From 34e02c9989dd577a8daf375f276c7e26ebe3b58f Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Mon, 27 Feb 2017 14:07:07 -0800
Subject: [PATCH] add kube-env variable to block traffic to metadataserver

---
 cluster/gce/configure-vm.sh | 12 ++++++++++++
 cluster/gce/gci/configure-helper.sh | 7 +++++++
 2 files changed, 19 insertions(+)

diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 092f9c80af8..7448f2cb837 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -89,6 +89,17 @@ ensure-local-disks() {
 done
 }
 
+function config-ip-firewall {
+ echo "Configuring IP firewall rules"
+
+ iptables -N KUBE-METADATA-SERVER
+ iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+
+ if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
+ iptables -A KUBE-METADATA-SERVER -j DROP
+ fi
+}
+
 function ensure-install-dir() {
 INSTALL_DIR="/var/cache/kubernetes-install"
 mkdir -p ${INSTALL_DIR}
@@ -1135,6 +1146,7 @@ function create-salt-master-etcd-auth {
 if [[ -z "${is_push}" ]]; then
 echo "== kube-up node config starting =="
 set-broken-motd
+ config-ip-firewall
 ensure-basic-networking
 fix-apt-sources
 ensure-install-dir
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 7dab90a221f..c644afc4456 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -48,6 +48,13 @@ function config-ip-firewall {
 iptables -A FORWARD -w -p UDP -j ACCEPT
 iptables -A FORWARD -w -p ICMP -j ACCEPT
 fi
+
+ iptables -N KUBE-METADATA-SERVER
+ iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+
+ if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
+ iptables -A KUBE-METADATA-SERVER -j DROP
+ fi
 }
 
 function create-dirs {
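Review bot: The new `iptables -N KUBE-METADATA-SERVER` in config-ip-firewall is not idempotent: a second run of the script (or a re-invocation of the function) fails because the chain already exists, and neither call site checks the status, so under an errexit shell the whole node configuration would abort at this point. The same `-N` and the two `-A` lines also omit the `-w` xtables-lock flag that the existing rules in configure-helper.sh's config-ip-firewall use, so a concurrent iptables invocation (kube-proxy, for example) can make them fail spuriously. Guarding the chain creation with `iptables -w -L KUBE-METADATA-SERVER >/dev/null 2>&1 || iptables -w -N KUBE-METADATA-SERVER` and adding `-w` to the `-A` lines addresses both; the identical lines in the configure-helper.sh hunk need the same treatment. A short comment above the chain creation, such as `# Traffic from pods to the GCE metadata server is steered through KUBE-METADATA-SERVER; the chain only DROPs when KUBE_FIREWALL_METADATA_SERVER is set in kube-env`, would also document why an empty chain is created unconditionally.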
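Review bot: The metadata-server jump is appended to FORWARD with `-A`, after the `iptables -A FORWARD -w -p UDP -j ACCEPT` / `-p ICMP` rules visible in the context; if the same block also appends a TCP ACCEPT earlier in this function (its start is outside the hunk, so this is inferred), the new rule sits behind an accept-all for TCP and never matches, and the DROP is silently ineffective. Inserting at the head of the chain instead, `iptables -w -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER`, makes the filter independent of what the earlier rules accept. It would also be worth stating in a comment that only forwarded (pod) traffic is filtered and host-originated OUTPUT traffic to 169.254.169.254 is deliberately left alone, since the node itself still needs the metadata server.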