mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
Merge pull request #58104 from ihmccreery/no-firewall
Automatic merge from submit-queue (batch tested with PRs 58104, 58492, 58491). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Optionally prevent metadata concealment firewall from being set **What this PR does / why we need it**: GCP: allow a master to not include a metadata concealment firewall rule (if it's not running the metadata proxy). **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note GCP: allow a master to not include a metadata concealment firewall rule (if it's not running the metadata proxy). ```
This commit is contained in:
commit
7ad797e1cc
@ -186,7 +186,7 @@ if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
|
||||
# Put the necessary label on the node so the daemonset gets scheduled.
|
||||
NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
|
||||
# Add to the provider custom variables.
|
||||
PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT"
|
||||
PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
|
||||
fi
|
||||
|
||||
# Optional: Enable node logging.
|
||||
|
@ -216,7 +216,7 @@ if [[ ${ENABLE_METADATA_CONCEALMENT:-} == "true" ]]; then
|
||||
# Put the necessary label on the node so the daemonset gets scheduled.
|
||||
NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
|
||||
# Add to the provider custom variables.
|
||||
PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT"
|
||||
PROVIDER_VARS="${PROVIDER_VARS:-} ENABLE_METADATA_CONCEALMENT METADATA_CONCEALMENT_NO_FIREWALL"
|
||||
fi
|
||||
|
||||
# Optional: Enable node logging.
|
||||
|
@ -77,7 +77,9 @@ function config-ip-firewall {
|
||||
iptables -w -t nat -A IP-MASQ -m comment --comment "ip-masq: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
|
||||
fi
|
||||
|
||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
|
||||
# If METADATA_CONCEALMENT_NO_FIREWALL is set, don't create a firewall on this
|
||||
# node because we don't expect the daemonset to run on this node.
|
||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
|
||||
echo "Add rule for metadata concealment"
|
||||
iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user