Based on Kubernetes cluster, HEPS computing platform creates a container computing environment to provide analysis services for users. The computing platform provides a container data analysis environment based on jupyterlab with the jupyterhub web page as the entry point. The platform uses CVMFS to store the software library, and the container environment accesses the CVMFS by CSI. The Lustre is used to store user experiment data, map storage volumes to the container virtualization environment in localhost mode, and provide read/write data access services for users.

HEPS platform uses Kubernetes tool to manage LAN computing resources and create container environment for users to use. WAN users are authenticated by Oauth2.0 to access the LAN container environment for data analysis. The container environment that provides interactive functions for users needs to meet both communication requirements of accessing scale data of WAN and experimental data of LAN. In this service mode, how to effectively limit the activity range of hackers after they invade the container environment and how to quickly locate the container and login users after the IHEPSOC system detects the attack behavior, requires a series of security policies to protect the security of HEPS computing platform.

In view of the above security problems, this paper introduces the design scheme and application effect of the security policy of HEPS container computing platform from the aspects of Kubernetes network security policy, login behavior audit, network information association analysis, and so on, so as to realize configurable management of the activity scope of user analysis environment and traceability of abnormal container environment, so as to ensure the security of HEPS computing platform.