
CN114091025B - Security detection method, security detection device and mirror image construction method based on cloud native platform - Google Patents


Info

Publication number
CN114091025B
CN114091025B (application CN202111416424.2A)
Authority
CN
China
Prior art keywords
container
image
security
security detection
layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111416424.2A
Other languages
Chinese (zh)
Other versions
CN114091025A (en)
Inventor
张小梅
徐雷
郭新海
丁攀
蓝鑫冲
刘安
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111416424.2A
Publication of CN114091025A
Application granted
Publication of CN114091025B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities


Abstract

The invention discloses a security detection method, a security detection device and an image construction method, all based on a cloud native platform, and relates to the field of communication technology. The method includes: performing a first security detection process for each image layer included in a pre-built target image; when every image layer of the target image passes the first security detection process, running the container corresponding to the target image; and, in response to container configuration change reminder information for the container, performing a second security detection process on the container. The method enables automatic security detection of images and containers.

Description

Security detection method and device based on a cloud native platform, and image construction method

Technical Field

The present invention relates to the field of communication technology, and in particular to a security detection method, a security detection device, an image construction method and a cloud native platform, all based on a cloud native platform.

Background

Cloud-native technology helps organizations build and run elastically scalable applications in new dynamic environments such as public, private and hybrid clouds. Current cloud-native service platforms improve application development efficiency by introducing container technology.

Once a cloud-native service platform introduces container technology, it faces container-specific security problems in addition to those of a traditional cloud environment. If the security configuration of a container or image is wrong, for example Security-Enhanced Linux (SELinux) is not enabled, or the container is allowed to run as root or in privileged mode, the cloud-native service platform becomes easy to attack, and can then no longer be used normally.

A security detection method is therefore urgently needed to deal with improperly configured containers or images on cloud native platforms.

Summary of the Invention

To this end, the present invention provides a security detection method, a security detection device, an image construction method and a cloud native platform, all based on a cloud native platform, to solve the prior-art problem of improperly configured containers or images on cloud native platforms.

To achieve the above object, a first aspect of the present invention provides a security detection method based on a cloud native platform. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes at least one image layer. The security detection method includes:

performing a first security detection process for each image layer included in the pre-built target image;

when every image layer of the target image passes the first security detection process, running the container corresponding to the target image;

in response to container configuration change reminder information for the container, performing a second security detection process on the container.

Optionally, performing the first security detection process includes:

starting the current image layer;

performing security detection on the current image layer based on a preset image compliance detection policy.

Optionally, the step of performing security detection on the current image layer based on the preset image compliance detection policy includes:

performing security detection, based on the preset image compliance detection policy, on one or more of the image source, image version and image file content corresponding to the current image layer.

Optionally, after performing the first security detection process for each image layer included in the pre-built target image, the method further includes:

when the current image layer fails the first security detection process, performing image security hardening on the current image layer based on a preset image compliance hardening policy;

re-executing the first security detection process on the current image layer after image security hardening.

Optionally, before performing the second security detection process on the container in response to the container configuration change reminder information for the container, the method further includes:

collecting the container configuration information corresponding to the container;

when the container configuration information has not changed, returning to the step of collecting the container configuration information corresponding to the container;

when the container configuration information has changed, generating container configuration change reminder information for the container.

Optionally, performing the second security detection process on the container includes:

performing security detection, based on a preset container compliance detection policy, on one or more of the software information, operating system information and configuration information corresponding to the container.

Optionally, after performing the second security detection process on the container in response to the container configuration change reminder information for the container, the method further includes:

when the container fails the second security detection process, performing container security hardening on the container based on a preset container compliance hardening policy;

re-executing the second security detection process on the container after container security hardening.

A second aspect of the present invention provides a security detection device based on a cloud native platform. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes at least one image layer. The security detection device includes:

a first security detection module, configured to perform a first security detection process for each image layer included in the pre-built target image;

a control module, configured to run the container corresponding to the target image when every image layer of the target image passes the first security detection process;

a second security detection module, configured to perform a second security detection process on the container in response to container configuration change reminder information for the container.

A third aspect of the present invention provides an image construction method, which includes:

pulling a base image to serve as the first image layer of the target image;

building a security processing layer on top of the first image layer, the security processing layer being used to implement the security detection method described in any of the above;

building at least one further image layer on the base image.

A fourth aspect of the present invention provides a cloud native platform, which includes:

at least one container, each container corresponding to a target image constructed by the above image construction method, the target image including at least one image layer.

The present invention has the following advantages:

The present invention provides a security detection method, a security detection device, an image construction method and a cloud native platform, all based on a cloud native platform. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes multiple image layers. The security detection method includes: first, performing a first security detection process for each image layer included in the pre-built target image; then, when every image layer of the target image passes the first security detection process, running the container corresponding to the target image; and finally, in response to container configuration change reminder information for the container, performing a second security detection process on the container. This enables automatic security detection of images and containers, ensures that security risks present in images and containers are discovered in time, and thereby improves the security of the cloud native platform.

Brief Description of the Drawings

The accompanying drawings provide a further understanding of the present invention and form part of the specification. Together with the following detailed description they explain the present invention, but do not limit it.

FIG. 1 is a flow chart of a security detection method based on a cloud native platform provided by an embodiment of the present invention;

FIG. 2 is a flow chart of the first security detection process provided by an embodiment of the present invention;

FIG. 3 is a flow chart of another security detection method based on a cloud native platform provided by an embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a security detection device based on a cloud native platform provided by an embodiment of the present invention;

FIG. 5 is a flow chart of an image construction method provided by an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a target image provided by an embodiment of the present invention.

Detailed Description

Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here are only intended to illustrate and explain the present invention, not to limit it.

As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.

The terminology used herein is only for describing specific embodiments and is not intended to limit the present invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

When the terms "comprising" and/or "made of" are used herein, they specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.

The embodiments of the present invention may be described with reference to plan views and/or cross-sectional views that are idealized schematic illustrations of the present invention. The illustrations may therefore be modified according to manufacturing techniques and/or tolerances.

Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by a person of ordinary skill in the art. It will further be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art and of the present invention, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

FIG. 1 is a flow chart of a security detection method based on a cloud native platform provided by an embodiment of the present invention; the method is applied in a security detection device.

Here, a cloud native platform is a platform for building and running elastically scalable applications in new dynamic environments such as public, private and hybrid clouds. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes multiple image layers. A container is a set of processes with an isolated view, limited resources and an independent file system.

As shown in FIG. 1, the security detection method includes the following steps S101 to S103.

Step S101: perform a first security detection process for each image layer included in the pre-built target image.

Here, the target image is a special file system that provides the programs, libraries, resources, configuration parameters and other information needed to run a container. The target image includes multiple image layers, each with a unique image identifier. The first security detection process is the detection process used to perform security detection on an image layer.

In this embodiment, performing the first security detection process on an image layer automatically confirms the security of that layer, so that security risks caused by a misconfigured image layer are not left undiscovered, which improves the security of the cloud native platform hosting the target image.

Step S102: when every image layer of the target image passes the first security detection process, run the container corresponding to the target image.

Here, the container corresponding to the target image is the running instance of that image: a container storage layer is added on top of the target image to form the container. The container storage layer is used for read and write operations while the container is running.

In one embodiment, after the container corresponding to the target image is run, the container configuration information corresponding to the container is collected.

The container configuration information includes one or more of the software information, operating system information and configuration information corresponding to the container. The software information is information about the software installed in the container, such as software versions, software sources and installation data. The operating system information is information about the operating system environment the container runs on, such as the operating system version and memory usage. The configuration information covers items such as anonymous volumes and environment variables.

In one embodiment, to save container resources, the step of collecting the container configuration information includes collecting it at a preset period. The preset period can be set for the specific scenario, for example 12 hours, one day or one week.

In one embodiment, after the container configuration information is collected, it is determined whether it has changed relative to the container configuration information collected the previous time.

In some embodiments, when the container configuration information has not changed, the process returns to the step of collecting the container configuration information and again determines whether the newly collected information has changed relative to the previous collection.

In other embodiments, when the container configuration information has changed, container configuration change reminder information for the container is generated.

Step S103: in response to the container configuration change reminder information for the container, perform a second security detection process on the container.

Here, the second security detection process is the detection process used to perform security detection on a container.

In one embodiment, performing the second security detection process on the container in response to the container configuration change reminder information includes: performing security detection, based on a preset container compliance detection policy, on one or more of the software information, operating system information and configuration information corresponding to the container.

The container compliance detection policy is the policy used for security compliance detection of containers.

In another embodiment, performing the second security detection process on the container in response to the container configuration change reminder information includes: performing security detection, based on the preset container compliance detection policy, on one or more of docker (an application container engine) and KBS (i.e. Kubernetes, a container orchestration engine).

In this embodiment, performing the second security detection process on the container automatically confirms the security of the container, so that security risks caused by a misconfigured container are not left undiscovered, which improves the security of the cloud native platform hosting the container.

In one embodiment, after the second security detection process is performed on the container in response to the container configuration change reminder information, if the container fails the second security detection process, container security hardening is performed on the container based on a preset container compliance hardening policy, and the second security detection process is re-executed on the hardened container.

The container compliance hardening policy is the policy used for security compliance hardening of containers.

In one embodiment, the step of performing container security hardening on the container based on the preset container compliance hardening policy includes: hardening, based on the preset container compliance hardening policy, one or more of the software information, operating system information and configuration information corresponding to the container.

In another embodiment, the step of performing container security hardening on the container based on the preset container compliance hardening policy includes: hardening one or more of docker and KBS based on the preset container compliance hardening policy.

In some embodiments, if the hardened container still fails the second security detection process when it is re-executed, container security hardening is performed on the container again based on the preset container compliance hardening policy, and the second security detection process is re-executed on the hardened container, until the container passes the second security detection process.

In this embodiment, hardening the container based on the preset container compliance hardening policy lets the container heal itself when a security problem is present, improving its security. Re-executing the second security detection process on the hardened container further confirms the container's security and avoids the problem of a misconfigured container.
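The following is an added example, not code from the patent, showing the container-side half of the method in one runnable piece: periodic collection and comparison of container configuration information (the step-S102 embodiments), generation of the change reminder, the second security detection process of step S103 over software, operating system and configuration items, and the hardening/re-check loop. The configuration snapshots are constructed inline in the shape a collector could assemble from the container engine's inspect output, the package manager and os-release; all policy values, field names and hardening actions are assumptions for illustration. One deliberate difference from the patent's "until it passes" loop: the hardening rounds are capped, so a finding that hardening cannot fix in place (here, an outdated OS baked into the image) is reported as a failure instead of looping forever.

```python
"""Container config change detection, second security detection and bounded
hardening loop.  Added example; snapshots and policy values are constructed."""
import copy
import hashlib
import json

# Assumed container compliance policy (stand-in for the patent's preset policies).
POLICY = {
    "allow_privileged": False,
    "allowed_users": {"app", "65534"},
    "required_selinux_label": "container_t",
    "banned_packages": {"telnet", "netcat"},
    "min_os_version": "3.18",
    "secret_env_markers": ("SECRET", "PASSWORD", "TOKEN"),
    "max_hardening_rounds": 3,
}


def fingerprint(cfg):
    """Stable digest of a snapshot so two collections can be compared cheaply."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_change(previous, current):
    """Changed top-level keys between two snapshots; [] means keep polling."""
    if previous is None:
        return sorted(current)                      # first collection: all new
    if fingerprint(previous) == fingerprint(current):
        return []
    return sorted(k for k in set(previous) | set(current)
                  if previous.get(k) != current.get(k))


def _ver(text):
    """'3.18.4' -> (3, 18) for a major.minor comparison."""
    return tuple(int(p) for p in text.split(".")[:2])


def check_container(cfg, policy=POLICY):
    """Second security detection over software, OS and configuration items."""
    findings = []
    banned = policy["banned_packages"] & set(cfg["software"])
    if banned:
        findings.append(f"banned packages installed: {sorted(banned)}")
    if _ver(cfg["os"]["version"]) < _ver(policy["min_os_version"]):
        findings.append(f"os version {cfg['os']['version']} below {policy['min_os_version']}")
    conf = cfg["config"]
    if conf["privileged"] and not policy["allow_privileged"]:
        findings.append("container runs in privileged mode")
    if conf["user"] not in policy["allowed_users"]:
        findings.append(f"container runs as {conf['user']}")
    if conf["selinux_label"] != policy["required_selinux_label"]:
        findings.append("SELinux label missing or wrong")
    leaked = sorted(k for k in conf["env"]
                    if any(m in k.upper() for m in policy["secret_env_markers"]))
    if leaked:
        findings.append(f"secrets in environment: {leaked}")
    return findings


def harden(cfg, policy=POLICY):
    """Apply the compliance hardening policy; returns a new snapshot."""
    new = copy.deepcopy(cfg)
    for pkg in policy["banned_packages"]:
        new["software"].pop(pkg, None)              # simulate package removal
    conf = new["config"]
    conf["privileged"] = policy["allow_privileged"]
    if conf["user"] not in policy["allowed_users"]:
        conf["user"] = "app"                        # assumed unprivileged user
    conf["selinux_label"] = policy["required_selinux_label"]
    conf["env"] = {k: v for k, v in conf["env"].items()
                   if not any(m in k.upper() for m in policy["secret_env_markers"])}
    # The OS version lives in the image; it cannot be fixed in a running container.
    return new


def enforce(cfg, policy=POLICY):
    """Check, harden, re-check, bounded by max_hardening_rounds.
    Returns (passed, final_cfg, findings_per_round)."""
    rounds = []
    for _ in range(policy["max_hardening_rounds"]):
        findings = check_container(cfg, policy)
        rounds.append(findings)
        if not findings:
            return True, cfg, rounds
        cfg = harden(cfg, policy)
    findings = check_container(cfg, policy)         # final verdict after last hardening
    rounds.append(findings)
    return not findings, cfg, rounds


def poll_once(previous, current, policy=POLICY):
    """One collection cycle: emit a change reminder and run detection only on change."""
    changed = detect_change(previous, current)
    if not changed:
        return {"reminder": None}
    reminder = {"changed_keys": changed, "fingerprint": fingerprint(current)}
    passed, final_cfg, rounds = enforce(current, policy)
    return {"reminder": reminder, "passed": passed, "config": final_cfg, "rounds": rounds}


# Constructed snapshots: a compliant baseline and a drifted re-collection.
BASELINE = {
    "software": {"openssl": "3.1.4", "busybox": "1.36.1"},
    "os": {"id": "alpine", "version": "3.18"},
    "config": {"privileged": False, "user": "app", "selinux_label": "container_t",
               "env": {"APP_MODE": "prod"}, "anonymous_volumes": ["/data"]},
}
DRIFTED = copy.deepcopy(BASELINE)
DRIFTED["software"]["netcat"] = "1.2"
DRIFTED["config"]["privileged"] = True
DRIFTED["config"]["env"]["DB_PASSWORD"] = "hunter2"
DRIFTED_OLD_OS = copy.deepcopy(DRIFTED)             # same drift, OS too old to fix in place
DRIFTED_OLD_OS["os"]["version"] = "3.17"

if __name__ == "__main__":
    print(json.dumps(poll_once(BASELINE, DRIFTED), indent=1))
    print(json.dumps(poll_once(BASELINE, DRIFTED_OLD_OS)["rounds"], indent=1))
```

Scheduling `poll_once` at the preset period (12 hours, a day, a week) is left to whatever runs the collector; the fingerprint makes the unchanged case cheap, and the per-round findings list is what an operator would attach to the change reminder when the cap is hit and the image has to be rebuilt rather than patched in place.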

An embodiment of the present invention provides a security detection method based on a cloud native platform. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes multiple image layers. The security detection method includes: first, performing a first security detection process for each image layer included in the pre-built target image; then, when every image layer of the target image passes the first security detection process, running the container corresponding to the target image; and finally, in response to container configuration change reminder information for the container, performing a second security detection process on the container. This enables automatic security detection of images and containers, ensures that security risks present in images and containers are discovered in time, and thereby improves the security of the cloud native platform.

FIG. 2 is a flow chart of the first security detection process provided by an embodiment of the present invention. In one embodiment, as shown in FIG. 2, performing the first security detection process for each image layer included in the pre-built target image includes steps S201 and S202.

Step S201: start the current image layer.

Here, the current image layer is the image layer that currently needs security detection.

In this embodiment of the present invention, the multiple image layers of the target image are started layer by layer. The step of starting the current image layer includes: starting the current image layer based on a preset start command, where the preset start command can be used to configure the start order of the image layers of the target image.

Step S202: perform security detection on the current image layer based on a preset image compliance detection policy.

The image compliance detection policy is the policy used for security compliance detection of image layers.

In one embodiment, security detection is performed on at least one check item corresponding to the current image layer based on the preset image compliance detection policy.

The check items include one or more of the image source, image version and image file content. Other check items may also be included and can be set for the specific scenario in practice.

It should be noted that if at least one check item of the current image layer fails security detection, the current image layer fails the first security detection process; only when all check items of the current image layer pass security detection does the current image layer pass the first security detection process.

In one embodiment, the step of performing security detection on the current image layer based on the preset image compliance detection policy includes: performing security detection, based on the preset image compliance detection policy, on one or more of the image source, image version and image file content corresponding to the current image layer.

Security detection of the image source based on the preset image compliance detection policy detects whether the source of the current image layer is a legitimate source. For example, for the first image layer of the target image, it detects whether the base image corresponding to that layer comes from a preset official source.

Security detection of the image version based on the preset image compliance detection policy detects whether the version of the current image layer is the latest version. For example, for the first image layer of the target image, it detects whether the base image corresponding to that layer is the latest version. It should be noted that the latest version of an image generally fixes vulnerabilities known in earlier versions and is therefore more secure.

Security detection of the image file content based on the preset image compliance detection policy detects whether the file content of the current image layer contains vulnerabilities, so that security risks can be eliminated.

Figure 3 is a flow chart of another cloud native platform based security detection method provided by an embodiment of the present invention. In one embodiment, after the first security detection process has been executed for each image layer of the pre-built target image, the method further includes steps S301 and S302, as shown in Figure 3.

Step S301: if the current image layer fails the first security detection process, image security hardening is performed on the current image layer based on the preset image compliance hardening policy.

The image compliance hardening policy is the policy used to perform security compliance hardening on an image layer.

In this embodiment, hardening the current image layer according to the preset image compliance hardening policy gives the image layer a self-healing capability when a security problem is found, improves the security of the current image layer and avoids misconfiguration of the image layer.

In one embodiment, to improve the security of the target image, every image layer of the target image may first be hardened according to the preset image compliance hardening policy, and the step of executing the first security detection process for each image layer of the pre-built target image (step S101) is performed afterwards.

In one embodiment, the step of performing image security hardening on the current image layer based on the preset image compliance hardening policy includes:

performing the corresponding security hardening, based on the preset image compliance hardening policy, on the check items of the current image layer that failed the security check during the first security detection process.

For example, if the check item of the current image layer that failed during the first security detection process is the image version, the image version of the current image layer is replaced with a preset version, which may be the latest version.

Step S302: the first security detection process is executed again on the current image layer after image security hardening.

Executing the first security detection process again on the hardened image layer further confirms the security of the current image layer.

In one embodiment, if the hardened current image layer still fails the first security detection process when it is executed again, steps S301 and S302 are repeated on the current image layer until the hardened layer passes the first security detection process.

In another embodiment, if the hardened current image layer passes the re-executed first security detection process, the first security detection process is executed on the next image layer.
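The per-layer check items described above (source, version, file content) and the harden-and-recheck loop of steps S301 and S302 can be expressed together in a few functions. The following is an added example and not code from the patent: the allowed registries, the latest-version table, the forbidden-content patterns and the layer records are constructed sample data standing in for a real registry and vulnerability feed, and the round limit is an assumption the patent does not state (the patent repeats S301 and S302 until the layer passes; a bound keeps a layer that cannot be auto-fixed, such as one with an unofficial source, from looping forever).

```python
"""Per-layer image compliance check with a bounded harden-and-recheck loop.

Added example, not code from the patent. The layer records, the allowed-source
list, the latest-version table and the forbidden-content patterns are all
constructed sample data standing in for a real registry and vulnerability feed.
"""
from dataclasses import dataclass, field, replace
import re

# Constructed policy data (assumptions, not taken from the patent text).
OFFICIAL_SOURCES = {"docker.io/library", "registry.example.internal"}
LATEST_VERSION = {"centos": "7.9", "ubuntu": "22.04", "nginx": "1.25"}
FORBIDDEN_CONTENT = [
    re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),  # key material baked into a layer
    re.compile(r"(?i)password\s*=\s*\S+"),                  # hard-coded credential
]
MAX_HARDEN_ROUNDS = 3  # bound the self-healing loop; a layer that never converges is rejected


@dataclass
class Layer:
    name: str
    source: str
    version: str
    files: dict = field(default_factory=dict)  # path -> file content


def check_layer(layer: Layer) -> list:
    """First security detection process for one layer.

    Returns the names of the check items that failed; an empty list means the
    layer passes, which requires every check item to pass."""
    failed = []
    if layer.source not in OFFICIAL_SOURCES:
        failed.append("source")
    if LATEST_VERSION.get(layer.name) != layer.version:
        failed.append("version")
    if any(p.search(c) for c in layer.files.values() for p in FORBIDDEN_CONTENT):
        failed.append("content")
    return failed


def harden_layer(layer: Layer, failed: list) -> Layer:
    """Image compliance hardening: remediate only the check items that failed."""
    fixed = layer
    if "version" in failed and layer.name in LATEST_VERSION:
        fixed = replace(fixed, version=LATEST_VERSION[layer.name])
    if "content" in failed:
        clean = {path: c for path, c in fixed.files.items()
                 if not any(p.search(c) for p in FORBIDDEN_CONTENT)}
        fixed = replace(fixed, files=clean)
    # An unofficial source is not auto-fixable: the layer has to be re-pulled
    # from an approved registry, so "source" is left for a human to resolve.
    return fixed


def check_and_harden(layer: Layer):
    """Steps S301/S302: harden and recheck until the layer passes or the round limit is hit.

    Returns (passed, final_layer, history), where history lists the failed
    items observed in each detection round."""
    history = []
    for round_no in range(MAX_HARDEN_ROUNDS + 1):
        failed = check_layer(layer)
        history.append(failed)
        if not failed:
            return True, layer, history
        if round_no == MAX_HARDEN_ROUNDS:
            break
        layer = harden_layer(layer, failed)
    return False, layer, history


def image_may_run(layers: list) -> bool:
    """The container is started only when every layer of the image passes."""
    return all(check_and_harden(layer)[0] for layer in layers)


if __name__ == "__main__":
    # Constructed sample image: an approved base plus an application layer that
    # is outdated and ships a hard-coded password.
    image = [
        Layer("ubuntu", "docker.io/library", "22.04"),
        Layer("nginx", "docker.io/library", "1.24", {"/etc/app.conf": "password = hunter2"}),
    ]
    for layer in image:
        passed, final, history = check_and_harden(layer)
        print(layer.name, "passed" if passed else "REJECTED", history)
    print("container may run:", image_may_run(image))
```

The history returned by `check_and_harden` is what an operator would want logged: it shows which items failed in each round and therefore whether the hardening policy actually fixed the layer or merely repeated itself until the bound was reached.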

Figure 4 is a schematic diagram of the structure of a cloud native platform based security detection device provided by an embodiment of the present invention. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes multiple image layers. As shown in Figure 4, the security detection device includes a first security detection module 41, a control module 42 and a second security detection module 43.

The first security detection module 41 is used to execute the first security detection process for each image layer included in the pre-built target image.

In this embodiment, by executing the first security detection process on an image layer, the first security detection module 41 automatically confirms the security of that layer, prevents security risks caused by misconfiguration of the image layer from going undetected, and improves the security of the cloud native platform on which the target image runs.

In one embodiment, the first security detection module 41 is used to start the current image layer and perform a security check on it based on the preset image compliance detection policy.

In one embodiment, the security detection device further includes a first security hardening module, used to perform image security hardening on the current image layer based on the preset image compliance hardening policy when the current image layer fails the first security detection process.

In one embodiment, the first security detection module 41 is further used to execute the first security detection process again on the current image layer after image security hardening.

The control module 42 is used to run the container corresponding to the target image when every image layer of the target image has passed the first security detection process.

In one embodiment, the security detection device further includes a collection module and a collected-information processing module.

The collection module is used to collect the container configuration information corresponding to the container.

The collected-information processing module is used to determine whether the container configuration information has changed compared with the container configuration information collected the previous time. If it has not changed, the process returns to the step in which the collection module collects the container configuration information; if it has changed, a container configuration change alert for the container is generated.

The second security detection module 43 is used to execute a second security detection process on the container in response to the container configuration change alert for that container.

The second security detection process is the detection process used to perform a security check on the container.

In one embodiment, the second security detection module 43 is used to perform a security check on one or more of the software information, operating system and configuration information corresponding to the container based on a preset container compliance detection policy.

In one embodiment, the security detection device further includes a second security hardening module, used to perform container security hardening on the container based on a preset container compliance hardening policy when the container fails the second security detection process.

The second security detection module 43 is further used to execute the second security detection process again on the container after container security hardening.

In this embodiment, the second security hardening module hardens the container according to the preset container compliance hardening policy, giving the container a self-healing capability when a security problem exists and improving its security. The second security detection module 43 then executes the second security detection process again on the hardened container, which further confirms the security of the container and avoids container misconfiguration.
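The collection module, the change comparison, the change alert and the second security detection process with its hardening step form one loop, shown below as an added example that is not code from the patent. The container configuration snapshots, the approved operating-system and software lists and the required settings are constructed sample data; a real collection module would read them from the container runtime. Comparing a digest of the canonical JSON form is this example's choice for "has the configuration changed", so that a collector that merely returns keys in a different order does not raise a false alert.

```python
"""Container configuration change detection feeding a second security check.

Added example, not code from the patent. The container configuration snapshots,
the approved operating-system and software lists and the required settings are
constructed sample data; a real collector would read them from the runtime.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed container compliance policy (assumptions, not from the patent).
APPROVED_OS = {"ubuntu-22.04", "centos-7.9"}
APPROVED_SOFTWARE = {"nginx", "openssl", "curl"}
REQUIRED_SETTINGS = {"privileged": False, "read_only_rootfs": True}

# Constructed snapshots of one container's configuration, as a collector would gather them.
SNAP_OK = {"os": "ubuntu-22.04", "software": ["nginx", "openssl"],
           "privileged": False, "read_only_rootfs": True}
SNAP_DRIFT = {"os": "ubuntu-22.04", "software": ["nginx", "openssl", "netcat"],
              "privileged": True, "read_only_rootfs": True}


@dataclass
class ChangeAlert:
    """Container configuration change alert generated when a collection differs from the last one."""
    container_id: str
    old_digest: str
    new_digest: str
    changed_keys: list


def config_digest(config: dict) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace never count as a change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_change(container_id: str, previous: Optional[dict], current: dict) -> Optional[ChangeAlert]:
    """Compare the latest collection with the previous one; None means no change."""
    if previous is None:
        return None  # the first collection only establishes the baseline
    old_d, new_d = config_digest(previous), config_digest(current)
    if old_d == new_d:
        return None
    changed = sorted(k for k in set(previous) | set(current) if previous.get(k) != current.get(k))
    return ChangeAlert(container_id, old_d, new_d, changed)


def second_check(config: dict) -> list:
    """Second security detection process: software, operating system and configuration items."""
    failed = []
    if set(config.get("software", [])) - APPROVED_SOFTWARE:
        failed.append("software")
    if config.get("os") not in APPROVED_OS:
        failed.append("os")
    if any(config.get(k) != v for k, v in REQUIRED_SETTINGS.items()):
        failed.append("config")
    return failed


def harden_container(config: dict, failed: list) -> dict:
    """Container compliance hardening for the items that failed."""
    fixed = dict(config)
    if "software" in failed:
        fixed["software"] = [s for s in config.get("software", []) if s in APPROVED_SOFTWARE]
    if "config" in failed:
        fixed.update(REQUIRED_SETTINGS)
    # An unapproved OS cannot be fixed in place: the container must be rebuilt
    # from an approved base image, so "os" is left for the operator.
    return fixed


def monitor(container_id: str, snapshots: list) -> list:
    """Drive the collect/compare loop over a sequence of snapshots.

    Each detected change triggers the second check; failed items are hardened and
    the hardened configuration is rechecked and becomes the new baseline.
    Returns one (alert, failed_items, failed_after_hardening) tuple per change."""
    results = []
    previous = None
    for current in snapshots:
        alert = detect_change(container_id, previous, current)
        if alert is not None:
            failed = second_check(current)
            if failed:
                current = harden_container(current, failed)
            results.append((alert, failed, second_check(current)))
        previous = current
    return results


if __name__ == "__main__":
    # Second snapshot repeats the first with a different key order: no alert is raised.
    reordered = dict(reversed(list(SNAP_OK.items())))
    for alert, failed, after in monitor("web-1", [SNAP_OK, reordered, SNAP_DRIFT]):
        print(alert.container_id, "changed:", alert.changed_keys,
              "failed:", failed, "after hardening:", after)
```

Keeping the old and new digests in the alert gives the second check an audit trail: a drift that the hardening step could not resolve (here, an unapproved operating system) stays visible in the returned `failed_after_hardening` list rather than being silently accepted as the new baseline.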

The division of the above methods into steps is only for clarity of description. In implementation, steps may be merged into one or split into several; as long as the same logical relationship is preserved, they fall within the scope of protection of this patent. Adding insignificant modifications to, or introducing insignificant designs into, the algorithm or flow without changing their core design also falls within the scope of protection of this patent.

An embodiment of the present invention provides a cloud native platform based security detection device. The cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes multiple image layers. The security detection device includes: a first security detection module, used to execute a first security detection process for each image layer included in the pre-built target image; a control module, used to run the container corresponding to the target image when every image layer of the target image passes the first security detection process; and a second security detection module, used to execute a second security detection process on the container in response to a container configuration change alert for that container. This enables automatic security detection of images and containers, ensures that security risks present in images and containers are detected in time, and thereby improves the security of the cloud native platform.

Figure 5 is a flow chart of an image construction method applied to a cloud native platform, provided by an embodiment of the present invention. As shown in Figure 5, the image construction method includes steps S501 to S502.

Step S501: pull a base image to serve as the first image layer of the target image.

The base image is an image pulled from a public image repository, for example Community ENTerprise Operating System (CentOS) or Ubuntu (a desktop-oriented Linux distribution). The base image serves as the first image layer of the target image.

Step S502: build a security processing layer on top of the first image layer.

The security processing layer is used to implement the security detection method provided by the foregoing embodiments of the present invention.

Step S503: build at least one further image layer based on the base image.

In one embodiment, the step of building at least one further image layer based on the base image includes installing preset software on the base image to obtain a further image layer. The preset software can be chosen according to the specific scenario and is not limited in this embodiment.

In one embodiment, the at least one further image layer may be located above the security processing layer.

In some scenarios, when the target image includes only one image layer, only steps S501 and S502 need to be executed to build the target image.

In other scenarios, when the target image includes multiple image layers, steps S501 to S503 are executed to build the target image.

The image construction method provided by an embodiment of the present invention adds a security processing layer during construction of the target image. Once the target image is built, this enables automatic security detection of the target image and of the container corresponding to it, ensures that security risks present in the target image and its container are detected in time, and also enables self-healing of the image or container when a security problem exists, thereby improving the security of the cloud native platform.

Figure 6 is a schematic diagram of the structure of a target image provided by an embodiment of the present invention.

In one scenario, the security processing layer of the target image may consist of several functional layers that integrate different functions. As shown in Figure 6, the target image includes a base image layer 61, above which sits the security processing layer; the security processing layer includes a security compliance check layer 62 and a security compliance hardening layer 63.

The security compliance check layer 62 is configured with an image compliance detection policy, an image compliance detection script, a container compliance detection policy and a container compliance detection script. The security compliance check layer 62 implements the image compliance detection policy by executing the image compliance detection script, and implements the container compliance detection policy by executing the container compliance detection script.

The security compliance check layer 62 is used to execute the first security detection process for each image layer included in the target image, and to execute the second security detection process on the container corresponding to the target image in response to a container configuration change alert.

The security compliance hardening layer 63 is configured with an image compliance hardening policy, an image compliance hardening script, a container compliance hardening policy and a container compliance hardening script. The security compliance hardening layer 63 implements the image compliance hardening policy by executing the image compliance hardening script, and implements the container compliance hardening policy by executing the container compliance hardening script.

The security compliance hardening layer 63 is used to perform image security hardening on the current image layer based on the preset image compliance hardening policy when the current image layer fails the first security detection process, and to perform container security hardening on the container corresponding to the target image based on the preset container compliance hardening policy when that container fails the second security detection process.

In one embodiment, after the target image is built, the cloud native platform may also build the corresponding container from the target image. The container corresponding to the target image is the running instance of that image: a container storage layer is added on top of the target image to form the container. The container storage layer is used for read and write operations while the container is running.

The target image provided by the embodiments of the present invention enables automatic security detection of the target image and of its corresponding container, ensures that security risks present in the target image and its container are detected in time, and thereby improves the security of the cloud native platform.

An embodiment of the present invention further provides a cloud native platform, which includes at least one container, each container corresponding to a target image pre-built according to the image construction method provided by the foregoing embodiments of the present invention, the target image including at least one image layer.

In one embodiment, the cloud native platform further includes a construction module, used to build the target image according to the image construction method provided by the foregoing embodiments and to build the container corresponding to the target image.

Those of ordinary skill in the art will understand that all or some of the steps of the method, and the functional modules/units of the system and device, described above may be implemented as software, firmware, hardware or a suitable combination thereof. In a hardware implementation, the division between the functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all physical components may be implemented as software executed by a processor such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (non-transitory media) and communication media (transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Note that in this document the terms "include", "comprise" or any variation thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Absent further restriction, an element defined by the phrase "comprises a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes it.

Those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features from different embodiments are intended to be within the scope of the present invention and to form different embodiments.

It should be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principles of the present invention, and the present invention is not limited thereto. Those of ordinary skill in the art may make various modifications and improvements without departing from the spirit and substance of the present invention, and such modifications and improvements are also considered to be within the scope of protection of the present invention.

Claims (9)

1. A security detection method based on a cloud native platform, wherein the cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes at least one image layer, the security detection method comprising:
for each image layer included in the pre-built target image, executing a first security detection process;
when every image layer of the target image passes the first security detection process, running the container corresponding to the target image;
collecting the container configuration information corresponding to the container;
if the container configuration information has not changed, returning to the step of collecting the container configuration information corresponding to the container;
if the container configuration information has changed, generating a container configuration change alert for the container; and
in response to the container configuration change alert for the container, executing a second security detection process on the container.

2. The security detection method according to claim 1, wherein executing the first security detection process comprises:
starting the current image layer; and
performing a security check on the current image layer based on a preset image compliance detection policy.

3. The security detection method according to claim 2, wherein the step of performing a security check on the current image layer based on a preset image compliance detection policy comprises:
performing a security check on one or more of the image source, image version and image file content corresponding to the current image layer based on the preset image compliance detection policy.

4. The security detection method according to claim 1, wherein after executing the first security detection process for each image layer included in the pre-built target image, the method further comprises:
if the current image layer fails the first security detection process, performing image security hardening on the current image layer based on a preset image compliance hardening policy; and
executing the first security detection process again on the current image layer after image security hardening.

5. The security detection method according to claim 1, wherein executing the second security detection process on the container comprises:
performing a security check on one or more of the software information, operating system information and configuration information corresponding to the container based on a preset container compliance detection policy.

6. The security detection method according to claim 1, wherein after executing the second security detection process on the container in response to the container configuration change alert for the container, the method further comprises:
if the container fails the second security detection process, performing container security hardening on the container based on a preset container compliance hardening policy; and
executing the second security detection process again on the container after container security hardening.

7. A security detection device based on a cloud native platform, wherein the cloud native platform includes at least one container, each container corresponds to a pre-built target image, and the target image includes at least one image layer, the security detection device comprising:
a first security detection module, used to execute a first security detection process for each image layer included in the pre-built target image;
a control module, used to run the container corresponding to the target image when every image layer of the target image passes the first security detection process; and
a second security detection module, used to execute a second security detection process on the container in response to a container configuration change alert for the container;
wherein, before the second security detection module executes the second security detection process on the container in response to the container configuration change alert, the security detection device is further used to:
collect the container configuration information corresponding to the container;
if the container configuration information has not changed, return to the step of collecting the container configuration information corresponding to the container; and
if the container configuration information has changed, generate the container configuration change alert for the container.

8. An image construction method, comprising:
pulling a base image to serve as the first image layer of a target image;
building a security processing layer on top of the first image layer, the security processing layer being used to implement the security detection method according to any one of claims 1 to 6; and
building at least one further image layer based on the base image.

9. A cloud native platform, comprising:
at least one container, each container corresponding to a target image built according to the image construction method of claim 8, the target image including at least one image layer.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111416424.2A CN114091025B (en) 2021-11-25 2021-11-25 Security detection method, security detection device and mirror image construction method based on cloud native platform

Publications (2)

Publication Number Publication Date
CN114091025A CN114091025A (en) 2022-02-25
CN114091025B true CN114091025B (en) 2024-07-16

Family

ID=80304691

Country Status (1)

Country Link
CN (1) CN114091025B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant