
Design And Implementation Of Container-Based VPN System

Posted on: 2022-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: R W Zhang
Full Text: PDF
GTID: 2568306551980189
Subject: Computer technology
Abstract/Summary:
Cloud computing has developed at a surprising speed since it appeared. It has progressed from the early virtualization technologies such as Xen, vSphere and KVM, to IaaS-layer technology represented by OpenStack, and has now become a mature and stable technology. After that, the emergence of Docker and Kubernetes further promoted the improvement and popularization of the cloud computing PaaS layer. Nowadays, more and more enterprises and institutions are migrating their business to the cloud. Containers have the advantages of fast delivery and deployment, efficient virtualization, easy expansion and migration, high availability and rapid recovery, while offering the flexibility of IaaS and the convenience of PaaS. For this reason, the proportion of cloud migrations that choose container clouds continues to rise.

Although cloud computing has a series of advantages, it still has a series of security problems. For example, data transferred over the network may be stolen, tampered with or forged. As a security service, a VPN can establish a secure virtual connection over a public network and securely connect different networks through this tunnel. Applying VPN to the cloud environment can efficiently address the security risks of transmitting user data over public networks. However, the current Kubernetes platform does not support secure VPN connections to external networks. Container clouds built by enterprises in local data centers generally connect the cluster to the peer VPN by deploying traditional VPN equipment at the cluster's border gateway. However, this approach has low resource utilization, poor scalability, difficult equipment deployment, difficulty adjusting the network structure, and difficulty guaranteeing reliability.

Aiming at the problem that VPNs are difficult to apply in the container cloud environment, this thesis proposes a solution that implements VPN services through containers. Taking as its main goals a method to solve the network inapplicability of container VPNs on the Kubernetes platform and a higher level of security through virtual encryption cards, the results of this thesis are as follows:

1) Designed and implemented a VPN system through which users can manage container VPNs. The user only needs to supply the necessary VPN configuration; the system automatically creates a VPN container according to the user's configuration, configures the network of each node in the cluster through a network plug-in, and establishes a secure connection channel with the peer VPN gateway to realize secure data transmission.

2) Because a VPN requires multiple network interfaces, it is difficult to apply a VPN directly to the Kubernetes network. This thesis studies the implementation of Kubernetes networking, and designs and implements a cluster multi-network communication plug-in following the Kubernetes plug-in concept. It mainly solves the cross-machine communication problem of Kubernetes and the isolation between multiple networks, and realizes Kubernetes Service and policy control, so that access between pods in the cluster is consistent with native Kubernetes and no modification of Kubernetes is needed.

3) Aiming at the problem that encryption cards cannot be shared in a container environment, this thesis uses a hardware-level virtualization solution based on SR-IOV technology and extends the Kubernetes API through a custom resource. This adds the encryption cards to the cluster as resources that are managed uniformly. For use by VPN containers, these virtualized encryption cards are allocated to different containers and can be automatically redistributed after a container is restarted or migrated.
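One way the encryption-card resource model of result 3 and the second network interface of result 2 map onto standard Kubernetes primitives, as an added illustration that is not from the thesis: a per-node device plugin is assumed to advertise each SR-IOV virtual function of the card as an extended resource, and the VPN pod requests one of them in its spec. The resource name, the network annotation, the container image and all object names are assumed placeholders.

```yaml
# Added illustration, not the thesis's own manifests.
# Assumption: a device plugin on each node advertises the SR-IOV virtual
# functions (VFs) of the encryption card as the extended resource
# example.com/crypto-vf. The scheduler then only places the pod on a node
# with a free VF, and because the request lives in the pod spec, a pod that
# is restarted or rescheduled is handed a VF again without manual reassignment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpn-gateway                    # constructed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vpn-gateway
  template:
    metadata:
      labels:
        app: vpn-gateway
      annotations:
        # Assumed annotation consumed by the multi-network plug-in of
        # result 2: attach a second interface that carries the tunnel
        # traffic, separate from the cluster's pod network.
        example.com/networks: "vpn-external"
    spec:
      containers:
      - name: vpn
        image: example.com/vpn-container:placeholder   # placeholder image
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]         # required to create the tunnel interface
        resources:
          limits:
            example.com/crypto-vf: 1   # exactly one virtual encryption card
            memory: "256Mi"
```

For extended resources Kubernetes requires the request to equal the limit, so stating only the limit is sufficient; a node with no free VF is simply never selected, which is the scheduling-level guarantee that two containers never share one card.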
Keywords/Search Tags: VPN, Cloud Compute, Container, Kubernetes