PoS - Proceedings of Science
Volume 434 - International Symposium on Grids & Clouds (ISGC) 2023 in conjunction with HEPiX Spring 2023 Workshop (ISGC&HEPiX2023) - Converging Infrastructure Clouds, Virtualisation and HPC
Design and implementation of security policy for HEPS container computing platform
Q. Hu*, T. Cui, J. Xu and T. Yan
Full text: pdf
Published on: October 25, 2023
Abstract
The HEPS computing platform builds a container computing environment on a Kubernetes cluster to provide analysis services to users. The platform offers a containerised data-analysis environment based on JupyterLab, with the JupyterHub web page as the entry point. Software libraries are stored in CVMFS, which the container environment accesses through a CSI driver. Lustre stores the users' experiment data; its storage volumes are mapped into the container environment in localhost mode to give users read/write access to their data.

The HEPS platform uses Kubernetes to manage the LAN computing resources and to create container environments for users. WAN users authenticate with OAuth 2.0 to reach a container environment on the LAN for data analysis. Because the container environment is interactive, it must be able to communicate both with WAN services (to access large-scale data) and with LAN storage (to access experimental data). In this service mode, two questions determine the platform's security: how to effectively limit the range of activity available to an attacker who has compromised a container environment, and how to quickly locate the affected container and the logged-in user once the IHEPSOC system detects attack behaviour. Answering them requires a set of security policies that protect the HEPS computing platform.

To address these problems, this paper presents the design and the observed effect of the security policy of the HEPS container computing platform in terms of Kubernetes network security policy, login-behaviour auditing and network-information association analysis. Together these provide configurable management of the activity scope of each user's analysis environment and traceability of an abnormal container environment, and so secure the HEPS computing platform.
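The two mechanisms the abstract names, written out as an added example (not code from the paper or the HEPS platform): a generated per-user Kubernetes NetworkPolicy that restricts a single-user pod to DNS plus a configurable list of LAN and WAN CIDRs, and an association step that maps an alert's source IP and timestamp to the pod that held that IP at that moment and the JupyterHub login that spawned it. The pod label, the hub namespace name, the record layout and all sample records are assumptions or constructed data; the association handles the case where a pod IP has been reused by a later pod.

```python
# Added example (not the paper's or the HEPS platform's own code). All
# labels, record layouts and records below are assumptions / constructed.
from datetime import datetime


def _ts(s: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; rewriting the trailing 'Z' keeps
    this working on Python versions before 3.11."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_user_policy(namespace: str, user: str, lan_cidrs: list,
                      wan_cidrs: list, hub_namespace: str = "jupyterhub") -> dict:
    """Return a networking.k8s.io/v1 NetworkPolicy (as a dict) that confines
    the single-user pod of `user`: ingress only from the hub namespace (the
    JupyterHub proxy), egress only to cluster DNS and the configured
    LAN/WAN CIDRs. Listing both policyTypes makes everything else default-
    deny. The pod label is the one KubeSpawner applies by default (assumed
    unchanged here); the hub namespace name is an assumption."""
    egress = [
        # cluster DNS, so the allowed endpoints can still be resolved
        {"ports": [{"protocol": "UDP", "port": 53},
                   {"protocol": "TCP", "port": 53}]},
    ]
    for cidr in list(lan_cidrs) + list(wan_cidrs):
        egress.append({"to": [{"ipBlock": {"cidr": cidr}}]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"confine-{user}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"hub.jupyter.org/username": user}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": hub_namespace}}}]}],
            "egress": egress,
        },
    }


# Constructed sample records (not real platform data). Pod IPs are reused
# once a pod is gone, so each lease carries the interval it was valid for.
POD_LEASES = [
    {"pod": "jupyter-bob", "ns": "heps-users", "ip": "10.244.3.17",
     "start": "2023-03-09T20:00:00Z", "end": "2023-03-10T07:30:00Z"},
    {"pod": "jupyter-alice", "ns": "heps-users", "ip": "10.244.3.17",
     "start": "2023-03-10T08:00:00Z", "end": None},
]
# JupyterHub login audit: which user spawned which pod, and from where.
HUB_LOGINS = [
    {"user": "bob", "pod": "jupyter-bob",
     "time": "2023-03-09T19:59:00Z", "remote_addr": "203.0.113.5"},
    {"user": "alice", "pod": "jupyter-alice",
     "time": "2023-03-10T07:59:00Z", "remote_addr": "198.51.100.9"},
]


def locate_container(alert_ip: str, alert_time: str,
                     leases=POD_LEASES, logins=HUB_LOGINS):
    """Map an alert (source IP + time, as IHEPSOC would report it) to the
    pod that held that IP at that moment and the latest hub login for that
    pod before the alert. Returns None when no pod held the IP at that
    time, e.g. traffic from a node or from an interval between two leases."""
    t = _ts(alert_time)
    for lease in leases:
        if lease["ip"] != alert_ip or _ts(lease["start"]) > t:
            continue
        if lease["end"] is not None and _ts(lease["end"]) < t:
            continue
        candidates = [l for l in logins
                      if l["pod"] == lease["pod"] and _ts(l["time"]) <= t]
        login = max(candidates, key=lambda l: _ts(l["time"])) if candidates else None
        return {
            "pod": lease["pod"],
            "namespace": lease["ns"],
            "user": login["user"] if login else None,
            "login_time": login["time"] if login else None,
            "remote_addr": login["remote_addr"] if login else None,
        }
    return None


if __name__ == "__main__":
    import json
    print(json.dumps(build_user_policy("heps-users", "alice",
                                       ["10.10.0.0/16"], ["192.0.2.0/24"]), indent=2))
    print(locate_container("10.244.3.17", "2023-03-10T09:12:00Z"))
```

Two checks a practitioner would add before relying on this: a NetworkPolicy is only enforced when the cluster's CNI plugin implements it (Calico and Cilium do; a plain bridge CNI silently ignores it), so test the policy by attempting a blocked connection from inside a pod rather than by reading it back; and the pod-IP lease records must be captured at pod creation and deletion time, because once a pod is gone the API server no longer knows which IP it had, and the association step then has nothing to match an older alert against.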
DOI: https://doi.org/10.22323/1.434.0002

Open Access
Copyright owned by the author(s) under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.