CN115664797A

CN115664797A - Information transmission method, device, equipment and storage medium

Info

Publication number: CN115664797A
Application number: CN202211305803.9A
Authority: CN
Inventors: 周文君
Original assignee: China Telecom Corp Ltd
Current assignee: China Telecom Corp Ltd
Priority date: 2022-10-24
Filing date: 2022-10-24
Publication date: 2023-01-31

Abstract

The disclosure provides an information transmission method, device, equipment and storage medium, and relates to the field of network technology and security. The method is applied to the container management module, and the method includes: receiving the encryption and decryption policy and the data interception rule sent by the user equipment; the data interception rule includes the identification of the container, and generating an eBPF attachment module according to the encryption and decryption policy and the data interception rule, so that the eBPF attachment module Determine the container to be intercepted according to the identifier of the container, and encrypt and decrypt the transmission information of the intercepted container according to the encryption and decryption strategy. The present disclosure overcomes, at least to a certain extent, the problem that the transmitted information is difficult to be encrypted during the current information transmission process of the container or virtual machine, resulting in low security of the transmitted information.

Description

Information transmission method, device, equipment and storage medium

技术领域technical field

本公开涉及网络技术与安全领域，尤其涉及一种信息传输方法、装置、设备及存储介质。The present disclosure relates to the field of network technology and security, and in particular to an information transmission method, device, equipment and storage medium.

背景技术Background technique

随着时代的发展，网络的质量不断提高。伴随着网络质量的提高，云技术逐渐成为人们日常的重要组成部分。With the development of the times, the quality of the network continues to improve. With the improvement of network quality, cloud technology has gradually become an important part of people's daily life.

在云技术应用的过程中，由于内核无法感知容器或虚拟机，就会导致内核难以对所属的容器或虚拟机进行处理。并且，由于内核通常对应多个容器或虚拟机，不同的容器以及虚拟机又会进行大量的信息的传输，这就使得内核难以对大量的信息进行管理，而容器以及虚拟机自身也难以对传输的信息进行管理，这就导致当前容器或虚拟机传输的信息难以被加密，安全性较低。In the process of cloud technology application, since the kernel cannot perceive the container or virtual machine, it will make it difficult for the kernel to process the container or virtual machine to which it belongs. Moreover, since the kernel usually corresponds to multiple containers or virtual machines, different containers and virtual machines will transmit a large amount of information, which makes it difficult for the kernel to manage a large amount of information, and it is also difficult for the container and the virtual machine itself to transmit This makes it difficult to encrypt the information transmitted by the current container or virtual machine, and the security is low.

发明内容Contents of the invention

本公开提供一种信息传输方法、装置、设备及存储介质，至少在一定程度上克服了在当前的容器或虚拟机传输信息的过程中，传输的信息难以被加密，导致的传输的信息安全性较低的问题。The present disclosure provides an information transmission method, device, device, and storage medium, at least to a certain extent, overcoming the difficulty in encrypting the transmitted information in the process of transmitting information in the current container or virtual machine, resulting in the information security of the transmission lower question.

本公开的其他特性和优点将通过下面的详细描述变得显然，或部分地通过本公开的实践而习得。Other features and advantages of the present disclosure will become apparent from the following detailed description, or in part, be learned by practice of the present disclosure.

根据本公开的一个方面，提供一种信息传输方法，应用于容器管理模块，方法包括：According to an aspect of the present disclosure, there is provided an information transmission method, which is applied to a container management module, and the method includes:

接收用户设备发送的加解密策略以及数据拦截规则；数据拦截规则包括容器的标识；Receive the encryption and decryption policies and data interception rules sent by the user equipment; the data interception rules include the identification of the container;

根据加解密策略以及数据拦截规则生成eBPF附着模块，以使eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The eBPF attachment module is generated according to the encryption and decryption policy and data interception rules, so that the eBPF attachment module determines the container to be intercepted according to the identity of the container, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption policy.

在本公开的一个实施例中，在接收用户设备发送的加解密策略以及数据拦截规则之前，方法还包括：In an embodiment of the present disclosure, before receiving the encryption and decryption policies and data interception rules sent by the user equipment, the method further includes:

接收用户设备发送的创建容器请求；Receive a container creation request sent by the user device;

根据创建容器请求创建容器；Create a container according to the create container request;

创建加密策略控制器；Create an encryption policy controller;

获取创建的容器的容器标识；Get the container ID of the created container;

将容器标识发送至加密策略控制器，以使加密策略控制器将容器标识发至用户设备。The container identification is sent to the encryption policy controller, so that the encryption policy controller sends the container identification to the user equipment.

在本公开的一个实施例中，接收用户设备发送的加解密策略以及数据拦截规则，包括：In an embodiment of the present disclosure, receiving the encryption and decryption policies and data interception rules sent by the user equipment includes:

接收加密策略控制器发送的加解密策略以及数据拦截规则，加解密策略以及数据拦截规则是加密策略控制器根据容器标识以及用户设备发送的安全关联、安全策略以及对应关系生成的；对应关系包括安全关联与容器标识的对应关系以及安全策略与容器标识的对应关系。Receive the encryption and decryption policies and data interception rules sent by the encryption policy controller. The encryption and decryption policies and data interception rules are generated by the encryption policy controller according to the container identifier and the security association, security policy and corresponding relationship sent by the user device; the corresponding relationship includes security The correspondence between associations and container IDs, and the correspondence between security policies and container IDs.

根据本公开的另一个方面，提供一种信息传输方法，应用于用户设备，方法包括：According to another aspect of the present disclosure, an information transmission method is provided, which is applied to a user equipment, and the method includes:

向容器管理模块发送加解密策略以及数据拦截规则；数据拦截规则包括容器的标识，以使容器管理模块根据加解密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。Send the encryption and decryption policy and data interception rules to the container management module; the data interception rules include the identification of the container, so that the container management module generates an eBPF attachment module according to the encryption and decryption policy and data interception rules, and the eBPF attachment module determines to be intercepted according to the identification of the container container, and encrypt and decrypt the transmission information of the intercepted container according to the encryption and decryption strategy.

在本公开的一个实施例中，方法还包括：In one embodiment of the present disclosure, the method also includes:

向容器管理模块发送创建容器请求，以使容器管理模块创建容器并创建加密策略控制器；Send a container creation request to the container management module, so that the container management module creates a container and creates an encryption policy controller;

接收用户设备根据加密策略控制器转发的容器标识。Receive the container identifier forwarded by the user equipment according to the encryption policy controller.

