github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-21 01:50:55 +00:00
Code Issues Projects Releases Wiki Activity

add kube-env variable to block traffic to metadataserver

Browse Source
This commit is contained in:
Mike Danese
2017-02-27 14:07:07 -08:00
parent 6d9e2afeda
commit 34e02c9989
2 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
cluster/gce/configure-vm.sh
View File

@@ -89,6 +89,17 @@ ensure-local-disks() {
done done
} }
function config-ip-firewall {
echo "Configuring IP firewall rules"
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
fi
}
function ensure-install-dir() { function ensure-install-dir() {
INSTALL_DIR="/var/cache/kubernetes-install" INSTALL_DIR="/var/cache/kubernetes-install"
mkdir -p ${INSTALL_DIR} mkdir -p ${INSTALL_DIR}
@@ -1135,6 +1146,7 @@ function create-salt-master-etcd-auth {
if [[ -z "${is_push}" ]]; then if [[ -z "${is_push}" ]]; then
echo "== kube-up node config starting ==" echo "== kube-up node config starting =="
set-broken-motd set-broken-motd
config-ip-firewall
ensure-basic-networking ensure-basic-networking
fix-apt-sources fix-apt-sources
ensure-install-dir ensure-install-dir

7
cluster/gce/gci/configure-helper.sh
View File

@@ -48,6 +48,13 @@ function config-ip-firewall {
iptables -A FORWARD -w -p UDP -j ACCEPT iptables -A FORWARD -w -p UDP -j ACCEPT
iptables -A FORWARD -w -p ICMP -j ACCEPT iptables -A FORWARD -w -p ICMP -j ACCEPT
fi fi
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
fi
} }
function create-dirs { function create-dirs {