CN-115455430-B - Security protection method and system based on Kyverno security policies
Abstract
The invention discloses a security protection method and system based on Kyverno security policies, in the field of cloud-native security. The method comprises: obtaining a business logic feature set of DevOps personnel; performing principal component analysis on the business logic feature set to obtain a dimensionality-reduced feature set; taking the dimensionality-reduced feature set as the business logic features; selecting a business security policy according to the business logic features; entering policy configuration parameters based on the business security policy; when the policy configuration parameters are passed to a Generator, the Generator searching Etcd for the corresponding policy rule template and rendering it to generate a policy rule; and applying the policy rule to Kyverno to generate a security protection action. This solves the technical problems that the prior art imposes a large learning cost on developers and operations security personnel, and that writing and testing policies is time-consuming and labour-intensive.
Inventors
- Du Fengyang
Assignees
- 中国建设银行股份有限公司 (China Construction Bank Corporation)
- 建信金融科技有限责任公司 (CCB Fintech Co., Ltd.)
Dates
- Publication Date
- 20260505
- Application Date
- 20220920
Claims (10)
- 1. A security protection method based on Kyverno security policies, the method comprising: acquiring a business logic feature set of DevOps personnel; performing principal component analysis on the business logic feature set to obtain a dimensionality-reduced feature set; taking the dimensionality-reduced feature set as the business logic features; selecting a business security policy according to the business logic features; entering policy configuration parameters based on the business security policy; when the policy configuration parameters are passed to a Generator, the Generator searching Etcd for the corresponding policy rule template and rendering it to generate policy rules; and applying the policy rules to Kyverno to generate a security protection action.
- 2. The method of claim 1, wherein selecting a business security policy according to the business logic features comprises: extracting custom parameters provided by security personnel; and, based on the business logic features, the DevOps personnel selecting from the custom parameters to construct the business security policy.
- 3. The method of claim 2, wherein the custom parameters comprise: policy rule name, resource type, namespace name, namespace label, pod label, higher-level application resource type, and audit or block.
- 4. The method of claim 1, wherein the Generator searching Etcd for the corresponding policy rule template and rendering it comprises: Etcd storing a set of policy rule templates; and, based on the set of policy rule templates, the Generator selecting the policy rule template from Etcd for rendering.
- 5. The method of claim 2, wherein Etcd storing a set of policy rule templates comprises: the security personnel extracting policy template information; constructing a policy rule template set according to the policy template information; and storing the policy rule template set in Etcd.
- 6. The method of claim 1, wherein applying the policy rules to Kyverno to generate a security protection action comprises: the policy rules being applied to Kyverno, which interacts with the Kubernetes API to generate the security actions.
- 7. A security protection system based on Kyverno security policies, the system comprising: a business logic feature set obtaining module, for obtaining a business logic feature set of DevOps personnel; a principal component analysis module, for performing principal component analysis on the business logic feature set to obtain a dimensionality-reduced feature set; a business logic feature obtaining module, for taking the dimensionality-reduced feature set as the business logic features; a business security policy selection module, for selecting a business security policy according to the business logic features; a policy configuration parameter input module, for entering policy configuration parameters based on the business security policy; a policy rule generation module, for searching Etcd for the corresponding policy rule template and rendering it when the policy configuration parameters are passed to the Generator, so as to generate a policy rule; and a security protection action generation module, for applying the policy rules to Kyverno to generate security protection actions.
- 8. A security protection electronic device based on Kyverno security policies, comprising a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor, the transceiver, the memory and the processor being connected by the bus, characterized in that the computer program, when executed by the processor, implements the steps of the method according to any one of claims 1-6.
- 9. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-6.
- 10. A computer program product comprising a computer program and/or instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1-6.
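As an added worked example (not the patent's own code, which the page does not disclose), the Generator step of claims 1 to 6 in Python: a template set standing in for Etcd, the audit-or-block parameter of claim 3 mapped onto Kyverno's validationFailureAction, and a render function that rejects unknown templates and actions. The template key, parameter names and the sample ClusterPolicy template are assumptions constructed for the example.

```python
"""Minimal Generator step: render a Kyverno ClusterPolicy from claim-3 style parameters."""
from string import Template

# Stands in for the Etcd-held template set curated by security personnel (constructed sample).
TEMPLATE_STORE = {
    "disallow-privileged": Template("""\
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: $rule_name
spec:
  validationFailureAction: $action
  rules:
  - name: $rule_name
    match:
      any:
      - resources:
          kinds: ["$resource_kind"]
          namespaces: ["$namespace"]
$selector
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): "false"
"""),
}

# The "audit or block" parameter maps onto Kyverno's validationFailureAction.
ACTIONS = {"audit": "Audit", "block": "Enforce"}


def render(template_name, rule_name, resource_kind, namespace, action, pod_labels=None):
    """Look up the template and substitute the parameters; unknown templates or actions are rejected."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    if template_name not in TEMPLATE_STORE:
        raise KeyError(f"no template {template_name!r} in store")
    selector = ""  # optional pod labels narrow the match to labelled pods only
    if pod_labels:
        rows = "\n".join(f"              {k}: {v}" for k, v in sorted(pod_labels.items()))
        selector = "          selector:\n            matchLabels:\n" + rows
    return TEMPLATE_STORE[template_name].substitute(
        rule_name=rule_name, resource_kind=resource_kind, namespace=namespace,
        action=ACTIONS[action], selector=selector,
    )
```

The rendered YAML is what the scheme would hand to Kyverno; a blank line is left where no pod label selector was requested, which YAML ignores.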
Description
Security protection method and system based on Kyverno security policies
Technical Field
The invention relates to the field of cloud-native security, in particular to a security protection method and system based on Kyverno security policies.
Background
With the development of technology, Kubernetes has gradually become the industry-accepted container orchestration and scheduling platform: it automatically deploys, scales and manages application containers and has become a piece of infrastructure in the cloud-native world. However, as business workloads migrate to the cloud, Kubernetes security has become an important concern for the industry. To secure production workloads, Kubernetes provides a number of security functions, one of which is the admission controller. A request must pass through the Kubernetes admission controllers before other advanced security functions can be applied, such as enforcing a security configuration baseline across an entire namespace with Pod security policies. A Kubernetes admission controller is a plug-in that controls and enforces how the cluster is used; it can be regarded as an interceptor of (already authenticated) API requests that can modify the request object or reject the request outright. The admission control chain (shown in figure 1) is divided into two phases: mutating admission control, which modifies the requested object, and validating admission control, which validates it. An admission controller may mutate, validate, or do both. Using this mechanism, Kubernetes introduced the PodSecurityPolicy (PSP) security admission controller, which performs fine-grained authorization of Pod operations, detects and blocks the start of highly privileged Pods, and thereby secures the cloud environment to a certain extent.
Its defects are obvious, however: the authorization model does not have wide enough coverage, its features are too easily switched on and off, the API lacks consistency and extensibility, dynamically injected sidecars cannot be handled, and it can only validate and cannot mutate resources to harden them. Kyverno is a policy engine designed for Kubernetes around these pain points: it performs authorization management, its features are easy to enable and disable, it supports label selectors and regular-expression matching, it runs as a dynamic admission controller, and it can both validate and mutate resources. However, the above approach has been found to have at least the following technical problem: the prior art imposes a large learning cost on developers and operations security personnel, and writing and testing policies is time-consuming and labour-intensive.
Disclosure of Invention
The application solves the technical problem that the prior art imposes a large learning cost on developers and operations security personnel, and that writing and testing policies is time-consuming and labour-intensive, by providing a security protection method and system based on Kyverno security policies. It achieves the purpose that DevOps personnel can quickly and efficiently issue and execute security policies by entering only a policy name and related parameters, which reduces the difficulty of formulating rules; at the same time it lets developers select the security rules best suited to their own business situation, avoiding excessive security control and thereby reducing the impact on other business.
Meanwhile, the scheme is highly extensible: as new security vulnerabilities and requirements arise, security personnel can formulate new security policy templates and enrich the scheme's policy template rule set, providing more comprehensive prevention and control for the business. The present invention has been made in view of the above problems, and its object is to provide a method that overcomes or at least partially solves them. The application provides a security protection method based on Kyverno security policies, comprising: obtaining a business logic feature set of DevOps personnel; performing principal component analysis on the business logic feature set to obtain a dimensionality-reduced feature set; taking the dimensionality-reduced feature set as the business logic features; selecting business security policies according to the business logic features; entering policy configuration parameters based on the business security policies; when the policy configuration parameters are passed to a Generator, the Generator searching Etcd for the corresponding policy rule template and rendering it to generate policy rules; and applying the policy rules to Kyverno to generate security protection actions. On the other hand, the a