From 98a7311afcf13f78273f0bb101786f5dd1431cd7 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Thu, 24 Aug 2017 11:33:23 -0700
Subject: [PATCH 1/3] Block instance identity, block recursive=true
---
 .../gce/metadata-proxy-configmap.yaml | 34 ++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
index 5be4cbe3b61..af8b8c974b5 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
@@ -23,37 +23,63 @@ data:
 # By default, return 403. This protects us from new API versions.
 location / {
- return 403;
+ return 403 "This metadata API is not allowed by the metadata proxy.";
 }
 # Allow for REST discovery.
 location = / {
+ if ($args ~ "recursive=true") {
+ return 403 "?recursive calls are not allowed by the metadata proxy.";
+ }
 proxy_pass http://169.254.169.254;
 }
 location = /computeMetadata/ {
+ if ($args ~ "recursive=true") {
+ return 403 "?recursive calls are not allowed by the metadata proxy.";
+ }
 proxy_pass http://169.254.169.254;
 }
 # By default, allow the v0.1, v1beta1, and v1 APIs.
 location /0.1/ {
+ if ($args ~ "recursive=true") {
+ return 403 "?recursive calls are not allowed by the metadata proxy.";
+ }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1beta1/ {
+ if ($args ~ "recursive=true") {
+ return 403 "?recursive calls are not allowed by the metadata proxy.";
+ }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1/ {
+ if ($args ~ "recursive=true") {
+ return 403 "?recursive calls are not allowed by the metadata proxy.";
+ }
 proxy_pass http://169.254.169.254;
 }
 # Return a 403 for the kube-env attribute in all allowed API versions.
 location /0.1/meta-data/attributes/kube-env {
- return 403;
+ return 403 "This metadata endpoint is concealed.";
 }
 location /computeMetadata/v1beta1/instance/attributes/kube-env {
- return 403;
+ return 403 "This metadata endpoint is concealed.";
 }
 location /computeMetadata/v1/instance/attributes/kube-env {
- return 403;
+ return 403 "This metadata endpoint is concealed.";
+ }
+
+ # Return a 403 for instance identity in all allowed API versions.
+ location ~ /0.1/meta-data/service-accounts/.+/identity {
+ return 403 "This metadata endpoint is concealed.";
+ }
+ location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
+ return 403 "This metadata endpoint is concealed.";
+ }
+ location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
+ return 403 "This metadata endpoint is concealed.";
 }
 }
 }
From 86c0579ee5c987350a72c3b324dbfff104e36ac0 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Mon, 28 Aug 2017 09:04:42 -0700
Subject: [PATCH 2/3] Made blacklist stricter to deal with alternate versions of true
---
 .../metadata-proxy/gce/metadata-proxy-configmap.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
index af8b8c974b5..65dfc3d7ec3 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
@@ -28,13 +28,13 @@ data:
 # Allow for REST discovery.
 location = / {
- if ($args ~ "recursive=true") {
+ if ($args ~* "recursive") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location = /computeMetadata/ {
- if ($args ~ "recursive=true") {
+ if ($args ~* "recursive") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
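Review bot: The three new `location ~ …/identity` blocks only take effect because nginx tries regex locations after choosing the longest prefix match and lets the first matching regex override it; nothing in the hunk says so, and a reader who sees `location /computeMetadata/v1/` declared earlier may assume that one wins. A comment above the first regex block such as `# Regex locations are checked after the prefix locations above and take precedence, so these 403s still apply under /computeMetadata/v1/ and the other allowed prefixes.` would record that. The same `if ($args ~ …) { return 403 …; }` is pasted into five locations, and both follow-up patches in this series had to edit all five; a single `map $args $block_recursive` at `http` scope (outside this hunk) with one `if ($block_recursive) { return 403 …; }` per location keeps the pattern in one place. The unanchored regexes and the unescaped dots in `/0.1/` match more paths than the literal ones, which is the safe direction for a deny rule but deserves a comment so it is not "tightened" later by mistake.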
@@ -42,19 +42,19 @@ data:
 # By default, allow the v0.1, v1beta1, and v1 APIs.
 location /0.1/ {
- if ($args ~ "recursive=true") {
+ if ($args ~* "recursive") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1beta1/ {
- if ($args ~ "recursive=true") {
+ if ($args ~* "recursive") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1/ {
- if ($args ~ "recursive=true") {
+ if ($args ~* "recursive") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
From 6f4ee0d2aa92c2ee8463f44b4a3f00eb461b4723 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Wed, 30 Aug 2017 11:27:50 -0700
Subject: [PATCH 3/3] Fix regex's and redirect port
---
 .../metadata-proxy/gce/metadata-proxy-configmap.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
index 65dfc3d7ec3..2d23f42ad63 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
@@ -20,6 +20,8 @@ data:
 access_log /dev/stdout;
 server {
 listen 127.0.0.1:988;
+ # When serving 301s, don't redirect to port 988.
+ port_in_redirect off;
 # By default, return 403. This protects us from new API versions.
 location / {
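Review bot: `port_in_redirect off` only changes redirects nginx generates itself, such as the automatic 301 to the trailing-slash form of the prefix locations further down the file; `Location` headers returned by the upstream at 169.254.169.254 are governed by `proxy_redirect`, which this patch does not touch, so the comment should say which 301s it means. It also does not say why the port has to be dropped; presumably clients never address this listener as :988 and reach it through some redirection not visible in this file. If that is the reason, a comment such as `# nginx-generated redirects (e.g. the trailing-slash 301 for prefix locations) must not carry :988; clients do not reach this proxy on that port.` would make it explicit. The `server {` block opened in this hunk continues past it.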
@@ -28,13 +30,13 @@ data:
 # Allow for REST discovery.
 location = / {
- if ($args ~* "recursive") {
+ if ($args ~* "^(.+&)?recursive=") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location = /computeMetadata/ {
- if ($args ~* "recursive") {
+ if ($args ~* "^(.+&)?recursive=") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
@@ -42,19 +44,19 @@ data:
 # By default, allow the v0.1, v1beta1, and v1 APIs.
 location /0.1/ {
- if ($args ~* "recursive") {
+ if ($args ~* "^(.+&)?recursive=") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1beta1/ {
- if ($args ~* "recursive") {
+ if ($args ~* "^(.+&)?recursive=") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
 }
 location /computeMetadata/v1/ {
- if ($args ~* "recursive") {
+ if ($args ~* "^(.+&)?recursive=") {
 return 403 "?recursive calls are not allowed by the metadata proxy.";
 }
 proxy_pass http://169.254.169.254;
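Review bot: The new pattern `^(.+&)?recursive=` in all five `if` blocks (this hunk and the `@@ -42,19 +44,19 @@` hunk) requires at least one character before the `&`, so a query string whose first pair is empty is not matched and is forwarded to the upstream; whether the metadata server ignores an empty leading pair is not visible here, so the proxy should not depend on it. `if ($args ~* "^(.*&)?recursive=") {` covers that case with no other change. Given that this series already replaced two earlier forms of the check, a short comment beside the regex stating what it is meant to catch, e.g. `# Block the recursive= query parameter whatever its value or position.`, would help whoever tightens it next.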