US 12,437,088 B2
Container operation control method and apparatus
Wei Wei, Beijing (CN)
Assigned to Beijing Volcano Engine Technology Co., Ltd., Beijing (CN)
Appl. No. 18/843,232
Filed by Beijing Volcano Engine Technology Co., Ltd., Beijing (CN)
PCT Filed May 29, 2023, PCT No. PCT/CN2023/096771
§ 371(c)(1), (2) Date Aug. 30, 2024,
PCT Pub. No. WO2024/016838, PCT Pub. Date Jan. 25, 2024.
Claims priority of application No. 202210865142.9 (CN), filed on Jul. 21, 2022.
Prior Publication US 2025/0258940 A1, Aug. 14, 2025
Int. Cl. H04L 29/06 (2006.01); G06F 21/60 (2013.01)
CPC G06F 21/604 (2013.01) [G06F 2221/2141 (2013.01)] 20 Claims
 
1. A container operation control method, including:
providing at least one type of container security protection profile that allows users to select and configure, wherein the at least one type of container security protection profile includes: a container security protection profile based on a container security baseline and/or a container security protection profile for a specified vulnerability in a container environment;
receiving a profile configuration request initiated based on at least one container security protection profile of the at least one type of container security protection profile, through an application programming interface (API) service component of a container cluster, the profile configuration request including a profile identifier of a target container security protection profile and object information about a target protection object related to the container, the profile configuration request being used to request security protection for the target protection object based on the target container security protection profile;
creating a resource object of a first custom resource corresponding to the target container security protection profile through the API service component;
acquiring the target container security protection profile according to a definition of the first custom resource, and creating a second custom resource including the target container security protection profile, through an access control management component of the container cluster;
enabling the target container security protection profile for the target protection object in response to the profile configuration request, to monitor access requests to the target protection object, and perform access control on the access requests based on the target container security protection profile,
the target protection object includes a first workload created in the container cluster before the profile configuration request is received;
the enabling the target container security protection profile for the target protection object in response to the profile configuration request, comprises:
controlling an access control agent component of a node device in the container cluster where the container group of the first workload is deployed, to acquire the target container security protection profile according to the second custom resource, and load the target container security protection profile into a kernel of the node device to which it belongs.
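The control flow of claim 1, modelled as an added Python example that is not part of the patent or of any product of the assignee. The component functions, the two custom resource names (a profile binding and a resolved profile), the rule format (a set of denied syscalls) and the in-memory "kernel" are all assumptions made for illustration; the catalog entries, including the vulnerability-specific profile identifier, are constructed placeholders. The example shows the two checks a practitioner would expect at the API step (unknown profile identifier, unknown target workload) and that only the agents on nodes actually hosting the workload's container group load the profile.

```python
from dataclasses import dataclass, field

# Constructed catalog of the two profile types named in the claim.
# Identifiers and rule contents are assumptions, not the patent's values.
PROFILE_CATALOG = {
    "baseline/v1": {"kind": "baseline",
                    "denied_syscalls": {"mount", "ptrace", "unshare"}},
    "vuln/PLACEHOLDER-ID": {"kind": "specified_vulnerability",
                            "denied_syscalls": {"keyctl"}},
}


@dataclass
class Cluster:
    """In-memory stand-in for the cluster: custom resources, pod placement, per-node kernels."""
    # workload name -> set of node names on which its container group runs (constructed)
    placement: dict = field(default_factory=dict)
    # first custom resource: binds a profile identifier to a target protection object
    profile_bindings: dict = field(default_factory=dict)
    # second custom resource: carries the resolved profile content
    security_profiles: dict = field(default_factory=dict)
    # node name -> {workload: denied_syscalls}; simulates profiles loaded into each node's kernel
    kernel: dict = field(default_factory=dict)


def api_service_component(cluster, request):
    """Steps 2-3 of the claim: validate the request, then create the first custom resource."""
    profile_id = request["profile_id"]
    target = request["target"]
    if profile_id not in PROFILE_CATALOG:
        raise ValueError(f"unknown profile identifier: {profile_id}")
    if target["workload"] not in cluster.placement:
        raise ValueError(f"unknown target workload: {target['workload']}")
    name = f"binding-{target['workload']}"
    cluster.profile_bindings[name] = {"profile_id": profile_id, "target": target}
    return name


def access_control_management_component(cluster, binding_name):
    """Step 4: acquire the profile from the binding's definition, create the second custom resource."""
    binding = cluster.profile_bindings[binding_name]
    profile = PROFILE_CATALOG[binding["profile_id"]]
    name = f"profile-{binding['target']['workload']}"
    cluster.security_profiles[name] = {
        "workload": binding["target"]["workload"],
        "denied_syscalls": set(profile["denied_syscalls"]),
    }
    return name


def access_control_agent(cluster, profile_name):
    """Step 5: only agents on nodes hosting the workload's container group load the profile."""
    spec = cluster.security_profiles[profile_name]
    loaded_on = []
    for node in sorted(cluster.placement[spec["workload"]]):
        cluster.kernel.setdefault(node, {})[spec["workload"]] = spec["denied_syscalls"]
        loaded_on.append(node)
    return loaded_on


def enable_profile(cluster, request):
    """End-to-end: API component -> access control management component -> node agents."""
    binding = api_service_component(cluster, request)
    profile = access_control_management_component(cluster, binding)
    return access_control_agent(cluster, profile)


def check_access(cluster, node, workload, syscall):
    """Enforcement point: deny when the node's kernel holds a profile for the workload listing the syscall."""
    denied = cluster.kernel.get(node, {}).get(workload, set())
    return syscall not in denied


def demo():
    # "web" already exists before the request arrives (the claim's first workload); "batch" is unrelated.
    cluster = Cluster(placement={"web": {"node-a", "node-b"}, "batch": {"node-c"}})
    nodes = enable_profile(cluster, {"profile_id": "baseline/v1", "target": {"workload": "web"}})
    return cluster, nodes


if __name__ == "__main__":
    cluster, nodes = demo()
    print("profile loaded on:", nodes)
    print("mount from web on node-a allowed:", check_access(cluster, "node-a", "web", "mount"))
```

The two custom resources are kept separate on purpose, mirroring the claim: the binding records only the identifier and target, so a change to the catalog entry is picked up by re-running the management component rather than by editing every binding, and a node agent never needs catalog access because the resolved profile content already sits in the second resource.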