Merge pull request #51302 from ihmccreery/fix-mdc

Automatic merge from submit-queue (batch tested with PRs 51628, 51637, 51490, 51279, 51302)

GCE metadata proxy blocks instance identity & recursive calls, & excludes port from redirects

**What this PR does / why we need it**: Metadata proxy blocks [instance identity](https://cloud.google.com/compute/docs/instances/verifying-instance-identity) & [recursive](https://cloud.google.com/compute/docs/storing-retrieving-metadata#aggcontents) calls, and no longer includes the port in redirects (it was serving redirects to `http://metadata.google.internal:988`, which doesn't resolve). Ref #8867.

**Special notes for your reviewer**: Container is defined https://github.com/kubernetes/contrib/tree/master/metadata-proxy; I plan to send a separate PR to remove the `nginx.conf` directly in the container to reduce confusion.

**Release note**:

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2017-09-01 00:11:23 -07:00 committed by GitHub
commit 61bc3aa562


@ -20,40 +20,68 @@ data:
access_log /dev/stdout;
server {
listen 127.0.0.1:988;
# When serving 301s, don't redirect to port 988.
port_in_redirect off;
# By default, return 403. This protects us from new API versions.
location / {
return 403;
return 403 "This metadata API is not allowed by the metadata proxy.";
}
# Allow for REST discovery.
location = / {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location = /computeMetadata/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
# By default, allow the v0.1, v1beta1, and v1 APIs.
location /0.1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1beta1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
# Return a 403 for the kube-env attribute in all allowed API versions.
location /0.1/meta-data/attributes/kube-env {
return 403;
return 403 "This metadata endpoint is concealed.";
}
location /computeMetadata/v1beta1/instance/attributes/kube-env {
return 403;
return 403 "This metadata endpoint is concealed.";
}
location /computeMetadata/v1/instance/attributes/kube-env {
return 403;
return 403 "This metadata endpoint is concealed.";
}
# Return a 403 for instance identity in all allowed API versions.
location ~ /0.1/meta-data/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
}
}
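Review bot: The recursive-call check `if ($args ~* "^(.+&)?recursive=")` does not match a query string that starts with a separator: `$args` carries no leading `?`, so a request like `/computeMetadata/v1/instance/attributes/?&recursive=true` yields `$args` = `&recursive=true`, which neither alternative of the regex accepts (`.+&` needs at least one character before the `&`), and the request is proxied through; whether the metadata server honours the leading `&` is not visible here, but the guard should not depend on it. Anchoring on the separator instead, `if ($args ~* "(^|&)recursive=") {`, closes that gap; the same one-line change applies to all five copies, and since the check is identical in every allowed location it could be hoisted once into the `server` block ahead of the `location`s rather than repeated. Note also that the new identity locations use a case-sensitive `~` while the argument checks use `~*`; if the metadata server treats paths case-insensitively, `~*` would be the safer choice there too, though that cannot be confirmed from this file. The enclosing `http` block (and the ConfigMap `data:` value) begins outside the hunk.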