bind metadata proxy to 0.0.0.0

This commit is contained in:
Shihang Zhang 2020-07-27 18:14:33 -07:00 committed by Mike Danese
parent a0eb9d146a
commit 38f040c0a8
2 changed files with 3 additions and 2 deletions


@ -44,6 +44,7 @@ spec:
containers: containers:
- name: metadata-proxy - name: metadata-proxy
image: k8s.gcr.io/metadata-proxy:v0.1.12 image: k8s.gcr.io/metadata-proxy:v0.1.12
args: ["--addr=0.0.0.0:988"]
securityContext: securityContext:
privileged: true privileged: true
# Request and limit resources to get guaranteed QoS. # Request and limit resources to get guaranteed QoS.
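Review bot: The added `args: ["--addr=0.0.0.0:988"]` line moves the proxy's listener from loopback to every node interface, and nothing in this commit documents why or restricts who can reach port 988 directly. The visible iptables change only excludes traffic arriving on eth0 from the REDIRECT; it does not block inbound connections to the proxy's own port, so whether the node-level firewall already covers 988 should be confirmed and stated here. A short comment above the line would keep the next maintainer from "fixing" it back to loopback, e.g. `# Must listen on all interfaces: the nat REDIRECT rule in configure-helper.sh sends traffic to port 988 on the incoming interface's address, not 127.0.0.1.` The container spec this hunk belongs to starts and ends outside the hunk.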


@ -173,7 +173,7 @@ function config-ip-firewall {
# node because we don't expect the daemonset to run on this node. # node because we don't expect the daemonset to run on this node.
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
echo "Add rule for metadata concealment" echo "Add rule for metadata concealment"
iptables -w -t nat -I PREROUTING -p tcp -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988 iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
fi fi
# Log all metadata access not from approved processes. # Log all metadata access not from approved processes.
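Review bot: The rewritten iptables rule hard-codes `! -i eth0`, so on any node whose primary interface has a different name the exclusion silently does not apply and traffic from that interface is redirected to the proxy as well; nothing in the hunk guards or documents that assumption. If the interface name is already known elsewhere in this script it should be read from there, otherwise a comment should state the assumption, e.g. `# Assumes the node's primary interface is eth0; traffic arriving there is the node's own and must not be redirected.` The switch from `-j DNAT --to-destination 127.0.0.1:988` to `-j REDIRECT --to-ports 988` also couples this rule to the proxy listening on all interfaces, which is worth one line of comment since the two changes live in different files. config-ip-firewall starts and ends outside the hunk.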