github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #107502 from zshihang/metadata

Browse Source 
limit the scope of 169.254.169.252/32 to host
This commit is contained in:
Kubernetes Prow Robot 2022-01-13 15:54:27 -08:00 committed by GitHub
commit 6b399153ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cluster/gce/gci/configure-helper.sh
View File

@ -179,7 +179,7 @@ function config-ip-firewall {
# node because we don't expect the daemonset to run on this node. # node because we don't expect the daemonset to run on this node.
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
echo "Add rule for metadata concealment" echo "Add rule for metadata concealment"
ip addr add dev lo 169.254.169.252/32 ip addr add dev lo 169.254.169.252/32 scope host
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:988 iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:988
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 8080 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:987 iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 8080 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:987
fi fi
@ -1537,7 +1537,7 @@ EOF
function disable_aufs() { function disable_aufs() {
# disable aufs module if aufs is loaded # disable aufs module if aufs is loaded
if lsmod | grep "aufs" &> /dev/null ; then if lsmod | grep "aufs" &> /dev/null ; then
sudo modprobe -r aufs sudo modprobe -r aufs
fi fi
} }
@ -1601,7 +1601,7 @@ addockeropt "\"pidfile\": \"/var/run/docker.pid\",
if [[ -n "${DOCKER_REGISTRY_MIRROR_URL:-}" ]]; then if [[ -n "${DOCKER_REGISTRY_MIRROR_URL:-}" ]]; then
docker_opts+="--registry-mirror=${DOCKER_REGISTRY_MIRROR_URL} " docker_opts+="--registry-mirror=${DOCKER_REGISTRY_MIRROR_URL} "
fi fi
disable_aufs disable_aufs
set_docker_options_non_ubuntu set_docker_options_non_ubuntu
@ -1993,8 +1993,8 @@ function prepare-konnectivity-server-manifest {
if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'grpc' ]]; then if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'grpc' ]]; then
params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket") params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket")
elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then
# HTTP-CONNECT can work with either UDS or mTLS. # HTTP-CONNECT can work with either UDS or mTLS.
# Linking them here to make sure we get good coverage with two test configurations. # Linking them here to make sure we get good coverage with two test configurations.
params+=("--server-ca-cert=${KONNECTIVITY_SERVER_CA_CERT_PATH}") params+=("--server-ca-cert=${KONNECTIVITY_SERVER_CA_CERT_PATH}")
params+=("--server-cert=${KONNECTIVITY_SERVER_CERT_PATH}") params+=("--server-cert=${KONNECTIVITY_SERVER_CERT_PATH}")
params+=("--server-key=${KONNECTIVITY_SERVER_KEY_PATH}") params+=("--server-key=${KONNECTIVITY_SERVER_KEY_PATH}")
@ -2011,7 +2011,7 @@ function prepare-konnectivity-server-manifest {
params+=("--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig") params+=("--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig")
params+=("--proxy-strategies=default") params+=("--proxy-strategies=default")
elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then
# GRPC can work with either UDS or mTLS. # GRPC can work with either UDS or mTLS.
params+=("--mode=http-connect") params+=("--mode=http-connect")
params+=("--server-port=8131") params+=("--server-port=8131")
params+=("--agent-namespace=") params+=("--agent-namespace=")