
CN-122027334-A - Security audit method and device for K8s cluster and electronic equipment


Abstract

The application provides a security audit method, a device and electronic equipment for a K8s cluster. The method receives a K8s cluster request instruction that a user inputs through a K8s client and obtains the real identity information of the user based on a preset secure identity authentication protocol. It then determines the target configuration file the user requests to access, obtains the string identity authentication credential configured in that file, performs a security check on the real identity of the user against that credential, and forwards the user's K8s cluster request instruction to the corresponding calling interface server only if the check passes. In this way the specific identity of the user is audited accurately whenever the user accesses the K8s cluster, only an identity that satisfies the security check is allowed access, and the security risk of using a shared identity is avoided.

Inventors

  • SUN HANXI
  • FENG CHUNFENG
  • MO HONGFEI
  • XU JIAN

Assignees

  • 度小满科技(北京)有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-03-20

Claims (10)

  1. A security audit method for a K8s cluster, the method being executed by a K8s client and comprising: receiving a K8s cluster request instruction, wherein the K8s cluster request instruction is a K8s cluster operation request input by a user through the K8s client, and acquiring the real identity information of the user based on a preset secure identity authentication protocol; determining a target configuration file that the user requests to access, and acquiring a string identity authentication credential configured in the target configuration file; and performing a security check on the real identity of the user based on the string identity authentication credential, and, if the check passes, forwarding the K8s cluster request instruction to the corresponding calling interface server.
  2. The security audit method according to claim 1, wherein after the step of forwarding the K8s cluster request instruction to the corresponding calling interface server, the method further comprises: recording behavior data generated under the real identity of the user, and returning an audit state notification message to the calling interface server.
  3. The security audit method according to claim 1, wherein the K8s client is a kubectl client, and acquiring the real identity information of the user based on the preset secure identity authentication protocol comprises: intercepting, at the kubectl client, a K8s request sent by the user through the command line; and acquiring a client ticket of the kubectl client and determining the real identity information of the user based on the client ticket, wherein the client ticket is key information generated by a third-party authentication plug-in according to the identity authentication result when the user registered to use the kubectl client.
  4. The security audit method according to claim 3, wherein the third-party authentication plug-in is a KDC authentication plug-in, the method further comprising: in response to a kubectl client registration request submitted by the user, calling the KDC authentication plug-in to perform KDC authentication of the user, and generating the client ticket for the user if the authentication passes.
  5. The security audit method according to claim 1, wherein authentication credential information is recorded in the target configuration file, and determining the target configuration file that the user requests to access comprises: acquiring the target configuration file according to a preset configuration file storage path, parsing the target configuration file, and acquiring the authentication credential information it contains; and acquiring the configured string identity authentication credential based on the authentication credential information.
  6. The security audit method according to claim 1, wherein address information of an interface server of the K8s cluster is recorded in the target configuration file, and forwarding the K8s cluster request instruction to the corresponding calling interface server comprises: forwarding the K8s cluster request instruction to the corresponding calling interface server according to the interface server address information recorded in the target configuration file and the address information corresponding to the K8s cluster request instruction.
  7. A security audit device for a K8s cluster, the device comprising: a K8s client, configured to receive a K8s cluster request instruction, wherein the K8s cluster request instruction is a K8s cluster operation request input by a user through the K8s client, and to acquire the real identity information of the user based on a preset secure identity authentication protocol; and an auditing module, configured to perform a security check on the real identity of the user based on the string identity authentication credential and, if the check passes, to forward the K8s cluster request instruction to the corresponding calling interface server.
  8. The security audit device according to claim 7, wherein the K8s client is further configured to: after the step of forwarding the K8s cluster request instruction to the corresponding calling interface server, record behavior data generated under the real identity of the user, and return an audit state notification message to the calling interface server.
  9. An electronic device comprising a processor and a memory storing a program, wherein the program comprises instructions that, when executed by the processor, cause the processor to perform the method of any one of claims 1 to 6.
  10. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 6.

Description

Technical Field

The application relates to the technical field of network security, and in particular to a security audit method and device for a K8s cluster and to electronic equipment.

Background

A K8s (Kubernetes) cluster is a set of servers (node devices) interconnected through a network; the node devices divide the work among themselves to jointly provide full life-cycle management of containerized applications, such as automated deployment, elastic scaling, fault self-healing and load balancing. When a user uses K8s, a security audit of the user is needed to ensure that the user is legitimate and to avoid the security hazards of data leakage from K8s caused by an illegitimate user. When K8s is used in the financial field, the K8s cluster that runs, manages and stores the core services may be called the production environment, and if the production environment relies on a simple username/password scheme for identity verification, password management is difficult and the level of security is low.

Disclosure of Invention

In view of the above, embodiments of the application provide a security audit method, a security audit device and electronic equipment for a K8s cluster, so as to audit the identity of a user of the K8s cluster accurately and to reduce the security hazards that illegitimate users pose to a K8s production environment.

In a first aspect, an embodiment of the application provides a security audit method for a K8s cluster, where the method is executed by a K8s client and comprises: receiving a K8s cluster request instruction, wherein the K8s cluster request instruction is a K8s cluster operation request input by a user through the K8s client, and acquiring the real identity information of the user based on a preset secure identity authentication protocol; determining a target configuration file that the user requests to access, and acquiring a string identity authentication credential configured in the target configuration file; and performing a security check on the real identity of the user based on the string identity authentication credential and, if the check passes, forwarding the K8s cluster request instruction to the corresponding calling interface server.

In some possible embodiments, after the step of forwarding the K8s cluster request instruction to the corresponding calling interface server, the method further comprises: recording behavior data generated under the real identity of the user, and returning an audit state notification message to the calling interface server.

In some possible embodiments, the K8s client is a kubectl client, and acquiring the real identity information of the user based on the preset secure identity authentication protocol comprises: intercepting, at the kubectl client, a K8s request sent by the user through the command line; and acquiring a client ticket of the kubectl client and determining the real identity information of the user based on the client ticket, wherein the client ticket is key information generated by a third-party authentication plug-in according to the identity authentication result when the user registered to use the kubectl client.

In some possible embodiments, the third-party authentication plug-in is a KDC authentication plug-in, and the method further comprises: in response to a kubectl client registration request submitted by the user, calling the KDC authentication plug-in to perform KDC authentication of the user, and generating the client ticket for the user if the authentication passes.

In some possible embodiments, authentication credential information is recorded in the target configuration file, and determining the target configuration file that the user requests to access comprises: acquiring the target configuration file according to a preset configuration file storage path, parsing the target configuration file, and acquiring the authentication credential information it contains; and acquiring the configured string identity authentication credential based on the authentication credential information.

In some possible embodiments, address information of an interface server of the K8s cluster is recorded in the target configuration file, and forwarding the K8s cluster request instruction to the corresponding calling interface server comprises: forwarding the K8s cluster request instruction to the corresponding calling interface server according to the interface server address information recorded in the target configuration file and the address information corresponding to the K8s cluster request instruction.

In a second aspect, an embodiment of the present application
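The request gate that claims 1 to 6 and the description above lay out, as an added Python example that is not part of the patent or of any product of the assignee: a constructed JSON kubeconfig stands in for the target configuration file, a `ClientTicket` dataclass for the ticket the KDC plug-in issued at registration, and the `CREDENTIAL_OWNER` table (a hashed credential mapped to the Kerberos principal it belongs to) is an assumed binding the page does not specify; the behavior log and audit-state notification follow claim 2.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed kubeconfig in JSON form (kubectl accepts JSON as well as YAML);
# it plays the role of the patent's target configuration file.
KUBECONFIG_JSON = """{
  "current-context": "prod-alice",
  "contexts": [{"name": "prod-alice", "context": {"cluster": "prod", "user": "alice"}}],
  "clusters": [{"name": "prod", "cluster": {"server": "https://k8s-prod.example.internal:6443"}}],
  "users": [{"name": "alice", "user": {"token": "tok-alice-example-not-real"}}]
}"""

# Assumed binding (not specified by the patent): SHA-256 of the configured string
# credential -> Kerberos principal it was issued to. Only the hash is kept here.
CREDENTIAL_OWNER = {
    hashlib.sha256(b"tok-alice-example-not-real").hexdigest(): "alice@EXAMPLE.REALM",
}

@dataclass
class ClientTicket:  # stand-in for the ticket the KDC plug-in generated at registration
    principal: str
    expires: int     # epoch seconds

def load_target_config(text):
    """Parse the configuration file and resolve current-context to (server address, credential)."""
    cfg = json.loads(text)
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    server = next(c["cluster"]["server"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    token = next(u["user"]["token"] for u in cfg["users"] if u["name"] == ctx["user"])
    return server, token

def verify_identity(ticket, token, now):
    """Security check: the ticket must be unexpired and its principal must own the credential."""
    if now >= ticket.expires:
        return False
    owner = CREDENTIAL_OWNER.get(hashlib.sha256(token.encode()).hexdigest(), "")
    return hmac.compare_digest(owner.encode(), ticket.principal.encode())

def audit_request(ticket, request, config_text, now, audit_log):
    """Gate one intercepted kubectl request; returns the forwarding decision and audit state."""
    server, token = load_target_config(config_text)
    allowed = verify_identity(ticket, token, now)
    # Behavior data is recorded under the real identity, never under the shared credential.
    audit_log.append({"principal": ticket.principal, "request": request, "allowed": allowed, "at": now})
    if not allowed:
        return {"forwarded": False, "audit_state": "rejected"}
    return {"forwarded": True, "server": server, "audit_state": "audited"}
```

A second principal presenting the same shared kubeconfig is refused and still logged under its own name, which is the audit property the abstract claims over plain shared credentials.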