
CN120692090A - A K8s unified authentication method, device, equipment and storage medium - Google Patents

A K8s unified authentication method, device, equipment and storage medium

Info

Publication number
CN120692090A
Authority
CN
China
Prior art keywords
request
authentication
target
token
project
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202511046202.4A
Other languages
Chinese (zh)
Inventor
杨桂龙
张建伟
高传集
玄德
郑强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Enterprise Cloud Technology Shandong Co ltd
Original Assignee
Inspur Enterprise Cloud Technology Shandong Co ltd


Abstract

The application discloses a K8s unified authentication method, device, equipment and storage medium in the technical field of container orchestration, applied to a preset project management platform. When a login request is received, the request initiator is redirected to the login page of a Keycloak authentication system and a target token is determined. When the request initiator triggers an operation on a preset project resource, a K8s interface request is constructed from the target token; an authentication proxy system corresponding to K8s identifies the target cluster from the K8s interface request and determines a request analysis result; target authority information is determined through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system; and the authentication proxy system forwards the K8s interface request according to the target authority information to complete authority verification and resource control under the corresponding project. The application thereby realizes project management and unified authentication across federated, external and local clusters in a multi-cluster environment.

Description

K8s unified authentication method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of container orchestration, in particular to a K8s unified authentication method, device, equipment and storage medium.
Background
With the spread of cloud technology, Kubernetes (K8s for short, a container orchestration platform) has become the de facto standard for container orchestration. Enterprises typically manage multiple Kubernetes clusters (for example external clusters and federated clusters) and allocate resources in these clusters to different teams or projects. However, the native Kubernetes RBAC (Role-Based Access Control) mechanism has the following problems in a multi-cluster environment: (1) permission management is decentralized and hard to control uniformly; (2) there is no project-level resource isolation; (3) assigning user permissions is complex, especially across clusters.
In existing schemes, Keycloak, an identity and access management solution, is integrated with Kubernetes, but this integration is limited to single-cluster scenarios and lacks support for multi-cluster project management.
Disclosure of Invention
In view of the above, the present invention aims to provide a K8s unified authentication method, apparatus, device and storage medium that implement project management in a multi-cluster environment, unify authentication across federated, external and local clusters, and support cross-cluster operation, so as to improve platform security and the flexibility and convenience of permission management. The specific scheme is as follows:
In a first aspect, the present application provides a K8s unified authentication method, applied to a preset project management platform, including:
when a login request is received, redirecting the corresponding request initiator to a login page of a Keycloak authentication system, and determining a target token for the request initiator through the Keycloak authentication system, the identity authentication information of the request initiator and project authority data;
when the request initiator triggers an operation on a preset project resource, constructing a corresponding K8s interface request based on the target token, and identifying the target cluster through the authentication proxy system corresponding to K8s and the received K8s interface request so as to determine and store a request analysis result, wherein the target cluster comprises any one or more of a federated cluster, a local cluster and an external cluster;
verifying the token and querying permissions through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system so as to determine target authority information corresponding to the request initiator;
and forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target authority information so as to complete authority verification and resource control operation under the corresponding project and determine the project resource operation result.
Optionally, determining the target token corresponding to the request initiator through the Keycloak authentication system, the identity authentication information corresponding to the request initiator and the project authority data comprises:
acquiring the identity authentication information of the request initiator on the login page of the Keycloak authentication system, and determining an identity authentication result based on that information;
calling a project management component through the Keycloak authentication system, based on the identity authentication result, to determine project authority data corresponding to the request initiator, wherein the project authority data comprises a project list, the cluster and namespace mapping of each project in the project list, and operation authority information;
determining an initial token corresponding to the request initiator based on the Keycloak authentication system, the project authority data and a preset token format;
determining a target token based on a preset digital signature algorithm and the initial token;
and redirecting to the preset project management platform and storing the target token locally.
Optionally, the constructing a corresponding K8s interface request based on the target token includes:
reading the target token corresponding to the request initiator from local storage;
And determining a K8s interface request based on the target token, the authorization header and the corresponding cluster identification information.
Optionally, identifying the target cluster through the authentication proxy system corresponding to K8s and the received K8s interface request so as to determine and store a request analysis result comprises:
intercepting the K8s interface request through an admission controller in the authentication proxy system corresponding to K8s;
performing target cluster identification and key information extraction based on the authentication proxy system and the K8s interface request to complete the request analysis operation and determine a request analysis result;
and storing the request analysis result and the K8s interface request.
Optionally, verifying the token and querying permissions through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system to determine the target authority information corresponding to the request initiator comprises:
forwarding the K8s interface request and the target token in the request analysis result to the Keycloak authentication system through the authentication proxy system;
performing signature verification on the target token with the Keycloak authentication system and a public key to determine a signature verification result;
when the signature verification result indicates success, checking the validity period of the target token with the Keycloak authentication system to determine a token check result;
when the token check result indicates that the check passes, performing a permission cache query based on the Keycloak authentication system, the permission cache mechanism, the K8s interface request and the target token to determine a query result;
if the query result indicates a cache miss, performing a real-time permission query based on the Keycloak authentication system, a preset database, the K8s interface request and the target token to determine the target authority information corresponding to the request initiator;
and feeding the target authority information back to the authentication proxy system from the Keycloak authentication system.
Optionally, after determining the token check result, the method further includes:
And if the permission cache invalidation notification corresponding to the target token is received, performing real-time permission query based on the Keycloak authentication system, the preset database, the K8s interface request and the target token to determine the target permission information.
Optionally, forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target authority information to complete the authority verification and resource control operation under the corresponding project and determine the project resource operation result comprises:
parsing the target cluster, target namespace and target project resource operation type of the K8s interface request through the authentication proxy system to determine a target analysis result;
matching the target analysis result against the target authority information through the authentication proxy system to determine a matching result;
if the matching result indicates success, forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the matching result;
performing the resource control operation under the corresponding project through the K8s interface and the K8s interface request to determine the project resource operation result, and feeding that result back to the authentication proxy system;
and determining an operation success log from the authentication proxy system and the project resource operation result, and storing the operation success log in a preset audit system.
In a second aspect, the present application provides a K8s unified authentication device, applied to a preset project management platform, including:
The token determining module is used for redirecting the corresponding request initiator to a login page of a Keycloak authentication system when receiving a login request, and determining a target token corresponding to the request initiator through the Keycloak authentication system, identity authentication information corresponding to the request initiator and project authority data;
The interface request analysis module is used for constructing a corresponding K8s interface request based on the target token when the request initiator triggers the operation of the preset project resource, and identifying a target cluster through an authentication proxy system corresponding to K8s and the received K8s interface request to determine and store a request analysis result;
The permission information determining module is used for verifying the token and inquiring the permission through the authentication agent system, the K8s interface request, the request analysis result and the Keycloak authentication system so as to determine target permission information corresponding to the request initiator;
And the authentication module is used for forwarding the K8s interface request to a corresponding K8s interface through the authentication proxy system and the target authority information so as to finish the authority verification and resource control operation under the corresponding project and determine the project resource operation result.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the steps of the K8s unified authentication method.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the aforementioned K8s unified authentication method.
The method and device are applied to a preset project management platform. When a login request is received, the corresponding request initiator is redirected to the login page of a Keycloak authentication system, and a target token for the request initiator is determined through the Keycloak authentication system, the identity authentication information of the request initiator and the project authority data. When the request initiator triggers an operation on a preset project resource, a corresponding K8s interface request is constructed based on the target token; the authentication proxy system corresponding to K8s identifies the target cluster from the received K8s interface request to determine and store a request analysis result, the target cluster comprising one or more of a federated cluster, a local cluster and an external cluster; token verification and permission query are performed through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system to determine the target authority information of the request initiator; and the K8s interface request is forwarded to the corresponding K8s interface through the authentication proxy system and the target authority information, completing authority verification and resource control under the corresponding project and determining the project resource operation result.
That is, in the present application, when the preset project management platform receives a login request, a target token is determined through the Keycloak authentication system and the identity authentication information of the request initiator; when the request initiator then triggers a preset project resource operation, a corresponding K8s interface request is constructed based on the target token, received and parsed by the authentication proxy system, and token verification and permission query are performed together with the Keycloak authentication system to determine the target authority information; the K8s interface request is then forwarded to the corresponding K8s interface through the authentication proxy system and the target authority information, so that authority verification and resource control under the corresponding project are completed and the project resource operation result is determined. Project management in a multi-cluster environment is thereby implemented, authentication across federated, external and local clusters is unified, and cross-cluster operation is supported, improving platform security and the flexibility and convenience of permission management.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of the K8s unified authentication method provided by the application;
FIG. 2 is a sequence diagram of token acquisition through platform login according to the present application;
FIG. 3 is an example code diagram for token generation according to the present application;
FIG. 4 is a schematic diagram of the multi-cluster unified authentication flow provided by the present application;
FIG. 5 is a sequence diagram of accessing the K8s interface with a token, provided by the present application;
FIG. 6 is an example code diagram of kubectl configured to use the token, provided by the present application;
FIG. 7 is a sequence diagram of the authentication proxy system verifying the token, provided by the present application;
FIG. 8 is a code example diagram of the permission cache provided by the present application;
FIG. 9 is a sequence diagram of project resource control according to permissions, provided by the present application;
FIG. 10 is a schematic structural diagram of the K8s unified authentication device provided by the application;
FIG. 11 is a block diagram of an electronic device according to the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The native Kubernetes RBAC mechanism has the following problems in a multi-cluster environment: (1) permission management is decentralized and hard to control uniformly; (2) there is no project-level resource isolation; (3) assigning user permissions is complex, especially across clusters. In existing schemes, Keycloak, an identity and access management solution, is integrated with Kubernetes, but this integration is limited to single-cluster scenarios and lacks support for multi-cluster project management.
Therefore, the application provides a K8s unified authentication scheme that implements project management in a multi-cluster environment, unifies authentication across federated, external and local clusters, and supports cross-cluster operation, thereby improving platform security and the flexibility and convenience of permission management.
Referring to fig. 1, the embodiment of the invention discloses a K8s unified authentication method, which is applied to a preset project management platform and comprises the following steps:
And step S11, when a login request is received, redirecting the corresponding request initiator to a login page of a Keycloak authentication system, and determining a target token corresponding to the request initiator through the Keycloak authentication system, identity authentication information corresponding to the request initiator and project authority data.
In this embodiment, a request initiator (user) obtains a token through the preset project management platform by way of the Keycloak authentication system. First, the identity authentication information of the request initiator is acquired on the login page of the Keycloak authentication system and an identity authentication result is determined from it. Then, based on that result, the Keycloak authentication system calls the project management component to determine the project authority data of the request initiator, which comprises a project list, the clusters and namespaces mapped to each project in the list, and the operation authority information. An initial token is determined from the Keycloak authentication system, the project authority data and a preset token format; a target token is determined from a preset digital signature algorithm and the initial token; and the user is redirected back to the preset project management platform, where the target token is stored locally. That is, after the identity authentication information is received on the Keycloak login page, the project management component (the project management module in FIG. 2) is queried for the user's permissions, and the Keycloak authentication system then generates a JWT (JSON Web Token) from the queried permission data.
Referring to FIG. 2, token distribution through Keycloak proceeds as follows. (1) The user initiates a login request: the user accesses the preset project management platform or a client, and the platform redirects the user to the Keycloak login page. (2) Identity authentication: the user enters a username/password (multi-factor authentication is supported) and Keycloak verifies the credentials (an LDAP/AD back end, Lightweight Directory Access Protocol/Active Directory, can be integrated). (3) Permission data acquisition: Keycloak calls the project management module to obtain the user's project resource permissions, comprising the list of projects the user belongs to, the cluster/namespace mapping of each project, and the specific operation permissions (get/list/create/update/delete). (4) Token generation and return: Keycloak generates a token in JWT format, encodes the permission data into a custom claims field of the token, signs it with the RS256 algorithm (private-key signature, public-key verification), and returns the token to the platform or client (as an HTTP (Hypertext Transfer Protocol) response or redirection). An example of code for token generation is shown in FIG. 3.
It should be understood that the project management component stores cluster registration information, project configuration and permission rules, exposes a REST API (an application programming interface conforming to the Representational State Transfer architectural style) for other systems to call, and dynamically synchronizes permissions with the K8s authentication proxy system. The Keycloak authentication system provides the unified user authentication portal (for example based on an open identity authentication protocol), issues the JWT carrying the permission claims, and manages the user-project-namespace mapping.
It will be appreciated that in this embodiment a project may contain multiple namespaces across clusters (registered external clusters, federated clusters), and a user may belong to multiple projects but may only create, delete and modify resources in namespaces under those projects. The administrator registers an external cluster by providing its kubeconfig file, creates namespaces in it, and associates them to a project for its users. An ordinary user has resource management rights only in the assigned namespaces.
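The token step of the flow above, as an added example in Go that is not the code of FIG. 3 nor the page's own implementation: the permission data is placed in a custom claim and the token is signed with RS256 using the issuer's private key, and a verifier holding only the public key pins the algorithm, checks the signature, and only then checks the validity period, which is the check applied in step S13 before any permission lookup. The claim name "projects", the claim layout and the 2048-bit key are assumptions; RSA PKCS#1 v1.5 over SHA-256 from the Go standard library is exactly what RS256 specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ProjectGrant is one entry of the custom claim (layout assumed): which
// cluster/namespace a project maps to and which verbs the user holds there.
type ProjectGrant struct {
	Project   string   `json:"project"`
	Cluster   string   `json:"cluster"`
	Namespace string   `json:"namespace"`
	Verbs     []string `json:"verbs"`
}

// Claims is the token body; "projects" is the assumed name of the custom claims field.
type Claims struct {
	Sub      string         `json:"sub"`
	Iss      string         `json:"iss"`
	Exp      int64          `json:"exp"`
	Projects []ProjectGrant `json:"projects"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken encodes header and claims and signs them with RS256, i.e. RSA
// PKCS#1 v1.5 over SHA-256, using the issuer's private key.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken pins the algorithm to RS256, verifies the signature with the
// public key, and only then decodes the claims and checks "exp" against now.
// Nothing from the payload is trusted before the signature has been checked.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected header or algorithm") // rejects "none" and HS256 swaps
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // issuer key; in production this is the Keycloak realm key
	claims := Claims{Sub: "alice", Iss: "keycloak", Exp: time.Now().Add(time.Hour).Unix(),
		Projects: []ProjectGrant{{Project: "proj-a", Cluster: "cluster-east", Namespace: "ns-dev", Verbs: []string{"get", "list", "create"}}}}
	tok, _ := MintToken(priv, claims)
	got, err := VerifyToken(&priv.PublicKey, tok, time.Now())
	fmt.Println(got.Sub, got.Projects[0].Namespace, err)
}
```

The verifier deliberately reads the header only to confirm the algorithm and never lets a token choose it; a proxy that accepted whatever "alg" the token named would let a client re-sign the claims with the published public key as an HMAC secret.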
Step S12: when the request initiator triggers an operation on a preset project resource, constructing a corresponding K8s interface request based on the target token, and identifying the target cluster through the authentication proxy system corresponding to K8s and the received K8s interface request so as to determine and store a request analysis result, wherein the target cluster comprises any one or more of a federated cluster, a local cluster and an external cluster.
In this embodiment, after the user has completed identity authentication and permission allocation through Keycloak, a request to operate on project resources is handled by the K8s authentication proxy system shown in FIG. 4. The authentication proxy system intercepts the request through a dynamic admission controller (such as a Mutating Webhook), parses and verifies the token permissions, and performs cross-cluster permission verification. Note that an admission webhook inside a Kubernetes API server runs only after that server has already authenticated and authorized the request, whereas the flow below holds the request before it reaches the real API server; in that position the authentication proxy system behaves as an authenticating reverse proxy in front of each cluster's API server.
With reference to FIG. 5, when the user triggers an operation the platform constructs the K8s interface request from the target token: it reads the target token of the request initiator from local storage and builds the K8s interface request from the token, the Authorization header and the cluster identification information. The K8s authentication proxy system then receives and parses the request: it intercepts the K8s interface request through its admission controller, performs target cluster identification and key information extraction to complete the request analysis and determine the request analysis result, and stores the request analysis result together with the K8s interface request. In other words, because the target token was stored locally after login, it is read from local storage and placed in the Authorization header of the request being built, and the cluster identifier is attached through the URL path and/or a custom header. The request is then forwarded; the authentication proxy system intercepts it, extracts and stores the key information, namely the token, the target cluster and the resource path, and prepares to trigger the subsequent authentication flow. Up to this point the request has not reached the real K8s interface server.
The flow for accessing the K8s interface with the token is as follows. (1) Client configuration: kubectl (the K8s command-line tool) is configured with the token as in the example in FIG. 6, and front-end applications pass it in the Authorization header. (2) Request routing: all K8s interface requests are sent to the unified authentication proxy, which identifies the target cluster in either of two forms: a custom header (X-Target-Cluster: cluster-east) or the URL path. (3) Request preprocessing: the proxy extracts the key parameters, namely the HTTP method (operation type, e.g. GET), and from the URL path the resource namespace (e.g. /namespaces/ns-dev/...) and resource type (pods, deployments, etc.).
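The preprocessing of steps (2) and (3), as an added example in Go rather than the page's own proxy code: extract the bearer token, identify the target cluster from the X-Target-Cluster header or, as an assumed path convention not given on the page, a leading /clusters/<id> segment, and parse the namespace, resource and operation verb from an ordinary Kubernetes API path and HTTP method. The returned struct is what the proxy stores before handing the token to Keycloak; the method-to-verb mapping follows how the Kubernetes API server itself derives verbs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ParsedRequest is the request analysis result the proxy stores: the bearer
// token plus the cluster/namespace/resource/verb extracted from the request.
type ParsedRequest struct {
	Token     string
	Cluster   string
	Namespace string
	Resource  string
	Name      string
	Verb      string
}

// ParseRequest extracts the key fields. The cluster id comes from the
// X-Target-Cluster header the page mentions or, as an assumed path convention,
// from a "/clusters/<id>" prefix; the remainder is a normal K8s API path.
func ParseRequest(r *http.Request) (*ParsedRequest, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") || len(auth) <= len("Bearer ") {
		return nil, errors.New("missing bearer token")
	}
	p := &ParsedRequest{Token: strings.TrimPrefix(auth, "Bearer ")}

	segs := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	if len(segs) >= 2 && segs[0] == "clusters" {
		p.Cluster = segs[1]
		segs = segs[2:]
	}
	if h := r.Header.Get("X-Target-Cluster"); h != "" {
		if p.Cluster != "" && p.Cluster != h {
			return nil, errors.New("cluster in path and header disagree")
		}
		p.Cluster = h
	}
	if p.Cluster == "" {
		return nil, errors.New("no target cluster")
	}

	// Skip the API group/version prefix: "api/v1/..." or "apis/<group>/<version>/...".
	switch {
	case len(segs) >= 2 && segs[0] == "api":
		segs = segs[2:]
	case len(segs) >= 3 && segs[0] == "apis":
		segs = segs[3:]
	default:
		return nil, errors.New("not a Kubernetes API path")
	}
	if len(segs) >= 2 && segs[0] == "namespaces" {
		p.Namespace = segs[1]
		segs = segs[2:]
	}
	if len(segs) == 0 {
		return nil, errors.New("no resource in path")
	}
	p.Resource = segs[0]
	if len(segs) >= 2 {
		p.Name = segs[1]
	}

	// Map the HTTP method to the verb the permission data is expressed in.
	switch r.Method {
	case http.MethodGet:
		if p.Name == "" {
			p.Verb = "list"
		} else {
			p.Verb = "get"
		}
	case http.MethodPost:
		p.Verb = "create"
	case http.MethodPut, http.MethodPatch:
		p.Verb = "update"
	case http.MethodDelete:
		p.Verb = "delete"
	default:
		return nil, fmt.Errorf("unsupported method %s", r.Method)
	}
	return p, nil
}

func main() {
	r, _ := http.NewRequest(http.MethodGet, "https://proxy.example/api/v1/namespaces/ns-dev/pods", nil)
	r.Header.Set("Authorization", "Bearer <jwt>")
	r.Header.Set("X-Target-Cluster", "cluster-east")
	p, err := ParseRequest(r)
	fmt.Printf("%+v %v\n", p, err)
}
```

A request that names a cluster both in the path and in the header, with different values, is rejected rather than resolved by preference, so the audit record and the routing decision can never disagree about which cluster was targeted.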
Step S13: verifying the token and querying permissions through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system so as to determine the target authority information corresponding to the request initiator.
In this embodiment, as shown in FIG. 7, the actual authentication flow starts here: the authentication proxy system forwards the K8s interface request and the target token from the request analysis result to the Keycloak authentication system; the Keycloak authentication system verifies the signature of the target token with the public key to determine a signature verification result; when the signature verifies, the validity period of the target token is checked to determine a token check result; when that check passes, a permission cache query is performed based on the Keycloak authentication system, the permission cache mechanism, the K8s interface request and the target token to determine a query result; if the query result indicates a cache miss, a real-time permission query is performed against a preset database with the K8s interface request and the target token to determine the target authority information of the request initiator; and the Keycloak authentication system feeds the target authority information back to the authentication proxy system.
In addition, after the token check result is determined, if a permission cache invalidation notification corresponding to the target token has been received, a real-time permission query is performed based on the Keycloak authentication system, the preset database, the K8s interface request and the target token to determine the target authority information.
That is, the specific flow in which the authentication proxy system verifies the token and obtains permissions in this embodiment is: (1) Token verification: the JWT signature is verified with the Keycloak public key to prevent tampering, and a request whose signature fails verification is rejected immediately (401). (2) Permission caching: a Redis cache whose key format and default cache duration can be set according to user requirements; the cache content is shown in FIG. 8; when a permission changes, a Redis PUBLISH notification invalidates the cache. (3) Real-time database query: on a cache miss or after invalidation, Keycloak queries the database in real time to obtain the user's permissions. (4) Decision engine: the cluster, namespace and operation type parsed from the request are matched against the user's permissions; a pass notice is returned if the permission is held, otherwise a refusal notice. Since the decision uses the permissions returned by the cache or database query, a permission change is reflected on later requests without waiting for the token to expire.
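Steps (2) to (4) above, as an added example in Go that is not the page's Redis code of FIG. 8: an in-memory stand-in for the Redis permission cache with a TTL and an Invalidate entry point that models handling the PUBLISH notification, a loader callback standing in for the real-time database query, and the decision engine that matches cluster, namespace and verb against the user's grants. The key format perm:<user>, the Grant layout and the TTL used in main are assumptions. The resource type is carried into the audit reason but, like the page's permission data, is not part of the match; a deployment that needs resource-level granularity would add it to Grant.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Grant mirrors one entry of the project permission data: a project's
// cluster/namespace mapping and the verbs the user holds there.
type Grant struct {
	Project, Cluster, Namespace string
	Verbs                       []string
}

// PermCache stands in for the Redis permission cache. Keys use the assumed
// format "perm:<user>", entries expire after ttl, and Invalidate models the
// handling of the PUBLISH notification sent when a permission changes.
type PermCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	entries map[string]cacheEntry
	Misses  int // counts database lookups so callers can see when the cache did not serve
}

type cacheEntry struct {
	grants  []Grant
	expires time.Time
}

func NewPermCache(ttl time.Duration) *PermCache {
	return &PermCache{ttl: ttl, entries: map[string]cacheEntry{}}
}

// Invalidate drops the user's entry; the next Lookup goes to the database.
func (c *PermCache) Invalidate(user string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, "perm:"+user)
}

// Lookup returns the cached grants, or on a miss or expiry calls loadFromDB
// (the real-time database query) and caches what it returns.
func (c *PermCache) Lookup(user string, now time.Time, loadFromDB func(string) []Grant) []Grant {
	c.mu.Lock()
	defer c.mu.Unlock()
	key := "perm:" + user
	if e, ok := c.entries[key]; ok && now.Before(e.expires) {
		return e.grants
	}
	c.Misses++
	g := loadFromDB(user)
	c.entries[key] = cacheEntry{grants: g, expires: now.Add(c.ttl)}
	return g
}

// Decision is what the proxy does with the request after matching.
type Decision struct {
	Allowed bool
	Status  int    // 0 when allowed, 403 when denied
	Reason  string // written to the audit system as the success log or security alert
}

// Decide matches the parsed (cluster, namespace, resource, verb) against the grants.
// A request without a namespace is denied outright: ordinary users only hold
// rights inside namespaces assigned to their projects, so cluster-scoped
// resources such as nodes never match.
func Decide(grants []Grant, cluster, namespace, resource, verb string) Decision {
	if namespace == "" {
		return Decision{false, 403, "cluster-scoped request: no namespace"}
	}
	for _, g := range grants {
		if g.Cluster != cluster || g.Namespace != namespace {
			continue
		}
		for _, v := range g.Verbs {
			if v == verb {
				return Decision{Allowed: true, Reason: fmt.Sprintf("project %s permits %s %s in %s/%s", g.Project, verb, resource, cluster, namespace)}
			}
		}
	}
	return Decision{false, 403, fmt.Sprintf("no grant for %s %s in %s/%s", verb, resource, cluster, namespace)}
}

func main() {
	c := NewPermCache(30 * time.Second)
	db := func(u string) []Grant { // constructed stand-in for the permission database
		return []Grant{{"proj-a", "cluster-east", "ns-dev", []string{"get", "list"}}}
	}
	g := c.Lookup("alice", time.Now(), db)
	fmt.Println(Decide(g, "cluster-east", "ns-dev", "pods", "list"))
	fmt.Println(Decide(g, "cluster-east", "ns-dev", "pods", "delete"))
}
```

The deny path returns a reason string shaped like the page's security alert (user identity is added by the caller, which knows the token subject); keeping the reason out of the HTTP 403 body and inside the audit record avoids telling the client which namespaces or clusters exist.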
And S14, forwarding the K8S interface request to a corresponding K8S interface through the authentication proxy system and the target authority information so as to complete the authority verification and resource control operation under the corresponding project and determine the project resource operation result.
In this embodiment, as shown in FIG. 9, after the authentication proxy system completes the authority verification, the request initiator is restricted to operating the namespaces under the specific project according to the verified authority. Concretely, the authentication proxy system parses the target cluster, the target namespace and the target project resource operation type of the K8s interface request to obtain a target parsing result, and matches that result against the target authority information. If the match succeeds, the proxy forwards the K8s interface request to the corresponding K8s interface, the resource control operation under the corresponding project is executed through that interface to produce the project resource operation result, the result is fed back to the authentication proxy system, and the proxy derives an operation success log from it and stores the log in a preset audit system. When forwarding, the proxy system sends the request to the server of the corresponding interface and adds the cluster authentication information, while the original user information is retained because the audit trail needs it; the proxy then receives the operation result returned by the interface and records the success log in the audit system. If the authority is denied, a standard HTTP 403 response is returned and a security alert is recorded in the audit system; the alert contains the user identity, the requested resource, the target cluster/namespace and the attempted operation.
The audit system stores the audit logs and supports querying and downloading them.
With reference to FIG. 4, the local main cluster is reached directly through the local K8s interface. Clusters other than the local one are handled as follows. For a federated cluster, the K8s authentication proxy system routes the request to the member cluster through the federation interface, and the authority granted on the federated namespace is inherited by the member cluster. For an external cluster, which an administrator registers through a kubeconfig file and whose namespaces are associated with a project, the kubeconfig is loaded from the database according to the ID (identifier) of the target cluster, and a cluster connection pool is initialized from that kubeconfig to process the request.
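The S14 flow (parse, match, forward or 403 with an audit record) together with the FIG. 4 routing by cluster type, as an added example in Go; it is not code from the patent or from any Inspur implementation. It assumes the cluster identifier arrives in an `X-Cluster-ID` header, that the target permission information is a list of (project, cluster, namespaces, verbs) grants, that an external cluster's registered kubeconfig is looked up by cluster ID, and that the forwarded request carries the cluster's own credential plus the Kubernetes `Impersonate-User` header to retain the original user for the API server's audit log; the patent names none of these. Cluster-scoped API paths are rejected, because project permissions are namespace-level and a request without a namespace has nothing it could be matched against.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Grant is one row of the target permission information from the Keycloak side:
// project, the cluster/namespaces mapped to it and the allowed operations
// (layout assumed; "*" in Namespaces or Verbs acts as a wildcard).
type Grant struct {
	Project, Cluster string
	Namespaces       []string
	Verbs            []string
}

// Target is the proxy's parse result: target cluster, namespace and operation type.
type Target struct{ User, Cluster, Namespace, Resource, Verb string }

// ClusterEntry is a registry row keyed by cluster ID; Kind is "local", "federated"
// or "external", and external entries carry the kubeconfig an administrator registered.
type ClusterEntry struct {
	Kind       string
	Kubeconfig []byte
}

// ParseRequest maps the cluster ID (assumed to arrive in an X-Cluster-ID header),
// the HTTP method and a standard Kubernetes API path to a Target. Cluster-scoped
// paths (no /namespaces/<ns>/ segment) are rejected: project permissions are
// namespace-level, so such a request has nothing it could be matched against.
func ParseRequest(user, clusterID, method, path string) (Target, error) {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	idx := -1
	for i, s := range segs {
		if s == "namespaces" && i+2 < len(segs) {
			idx = i
			break
		}
	}
	if idx < 0 {
		return Target{}, fmt.Errorf("cluster-scoped or malformed path rejected: %s", path)
	}
	verb, ok := map[string]string{"GET": "get", "POST": "create", "PUT": "update", "PATCH": "update", "DELETE": "delete"}[method]
	if !ok {
		return Target{}, fmt.Errorf("unsupported method %s", method)
	}
	if verb == "get" && len(segs) == idx+3 { // GET on a collection is a list
		verb = "list"
	}
	return Target{User: user, Cluster: clusterID, Namespace: segs[idx+1], Resource: segs[idx+2], Verb: verb}, nil
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v || x == "*" {
			return true
		}
	}
	return false
}

// Authorize matches the parse result against the grants; the first grant that
// covers cluster, namespace and verb names the project the request runs under.
func Authorize(grants []Grant, t Target) (string, bool) {
	for _, g := range grants {
		if g.Cluster == t.Cluster && contains(g.Namespaces, t.Namespace) && contains(g.Verbs, t.Verb) {
			return g.Project, true
		}
	}
	return "", false
}

// Decision is the proxy's outcome plus the line it writes to the audit system.
type Decision struct {
	Status  int         // 200 forward, 403 deny, 502 cluster not registered/usable (assumed)
	Project string
	Backend string      // which K8s interface the request goes to
	Headers http.Header // headers on the forwarded request
	Audit   string
}

// Decide runs the S14 flow: match, then route to the local API server, the federation
// interface (which reaches the member clusters) or an external cluster via its registered
// kubeconfig. The forwarded request carries the cluster credential; the original user is
// kept in a Kubernetes Impersonate-User header for the API server's audit log (assumed).
func Decide(grants []Grant, reg map[string]ClusterEntry, clusterCred string, t Target) Decision {
	project, ok := Authorize(grants, t)
	if !ok {
		return Decision{Status: http.StatusForbidden, Audit: fmt.Sprintf("ALERT user=%s cluster=%s ns=%s resource=%s verb=%s denied", t.User, t.Cluster, t.Namespace, t.Resource, t.Verb)}
	}
	e, known := reg[t.Cluster]
	backend, kindOK := map[string]string{"local": "local-apiserver", "federated": "federation-apiserver", "external": "kubeconfig:" + t.Cluster}[e.Kind]
	if !known || !kindOK || (e.Kind == "external" && len(e.Kubeconfig) == 0) {
		return Decision{Status: http.StatusBadGateway, Audit: "ERROR cluster not registered or unusable: " + t.Cluster}
	}
	h := http.Header{}
	h.Set("Authorization", "Bearer "+clusterCred)
	h.Set("Impersonate-User", t.User)
	return Decision{Status: http.StatusOK, Project: project, Backend: backend, Headers: h,
		Audit: fmt.Sprintf("OK user=%s project=%s cluster=%s ns=%s resource=%s verb=%s -> %s", t.User, project, t.Cluster, t.Namespace, t.Resource, t.Verb, backend)}
}
```

A denied request yields a 403 and an ALERT audit line carrying the user identity, cluster, namespace, resource and verb, matching the alert contents listed above; a request whose cluster ID is missing or not in any grant is denied the same way. The external-cluster branch only records which registered kubeconfig would be used; building the client and connection pool from it is left out.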
In summary, this embodiment provides a scheme for unified authentication against Kubernetes based on a Keycloak token that supports project management in a multi-cluster environment. It (1) unifies authentication across the federated, external and local cluster types, allows flexible allocation of user permissions and supports cross-cluster operation; (2) isolates resources at the project level and controls permissions precisely down to the namespace level, improving security; (3) integrates without intrusion, requiring no modification of Kubernetes core components, with clusters registered quickly through kubeconfig files; (4) synchronizes permission changes to the authentication system within 30 seconds; and (5) keeps a complete audit data chain, meeting users' security compliance requirements.
Therefore, in the present application, when the preset project management platform receives a login request, a target token is determined through the Keycloak authentication system and the identity authentication information corresponding to the request initiator. When the request initiator then triggers a preset project resource operation, a corresponding K8s interface request is constructed based on the target token; the authentication proxy system corresponding to K8s receives and parses the request, verifies the token and queries permissions together with the Keycloak authentication system to determine the target permission information, and forwards the K8s interface request to the corresponding K8s interface according to that information, so that the permission verification and resource control operation under the corresponding project are completed and the project resource operation result is determined. Project management in a multi-cluster environment is thus realized with unified authentication across federated, external and local clusters and support for cross-cluster operation, which improves the security of the platform and the flexibility and convenience of permission management.
Referring to fig. 10, the embodiment of the present application further correspondingly discloses a K8s unified authentication device, which is applied to a preset project management platform, and includes:
the token determining module 11 is configured to redirect, when a login request is received, a corresponding request initiator to a login page of a Keycloak authentication system, and determine, according to the Keycloak authentication system, identity authentication information corresponding to the request initiator, and project permission data, a target token corresponding to the request initiator;
The interface request analysis module 12 is configured to construct a corresponding K8s interface request based on the target token when the request initiator triggers a preset project resource operation, and identify a target cluster through an authentication proxy system corresponding to K8s and the received K8s interface request to determine and store a request analysis result;
The permission information determining module 13 is configured to perform verification of a token and permission query through the authentication proxy system, the K8s interface request, the request analysis result and the Keycloak authentication system, so as to determine target permission information corresponding to the request initiator;
The authentication module 14 is configured to forward the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target authority information, so as to complete the authority verification and resource control operation under the corresponding project and determine the project resource operation result.
In some embodiments, the token determining module 11 may be specifically configured to obtain, through the login page of the Keycloak authentication system, the identity authentication information corresponding to the request initiator and determine an identity authentication result from it; to invoke, through the Keycloak authentication system and based on that result, a project management component that determines the project authority data corresponding to the request initiator, the project authority data comprising a project list, the cluster and namespace mapping of each project in the list, and operation authority information; to determine an initial token for the request initiator based on the Keycloak authentication system, the project authority data and a preset token format; to determine the target token by applying a preset digital signature algorithm to the initial token; and to redirect to the preset project management platform and store the target token locally.
In some embodiments, the interface request parsing module 12 may be specifically configured to locally read the target token corresponding to the request initiator, and determine a K8s interface request based on the target token, an authorization header, and corresponding cluster identification information.
In some embodiments, the interface request parsing module 12 may be specifically configured to intercept the K8s interface request through an admission controller in an authentication proxy system corresponding to the K8s, perform target cluster identification and key information extraction based on the authentication proxy system and the K8s interface request, so as to complete a request parsing operation, determine a request parsing result, and store the request parsing result and the K8s interface request.
In some embodiments, the permission information determining module 13 may be specifically configured to forward, through the authentication proxy system, the target token carried in the K8s interface request together with the request parsing result to the Keycloak authentication system. The Keycloak authentication system verifies the signature of the target token with a public key to obtain a signature verification result; when the signature is valid, it checks the validity period of the target token to obtain a token check result; when the check passes, it performs a permission cache query based on a permission cache mechanism, the K8s interface request and the target token to obtain a query result; if the cache query fails, it performs a real-time permission query against a preset database based on the K8s interface request and the target token to determine the target permission information corresponding to the request initiator; and it feeds the target permission information back to the authentication proxy system.
In some embodiments, the K8s unified authentication device may be further configured to, if a permission cache invalidation notification corresponding to the target token has been received, perform real-time permission query based on the Keycloak authentication system, the preset database, the K8s interface request, and the target token to determine the target permission information.
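The token minting of the token determining module 11 (project permission data embedded in a signed token), the signature, validity-period and permission-cache checks of module 13, and the cache-invalidation path just described, as one added example in Go; it is not code from the patent or from Keycloak. Keycloak issues JWTs signed by default with RS256; the example uses Ed25519 from the Go standard library as a stand-in so it runs without dependencies, and the claim layout (a `projects` array of cluster/namespace/verb entries), the deterministic `KeyPairFromSeed` helper and the in-memory cache with a database callback are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed layout for the project permission data the patent embeds in
// the token: a project list with each project's cluster/namespace map and verbs.
type Claims struct {
	Sub      string        `json:"sub"`
	Exp      int64         `json:"exp"` // end of validity period, Unix seconds
	Projects []ProjectPerm `json:"projects"`
}

type ProjectPerm struct {
	Project, Cluster  string
	Namespaces, Verbs []string
}

var enc = base64.RawURLEncoding

// KeyPairFromSeed derives a deterministic Ed25519 key pair (examples/tests only).
func KeyPairFromSeed(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// MintToken builds header.payload.signature in JWS form. Ed25519 stands in for
// Keycloak's default RS256; the shape (signed claims, exp checked on verify) is the same.
func MintToken(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	pl, _ := json.Marshal(c) // cannot fail for these field types
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	return signingInput + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

var ErrBadSignature = errors.New("token signature invalid")
var ErrExpired = errors.New("token expired")

// VerifyToken checks the signature with the public key first and the validity
// period second, the order the patent gives; claims are trusted only after both.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, ErrBadSignature
	}
	var c Claims
	pl, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pl, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

// PermStore models the permission lookup after a valid token: a cache keyed by subject,
// a real-time query (db, assumed) on a miss, and the invalidation notification that
// forces a real-time query even when a cached entry exists.
type PermStore struct {
	cache       map[string][]ProjectPerm
	invalidated map[string]bool
	db          func(sub string) []ProjectPerm
	DBHits      int // number of real-time queries performed
}

func NewPermStore(db func(string) []ProjectPerm) *PermStore {
	return &PermStore{cache: map[string][]ProjectPerm{}, invalidated: map[string]bool{}, db: db}
}

func (s *PermStore) Invalidate(sub string) { s.invalidated[sub] = true }

func (s *PermStore) Lookup(sub string) []ProjectPerm {
	if p, ok := s.cache[sub]; ok && !s.invalidated[sub] {
		return p
	}
	s.DBHits++
	p := s.db(sub)
	s.cache[sub] = p
	delete(s.invalidated, sub)
	return p
}

func main() {
	pub, priv := KeyPairFromSeed(7)
	perm := ProjectPerm{Project: "shop", Cluster: "local", Namespaces: []string{"shop-web"}, Verbs: []string{"get"}}
	tok := MintToken(priv, Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix(), Projects: []ProjectPerm{perm}})
	c, err := VerifyToken(pub, tok, time.Now())
	fmt.Println(c.Sub, err) // alice <nil>
}
```

The order matters: the payload is decoded only after the signature has been checked, so a tampered `projects` list or a token signed by another key never reaches the expiry or cache logic. `Invalidate` is the hook a permission-change notification would call; the next `Lookup` then bypasses the cache and repopulates it from the real-time query.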
In some embodiments, the authentication module 14 may be specifically configured to parse, through the authentication proxy system, the target cluster, the target namespace and the target project resource operation type of the K8s interface request to obtain a target parsing result, and to match that result against the target authority information to obtain a matching result. If the match succeeds, the authentication proxy system forwards the K8s interface request to the corresponding K8s interface; the resource control operation under the corresponding project is performed through that interface to produce the project resource operation result, which is fed back to the authentication proxy system; the proxy then derives an operation success log from the result and stores it in a preset audit system.
Further, the embodiment of the present application further discloses an electronic device, and fig. 11 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application.
Fig. 11 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may include, in particular, at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement relevant steps in the K8s unified authentication method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide working voltages for each hardware device on the electronic device 20, the communication interface 24 is capable of creating a data transmission channel with an external device for the electronic device 20, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein, and the input/output interface 25 is configured to obtain external input data or output data to the external device, and the specific interface type of the input/output interface may be selected according to the specific application needs and is not specifically limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the hardware devices on the electronic device 20 and the computer program 222, and may be Windows Server, NetWare, Unix, Linux, etc. The computer program 222 may comprise, in addition to the program that performs the K8s unified authentication method executed by the electronic device 20 as disclosed in any of the previous embodiments, programs that perform other specific tasks.
Furthermore, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program realizes the K8s unified authentication method when being executed by a processor. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises that element.
The foregoing describes the principles and embodiments of the present application; the specific examples are provided to aid understanding of its method and core idea and are not limiting. Those of ordinary skill in the art will, in light of the above teachings, find variations in both the specific implementation and the scope of application, and this specification is therefore not to be construed as a limitation on the present application.

Claims (10)

1. A K8s unified authentication method, applied to a preset project management platform, comprising: when a login request is received, redirecting the corresponding request initiator to a login page of a Keycloak authentication system, and determining a target token corresponding to the request initiator through the Keycloak authentication system, identity authentication information corresponding to the request initiator and project permission data; when the request initiator triggers a preset project resource operation, constructing a corresponding K8s interface request based on the target token, and performing target cluster identification through an authentication proxy system corresponding to K8s and the received K8s interface request, so as to determine and store a request parsing result, the target cluster comprising any one or more of a federated cluster, a local cluster and an external cluster; performing token verification and permission query through the authentication proxy system, the K8s interface request, the request parsing result and the Keycloak authentication system, so as to determine target permission information corresponding to the request initiator; and forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target permission information, so as to complete the permission verification and resource control operation under the corresponding project and determine a project resource operation result.
2. The K8s unified authentication method according to claim 1, wherein determining the target token corresponding to the request initiator through the Keycloak authentication system, the identity authentication information corresponding to the request initiator and the project permission data comprises: obtaining the identity authentication information corresponding to the request initiator through the login page of the Keycloak authentication system, and determining an identity authentication result based on the identity authentication information; invoking a project management component through the Keycloak authentication system based on the identity authentication result, so as to determine the project permission data corresponding to the request initiator, the project permission data comprising a project list, the cluster and namespace mapping corresponding to each project in the project list, and operation permission information; determining an initial token corresponding to the request initiator based on the Keycloak authentication system, the project permission data and a preset token format; determining the target token based on a preset digital signature algorithm and the initial token; and redirecting to the preset project management platform and storing the target token locally.
3. The K8s unified authentication method according to claim 1, wherein constructing the corresponding K8s interface request based on the target token comprises: reading the target token corresponding to the request initiator from local storage; and determining the K8s interface request based on the target token, an authorization header and corresponding cluster identification information.
4. The K8s unified authentication method according to claim 1, wherein performing target cluster identification through the authentication proxy system corresponding to K8s and the received K8s interface request, so as to determine and store the request parsing result, comprises: intercepting the K8s interface request through an admission controller in the authentication proxy system corresponding to K8s; performing target cluster identification and key information extraction based on the authentication proxy system and the K8s interface request, so as to complete the request parsing operation and determine the request parsing result; and storing the request parsing result and the K8s interface request.
5. The K8s unified authentication method according to claim 1, wherein performing token verification and permission query through the authentication proxy system, the K8s interface request, the request parsing result and the Keycloak authentication system, so as to determine the target permission information corresponding to the request initiator, comprises: forwarding, based on the authentication proxy system, the target token in the K8s interface request and the request parsing result to the Keycloak authentication system; performing signature verification on the target token based on the Keycloak authentication system and a public key, so as to determine a signature verification result; when the signature verification result indicates that the verification succeeded, checking the validity period of the target token based on the Keycloak authentication system, so as to determine a token check result; when the token check result indicates that the check passed, performing a permission cache query based on the Keycloak authentication system, a permission cache mechanism, the K8s interface request and the target token, so as to determine a query result; if the query result indicates that the query failed, performing a real-time permission query based on the Keycloak authentication system, a preset database, the K8s interface request and the target token, so as to determine the target permission information corresponding to the request initiator; and feeding the target permission information back to the authentication proxy system based on the Keycloak authentication system.
6. The K8s unified authentication method according to claim 5, further comprising, after determining the token check result: if a permission cache invalidation notification corresponding to the target token has been received, performing a real-time permission query based on the Keycloak authentication system, the preset database, the K8s interface request and the target token, so as to determine the target permission information.
7. The K8s unified authentication method according to any one of claims 1 to 6, wherein forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target permission information, so as to complete the permission verification and resource control operation under the corresponding project and determine the project resource operation result, comprises: parsing, through the authentication proxy system, the target cluster, target namespace and target project resource operation type corresponding to the K8s interface request, so as to determine a target parsing result; matching, based on the authentication proxy system, the target parsing result with the target permission information, so as to determine a matching result; if the matching result indicates a successful match, forwarding the K8s interface request to the corresponding K8s interface through the authentication proxy system and the matching result; performing the resource control operation under the corresponding project based on the K8s interface and the K8s interface request, so as to determine the project resource operation result, and feeding the project resource operation result back to the authentication proxy system; and determining an operation success log based on the authentication proxy system and the project resource operation result, and storing it in a preset audit system.
8. A K8s unified authentication device, applied to a preset project management platform, comprising: a token determining module, configured to, when a login request is received, redirect the corresponding request initiator to a login page of a Keycloak authentication system, and determine a target token corresponding to the request initiator through the Keycloak authentication system, identity authentication information corresponding to the request initiator and project permission data; an interface request parsing module, configured to, when the request initiator triggers a preset project resource operation, construct a corresponding K8s interface request based on the target token, and perform target cluster identification through an authentication proxy system corresponding to K8s and the received K8s interface request, so as to determine and store a request parsing result, the target cluster comprising any one or more of a federated cluster, a local cluster and an external cluster; a permission information determining module, configured to perform token verification and permission query through the authentication proxy system, the K8s interface request, the request parsing result and the Keycloak authentication system, so as to determine target permission information corresponding to the request initiator; and an authentication module, configured to forward the K8s interface request to the corresponding K8s interface through the authentication proxy system and the target permission information, so as to complete the permission verification and resource control operation under the corresponding project and determine a project resource operation result.
9. An electronic device, comprising: a memory for storing a computer program; and a processor for executing the computer program to implement the K8s unified authentication method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program which, when executed by a processor, implements the K8s unified authentication method according to any one of claims 1 to 7.
CN202511046202.4A 2025-07-29 2025-07-29 A K8s unified authentication method, device, equipment and storage medium Pending CN120692090A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202511046202.4A CN120692090A (en) 2025-07-29 2025-07-29 A K8s unified authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202511046202.4A CN120692090A (en) 2025-07-29 2025-07-29 A K8s unified authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN120692090A true CN120692090A (en) 2025-09-23

Family

ID=97071394

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202511046202.4A Pending CN120692090A (en) 2025-07-29 2025-07-29 A K8s unified authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN120692090A (en)

Similar Documents

Publication Publication Date Title
US11558344B1 (en) Resolving blockchain domains
CN103795690B (en) A kind of method, proxy server and the system of cloud access control
US10505929B2 (en) Management and authentication in hosted directory service
CN114902612B (en) Account protection service based on edge network
US10263987B2 (en) Techniques for sharing virtual machine (VM) resources
JP6417472B2 (en) Use authentication information stored in different directories to access a common endpoint
US6832366B2 (en) Application generator
US8554749B2 (en) Data file access control
KR20210046659A (en) Blockchain network-based data processing method and apparatus, electronic device, and storage medium
US9706007B2 (en) System and method for querying disparate data sources in real time
US20050154887A1 (en) System and method for secure network state management and single sign-on
US10476733B2 (en) Single sign-on system and single sign-on method
US20110145786A1 (en) Remote commands in a shell environment
US10650153B2 (en) Electronic document access validation
CN103870727B (en) A kind of method and system for being managed collectively authority
US20240338471A1 (en) Facilitating secured access to protected resources hosted in one cloud from another cloud
CN102064953A (en) System, device and method for configuring user right information of lightweight directory access protocol (ldap) server
CN106415519A (en) Secure unified cloud storage
JP7553055B2 (en) Destination addressing associated with distributed ledgers
JP7099198B2 (en) Management equipment, management systems and programs
CN120692090A (en) A K8s unified authentication method, device, equipment and storage medium
Jenkins et al. The JSON Meta Application Protocol (JMAP)
CN116010933B (en) Resource permission identification method and related equipment
US20070050457A1 (en) Electronic mail device

Legal Events

Date Code Title Description
PB01 Publication