Install firewall logging rules to log metadata server access for unauthorized components.

2025-07-29 06:27:05 +00:00 · 2020-06-12 10:59:32 -07:00 · 2020-06-12 10:59:32 -07:00 · 2f7874bd4b
commit 2f7874bd4b
parent f38ce5725a
1 changed files with 35 additions and 1 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -25,6 +25,9 @@ set -o errexit
 set -o nounset
 set -o pipefail

+### Hardcoded constants
+METADATA_SERVER_IP="${METADATA_SERVER_IP:-169.254.169.254}"
+
 function convert-manifest-params {
  # A helper function to convert the manifest args from a string to a list of
  # flag arguments.
@ -96,6 +99,28 @@ function secure_random {
  echo -n "${out}" | xxd -r -p | base64 -w 0
 }

+# Helper for configuring iptables rules for metadata server.
+#
+# $1 is the command flag (-I or -D).
+# $2 is the firewall action (LOG or REJECT).
+# $3 is the prefix for log output.
+# $4 is "!" to optionally invert the uid range.
+function gce-metadata-fw-helper {
+  local -r command="$1"
+  local action="$2"
+  local -r prefix="$3"
+  local -r invert="${4:-}"
+
+  # Expand rule action to include relevant option flags.
+  case "${action}" in
+    LOG)
+      action="LOG --log-prefix "${prefix}:" --log-uid --log-tcp-options --log-ip-option"
+      ;;
+  esac
+
+  iptables ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
+}
+
 function config-ip-firewall {
  echo "Configuring IP firewall rules"

@ -146,8 +171,17 @@ function config-ip-firewall {
  # node because we don't expect the daemonset to run on this node.
  if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
    echo "Add rule for metadata concealment"
-    iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
+    iptables -w -t nat -I PREROUTING -p tcp -d ${METADATA_SERVER_IP} --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
  fi
+
+  # Log all metadata access not from approved processes.
+  case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
+    log)
+      echo "Installing metadata firewall logging rules"
+      gce-metadata-fw-helper -I LOG "MetadataServerFirewallReject" !
+      gce-metadata-fw-helper -I LOG "MetadataServerFirewallAccept"
+      ;;
+  esac
 }

 function create-dirs {