Adding a metadata proxy addon to gce

cluster/addons/metadata-proxy/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- q-lee
+- cjcullen
+- mikedanese
+reviewers:
+- q-lee
+- cjcullen
+- mikedanese

cluster/addons/metadata-proxy/README.md

@@ -0,0 +1,5 @@
+# Metadata proxy
+==============
+
+This metadata proxy returns a 403 for kubelet's kube-env data, but otherwise allows
+pods access to the metadata server.

cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml

@@ -0,0 +1,60 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: metadata-proxy-config
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+data:
+  nginx.conf: |-
+    user www-data;
+    worker_processes 4;
+    pid /run/nginx.pid;
+    error_log /dev/stdout;
+
+    events {
+      worker_connections 20;
+    }
+
+    http {
+      access_log /dev/stdout;
+      server {
+        listen 127.0.0.1:988;
+
+        # By default, return 403. This protects us from new API versions.
+        location / {
+            return 403;
+        }
+
+        # Allow for REST discovery.
+        location = / {
+            proxy_pass http://169.254.169.254;
+        }
+        location = /computeMetadata/ {
+            proxy_pass http://169.254.169.254;
+        }
+
+        # By default, allow the v0.1, v1beta1, and v1 APIs.
+        location /0.1/ {
+            proxy_pass http://169.254.169.254;
+        }
+        location /computeMetadata/v1beta1/ {
+            proxy_pass http://169.254.169.254;
+        }
+        location /computeMetadata/v1/ {
+            proxy_pass http://169.254.169.254;
+        }
+
+        # Return a 403 for the kube-env attribute in all allowed API versions.
+        location /0.1/meta-data/attributes/kube-env {
+            return 403;
+        }
+        location /computeMetadata/v1beta1/instance/attributes/kube-env {
+            return 403;
+        }
+        location /computeMetadata/v1/instance/attributes/kube-env {
+            return 403;
+        }
+      }
+    }
+

cluster/addons/metadata-proxy/gce/metadata-proxy.yaml

@@ -0,0 +1,52 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: metadata-proxy-v0.1
+  namespace: kube-system
+  labels:
+    k8s-app: metadata-proxy
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    version: v0.1
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: metadata-proxy
+        kubernetes.io/cluster-service: "true"
+        version: v0.1
+      # This annotation ensures that the proxy does not get evicted if the node
+      # supports critical pod annotation based priority scheme.
+      # Note that this does not guarantee admission on the nodes (#40573).
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      hostNetwork: true
+      dnsPolicy: Default
+      containers:
+      - name: metadata-proxy
+        image: gcr.io/google-containers/metadata-proxy:0.1
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+        command:
+          - '/start-proxy.sh'
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "50m"
+          limits:
+            memory: "32Mi"
+            cpu: "50m"
+        volumeMounts:
+          - name: config-volume
+            mountPath: /etc/nginx/
+      nodeSelector:
+        beta.kubernetes.io/metadata-proxy-ready: "true"
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: config-volume
+        configMap:
+          name: metadata-proxy-config