在本公开的一个实施例中，向容器管理模块发送加解密策略以及数据拦截规则，包括：In one embodiment of the present disclosure, the encryption and decryption policy and data interception rules are sent to the container management module, including:

根据容器标识生成安全关联以及安全策略；Generate security associations and security policies based on container identifiers;

将安全关联、安全策略以及对应关系发送至加密策略控制器，以使加密策略控制器根据容器标识以及用户设备发送的安全关联、安全策略以及对应关系生成加解密策略以及数据拦截规则。Send the security association, security policy and corresponding relationship to the encryption policy controller, so that the encryption policy controller generates encryption and decryption policies and data interception rules according to the container identifier and the security association, security policy and corresponding relationship sent by the user equipment.

根据本公开的再一个方面，提供一种信息传输装置，应用于容器管理模块，装置包括：According to another aspect of the present disclosure, an information transmission device is provided, which is applied to a container management module, and the device includes:

第一接收模块，用于接收用户设备发送的加解密策略以及数据拦截规则；数据拦截规则包括容器的标识；The first receiving module is used to receive the encryption and decryption policy and data interception rules sent by the user equipment; the data interception rules include the identification of the container;

生成模块，用于根据加解密策略以及数据拦截规则生成eBPF附着模块，以使eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The generation module is used to generate the eBPF attachment module according to the encryption and decryption policy and data interception rules, so that the eBPF attachment module determines the container to be intercepted according to the container identification, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption policy.

在本公开的一个实施例中，装置还包括：In one embodiment of the present disclosure, the device further includes:

第二接收模块，在接收用户设备发送的加解密策略以及数据拦截规则之前，用于接收用户设备发送的创建容器请求；The second receiving module is used to receive the container creation request sent by the user equipment before receiving the encryption and decryption policy and the data interception rules sent by the user equipment;

第一创建模块，用于根据创建容器请求创建容器；A first creation module, configured to create a container according to a container creation request;

第二创建模块，用于创建加密策略控制器；The second creation module is used to create an encryption policy controller;

获取模块，用于获取创建的容器的容器标识；The acquisition module is used to obtain the container ID of the created container;

第二发送模块，用于将容器标识发送至加密策略控制器，以使加密策略控制器将容器标识发至用户设备。The second sending module is configured to send the container ID to the encryption policy controller, so that the encryption policy controller sends the container ID to the user equipment.

在本公开的一个实施例中，第一接收模块，包括：In one embodiment of the present disclosure, the first receiving module includes:

接收单元，用于接收加密策略控制器发送的加解密策略以及数据拦截规则，加解密策略以及数据拦截规则是加密策略控制器根据容器标识以及用户设备发送的安全关联、安全策略以及对应关系生成的；对应关系包括安全关联与容器标识的对应关系以及安全策略与容器标识的对应关系。The receiving unit is configured to receive the encryption and decryption policies and data interception rules sent by the encryption policy controller. The encryption and decryption policies and data interception rules are generated by the encryption policy controller according to the container identifier and the security association, security policy and corresponding relationship sent by the user equipment ; The corresponding relationship includes the corresponding relationship between the security association and the container ID, and the corresponding relationship between the security policy and the container ID.

根据本公开的又一个方面，提供一种信息传输装置，应用于用户设备，装置包括：According to yet another aspect of the present disclosure, an information transmission device is provided, which is applied to a user equipment, and the device includes:

第一发送模块，用于向容器管理模块发送加解密策略以及数据拦截规则；数据拦截规则包括容器的标识，以使容器管理模块根据加解密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The first sending module is used to send the encryption and decryption policy and the data interception rule to the container management module; the data interception rule includes the identification of the container, so that the container management module generates an eBPF attachment module according to the encryption and decryption policy and the data interception rule, and the eBPF attachment module Determine the container to be intercepted according to the identifier of the container, and encrypt and decrypt the transmission information of the intercepted container according to the encryption and decryption strategy.

第三发送模块，用于向容器管理模块发送创建容器请求，以使容器管理模块创建容器并创建加密策略控制器；The third sending module is configured to send a container creation request to the container management module, so that the container management module creates a container and creates an encryption policy controller;

第三接收模块，用于接收用户设备根据加密策略控制器转发的容器标识。The third receiving module is configured to receive the container identifier forwarded by the user equipment according to the encryption policy controller.

在本公开的一个实施例中，第一发送模块，包括：In one embodiment of the present disclosure, the first sending module includes:

生成单元，用于根据容器标识生成安全关联以及安全策略；a generating unit, configured to generate a security association and a security policy according to the container identifier;

发送单元，用于将安全关联、安全策略以及对应关系发送至加密策略控制器，以使加密策略控制器根据容器标识以及用户设备发送的安全关联、安全策略以及对应关系生成加解密策略以及数据拦截规则。The sending unit is configured to send the security association, the security policy, and the corresponding relationship to the encryption policy controller, so that the encryption policy controller generates an encryption and decryption policy and data interception according to the container identifier and the security association, security policy, and corresponding relationship sent by the user equipment rule.

根据本公开的再一个方面，提供一种电子设备，包括：处理器；以及存储器，用于存储处理器的可执行指令；其中，处理器配置为经由执行可执行指令来执行上述的信息传输方法。According to another aspect of the present disclosure, there is provided an electronic device, including: a processor; and a memory for storing executable instructions of the processor; wherein, the processor is configured to execute the above information transmission method by executing the executable instructions .

根据本公开的又一个方面，提供一种计算机可读存储介质，其上存储有计算机程序，计算机程序被处理器执行时实现上述的信息传输方法。According to yet another aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, and when the computer program is executed by a processor, the above information transmission method is implemented.

本公开的实施例所提供的信息传输方法，通过接收用户设备发送的加密策略以及数据拦截规则，然后根据加密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，根据加解密策略将拦截的容器的传输信息进行加解密。根据生成的eBPF附着模块对容器传输的信息进行加解密，避免了容器管理模块无法感知容器，且容器难以通过自身对传输的信息进行加解密的问题，在容器传输信息的过程中，提高了容器传输的信息的安全性。The information transmission method provided by the embodiments of the present disclosure receives the encryption policy and data interception rules sent by the user equipment, and then generates an eBPF attachment module according to the encryption policy and data interception rules, and the eBPF attachment module determines the to-be-intercepted The container encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption strategy. According to the generated eBPF attachment module, the information transmitted by the container is encrypted and decrypted, which avoids the problem that the container management module cannot perceive the container, and it is difficult for the container to encrypt and decrypt the transmitted information by itself. Security of Information Transmitted.

