Security policy generation using container metadata
First Claim
1. A method for security in a container-based virtualization environment comprising:
- receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server;
determining an application or service performed by the deployed container from the received metadata;
retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and
launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include: receiving metadata about a deployed container from a container orchestration layer; determining an application or service associated with the container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the container; and generating a high-level declarative security policy associated with the container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the container can communicate.
163 Citations
17 Claims
-
1. A method for security in a container-based virtualization environment comprising:
-
receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server; determining an application or service performed by the deployed container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for security in a container-based virtualization environment comprising:
-
a hardware processor; and a memory coupled to the hardware processor, the memory storing instructions which are executable by the hardware processor to perform a method comprising; receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server; determining an application or service performed by the deployed container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization environment, the method comprising:
-
receiving metadata about a deployed container from a container orchestration layer, the metadata including an image type of the deployed container, the deployed container being deployed in a hardware server; determining an application or service performed by the deployed container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container communicates; and launching a compiler, the compiler producing a low-level firewall rule set using the high-level declarative security policy, the low-level firewall rule set being provided to an enforcement point, the enforcement point applying the low-level firewall rule set to data network traffic.
-
Specification