Install firewall logging rules to log metadata server access for unauthorized components.
This commit is contained in:
parent
f38ce5725a
commit
2f7874bd4b
@ -25,6 +25,9 @@ set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
### Hardcoded constants
|
||||
METADATA_SERVER_IP="${METADATA_SERVER_IP:-169.254.169.254}"
|
||||
|
||||
function convert-manifest-params {
|
||||
# A helper function to convert the manifest args from a string to a list of
|
||||
# flag arguments.
|
||||
@ -96,6 +99,28 @@ function secure_random {
|
||||
echo -n "${out}" | xxd -r -p | base64 -w 0
|
||||
}
|
||||
|
||||
# Helper for configuring iptables rules for metadata server.
|
||||
#
|
||||
# $1 is the command flag (-I or -D).
|
||||
# $2 is the firewall action (LOG or REJECT).
|
||||
# $3 is the prefix for log output.
|
||||
# $4 is "!" to optionally invert the uid range.
|
||||
function gce-metadata-fw-helper {
|
||||
local -r command="$1"
|
||||
local action="$2"
|
||||
local -r prefix="$3"
|
||||
local -r invert="${4:-}"
|
||||
|
||||
# Expand rule action to include relevant option flags.
|
||||
case "${action}" in
|
||||
LOG)
|
||||
action="LOG --log-prefix "${prefix}:" --log-uid --log-tcp-options --log-ip-option"
|
||||
;;
|
||||
esac
|
||||
|
||||
iptables ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
|
||||
}
|
||||
|
||||
function config-ip-firewall {
|
||||
echo "Configuring IP firewall rules"
|
||||
|
||||
@ -146,8 +171,17 @@ function config-ip-firewall {
|
||||
# node because we don't expect the daemonset to run on this node.
|
||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
|
||||
echo "Add rule for metadata concealment"
|
||||
iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
iptables -w -t nat -I PREROUTING -p tcp -d ${METADATA_SERVER_IP} --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
fi
|
||||
|
||||
# Log all metadata access not from approved processes.
|
||||
case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
|
||||
log)
|
||||
echo "Installing metadata firewall logging rules"
|
||||
gce-metadata-fw-helper -I LOG "MetadataServerFirewallReject" !
|
||||
gce-metadata-fw-helper -I LOG "MetadataServerFirewallAccept"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
function create-dirs {
|
||||
|
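Review bot: The iptables call inside gce-metadata-fw-helper (second hunk, `iptables ${command} OUTPUT -p tcp --dport 80 ...`) omits `-w`, whereas the concealment rules in this hunk use `iptables -w`; under `set -o errexit` a transient xtables-lock collision would abort the whole configure step instead of waiting, so the line should read `iptables -w ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}`. The LOG expansion `action="LOG --log-prefix "${prefix}:" --log-uid --log-tcp-options --log-ip-option"` depends on the mismatched inner quotes plus unquoted word-splitting at the call site, which only holds while `prefix` never contains whitespace, and it spells the option `--log-ip-option` where iptables documents `--log-ip-options` and presumably accepts the short form only as an abbreviated long option, so the full name (or an argument array) would be safer. Both `MetadataServerFirewallReject:` and `MetadataServerFirewallAccept:` are exactly 29 characters, the documented maximum for `--log-prefix`, so a comment such as `# Keep log prefixes <= 29 chars (iptables --log-prefix limit).` above the LOG case would warn the next editor before iptables rejects the rule. config-ip-firewall's body begins outside this hunk.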