应当理解的是，以上的一般描述和后文的细节描述仅是示例性和解释性的，并不能限制本公开。It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the present disclosure.

附图说明Description of drawings

此处的附图被并入说明书中并构成本说明书的一部分，示出了符合本公开的实施例，并与说明书一起用于解释本公开的原理。显而易见地，下面描述中的附图仅仅是本公开的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description serve to explain the principles of the disclosure. Apparently, the drawings in the following description are only some embodiments of the present disclosure, and those skilled in the art can obtain other drawings according to these drawings without creative efforts.

图1示出本公开实施例中一种信息传输系统结构的示意图；FIG. 1 shows a schematic diagram of the structure of an information transmission system in an embodiment of the present disclosure;

图2示出本公开实施例中一种信息传输方法流程图；FIG. 2 shows a flowchart of an information transmission method in an embodiment of the present disclosure;

图3示出本公开实施例中另一种信息传输方法流程图；FIG. 3 shows a flowchart of another information transmission method in an embodiment of the present disclosure;

图4示出本公开实施例中再一种信息传输方法流程图；FIG. 4 shows a flowchart of another information transmission method in an embodiment of the present disclosure;

图5示出本公开实施例中又一种信息传输方法流程图；FIG. 5 shows a flowchart of another information transmission method in an embodiment of the present disclosure;

图6示出本公开实施例中一种信息传输装置示意图；FIG. 6 shows a schematic diagram of an information transmission device in an embodiment of the present disclosure;

图7示出本公开实施例中另一种信息传输装置示意图；和FIG. 7 shows a schematic diagram of another information transmission device in an embodiment of the present disclosure; and

图8示出本公开实施例中一种电子设备的结构框图。Fig. 8 shows a structural block diagram of an electronic device in an embodiment of the present disclosure.

具体实施方式Detailed ways

现在将参考附图更全面地描述示例实施方式。然而，示例实施方式能够以多种形式实施，且不应被理解为限于在此阐述的范例；相反，提供这些实施方式使得本公开将更加全面和完整，并将示例实施方式的构思全面地传达给本领域的技术人员。所描述的特征、结构或特性可以以任何合适的方式结合在一个或更多实施方式中。Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

此外，附图仅为本公开的示意性图解，并非一定是按比例绘制。图中相同的附图标记表示相同或类似的部分，因而将省略对它们的重复描述。附图中所示的一些方框图是功能实体，不一定必须与物理或逻辑上独立的实体相对应。可以采用软件形式来实现这些功能实体，或在一个或多个硬件模块或集成电路中实现这些功能实体，或在不同网络和/或处理器装置和/或微控制器装置中实现这些功能实体。Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus repeated descriptions thereof will be omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different network and/or processor means and/or microcontroller means.

应当理解，本公开的方法实施方式中记载的各个步骤可以按照不同的顺序执行，和/或并行执行。此外，方法实施方式可以包括附加的步骤和/或省略执行示出的步骤。本公开的范围在此方面不受限制。It should be understood that the various steps described in the method implementations of the present disclosure may be executed in different orders, and/or executed in parallel. Additionally, method embodiments may include additional steps and/or omit performing illustrated steps. The scope of the present disclosure is not limited in this regard.

需要注意，本公开中提及的“第一”、“第二”等概念仅用于对不同的装置、模块或单元进行区分，并非用于限定这些装置、模块或单元所执行的功能的顺序或者相互依存关系。It should be noted that concepts such as "first" and "second" mentioned in this disclosure are only used to distinguish different devices, modules or units, and are not used to limit the sequence of functions performed by these devices, modules or units or interdependence.

需要注意，本公开中提及的“一个”、“多个”的修饰是示意性而非限制性的，本领域技术人员应当理解，除非在上下文另有明确指出，否则应该理解为“一个或多个”。It should be noted that the modifications of "one" and "multiple" mentioned in the present disclosure are illustrative and not restrictive, and those skilled in the art should understand that unless the context clearly indicates otherwise, it should be understood as "one or more" multiple".

为了解决上述问题，本公开实施例提供了一种信息传输方法、装置、设备及存储介质。In order to solve the above problems, embodiments of the present disclosure provide an information transmission method, device, device, and storage medium.

为了便于理解，本公开实施例首先介绍信息传输系统。For ease of understanding, the embodiments of the present disclosure first introduce an information transmission system.

图1示出了本公开实施例中一种信息传输系统架构图。Fig. 1 shows an architecture diagram of an information transmission system in an embodiment of the present disclosure.

如图1所示，信息传输系统10可以包括：As shown in Figure 1, the information transmission system 10 may include:

容器管理模块102以及用户设备104；container management module 102 and user equipment 104;

用户设备104用于向容器管理模块102发送加解密策略以及数据拦截规则；The user equipment 104 is used to send the encryption and decryption policy and data interception rules to the container management module 102;

容器管理模块102，用于根据加解密策略以及数据拦截规则生成eBPF附着模块，以使eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The container management module 102 is configured to generate an eBPF attachment module according to the encryption and decryption policy and data interception rules, so that the eBPF attachment module determines the container to be intercepted according to the identifier of the container, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption policy .

在一个实施例中，用户设备可以为终端设备。In an embodiment, the user equipment may be a terminal equipment.

终端设备可以是各种电子设备，包括但不限于智能手机、平板电脑、膝上型便携计算机、台式计算机、可穿戴设备、增强现实设备、虚拟现实设备等。Terminal devices may be various electronic devices, including but not limited to smart phones, tablet computers, laptop computers, desktop computers, wearable devices, augmented reality devices, virtual reality devices, and the like.

可选地，不同的终端设备中安装的应用程序的客户端是相同的，或基于不同操作系统的同一类型应用程序的客户端。基于终端平台的不同，该应用程序的客户端的具体形态也可以不同，比如，该应用程序客户端可以是手机客户端、PC客户端等。Optionally, clients of application programs installed in different terminal devices are the same, or clients of the same type of application programs based on different operating systems. Based on different terminal platforms, the specific form of the client of the application program may also be different, for example, the client of the application program may be a mobile phone client, a PC client, and the like.

