information of a pod to which the security access control policy is applied and namespace information to which the pod belongs.
In some embodiments of the present disclosure, parsing the security access control policy to obtain a first pod that applies the security access control policy includes:
analyzing the security access control policy, and acquiring the first pod applying the security access control policy according to the namespace information and the identification information of the pod in the security access control policy.
In some embodiments of the present disclosure, the sending the secure access control policy to the first pod comprises:
acquiring information of all second pods laid out on the worker node;
querying the information of all the second pods to determine whether the first pod applying the security access control policy is among the second pods;
and if the first pod is determined to be among the second pods, sending the security access control strategy to the first pod.
In some embodiments of the present disclosure, the obtaining information of all second pods laid out on the current node includes:
acquiring information of all second pods laid out on the current node in real time;
or polling to acquire the information of all the second pods laid out on the current node at a preset interval.
In some embodiments of the present disclosure, receiving the security access control policy issued by the control node Controller includes:
Receiving the security access control strategy sent by the Controller through a hypertext transfer protocol (HTTP);
or receiving the security access control strategy sent by the Controller through a shared storage mode;
or receiving the security access control strategy sent by the Controller through a message queue communication mode.
According to a second aspect of an embodiment of the present disclosure, a network access control method, applied to a control node Controller, includes:
acquiring a security access control strategy taking a pod as an access control unit;
and sending the security access control strategy to a working node worker.
In some embodiments of the present disclosure, the obtaining a security access control policy with a pod as an access control unit includes:
receiving a control strategy input through a man-machine interaction operation interface, identification information of a first pod applying the security access control strategy and namespace information of the pod;
generating the security access control policy according to the control policy, the identification information of the first pod applying the security access control policy and the namespace information of the pod, wherein the security access control policy comprises the identification information of the pod applying the security access control policy and the namespace information of the pod.
In some embodiments of the present disclosure, the sending the security access control policy to the working node worker includes:
sending the security access control strategy to a working node worker through a hypertext transfer protocol (HTTP);
or the security access control strategy is sent to a working node worker in a shared storage mode;
or the security access control strategy is sent to the work node worker in a message queue communication mode.
According to a third aspect of the embodiments of the present disclosure, a network access control device, applied to a working node worker, includes:
the receiving unit is used for receiving a security access control strategy sent by the control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit;
the analyzing unit is used for analyzing the security access control policy to obtain a first pod applying the security access control policy;
and the sending unit is used for sending the security access control strategy to the first pod.
According to a fourth aspect of embodiments of the present disclosure, a network access control device, applied to a control node Controller, includes:
the acquisition unit is used for acquiring a security access control strategy taking the pod as an access control unit;
and the sending unit is used for sending the security access control strategy to a working node worker.
According to a fifth aspect of embodiments of the present disclosure, a network access control system includes:
a control node Controller according to any of the second aspect and at least one worker node, each worker having disposed thereon an Agent capable of performing the method according to any of the first aspect.
According to a sixth aspect of embodiments of the present disclosure, there is provided an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method described in the first aspect.
According to a seventh aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method described in the foregoing first aspect.
According to an eighth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements a method as described in the foregoing first aspect.
The network access control method, the network access control device and the electronic equipment are applied to a working node worker, and receive a security access control strategy sent by a control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit; analyzing the security access control policy to obtain a first pod applying the security access control policy; and sending the security access control policy to the first pod. The method is applied to a control node Controller and used for acquiring a security access control strategy taking a pod as an access control unit; and sending the security access control strategy to a working node worker. The invention finally obtains the security access control strategy taking the pod as the minimum access control unit, realizes the method for controlling the fine network strategy in the cluster, strengthens the security management and control of the cluster network and improves the security level of the cluster.
It should be understood that the description of this section is not intended to identify key or critical features of the embodiments of the application or to delineate the scope of the application. Other features of the present application will become apparent from the description that follows.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
Fig. 1 is a flow chart of a network access control method according to an embodiment of the disclosure;
fig. 2 is a schematic flow chart of a network access control method according to an embodiment of the disclosure;
fig. 3 is a flow chart of a network access control method according to an embodiment of the disclosure;
fig. 4 is a schematic flow chart of another network access control provided in an embodiment of the disclosure;
fig. 5 is a block diagram of an apparatus for network access control according to an embodiment of the present disclosure;
fig. 6 is a block diagram of an apparatus for network access control according to an embodiment of the present disclosure;
fig. 7 is a block diagram of an apparatus for network access control according to an embodiment of the present disclosure;
fig. 8 is a block diagram of an apparatus for network access control according to an embodiment of the present disclosure;
FIG. 9 is a schematic block diagram of an electronic device 400 provided by an embodiment of the present disclosure;
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The network access control method, apparatus, electronic device, and storage medium of the embodiments of the present disclosure are described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged where appropriate such that embodiments of the present disclosure described herein may be implemented in a sequence other than those illustrated or described herein, and that the implementations described in the following exemplary embodiments are not representative of all implementations consistent with the present disclosure. Rather, they are merely apparatuses and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
In the field of cloud technology, Kubernetes (k8s) is a powerful but very complex container platform. Thousands of services often run in a k8s cluster, different service lines are deployed in one cluster, different service attributes have different requirements on information security control, and access to the sensitive data of each service line needs to be strictly limited for security protection.
At present, in order to realize secure access limitation, access restrictions are generally set by the IP address of a machine. In the cloud-native field, however, the minimum running unit of a service is the pod; pods are mixed and deployed across a batch of machines, and there is no clear machine division between services, so the current machine-based IP address access control is inaccurate and the data of the cluster lacks security guarantees.
It should be noted here that the k8s cluster of the present disclosure includes a plurality of working nodes, a master node, and a control node controller, where the control node controller may be disposed in a working node or in the master node; embodiments of the present disclosure are not limited in this respect. An Agent is deployed on each worker node as a DaemonSet, which is a way of deploying pods in k8s similar to daemons: one pod runs on each designated node. The Agent can acquire all the pods deployed on the worker, receive the security access control policy issued by the controller, and issue the security access control policy to the corresponding pod, so as to realize fine management with the pod as the unit.
In order to solve the above-mentioned problems, as shown in fig. 1, fig. 1 is a flowchart of a network access control method provided in an embodiment of the present disclosure, where the method is applied to a working node worker, and the method includes:
and step 101, receiving a security access control strategy sent by a control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit.
It should be noted that, in the embodiment of the disclosure, receiving the security access control policy sent by the control node Controller means receiving it through an existing communication manner. The security access control policy is the main policy of network security protection and takes a pod as the minimum access control unit, that is, the pod is the smallest unit for which security access authority is set.
In addition, it should be further noted that the security access control policy may be automatically generated or input through a man-machine interface, and in particular, embodiments of the present disclosure are not limited thereto.
Step 102, analyzing the security access control policy to obtain a first pod applying the security access control policy.
It should be noted here that, in the embodiments of the present disclosure, parsing the security access control policy means interpreting the content included in the policy, where the security access control policy includes the security access time, access frequency, access manner, all the pods involved and the namespaces to which the pods belong, and may also include other content; the specific embodiments of the present disclosure do not limit this.
In addition, it should be noted that acquiring the first pod to which the security access control policy is applied means analyzing the security access control policy to acquire the pod it applies to. The security access control policy includes identification information of a pod applying the security access control policy and namespace information to which the pod belongs. Namespaces contain pods; the number of each namespace is unique, but the number of a pod within a namespace is not unique across namespaces and may be repeated. For example, the pods included in namespace 1 may be numbered sequentially 1, 2, 3, and so on; the pods included in namespace 2 may also be numbered sequentially 1, 2, 3, and so on. Therefore, in order to uniquely determine a pod, the namespace number and the pod number are needed together. Accordingly, after obtaining the pod information to which the security access control policy is applied, the embodiment of the present disclosure further needs to determine the namespace information of the pod in order to uniquely determine the first pod to which the security access control policy is applied.
The pod identification information may be one or more than one; the above-mentioned namespace information may be one or more, and each pod has a corresponding namespace, which is not limited by the embodiment of the present disclosure.
Step 103, sending the security access control policy to the first pod.
It should be noted that, in the embodiments of the present disclosure, sending the security access control policy to the first pod uses an existing manner of sending information to a pod; embodiments of the present disclosure are not limited in this respect.
The invention provides a network access control method and a network access control device, which can effectively improve the security level of a cluster. Specifically, as shown in fig. 2, fig. 2 is a flowchart of a network access control method provided by an embodiment of the present disclosure, where the method is applied to a control node Controller, and the method includes:
Step 201, obtaining a security access control policy using a pod as the access control unit.
In the embodiment provided by the disclosure, the security access control policy is the main policy of network security protection and takes a pod as the minimum access control unit, that is, the pod is the smallest unit for which security access authority is set. The security access control policy includes identification information of a pod applying the security access control policy and namespace information to which the pod belongs; namespaces contain pods, the number of each namespace is unique, but the number of a pod is unique only within its namespace and may be repeated across namespaces.
The pod identification information may be one or more than one; the above-mentioned namespace information may be one or more, and each pod has a corresponding namespace, which is not limited by the embodiment of the present disclosure.
In addition, it should be noted that, when the security access control policy using the pod as the access control unit is acquired, it may be an input security access control policy that is received, a full access control policy issued by a server that is received, or a security access control policy generated according to a preset rule; the embodiment of the present disclosure is not limited in this respect.
Step 202, sending the security access control strategy to a working node worker.
In the embodiment of the disclosure, sending the security access control policy to the working node worker means sending it through an existing communication mode. In particular, embodiments of the present disclosure are not limited in this regard.
The embodiment of the disclosure provides a network access control method, a device and an electronic device, which are applied to a working node worker, and are used for receiving a security access control strategy sent by a control node Controller, wherein the security access control strategy takes pod as a minimum access control unit; analyzing the security access control policy to obtain a first pod applying the security access control policy; and sending the security access control policy to the first pod. The method is applied to a control node Controller and used for acquiring a security access control strategy taking a pod as an access control unit; and sending the security access control strategy to a working node worker. The invention finally obtains the security access control strategy taking the pod as the minimum access control unit, realizes the method for controlling the fine network strategy in the cluster, strengthens the security management and control of the cluster network and improves the security level of the cluster.
In some embodiments of the present disclosure, the security access control policy is a control policy input through a man-machine interaction operation interface, and includes identification information of a pod to which the security access control policy is applied and namespace information to which the pod belongs. The security access control policy may be automatically generated or may be input through a human-machine interface, which is not limited by the specific embodiments of the present disclosure.
In some embodiments of the present disclosure, parsing the security access control policy, obtaining the first pod applying the security access control policy according to the namespace information and the pod identification information in the policy, and sending the security access control policy to the first pod may adopt, but is not limited to, the following manner, as shown in fig. 3, including:
Step 301, obtaining information of all second pods laid out on the worker node.
In some embodiments of the present disclosure, acquiring information of all the second pods laid out on the current node may be done in real time, or by polling at a predetermined interval. In particular, embodiments of the present disclosure are not limited in this regard.
Step 302, querying the information of all second pods to determine whether the first pod applying the security access control policy is among the second pods.
In some embodiments of the present disclosure, first, the information of all second pods that can be queried on the worker is acquired, and whether the first pod of the security access control policy is among them is determined according to the information of all second pods laid out on the worker node.
Step 303, if it is determined that the first pod is among the second pods, sending the security access control policy to the first pod.
In some embodiments of the present disclosure, if it is determined that the first pod is among the second pods, the security access control policy may be sent to the first pod by using an existing communication manner; embodiments of the present disclosure are not limited in this respect.
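The worker-side Agent logic of steps 101 to 103 and 301 to 303, as an added Go example that is not the disclosure's own code: it parses a Controller policy, resolves each target by the (namespace, pod id) pair, delivers only to pods laid out on this worker, and shows why a pod id alone is ambiguous. The policy field names and the sample pod list are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// PodRef identifies one pod. As the disclosure notes, a pod number is unique
// only within its namespace, so (namespace, pod id) together form the key.
type PodRef struct {
	Namespace string `json:"namespace"`
	PodID     string `json:"pod_id"`
}

// Policy is the security access control policy issued by the Controller.
// Field names are assumed for this example; the disclosure only says the
// policy carries access time, frequency, manner, and target pods with namespaces.
type Policy struct {
	PolicyID   string   `json:"policy_id"`
	AccessTime string   `json:"access_time"`
	AccessFreq int      `json:"access_frequency"`
	AccessMode string   `json:"access_mode"`
	Targets    []PodRef `json:"targets"`
}

// ParsePolicy is step 102: interpret the policy and reject one that names a
// pod without its namespace, since such a target cannot be resolved uniquely.
func ParsePolicy(raw []byte) (Policy, error) {
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return Policy{}, err
	}
	if len(p.Targets) == 0 {
		return Policy{}, errors.New("policy names no target pod")
	}
	for _, t := range p.Targets {
		if t.Namespace == "" || t.PodID == "" {
			return Policy{}, fmt.Errorf("target %q lacks namespace or pod id", t.PodID)
		}
	}
	return p, nil
}

// Inventory is the set of "second pods": every pod laid out on this worker.
// A real Agent would refresh it from the kubelet or API server, in real time
// or by polling; here it is built from a constructed list.
type Inventory map[PodRef]struct{}

func NewInventory(pods []PodRef) Inventory {
	inv := make(Inventory, len(pods))
	for _, p := range pods {
		inv[p] = struct{}{}
	}
	return inv
}

// SelectLocalTargets is steps 301 to 303: look up each target pod in the local
// inventory and deliver only to those present on this node. Targets on other
// workers are returned separately so the caller can log, not act on, them.
func SelectLocalTargets(p Policy, inv Inventory) (local, foreign []PodRef) {
	for _, t := range p.Targets {
		if _, ok := inv[t]; ok {
			local = append(local, t)
		} else {
			foreign = append(foreign, t)
		}
	}
	return local, foreign
}

// CountByIDOnly shows why the namespace is required: matching on the pod id
// alone can hit several pods, because ids repeat across namespaces.
func CountByIDOnly(id string, inv Inventory) int {
	n := 0
	for ref := range inv {
		if ref.PodID == id {
			n++
		}
	}
	return n
}

// Constructed sample: one Controller policy and this worker's pod set.
const samplePolicy = `{"policy_id":"p-1","access_time":"09:00-18:00","access_frequency":100,
 "access_mode":"tcp","targets":[{"namespace":"ns1","pod_id":"1"},
 {"namespace":"ns2","pod_id":"1"},{"namespace":"ns3","pod_id":"7"}]}`

var sampleLocalPods = []PodRef{
	{"ns1", "1"}, {"ns1", "2"}, {"ns2", "1"}, {"ns2", "3"},
}

func main() {
	p, err := ParsePolicy([]byte(samplePolicy))
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	inv := NewInventory(sampleLocalPods)
	local, foreign := SelectLocalTargets(p, inv)
	for _, t := range local {
		fmt.Printf("deliver %s to %s/%s\n", p.PolicyID, t.Namespace, t.PodID)
	}
	for _, t := range foreign {
		fmt.Printf("skip %s/%s: not on this worker\n", t.Namespace, t.PodID)
	}
	fmt.Println("pods matching id 1 without namespace:", CountByIDOnly("1", inv))
}
```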
Further, in the following embodiments of the present disclosure, the worker node may receive the security access control policy issued by the control node Controller in the following manners, including but not limited to:
In the first manner, the security access control policy sent by the Controller is received via the hypertext transfer protocol (Hyper Text Transfer Protocol, HTTP), a simple request-response protocol. HTTP is a common technique that may be preferred for transmission, but is not particularly limited.
In the second manner, the security access control policy sent by the Controller is received through a shared storage mode. The shared storage method may store the security access control policy in a temporary or fixed storage location, may issue the storage path to the sharer, may read from a storage space agreed in advance, or may use other methods; embodiments of the present disclosure are not limited in this respect.
In the third manner, the security access control policy sent by the Controller is received through a message queue communication mode. The security access control policy is delivered by the first-in first-out mechanism of a message queue; for specifics, refer to the description of existing message queues, which the embodiments of the present disclosure do not particularly limit.
In some embodiments of the present disclosure, when the Controller obtains the security access control policy using the pod as the access control unit, the method may be implemented in the following manner, as shown in fig. 4, and includes:
step 401, receiving a control policy input through a man-machine interaction operation interface, and identification information of a first pod applying the security access control policy, and name space information to which the pod belongs.
In the embodiment of the disclosure, when the Controller accepts the security access control policy, the identification information of the first pod applying the security access control policy, and the namespace information to which the pod belongs, it may accept an input security access control policy or a security policy issued by a server; the embodiment of the disclosure is not limited in this respect.
The security access control policy is the main policy of network security protection and takes a pod as the minimum access control unit; the pod is the smallest unit for which security access rights are set.
Step 402, generating the security access control policy according to the control policy, the identification information of the first pod applying the security access control policy, and the namespace information to which the pod belongs, where the security access control policy includes the identification information of the pod applying the security access control policy and the namespace information to which the pod belongs.
Acquiring the first pod applying the security access control policy means parsing the policy to obtain the pod it applies to. After the pod information to which the security access control policy applies is obtained, the namespace information of the pod also needs to be determined, so that the first pod applying the security access control policy can be determined uniquely.
Further, in the following embodiments of the present disclosure, the Controller may send the security access control policy to the worker in the following manners, including but not limited to:
In the first manner, the security access control policy is sent to the worker through the hypertext transfer protocol HTTP. HTTP is a common technical means that may be preferred for transmission, but is not particularly limited.
HTTP is an application-layer protocol for communication between a client and a server, and is one way to send the security access control policy to the working node.
In the second manner, the security access control strategy is sent to the worker through a shared storage mode. The shared storage method may store the security access control policy in a temporary or fixed storage location, may issue the storage path to the sharer, may read from a storage space agreed in advance, or may use other methods; embodiments of the present disclosure are not limited in this respect.
In the third manner, the security access control strategy is sent to the worker through a message queue communication mode. The security access control policy is delivered by the first-in first-out mechanism of a message queue; for specifics, refer to the description of existing message queues, which the embodiments of the present disclosure do not particularly limit.
The message queue holds messages until they are sent to the consumer. It is the container of the message and also its endpoint. A message may be placed into one or more queues. Messages remain in the queue until the consumer connects to the queue and takes them away. The main purpose of the queues is to provide routing and to ensure delivery of messages.
The main feature of message queues is asynchronous processing, whose main purposes are reducing request response time and decoupling. The primary usage scenario is to place operations that are time consuming and do not require an immediate (synchronous) result into a message queue as messages. At the same time, because a message queue is used, as long as the message format stays unchanged, the sender and receiver of a message need not be in contact with each other and do not influence each other; that is, they are decoupled. This is also the meaning of message middleware.
The embodiment of the disclosure provides a network access control method, device and electronic device. Applied to a worker node, the method receives a security access control policy sent by a control node (Controller), where the policy takes the pod as the minimum access control unit; parses the policy to obtain the first pod to which it applies; and sends the policy to that first pod. Applied to the Controller, the method obtains a security access control policy that takes the pod as the access control unit and sends it to a worker node. The invention thus obtains a security access control policy with the pod as the minimum access control unit, realizes fine-grained network policy control within the cluster, strengthens security management of the cluster network and raises the security level of the cluster.
Corresponding to the network access control method, the invention also provides a schematic diagram of the composition of the network access control device. Since the device embodiment of the present invention corresponds to the method embodiment described above, details not disclosed in the device embodiment may refer to the method embodiment and are not repeated here.
Fig. 5 is a block diagram of a network access control device according to an embodiment of the present disclosure, which is applied to a worker node. As shown in fig. 5, it includes:
a receiving unit 501, configured to receive a security access control policy sent by the Controller, where the security access control policy uses the pod as the minimum access control unit;
a parsing unit 502, configured to parse the security access control policy to obtain the first pod to which the security access control policy applies;
a sending unit 503, configured to send the security access control policy to the first pod.
In some embodiments of the present disclosure, the security access control policy is a control policy input through a man-machine interaction operation interface, and includes identification information of a pod to which the security access control policy is applied and namespace information to which the pod belongs.
In some embodiments of the present disclosure, parsing the security access control policy to obtain the first pod to which it applies includes the following, for which the parsing unit 502 is specifically configured:
parsing the security access control policy, and obtaining the first pod to which the policy applies according to the namespace information and the pod identification information contained in the policy.
In some embodiments of the present disclosure, as shown in fig. 6, the parsing unit 502 includes:
an obtaining module 5021, configured to obtain information of all second pods deployed on the worker node;
a query module 5022, configured to query the information of all second pods to determine whether the first pod to which the security access control policy applies is among them;
a sending module 5023, configured to send the security access control policy to the first pod if it is determined to be among the second pods.
In some embodiments of the present disclosure, the obtaining module 5021 is configured to:
obtain information of all second pods deployed on the current node in real time;
or poll for the information of all second pods deployed on the current node at a preset interval.
In some embodiments of the present disclosure, the transmitting unit 503 includes:
a first way, receiving the security access control policy sent by the Controller through the hypertext transfer protocol (HTTP);
a second way, receiving the security access control policy sent by the Controller through shared storage;
a third way, receiving the security access control policy sent by the Controller through message queue communication.
In the foregoing embodiments, the worker may receive the security access control policy in the manners described above, but is not limited to them, and the embodiments of the disclosure do not specifically limit this.
Fig. 7 is a block diagram of a network access control device according to an embodiment of the present disclosure, which is applied to a Controller. As shown in fig. 7, the device includes:
an obtaining unit 601, configured to obtain a security access control policy that uses the pod as the access control unit;
a sending unit 602, configured to send the security access control policy to a worker.
In some embodiments of the present disclosure, as shown in fig. 8, the obtaining unit 601 includes:
an accepting module 6011, configured to receive a control policy input through a man-machine interaction operation interface, the identification information of the first pod to which the security access control policy applies, and the namespace information to which that pod belongs;
a generating module 6012, configured to generate the security access control policy from the control policy, the identification information of the first pod and the namespace information to which the pod belongs, where the generated security access control policy contains the identification information of the pod to which it applies and the namespace information to which that pod belongs.
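The controller-side generation just described (accepting module and generating module) and the worker-side parsing, querying and sending described earlier (parsing unit 502 with its modules 5021 to 5023) are shown together in one added example that is not part of the patent. It assumes that the pod identifier is the pod name, that namespace and pod names are DNS labels, and a constructed policy format with a target pod, allowed peer pods and a port; the per-node inventory is constructed, and the enforcement step is stubbed.

```python
"""Added example (not the patent's code): a Controller builds a pod-level
security access control policy from operator input, and a worker agent parses
it and finds the target pod among the pods deployed on its own node.  Names,
the policy format and the sample pod inventory are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Kubernetes object names are DNS labels; reject anything else before it
# becomes a policy key.
_DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class PodRef:
    """Identity of a pod: its namespace plus its identifier (pod name here)."""
    namespace: str
    name: str


@dataclass(frozen=True)
class SecurityAccessControlPolicy:
    target: PodRef                  # the "first pod" the policy applies to
    allow_from: tuple[PodRef, ...]  # peers allowed to reach the target
    port: int


# --- Controller side (obtaining unit: accepting + generating modules) ---------

def generate_policy(control_policy: dict, pod_id: str, namespace: str) -> SecurityAccessControlPolicy:
    """Validate operator-entered input and assemble the policy object."""
    for label in (namespace, pod_id):
        if not _DNS_LABEL.match(label):
            raise ValueError(f"invalid name {label!r}")
    port = int(control_policy["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    peers = []
    for peer in control_policy.get("allow_from", []):
        ns = peer.get("namespace", namespace)   # default: same namespace as the target
        if not (_DNS_LABEL.match(ns) and _DNS_LABEL.match(peer["pod"])):
            raise ValueError(f"invalid peer {peer!r}")
        peers.append(PodRef(ns, peer["pod"]))
    return SecurityAccessControlPolicy(PodRef(namespace, pod_id), tuple(peers), port)


# --- Worker side (parsing unit: obtaining, query and sending modules) ---------

@dataclass
class WorkerAgent:
    node: str
    # Either a live inventory callback (real-time) or a polled snapshot feeds this.
    list_pods_on_node: Callable[[], list[PodRef]]

    def find_target(self, policy: SecurityAccessControlPolicy) -> Optional[PodRef]:
        """Query all second pods on this node for the first pod the policy names.
        Returns None when the target is scheduled elsewhere; that is normal, not
        an error, because every worker receives every policy."""
        wanted = policy.target
        for pod in self.list_pods_on_node():
            if pod.namespace == wanted.namespace and pod.name == wanted.name:
                return pod
        return None

    def apply(self, policy: SecurityAccessControlPolicy) -> bool:
        target = self.find_target(policy)
        if target is None:
            return False
        # Sending module: hand the policy to the local enforcement point for
        # this pod (e.g. programming the node's packet filter; stubbed here).
        return True


def demo() -> dict[str, bool]:
    """Constructed inventory: the target pod lives on node-a only."""
    policy = generate_policy(
        {"port": 5432, "allow_from": [{"pod": "api-7f9c"}]}, "db-0", "payments")
    inventory = {
        "node-a": [PodRef("payments", "db-0"), PodRef("web", "front-1")],
        "node-b": [PodRef("payments", "api-7f9c"), PodRef("payments", "db-0-canary")],
    }
    results = {}
    for node, pods in inventory.items():
        agent = WorkerAgent(node, lambda pods=pods: list(pods))
        results[node] = agent.apply(policy)
    return results


if __name__ == "__main__":
    print(demo())
```

Matching is on the exact (namespace, name) pair, so a pod with a similar name in the same namespace, or the same name in another namespace, never receives a policy meant for a different pod; input that is not a valid label is rejected at the Controller before a policy is ever generated.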
In some embodiments of the present disclosure, the transmitting unit 602 includes:
a first way, sending the security access control policy to a worker node through the hypertext transfer protocol (HTTP);
a second way, sending the security access control policy to a worker node through shared storage;
a third way, sending the security access control policy to a worker node through message queue communication.
In the above embodiments, the Controller may send the security access control policy to the worker in the manner described above, but is not limited thereto, and specific embodiments of the disclosure are not limited thereto.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 9 shows a schematic block diagram of an example electronic device 400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 9, the device 400 includes a computing unit 401 that can perform various appropriate actions and processes according to a computer program stored in a ROM (Read-Only Memory) 402 or a computer program loaded from a storage unit 408 into a RAM (Random Access Memory) 403. In RAM 403, various programs and data required for the operation of device 400 may also be stored. The computing unit 401, ROM 402 and RAM 403 are connected to each other by a bus 404. An I/O (Input/Output) interface 405 is also connected to bus 404.
Various components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, etc.; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, etc.; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 401 may be any of a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of computing unit 401 include, but are not limited to, a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), various dedicated AI (Artificial Intelligence) computing chips, various computing units running machine learning model algorithms, a DSP (Digital Signal Processor), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the respective methods and processes described above, such as the network access control method. For example, in some embodiments, the network access control method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by computing unit 401, one or more steps of the method described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the network access control method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, an FPGA (Field Programmable Gate Array), an ASIC (Application-Specific Integrated Circuit), an ASSP (Application Specific Standard Product), an SOC (System On Chip), a CPLD (Complex Programmable Logic Device), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, RAM, ROM, EPROM (Erasable Programmable Read-Only Memory) or flash memory, an optical fiber, a CD-ROM (Compact Disc Read-Only Memory), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (Cathode-Ray Tube) or LCD (Liquid Crystal Display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual, auditory, or tactile feedback), and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a LAN (Local Area Network), a WAN (Wide Area Network), the internet and blockchain networks.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of difficult management and weak service scalability found in traditional physical hosts and VPS ("Virtual Private Server") services. The server may also be a server of a distributed system or a server that incorporates a blockchain.
It should be noted that, artificial intelligence is a subject of studying a certain thought process and intelligent behavior (such as learning, reasoning, thinking, planning, etc.) of a computer to simulate a person, and has a technology at both hardware and software level. Artificial intelligence hardware technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, and the like; the artificial intelligence software technology mainly comprises a computer vision technology, a voice recognition technology, a natural language processing technology, a machine learning/deep learning technology, a big data processing technology, a knowledge graph technology and the like.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (15)

1. A network access control method, characterized in that it is applied to a worker node and comprises the following steps:
receiving a security access control strategy sent by a control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit;
analyzing the security access control policy to obtain a first pod applying the security access control policy;
and sending the security access control policy to the first pod.
2. The method of claim 1, wherein the security access control policy is a control policy input through a man-machine interaction operation interface, and comprises identification information of the pod to which the security access control policy applies and namespace information to which the pod belongs.
3. The method of claim 2, wherein said parsing the security access control policy to obtain a first pod to which the security access control policy applies comprises:
parsing the security access control policy, and obtaining the first pod to which the security access control policy applies according to the namespace information and the pod identification information in the security access control policy.
4. The method of claim 3, wherein the sending the security access control policy to the first pod comprises:
acquiring information of all second pods deployed on the worker node;
querying the information of all the second pods to determine whether the first pod to which the security access control policy applies is among the second pods;
and if the first pod is determined to be among the second pods, sending the security access control policy to the first pod.
5. The method of claim 4, wherein the acquiring information of all second pods deployed on the current node comprises:
acquiring information of all second pods deployed on the current node in real time;
or polling for the information of all second pods deployed on the current node at a preset interval.
6. The method according to any of claims 1-5, wherein receiving a security access control policy issued by a control node Controller comprises:
receiving the security access control strategy sent by the Controller through a hypertext transfer protocol (HTTP);
or receiving the security access control strategy sent by the Controller through a shared storage mode;
or receiving the security access control strategy sent by the Controller through a message queue communication mode.
7. A network access control method, applied to a control node Controller, comprising:
acquiring a security access control policy taking the pod as the access control unit;
and sending the security access control strategy to a working node worker.
8. The method of claim 7, wherein the acquiring a security access control policy with the pod as the access control unit comprises:
receiving a control policy input through a man-machine interaction operation interface, identification information of the first pod to which the security access control policy applies, and namespace information to which the pod belongs;
generating the security access control policy according to the control policy, the identification information of the first pod to which the security access control policy applies, and the namespace information to which the pod belongs, wherein the security access control policy comprises the identification information of the pod to which it applies and the namespace information to which the pod belongs.
9. The method of claim 8, wherein the sending the security access control policy to a worker node comprises:
sending the security access control policy to the worker node through the hypertext transfer protocol (HTTP);
or sending the security access control policy to the worker node through shared storage;
or sending the security access control policy to the worker node through message queue communication.
10. A network access control device, applied to a working node worker, comprising:
the receiving unit is used for receiving a security access control strategy sent by the control node Controller, wherein the security access control strategy takes a pod as a minimum access control unit;
the analyzing unit is used for analyzing the security access control policy to obtain a first pod applying the security access control policy;
and the sending unit is used for sending the security access control strategy to the first pod.
11. A network access control device, characterized in that it is applied to a control node Controller and comprises:
the acquisition unit is used for acquiring a security access control strategy taking the pod as an access control unit;
and the sending unit is used for sending the security access control strategy to a working node worker.
12. A network access control system, comprising:
a control node Controller according to any of claims 7-9, and at least one worker node, each of said workers having disposed thereon an Agent capable of performing the method according to any of claims 1-6.
13. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6 or the method of any one of claims 7-9.
14. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-6 or the method of any one of claims 7-9.
15. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-6 or the method according to any one of claims 7-9.
CN202211733744.5A 2022-12-30 2022-12-30 Network access control method, device, electronic equipment and storage medium Pending CN116170188A (en)


Publications (1)

Publication Number Publication Date
CN116170188A true CN116170188A (en) 2023-05-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination