Listed publication: Multiple networks for virtual execution elements (US-10855531-B2, Dec 1, 2020, US)
US2023208881A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2023208881-A1 |
| Application number | US-202117928113-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jan 23, 2021 |
| Priority date | May 27, 2020 |
| Publication date | Jun 29, 2023 |
| Grant date | — |
Abstract (official text): An application isolation method, system and device, and a computer-readable storage medium. The method includes: determining a target application to be isolated in Kubernetes; acquiring isolation policies of components in the target application; creating an initial network security policy corresponding to the target application; on the basis of the isolation policies, modifying a pushing rule, a popping rule and a matching label of the initial network security policy, so as to obtain a target network security policy; converting the target network security policy into an Iptables rule that matches the Kubernetes; and isolating the target application on the basis of the Iptables rule.
Claims (preview):

1. An application isolation method, comprising: determining a target application to be isolated in Kubernetes; acquiring an isolation policy for each component in the target application; creating an initial network security policy corresponding to the target application; modifying a push rule, a pop rule, and a match label of the initial network security policy according to the isolation policy to obtain a target network security policy; converting the target network security policy into an Iptables rule matching the Kubernetes; and isolating the target application according to the Iptables rule.
2. The method according to claim 1, wherein creating the initial network security policy corresponding to the target application comprises: creating the initial network security policy; setting a podSelector field of the initial network security policy as in a form of matchExpression; setting a value of an operator of the initial network security policy as a conditional operator In; and setting the match label of the initial network security policy as a set of identifications of all components in the target application.
3. The method according to claim 2, wherein modifying the push rule, the pop rule, and the match label of the initial network security policy according to the isolation policy comprises: modifying the push rule according to a passive access policy in the isolation policy; modifying the pop rule according to an active access policy in the isolation policy; and setting a value of the match label as an identification of the component being isolated in the isolation policy; wherein the passive access policy characterizes a policy of other components accessing the components of the target application; and the active access policy characterizes the policy of the components of the target application accessing other components.
4. The method according to claim 3, wherein modifying the push rule according to the passive access policy in the isolation policy comprises: determining a first component corresponding to the passive access policy; changing a port number corresponding to the first component in the push rule to a corresponding port number in the passive access policy; changing a network data exchange rule corresponding to the first component in the push rule to a corresponding network data exchange rule in the passive access policy; and changing the podSelector field corresponding to the first component in the push rule to matchlabel, and setting a value of the matchlabel to be an identification of corresponding other components in the passive access policy.
5. The method according to claim 4, wherein modifying the pop rule according to the active access policy in the isolation policy comprises: determining a second component corresponding to the active access policy; changing a port number corresponding to the second component in the pop rule to a corresponding port number in the active access policy; changing a network data exchange rule corresponding to the second component in the pop rule to a corresponding network data exchange rule in the active access policy; and changing the podSelector field corresponding to the second component in the pop rule to matchlabel, and setting a value of the matchlabel as an identification of corresponding other components in the active access policy.
6. The method according to claim 1, before determining the target application to be isolated in Kubernetes, further comprising: deploying a calico network plug-in in the Kubernetes; setting the calico node in the calico network plug-in to operate in a demonest mode; and setting a calicocontroller in the calico network plug-in to run in a stateless load mode.
7. The method according to claim 6, wherein the identification of the component comprises a label of the component.
8. (canceled)
9. An application isolation apparatus, comprising: a processor; and a memory, storing a computer program that is executable by a processor, and upon execution by the processor, is configured to cause the processor to: determine a target application to be isolated in Kubernetes; acquire an isolation policy for each component in the target application; create an initial network security policy corresponding to the target application; modify a push rule, a pop rule, and a match label of the initial network security policy according to the isolation policy to obtain a target network security policy; convert the target network security policy into an Iptables rule matching the Kubernetes; and isolate the target application according to the Iptables rule.
10. A non-transitory computer-readable storage medium storing a computer program that is executable by a processor, and upon execution by the processor, is configured to cause the processor to: determine a target application to be isolated in the Kubernetes; acquire an isolation policy for each component in the target application; create an initial network security policy corresponding to the target application; modify a push rule, a pop rule, and a match label of the initial network security policy according to the isolation policy to obtain a target network security policy; convert the target network security policy into an Iptables rule matching the Kubernetes; and isolate the target application according to the Iptables rule.
11. The application isolation method according to claim 1, wherein the initial network security policy is a network security policy for isolating each component of the target application.
12. The application isolation method according to claim 11, wherein isolating each component of the target application comprises: complete isolation or complete disclosure.
13. The application isolation method according to claim 1, wherein the push rule is to limit other components to access the access information of the current component; the pop rule is to limit the current component to access the access information of other components; and the match label is to limit identity information of other components.
14. The application isolation method according to claim 1, wherein the Iptables rule is an IP information packet filtering system integrated with version 3.5 Linux kernel.
15. The application isolation method according to claim 2, wherein commas are added between the identifications to separate the identifications.
16. The application isolation method according to claim 6, wherein calico is a pure three-layer protocol that provides multi-host communication for Docker containers.
17. The application isolation method according to claim 16, wherein in the pure three-layer protocol, virtual routes are used instead of virtual exchanges, and each virtual route propagates reachable information to remaining data centers through the border gateway protocol.
18. The application isolation apparatus according to claim 9, wherein creating the initial network security policy corresponding to the target application comprises: creating the initial network security policy; setting a podSelector field of the initial network security policy as in a form of matchExpression; setting a value of an operator of the initial network security policy as a conditional operator In; and setting the match label of the initial network security policy as a set of identifications of all components in the target application.
19. The application isolation apparatus according to claim 18, wherein m
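The following Python is an added example, not code from the patent or from any Kubernetes or Calico project. It builds the objects claims 2 to 5 describe as Kubernetes NetworkPolicy resources (an initial policy whose podSelector is a matchExpressions entry with operator In over all component identifications, then one target policy per component whose push rules come from the passive access policy and whose pop rules come from the active access policy, both in matchLabels form with the port copied in), and then evaluates them with Kubernetes' own semantics (no selecting policy means open; otherwise allowed traffic is the union of all selecting policies' rules). Push rule is read as ingress and pop rule as egress, following claim 13. Everything else is an assumption: the label key `component`, the constructed three-component application, and leaving the NetworkPolicy-to-iptables translation to the CNI plug-in (Calico in claim 6) rather than reproducing it.

```python
"""Build and evaluate Kubernetes NetworkPolicy objects following the scheme in the
claims above. Added example, not the patent's or any project's code. It assumes each
pod carries a label with key COMPONENT_LABEL whose value is the component's
identification; the NetworkPolicy-to-iptables step is left to the CNI plug-in."""
import json

COMPONENT_LABEL = "component"  # assumed key; the claims only say "label of the component"

# Constructed isolation policy for a hypothetical three-component application.
# "passive": other components allowed to reach this one (ingress, the push rule).
# "active":  other components this one may reach (egress, the pop rule).
ISOLATION_POLICY = {
    "web": {"passive": [{"from": "gateway", "port": 8080, "protocol": "TCP"}],
            "active": [{"to": "api", "port": 9000, "protocol": "TCP"}]},
    "api": {"passive": [{"from": "web", "port": 9000, "protocol": "TCP"}],
            "active": [{"to": "db", "port": 5432, "protocol": "TCP"}]},
    "db": {"passive": [{"from": "api", "port": 5432, "protocol": "TCP"}],
           "active": []},
}
API = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy"}


def initial_policy(app: str, namespace: str, components: list) -> dict:
    """Claim 2: podSelector in matchExpressions form, operator In, values = the
    identifications of all components. Both policy types declared with no rules
    gives 'complete isolation' of every selected pod (claim 12)."""
    selector = {"matchExpressions": [
        {"key": COMPONENT_LABEL, "operator": "In", "values": sorted(components)}]}
    return {**API, "metadata": {"name": f"{app}-isolation", "namespace": namespace},
            "spec": {"podSelector": selector, "policyTypes": ["Ingress", "Egress"]}}


def _peer_rule(peer_key: str, other: str, port: int, protocol: str) -> dict:
    """One push (peer_key 'from') or pop (peer_key 'to') rule: the podSelector is
    switched to matchLabels naming the other component, and port and protocol
    are copied from the isolation policy (claims 4 and 5)."""
    return {peer_key: [{"podSelector": {"matchLabels": {COMPONENT_LABEL: other}}}],
            "ports": [{"port": port, "protocol": protocol}]}


def target_policy(app: str, namespace: str, component: str, entry: dict) -> dict:
    """Claims 3-5: the match label becomes the isolated component's identification;
    push rules come from the passive policy, pop rules from the active policy."""
    spec = {"podSelector": {"matchLabels": {COMPONENT_LABEL: component}},
            "policyTypes": ["Ingress", "Egress"]}
    ingress = [_peer_rule("from", r["from"], r["port"], r["protocol"]) for r in entry["passive"]]
    egress = [_peer_rule("to", r["to"], r["port"], r["protocol"]) for r in entry["active"]]
    if ingress:
        spec["ingress"] = ingress
    if egress:
        spec["egress"] = egress
    return {**API, "metadata": {"name": f"{app}-{component}", "namespace": namespace}, "spec": spec}


def build_policies(app: str, namespace: str, isolation_policy: dict) -> list:
    """The initial policy for the whole application plus one target policy per component."""
    return [initial_policy(app, namespace, list(isolation_policy))] + [
        target_policy(app, namespace, c, e) for c, e in isolation_policy.items()]


def _selects(selector: dict, labels: dict) -> bool:
    """Label-selector match for the two forms used above: matchLabels and
    matchExpressions with operator In (the only operator this example emits)."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(labels.get(e["key"]) in e["values"]
               for e in selector.get("matchExpressions", []) if e["operator"] == "In")


def _direction_allowed(policies, subject, other, port, protocol, policy_type) -> bool:
    """Kubernetes semantics: a pod selected by no policy of this type is open; otherwise
    the traffic must match a rule in at least one selecting policy (policies are additive)."""
    rules_key, peer_key = ("ingress", "from") if policy_type == "Ingress" else ("egress", "to")
    subject_labels, other_labels = {COMPONENT_LABEL: subject}, {COMPONENT_LABEL: other}
    applicable = [p["spec"] for p in policies if policy_type in p["spec"]["policyTypes"]
                  and _selects(p["spec"]["podSelector"], subject_labels)]
    if not applicable:
        return True
    for spec in applicable:
        for rule in spec.get(rules_key, []):
            peer_ok = any(_selects(peer["podSelector"], other_labels) for peer in rule[peer_key])
            port_ok = any(pp["port"] == port and pp["protocol"] == protocol for pp in rule["ports"])
            if peer_ok and port_ok:
                return True
    return False


def allowed(policies: list, src: str, dst: str, port: int, protocol: str = "TCP") -> bool:
    """A connection needs both the source's egress and the destination's ingress to pass."""
    return (_direction_allowed(policies, src, dst, port, protocol, "Egress")
            and _direction_allowed(policies, dst, src, port, protocol, "Ingress"))


if __name__ == "__main__":
    pols = build_policies("shop", "prod", ISOLATION_POLICY)
    print(json.dumps(pols[1], indent=2))  # the target policy for "web"
    for s, d, p in [("web", "api", 9000), ("web", "db", 5432), ("db", "api", 9000)]:
        print(f"{s} -> {d}:{p} allowed={allowed(pols, s, d, p)}")
```

The evaluator is what makes the initial policy's role visible: on its own it selects every component and carries no rules, so every component is fully isolated; each target policy then re-opens exactly the paths in that component's isolation policy, and nothing else, because a component with an empty active policy (`db` above) still has `Egress` declared and therefore cannot initiate any connection.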
CPC classification titles:

- to features or functions of an application
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- by executing in a restricted environment, e.g. sandbox or secure virtual machine