在一个实施例中，应用管理模块可以被配置在服务器上。In one embodiment, the application management module can be configured on a server.

服务器可以是提供各种服务的服务器，例如对用户利用终端设备所进行操作的装置提供支持的后台管理服务器。后台管理服务器可以对接收到的请求等数据进行分析等处理，并将处理结果反馈给终端设备。The server may be a server that provides various services, such as a background management server that provides support for devices operated by users using terminal equipment. The background management server can analyze and process the received data such as requests, and feed back the processing results to the terminal device.

可选地，服务器可以是独立的物理服务器，也可以是多个物理服务器构成的服务器集群或者分布式系统，还可以是提供云服务、云数据库、云计算、云函数、云存储、网络服务、云通信、中间件服务、域名服务、安全服务、CDN(Content Delivery Network，内容分发网络)、以及大数据和人工智能平台等基础云计算服务的云服务器。终端可以是智能手机、平板电脑、笔记本电脑、台式计算机、智能音箱、智能手表等，但并不局限于此。终端以及服务器可以通过有线或无线通信方式进行直接或间接地连接，本申请在此不做限制。Optionally, the server can be an independent physical server, or a server cluster or a distributed system composed of multiple physical servers, and can also provide cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, Cloud servers for basic cloud computing services such as cloud communications, middleware services, domain name services, security services, CDN (Content Delivery Network, content distribution network), and big data and artificial intelligence platforms. The terminal may be a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, etc., but is not limited thereto. The terminal and the server may be connected directly or indirectly through wired or wireless communication, which is not limited in this application.

在一个实施例中，网络用以在终端设备和服务器之间提供通信链路的介质，可以是有线网络，也可以是无线网络。In an embodiment, the medium used by the network to provide a communication link between the terminal device and the server may be a wired network or a wireless network.

可选地，上述的无线网络或有线网络使用标准通信技术和/或协议。网络通常为因特网、但也可以是任何网络，包括但不限于局域网(Local Area Network，LAN)、城域网(Metropolitan Area Network，MAN)、广域网(Wide Area Network，WAN)、移动、有线或者无线网络、专用网络或者虚拟专用网络的任何组合)。在一些实施例中，使用包括超文本标记语言(Hyper Text Mark-up Language，HTML)、可扩展标记语言(ExtensibleMarkupLanguage，XML)等的技术和/或格式来代表通过网络交换的数据。此外还可以使用诸如安全套接字层(Secure Socket Layer，SSL)、传输层安全(Transport Layer Security，TLS)、虚拟专用网络(Virtual Private Network，VPN)、网际协议安全(InternetProtocolSecurity，IPsec)等常规加密技术来加密所有或者一些链路。在另一些实施例中，还可以使用定制和/或专用数据通信技术取代或者补充上述数据通信技术。Optionally, the aforementioned wireless network or wired network uses standard communication technologies and/or protocols. The network is usually the Internet, but can be any network, including but not limited to Local Area Network (LAN), Metropolitan Area Network (MAN), Wide Area Network (WAN), mobile, wired or wireless network, private network, or any combination of virtual private networks). In some embodiments, data exchanged over a network is represented using technologies and/or formats including Hyper Text Mark-up Language (HTML), Extensible Markup Language (XML), and the like. In addition, conventional methods such as Secure Socket Layer (Secure Socket Layer, SSL), Transport Layer Security (Transport Layer Security, TLS), Virtual Private Network (Virtual Private Network, VPN), Internet Protocol Security (Internet Protocol Security, IPsec) can also be used. Encryption technology to encrypt all or some links. In some other embodiments, customized and/or dedicated data communication technologies may also be used to replace or supplement the above data communication technologies.

本领域技术人员可以知晓，图1中的终端设备、网络和服务器的数量仅仅是示意性的，根据实际需要，可以具有任意数目的终端设备、网络和服务器。本公开实施例对此不作限定。Those skilled in the art may know that the numbers of terminal devices, networks and servers in FIG. 1 are only illustrative, and there may be any number of terminal devices, networks and servers according to actual needs. The embodiment of the present disclosure does not limit this.

下面结合附图及实施例对本示例实施方式进行详细说明。The exemplary implementation manner will be described in detail below in conjunction with the accompanying drawings and embodiments.

首先，本公开实施例中提供了一种信息传输方法，应用于容器管理模块，该方法可以由任意具备计算处理能力的电子设备执行。First, an information transmission method is provided in an embodiment of the present disclosure, which is applied to a container management module, and the method can be executed by any electronic device capable of computing and processing.

图2示出本公开实施例中一种信息传输方法流程图，如图1所示，本公开实施例中提供的信息传输方法包括如下步骤：Fig. 2 shows a flow chart of an information transmission method in an embodiment of the present disclosure. As shown in Fig. 1, the information transmission method provided in an embodiment of the present disclosure includes the following steps:

步骤S202，接收用户设备发送的加解密策略以及数据拦截规则；数据拦截规则包括容器的标识。Step S202, receiving the encryption and decryption policy and the data interception rules sent by the user equipment; the data interception rules include the identifier of the container.

在一个实施例中容器管理模块可以包括对容器进行管理的内核。In one embodiment, the container management module may include a kernel for managing containers.

在一个实施例中，容器可以包括Pod或Service。In one embodiment, a container may include a Pod or a Service.

容器的标识可以包括容器的接口或端口的标识，容器的标识还可以包括容器的IP地址。The identifier of the container may include an identifier of an interface or port of the container, and the identifier of the container may also include an IP address of the container.

在一个实施例中，接收用户设备发送的加解密策略以及数据拦截规则可以包括：In an embodiment, receiving the encryption and decryption policies and data interception rules sent by the user equipment may include:

在一个实施例中，用户设备可以根据安全关联、安全策略以及获取的容器标识确定安全关联与容器标识的对应关系、安全策略与容器标识的对应关系。In an embodiment, the user equipment may determine the corresponding relationship between the security association and the container ID, and the corresponding relationship between the security policy and the container ID according to the security association, the security policy, and the acquired container ID.

在确定上述对应关系之后，用户设备可以将上述对应关系、安全策略以及安全关联发送至加密策略控制器。由加密策略控制器根据对应关系、安全策略以及安全关联生成加密策略以及数据拦截规则。After the above correspondence is determined, the user equipment may send the above correspondence, the security policy, and the security association to the encryption policy controller. The encryption policy controller generates encryption policies and data interception rules according to the correspondence, security policies, and security associations.

