diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
index e2d7a46fcf9..072c71d16ef 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
@@ -44,7 +44,7 @@ spec:
 effect: "NoSchedule"
 containers:
 - name: metadata-proxy
- image: k8s.gcr.io/metadata-proxy:v0.1.10
+ image: k8s.gcr.io/metadata-proxy:v0.1.11
 securityContext:
 privileged: true
 # Request and limit resources to get guaranteed QoS.
diff --git a/test/images/metadata-concealment/VERSION b/test/images/metadata-concealment/VERSION
index 524cb55242b..5625e59da88 100644
--- a/test/images/metadata-concealment/VERSION
+++ b/test/images/metadata-concealment/VERSION
@@ -1 +1 @@
-1.1.1
+1.2
diff --git a/test/images/metadata-concealment/check_metadata_concealment.go b/test/images/metadata-concealment/check_metadata_concealment.go
index 4749e907ddd..f6e4345cd1c 100644
--- a/test/images/metadata-concealment/check_metadata_concealment.go
+++ b/test/images/metadata-concealment/check_metadata_concealment.go
@@ -40,9 +40,13 @@ var (
 "http://metadata.google.internal/computeMetadata/v1/",
 // Service account token endpoints.
 "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
- // Params that contain 'recursive' as substring.
- "http://metadata.google.internal/computeMetadata/v1/instance/?nonrecursive=true",
- "http://metadata.google.internal/computeMetadata/v1/instance/?something=other&nonrecursive=true",
+ // Permitted recursive query to SA endpoint.
+ "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true",
+ // Known query params.
+ "http://metadata.google.internal/computeMetadata/v1/instance/tags?alt=text",
+ "http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=false",
+ "http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&timeout_sec=0",
+ "http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&last_etag=d34db33f",
 }
 legacySuccessEndpoints = []string{
 // Discovery
@@ -54,6 +58,8 @@ var (
 // Service account token endpoints.
 "http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire",
 "http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token",
+ // Known query params.
+ "http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire?scopes",
 }
 noKubeEnvEndpoints = []string{
 // Check that these don't get a recursive result.
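Review bot: The two `?nonrecursive=true` entries are removed from successEndpoints without reappearing anywhere, so the suite no longer pins how a key that merely contains "recursive" is treated; given the new "Unknown query param key" group in the later hunk, the natural home is noKubeEnvEndpoints, e.g. `"http://metadata.google.internal/computeMetadata/v1/instance/?nonrecursive=true",` under that comment. The rearrangement presumably reflects a move from substring matching to an allowlist of known query keys, and the `// Known query params.` comment should say so, e.g. `// Known query params; keys not on the proxy's allowlist are expected to be rejected.`. The `last_etag=d34db33f` value is a placeholder etag, and a one-line comment saying whether the proxy is expected to pass any etag value through, or to validate it, would keep the next reader from guessing. The enclosing `var (` block starts before the hunk.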
@@ -72,10 +78,12 @@ var (
 "http://metadata.google.internal/0.1/meta-data/service-accounts/default/identity",
 "http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/identity",
 "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity",
- // Recursive.
+ // Forbidden recursive queries.
 "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true",
- "http://metadata.google.internal/computeMetadata/v1/instance/?something=other&recursive=true",
- "http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&something=other",
+ "http://metadata.google.internal/computeMetadata/v1/instance/?%72%65%63%75%72%73%69%76%65=true", // url-encoded
+ // Unknown query param key.
+ "http://metadata.google.internal/computeMetadata/v1/instance/?something=else",
+ "http://metadata.google.internal/computeMetadata/v1/instance/?unknown",
 // Other.
 "http://metadata.google.internal/computeMetadata/v1/instance/attributes//kube-env",
 "http://metadata.google.internal/computeMetadata/v1/instance/attributes/../attributes/kube-env",
@@ -96,7 +104,7 @@ func main() {
 }
 }
 for _, e := range noKubeEnvEndpoints {
- if err := checkURL(e, h, 200, "", "kube-env"); err != nil {
+ if err := checkURL(e, h, 403, "", "kube-env"); err != nil {
 log.Printf("Wrong response for %v: %v", e, err)
 success = 1
 }
diff --git a/test/utils/image/manifest.go b/test/utils/image/manifest.go
index 2e5015bd3a7..1fed673a04a 100644
--- a/test/utils/image/manifest.go
+++ b/test/utils/image/manifest.go
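Review bot: The forbidden group now covers only a lone `recursive` key and its percent-encoded spelling; the removed `something=other&recursive=true` lines were the only cases where `recursive` sat beside another key, and the success list in the earlier hunk shows multi-key queries (`wait_for_change=true&timeout_sec=0`) are accepted, so a known key combined with `recursive` is worth pinning, e.g. `"http://metadata.google.internal/computeMetadata/v1/instance/?alt=text&recursive=true",` under `// Forbidden recursive queries.`. The trailing `// url-encoded` is the only end-of-line comment in these lists; the surrounding entries put the explanation on its own line above, so `// Percent-encoded spelling of the recursive key.` above the entry would match. The enclosing `var (` block starts before this hunk and continues after it.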
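Review bot: The loop now demands a 403 from every noKubeEnvEndpoints entry, but the list's own comment, visible at the end of the previous hunk, still reads `// Check that these don't get a recursive result.`, which no longer describes the contract; a replacement such as `// Requests the proxy must reject with 403; the response must also never contain kube-env.` would keep the list and the check in step. Keeping the `"kube-env"` forbidden-substring argument alongside the status check is presumably deliberate defence in depth, and a short comment on the call saying so would stop a later cleanup from dropping it as redundant. main() starts before the hunk and continues after it.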
@@ -97,7 +97,7 @@ var (
 APIServer = Config{e2eRegistry, "sample-apiserver", "1.10"}
 AppArmorLoader = Config{e2eRegistry, "apparmor-loader", "1.0"}
 BusyBox = Config{dockerLibraryRegistry, "busybox", "1.29"}
- CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.1.1"}
+ CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.2"}
 CudaVectorAdd = Config{e2eRegistry, "cuda-vector-add", "1.0"}
 Dnsutils = Config{e2eRegistry, "dnsutils", "1.1"}
 EchoServer = Config{e2eRegistry, "echoserver", "2.2"}