add kube-env variable to block traffic to metadataserver

This commit is contained in:
Mike Danese 2017-02-27 14:07:07 -08:00
parent 6d9e2afeda
commit 34e02c9989
2 changed files with 19 additions and 0 deletions


@ -89,6 +89,17 @@ ensure-local-disks() {
done
}
function config-ip-firewall {
echo "Configuring IP firewall rules"
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
fi
}
function ensure-install-dir() {
INSTALL_DIR="/var/cache/kubernetes-install"
mkdir -p ${INSTALL_DIR}
@ -1135,6 +1146,7 @@ function create-salt-master-etcd-auth {
if [[ -z "${is_push}" ]]; then
echo "== kube-up node config starting =="
set-broken-motd
config-ip-firewall
ensure-basic-networking
fix-apt-sources
ensure-install-dir
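Review bot: The new config-ip-firewall is not idempotent: `iptables -N KUBE-METADATA-SERVER` exits non-zero once the chain exists, and the following `iptables -A FORWARD ... -j KUBE-METADATA-SERVER` appends a duplicate jump on every re-run of the node setup, so the rule set grows and a later `-N` failure could abort the script if it runs under `set -e` (the script's options are outside the hunk). Tolerating an existing chain and checking before appending keeps repeated runs clean: `iptables -N KUBE-METADATA-SERVER 2>/dev/null || iptables -F KUBE-METADATA-SERVER` and `iptables -C FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER 2>/dev/null || iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER`. The match is placed only on the FORWARD chain, so traffic originating in the node's own network namespace (presumably anything using host networking) is not subject to the block; a comment on the `-A FORWARD` line, `# only forwarded (pod) traffic is matched; host-namespace clients are not affected`, would make that scope explicit. The same lines are added to config-ip-firewall in the second file, where these points apply equally.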


@ -48,6 +48,13 @@ function config-ip-firewall {
iptables -A FORWARD -w -p UDP -j ACCEPT
iptables -A FORWARD -w -p ICMP -j ACCEPT
fi
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
fi
}
function create-dirs {
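Review bot: The three new iptables calls omit `-w`, while the surrounding rules in this function (the UDP and ICMP ACCEPT lines just above) pass it to wait for the xtables lock; without it the new rules can fail intermittently if another process holds the lock at boot, leaving the metadata block silently absent. Adding `-w` to `iptables -N`, the `-A FORWARD` jump and the `-A KUBE-METADATA-SERVER -j DROP` line keeps the function consistent with its existing style. Separately, the `[[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]` test enables the DROP for any non-empty value, so a kube-env setting such as `false` would still block traffic; if kube-env values are string booleans (I cannot tell from this hunk), comparing against the literal, `[[ "${KUBE_FIREWALL_METADATA_SERVER:-}" == "true" ]]`, avoids that surprise.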