在加密策略控制器生成加密策略以及数据拦截规则之后，可以将生成的加密策略以及数据拦截规则发送至容器管理模块。After the encryption policy controller generates the encryption policy and the data interception rule, the generated encryption policy and the data interception rule may be sent to the container management module.

在一个实施例中，加密策略控制器可以首先将加密策略以及数据拦截规则发送至字节码生成器，由字节码生成器将上述加密策略以及数据拦截规则生成能够被容器管理模块识别的汇编语言，然后将上述汇编语言发送至容器管理模块。In one embodiment, the encryption policy controller may first send the encryption policy and data interception rules to the bytecode generator, and the bytecode generator generates the above-mentioned encryption policy and data interception rules into an assembly that can be recognized by the container management module language, and then send the above assembly language to the container management module.

需要说明的是，加密策略控制器可以配置在容器管理模块上，It should be noted that the encryption policy controller can be configured on the container management module,

步骤S204，根据加解密策略以及数据拦截规则生成eBPF附着模块，以使eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。Step S204, generate an eBPF attachment module according to the encryption and decryption policy and data interception rules, so that the eBPF attachment module determines the container to be intercepted according to the container identifier, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption policy.

在一个实施例中，eBPF附着模块可以调用容器管理模块对容器进行拦截。In one embodiment, the eBPF attachment module can call the container management module to intercept the container.

在一个实施例中，eBPF附着模块可以与用户设备实时进行数据传输。In one embodiment, the eBPF attach module can perform data transmission with the user equipment in real time.

在一个实施例中，用户设备可以将更新后的加解密策略以及数据拦截规则发送至eBPF附着模块，由eBPF附着模块根据更新后的加解密策略以及数据拦截规则对容器传输的数据包进行拦截并进行加解密操作。In one embodiment, the user equipment can send the updated encryption and decryption policy and data interception rules to the eBPF attachment module, and the eBPF attachment module intercepts the data packets transmitted by the container according to the updated encryption and decryption policies and data interception rules and Perform encryption and decryption operations.

图3示出本公开实施例中另一种信息传输方法流程图，如,3所示，本公开实施例中提供的信息传输方法包括如下步骤：FIG. 3 shows a flow chart of another information transmission method in the embodiment of the disclosure. As shown in 3, the information transmission method provided in the embodiment of the disclosure includes the following steps:

S302，接收用户设备发送的创建容器请求。S302. Receive a container creation request sent by the user equipment.

在一个实施例中，用户设备可以直接向容器管理模块发送创建容器请求。In one embodiment, the user equipment may directly send a container creation request to the container management module.

S304，根据创建容器请求创建容器。S304. Create a container according to the container creation request.

S306，创建加密策略控制器。S306. Create an encryption policy controller.

在一个实施例中，本公开并不对创建容器与创建加密策略控制器的顺序进行限制。In one embodiment, the present disclosure does not limit the sequence of creating the container and creating the encryption policy controller.

S308，获取创建的容器的容器标识。S308. Obtain the container identifier of the created container.

在一个实施例中，容器的标识可以包括容器的名称或容器端口的标识。In one embodiment, the identifier of the container may include the name of the container or the identifier of the port of the container.

S310，将容器标识发送至加密策略控制器，以使加密策略控制器将容器标识发至用户设备。S310. Send the container identifier to the encryption policy controller, so that the encryption policy controller sends the container identifier to the user equipment.

在一个实施例中，加密策略控制器可以不将上述容器标识发送至用户设备，而是在接收到用户设备发送的安全关联和安全策略后，直接根据安全关联、安全策略以及用户标识生成加解密策略以及数据拦截规则。In an embodiment, the encryption policy controller may not send the above-mentioned container ID to the user equipment, but directly generates encryption and decryption according to the security association, security policy, and user ID after receiving the security association and security policy sent by the user equipment. Policies and data blocking rules.

在一个实施例中，加密策略控制器可以在接收到用户设备发送的安全关联以及安全策略后可以将安全关联、安全策略以及容器的标识发送至字节码生成器，由字节码生成器编码后发送至容器管理模块。In one embodiment, after receiving the security association and the security policy sent by the user equipment, the encryption policy controller can send the security association, the security policy, and the identifier of the container to the bytecode generator, and the bytecode generator encodes the and then sent to the container management module.

本公开实施例中，容器管理模块接收用户设备发送的的创建容器请求，根据创建容器请求创建容器，然后创建加密策略控制器，由加密策略控制器将容器标识转发至用户设备，以便于用户设备基于容器标识生成加解密策略以及数据拦截规则。基于容器标识生成加解密策略以及数据拦截规则，可以使得在对容器进行拦截的过程中，对容器拦截更加准确。In the embodiment of the present disclosure, the container management module receives the container creation request sent by the user equipment, creates a container according to the container creation request, and then creates an encryption policy controller, and the encryption policy controller forwards the container identifier to the user equipment, so that the user equipment Generate encryption and decryption policies and data interception rules based on container identifiers. Generating encryption and decryption policies and data interception rules based on container identifiers can make container interception more accurate during the process of intercepting containers.

基于相同的发明构思，本公开实施例中提供了再一种信息传输方法，应用于用户设备，该方法可以由任意具备计算处理能力的电子设备执行。Based on the same inventive concept, another information transmission method is provided in the embodiments of the present disclosure, which is applied to a user equipment, and the method can be executed by any electronic device with computing and processing capabilities.

图4示出本公开实施例中再一种信息传输方法流程图，如,4所示，本公开实施例中提供的信息传输方法包括如下步骤：FIG. 4 shows a flowchart of another information transmission method in the embodiment of the present disclosure. As shown in 4, the information transmission method provided in the embodiment of the present disclosure includes the following steps:

S402，向容器管理模块发送加解密策略以及数据拦截规则；数据拦截规则包括容器的标识，以使容器管理模块根据加解密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。S402, sending the encryption and decryption policy and the data interception rule to the container management module; the data interception rule includes the identification of the container, so that the container management module generates an eBPF attachment module according to the encryption and decryption policy and the data interception rule, which is determined by the eBPF attachment module according to the identification of the container The container to be intercepted, and the transmission information of the intercepted container is encrypted and decrypted according to the encryption and decryption strategy.

在一个实施例中，向容器管理模块发送加解密策略以及数据拦截规则，包括：In one embodiment, the encryption and decryption policy and data interception rules are sent to the container management module, including:

在一个实施例中，上述实施例已经对上述步骤进行了详细的说明，此处不再赘述。In one embodiment, the above-mentioned steps have been described in detail in the above-mentioned embodiments, and details are not repeated here.

基于相同的发明构思，本公开实施例中提供了又一种信息传输方法，应用于用户设备，该方法可以由任意具备计算处理能力的电子设备执行。Based on the same inventive concept, another information transmission method is provided in the embodiments of the present disclosure, which is applied to a user equipment, and the method can be executed by any electronic device with computing and processing capabilities.

图5示出本公开实施例中又一种信息传输方法流程图，如图5所示，本公开实施例中提供的信息传输方法包括如下步骤：Fig. 5 shows a flowchart of another information transmission method in the embodiment of the present disclosure. As shown in Fig. 5, the information transmission method provided in the embodiment of the present disclosure includes the following steps:

S502，向容器管理模块发送创建容器请求，以使容器管理模块创建容器并创建加密策略控制器；S502. Send a container creation request to the container management module, so that the container management module creates a container and creates an encryption policy controller;

S504，接收用户设备根据加密策略控制器转发的容器标识。S504. Receive the container identifier forwarded by the user equipment according to the encryption policy controller.

基于同一发明构思，本公开实施例中还提供了一种信息传输装置，如下面的实施例。由于该装置实施例解决问题的原理与上述方法实施例相似，因此该装置实施例的实施可以参见上述方法实施例的实施，重复之处不再赘述。Based on the same inventive concept, embodiments of the present disclosure also provide an information transmission device, such as the following embodiments. Since the problem-solving principle of this device embodiment is similar to that of the above-mentioned method embodiment, the implementation of this device embodiment can refer to the implementation of the above-mentioned method embodiment, and repeated descriptions will not be repeated.

图6示出本公开实施例中一种信息传输装置示意图，如图6所示，信息传输装置600包括：FIG. 6 shows a schematic diagram of an information transmission device in an embodiment of the present disclosure. As shown in FIG. 6, the information transmission device 600 includes:

第一接收模块602，用于接收用户设备发送的加解密策略以及数据拦截规则；数据拦截规则包括容器的标识；The first receiving module 602 is configured to receive the encryption and decryption policy and data interception rules sent by the user equipment; the data interception rules include the identification of the container;

生成模块604，用于根据加解密策略以及数据拦截规则生成eBPF附着模块，以使eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The generating module 604 is configured to generate an eBPF attachment module according to the encryption and decryption policy and data interception rules, so that the eBPF attachment module determines the container to be intercepted according to the container identifier, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption policy.

本公开的实施例所提供的信息传输装置，通过接收用户设备发送的加密策略以及数据拦截规则，然后根据加密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，根据加解密策略将拦截的容器的传输信息进行加解密。根据生成的eBPF附着模块对容器传输的信息进行加解密，避免了容器管理模块无法感知容器，且容器难以通过自身对传输的信息进行加解密的问题，在容器传输信息的过程中，提高了容器传输的信息的安全性。The information transmission device provided by the embodiments of the present disclosure receives the encryption policy and data interception rules sent by the user equipment, and then generates an eBPF attachment module according to the encryption policy and data interception rules, and the eBPF attachment module determines the to-be-intercepted The container encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption strategy. According to the generated eBPF attachment module, the information transmitted by the container is encrypted and decrypted, which avoids the problem that the container management module cannot perceive the container, and it is difficult for the container to encrypt and decrypt the transmitted information by itself. Security of Information Transmitted.

图7示出本公开实施例中另一种信息传输装置示意图，如图7所示，该信息传输装置700包括：FIG. 7 shows a schematic diagram of another information transmission device in an embodiment of the present disclosure. As shown in FIG. 7, the information transmission device 700 includes:

第一发送模块702，用于向容器管理模块发送加解密策略以及数据拦截规则；数据拦截规则包括容器的标识，以使容器管理模块根据加解密策略以及数据拦截规则生成eBPF附着模块，由eBPF附着模块根据容器的标识确定待拦截的容器，并根据加解密策略将拦截的容器的传输信息进行加解密。The first sending module 702 is used to send the encryption and decryption policy and data interception rules to the container management module; the data interception rules include the identification of the container, so that the container management module generates an eBPF attachment module according to the encryption and decryption policy and the data interception rules, and is attached by eBPF The module determines the container to be intercepted according to the identification of the container, and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption strategy.

所属技术领域的技术人员能够理解，本公开的各个方面可以实现为系统、方法或程序产品。因此，本公开的各个方面可以具体实现为以下形式，即：完全的硬件实施方式、完全的软件实施方式(包括固件、微代码等)，或硬件和软件方面结合的实施方式，这里可以统称为“电路”、“模块”或“系统”。Those skilled in the art can understand that various aspects of the present disclosure can be implemented as a system, method or program product. Therefore, various aspects of the present disclosure can be embodied in the following forms, namely: a complete hardware implementation, a complete software implementation (including firmware, microcode, etc.), or a combination of hardware and software, which can be collectively referred to herein as "circuit", "module" or "system".

下面参照图8来描述根据本公开的这种实施方式的电子设备800。图8显示的电子设备800仅仅是一个示例，不应对本公开实施例的功能和使用范围带来任何限制。An electronic device 800 according to this embodiment of the present disclosure is described below with reference to FIG. 8 . The electronic device 800 shown in FIG. 8 is only an example, and should not limit the functions and application scope of the embodiments of the present disclosure.

如图8所示，电子设备800以通用计算设备的形式表现。电子设备800的组件可以包括但不限于：上述至少一个处理单元810、上述至少一个存储单元820、连接不同系统组件(包括存储单元820和处理单元810)的总线830。As shown in FIG. 8, electronic device 800 takes the form of a general-purpose computing device. Components of the electronic device 800 may include but not limited to: at least one processing unit 810 , at least one storage unit 820 , and a bus 830 connecting different system components (including the storage unit 820 and the processing unit 810 ).

其中，存储单元存储有程序代码，程序代码可以被处理单元810执行，使得处理单元810执行本说明书上述“示例性方法”部分中描述的根据本公开各种示例性实施方式的步骤。例如，处理单元810可以执行上述方法实施例的如下步骤：Wherein, the storage unit stores program codes, and the program codes can be executed by the processing unit 810, so that the processing unit 810 executes the steps according to various exemplary embodiments of the present disclosure described in the "Exemplary Method" section of this specification. For example, the processing unit 810 may perform the following steps in the foregoing method embodiments:

存储单元820可以包括易失性存储单元形式的可读介质，例如随机存取存储单元(RAM)8201和/或高速缓存存储单元8202，还可以进一步包括只读存储单元(ROM)8203。The storage unit 820 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 8201 and/or a cache storage unit 8202 , and may further include a read-only storage unit (ROM) 8203 .

存储单元820还可以包括具有一组(至少一个)程序模块8205的程序/实用工具8204，这样的程序模块8205包括但不限于：操作系统、一个或者多个应用程序、其它程序模块以及程序数据，这些示例中的每一个或某种组合中可能包括网络环境的实现。Storage unit 820 may also include programs/utilities 8204 having a set (at least one) of program modules 8205, such program modules 8205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, Implementations of networked environments may be included in each or some combination of these examples.

总线830可以为表示几类总线结构中的一种或多种，包括存储单元总线或者存储单元控制器、外围总线、图形加速端口、处理单元或者使用多种总线结构中的任意总线结构的局域总线。Bus 830 may represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local area using any of a variety of bus structures. bus.

电子设备800也可以与一个或多个外部设备840(例如键盘、指向设备、蓝牙设备等)通信，还可与一个或者多个使得用户能与该电子设备800交互的设备通信，和/或与使得该电子设备800能与一个或多个其它计算设备进行通信的任何设备(例如路由器、调制解调器等等)通信。这种通信可以通过输入/输出(I/O)接口850进行。并且，电子设备800还可以通过网络适配器860与一个或者多个网络(例如局域网(LAN)，广域网(WAN)和/或公共网络，例如因特网)通信。如图所示，网络适配器860通过总线830与电子设备800的其它模块通信。应当明白，尽管图中未示出，可以结合电子设备800使用其它硬件和/或软件模块，包括但不限于：微代码、设备驱动器、冗余处理单元、外部磁盘驱动阵列、RAID系统、磁带驱动器以及数据备份存储系统等。The electronic device 800 can also communicate with one or more external devices 840 (such as keyboards, pointing devices, Bluetooth devices, etc.), and can also communicate with one or more devices that enable the user to interact with the electronic device 800, and/or communicate with Any device (eg, router, modem, etc.) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interface 850 . Moreover, the electronic device 800 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 860 . As shown, network adapter 860 communicates with other modules of electronic device 800 via bus 830 . It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives And data backup storage system, etc.

通过以上的实施方式的描述，本领域的技术人员易于理解，这里描述的示例实施方式可以通过软件实现，也可以通过软件结合必要的硬件的方式来实现。因此，根据本公开实施方式的技术方案可以以软件产品的形式体现出来，该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM，U盘，移动硬盘等)中或网络上，包括若干指令以使得一台计算设备(可以是个人计算机、服务器、终端装置、或者网络设备等)执行根据本公开实施方式的方法。Through the description of the above implementations, those skilled in the art can easily understand that the example implementations described here can be implemented by software, or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of the present disclosure can be embodied in the form of software products, and the software products can be stored in a non-volatile storage medium (which can be CD-ROM, U disk, mobile hard disk, etc.) or on the network , including several instructions to make a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present disclosure.

在本公开的示例性实施例中，还提供了一种计算机可读存储介质，该计算机可读存储介质可以是可读信号介质或者可读存储介质。其上存储有能够实现本公开上述方法的程序产品。在一些可能的实施方式中，本公开的各个方面还可以实现为一种程序产品的形式，其包括程序代码，当程序产品在终端设备上运行时，程序代码用于使终端设备执行本说明书上述“示例性方法”部分中描述的根据本公开各种示例性实施方式的步骤。In an exemplary embodiment of the present disclosure, a computer-readable storage medium is also provided, and the computer-readable storage medium may be a readable signal medium or a readable storage medium. A program product capable of realizing the above-mentioned methods of the present disclosure is stored thereon. In some possible implementations, various aspects of the present disclosure can also be implemented in the form of a program product, which includes program code. When the program product runs on the terminal device, the program code is used to make the terminal device execute the above-mentioned Steps according to various exemplary embodiments of the present disclosure described in the "Exemplary Methods" section.

本公开中的计算机可读存储介质的更具体的例子可以包括但不限于：具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机访问存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。More specific examples of computer-readable storage media in this disclosure may include, but are not limited to: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), Erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above.

在本公开中，计算机可读存储介质可以包括在基带中或者作为载波一部分传播的数据信号，其中承载了可读程序代码。这种传播的数据信号可以采用多种形式，包括但不限于电磁信号、光信号或上述的任意合适的组合。可读信号介质还可以是可读存储介质以外的任何可读介质，该可读介质可以发送、传播或者传输用于由指令执行系统、装置或者器件使用或者与其结合使用的程序。In the present disclosure, a computer-readable storage medium may include a data signal carrying readable program code in baseband or as part of a carrier wave traveling as a data signal. Such propagated data signals may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium other than a readable storage medium that can transmit, propagate, or transport a program for use by or in conjunction with an instruction execution system, apparatus, or device.

可选地，计算机可读存储介质上包含的程序代码可以用任何适当的介质传输，包括但不限于无线、有线、光缆、RF等等，或者上述的任意合适的组合。Alternatively, program code contained on a computer-readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, cable, optical cable, RF, etc., or any suitable combination of the above.

在具体实施时，可以以一种或多种程序设计语言的任意组合来编写用于执行本公开操作的程序代码，程序设计语言包括面向对象的程序设计语言—诸如Java、C++等，还包括常规的过程式程序设计语言—诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算设备上执行、部分地在用户设备上执行、作为一个独立的软件包执行、部分在用户计算设备上部分在远程计算设备上执行、或者完全在远程计算设备或服务器上执行。在涉及远程计算设备的情形中，远程计算设备可以通过任意种类的网络，包括局域网(LAN)或广域网(WAN)，连接到用户计算设备，或者，可以连接到外部计算设备(例如利用因特网服务提供商来通过因特网连接)。During specific implementation, the program code for performing the operations of the present disclosure can be written in any combination of one or more programming languages, and the programming language includes an object-oriented programming language—such as Java, C++, etc., and also includes conventional A procedural programming language—such as "C" or a similar programming language. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server to execute. In cases involving a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (e.g., using an Internet service provider). business to connect via the Internet).

应当注意，尽管在上文详细描述中提及了用于动作执行的设备的若干模块或者单元，但是这种划分并非强制性的。实际上，根据本公开的实施方式，上文描述的两个或更多模块或者单元的特征和功能可以在一个模块或者单元中具体化。反之，上文描述的一个模块或者单元的特征和功能可以进一步划分为由多个模块或者单元来具体化。It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, this division is not mandatory. Actually, according to the embodiment of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided to be embodied by a plurality of modules or units.

此外，尽管在附图中以特定顺序描述了本公开中方法的各个步骤，但是，这并非要求或者暗示必须按照该特定顺序来执行这些步骤，或是必须执行全部所示的步骤才能实现期望的结果。附加的或备选的，可以省略某些步骤，将多个步骤合并为一个步骤执行，以及/或者将一个步骤分解为多个步骤执行等。In addition, although steps of the methods of the present disclosure are depicted in the drawings in a particular order, there is no requirement or implication that the steps must be performed in that particular order, or that all illustrated steps must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step for execution, and/or one step may be decomposed into multiple steps for execution, etc.

通过以上实施方式的描述，本领域的技术人员易于理解，这里描述的示例实施方式可以通过软件实现，也可以通过软件结合必要的硬件的方式来实现。因此，根据本公开实施方式的技术方案可以以软件产品的形式体现出来，该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM，U盘，移动硬盘等)中或网络上，包括若干指令以使得一台计算设备(可以是个人计算机、服务器、移动终端、或者网络设备等)执行根据本公开实施方式的方法。Through the description of the above embodiments, those skilled in the art can easily understand that the example embodiments described here can be implemented by software, or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of the present disclosure can be embodied in the form of software products, and the software products can be stored in a non-volatile storage medium (which can be CD-ROM, U disk, mobile hard disk, etc.) or on the network , including several instructions to make a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) execute the method according to the embodiments of the present disclosure.

本领域技术人员在考虑说明书及实践这里公开的发明后，将容易想到本公开的其它实施方案。本公开旨在涵盖本公开的任何变型、用途或者适应性变化，这些变型、用途或者适应性变化遵循本公开的一般性原理并包括本公开未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的，本公开的真正范围和精神由所附的权利要求指出。Other embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present disclosure is intended to cover any modification, use or adaptation of the present disclosure. These modifications, uses or adaptations follow the general principles of the present disclosure and include common knowledge or conventional technical means in the technical field not disclosed in the present disclosure. . The specification and examples are to be considered exemplary only, with the true scope and spirit of the disclosure indicated by the appended claims.

Claims

1. An information transmission method is applied to a container management module, and the method comprises the following steps:

receiving an encryption and decryption strategy and a data interception rule sent by user equipment; the data interception rule comprises an identification of a container;

and generating an eBPF attachment module according to the encryption and decryption strategy and the data interception rule so that the eBPF attachment module determines a container to be intercepted according to the identifier of the container and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption strategy.

2. The information transmission method according to claim 1, wherein before receiving the encryption and decryption policy and the data interception rule sent by the user equipment, the method further comprises:

receiving a container creating request sent by user equipment;

creating a container according to the container creating request;

creating an encryption policy controller;

acquiring a container identifier of the created container;

and sending the container identifier to the encryption policy controller so that the encryption policy controller sends the container identifier to the user equipment.

3. The information transmission method according to claim 1, wherein the receiving the encryption/decryption policy and the data interception rule sent by the user equipment includes:

receiving an encryption and decryption policy and the data interception rule sent by an encryption policy controller, wherein the encryption and decryption policy and the data interception rule are generated by the encryption policy controller according to the container identifier and the security association, the security policy and the corresponding relation sent by the user equipment; the corresponding relation comprises the corresponding relation between the security association and the container identifier and the corresponding relation between the security policy and the container identifier.

4. An information transmission method is applied to user equipment, and the method comprises the following steps:

sending an encryption and decryption strategy and a data interception rule to a container management module; the data interception rule comprises an identifier of a container, so that the container management module generates an eBPF attachment module according to the encryption and decryption strategy and the data interception rule, the eBPF attachment module determines the container to be intercepted according to the identifier of the container, and the transmission information of the intercepted container is encrypted and decrypted according to the encryption and decryption strategy.

5. The information transmission method according to claim 4, wherein the method further comprises:

sending a create container request to the container management module to cause the container management module to create a container and create an encryption policy controller;

and receiving the container identifier forwarded by the user equipment according to the encryption policy controller.

6. The information transmission method according to claim 5, wherein the sending the encryption and decryption policy and the data interception rule to the container management module includes:

generating security association and security policy according to the container identifier;

and sending the security association, the security policy and the corresponding relation to the encryption policy controller, so that the encryption policy controller generates the encryption and decryption policy and the data interception rule according to the container identifier and the security association, the security policy and the corresponding relation sent by the user equipment.

7. An information transmission device, applied to a container management module, the device comprising:

the first receiving module is used for receiving an encryption and decryption strategy and a data interception rule sent by user equipment; the data interception rule comprises an identification of a container;

and the generating module is used for generating an eBPF attachment module according to the encryption and decryption strategy and the data interception rule so that the eBPF attachment module determines the container to be intercepted according to the identifier of the container and encrypts and decrypts the transmission information of the intercepted container according to the encryption and decryption strategy.

8. An information transmission apparatus, applied to a user equipment, the apparatus comprising:

the first sending module is used for sending the encryption and decryption strategy and the data interception rule to the container management module; the data interception rule comprises an identifier of a container, so that the container management module generates an eBPF attachment module according to the encryption and decryption strategy and the data interception rule, the eBPF attachment module determines the container to be intercepted according to the identifier of the container, and the transmission information of the intercepted container is encrypted and decrypted according to the encryption and decryption strategy.

9. An electronic device, comprising:

a processor; and

a memory for storing executable instructions of the processor;

wherein the processor is configured to perform the information transmission method of any one of claims 1 to 6 via execution of the executable instructions.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the information transmission method according to any one of claims 1 to 6.