github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 09:22:44 +00:00
Code Issues Projects Releases Wiki Activity

Block instance identity, block recursive=true

Browse Source
This commit is contained in:
Isaac Hollander McCreery 2017-08-24 11:33:23 -07:00
parent 1f580ae898
commit 98a7311afc
1 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
cluster/addons/metadata-proxy/gce/metadata-proxy-configmap.yaml
View File

@ -23,37 +23,63 @@ data:
# By default, return 403. This protects us from new API versions. # By default, return 403. This protects us from new API versions.
location / { location / {
return 403; return 403 "This metadata API is not allowed by the metadata proxy.";
} }
# Allow for REST discovery. # Allow for REST discovery.
location = / { location = / {
if ($args ~ "recursive=true") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254; proxy_pass http://169.254.169.254;
} }
location = /computeMetadata/ { location = /computeMetadata/ {
if ($args ~ "recursive=true") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254; proxy_pass http://169.254.169.254;
} }
# By default, allow the v0.1, v1beta1, and v1 APIs. # By default, allow the v0.1, v1beta1, and v1 APIs.
location /0.1/ { location /0.1/ {
if ($args ~ "recursive=true") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254; proxy_pass http://169.254.169.254;
} }
location /computeMetadata/v1beta1/ { location /computeMetadata/v1beta1/ {
if ($args ~ "recursive=true") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254; proxy_pass http://169.254.169.254;
} }
location /computeMetadata/v1/ { location /computeMetadata/v1/ {
if ($args ~ "recursive=true") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254; proxy_pass http://169.254.169.254;
} }
# Return a 403 for the kube-env attribute in all allowed API versions. # Return a 403 for the kube-env attribute in all allowed API versions.
location /0.1/meta-data/attributes/kube-env { location /0.1/meta-data/attributes/kube-env {
return 403; return 403 "This metadata endpoint is concealed.";
} }
location /computeMetadata/v1beta1/instance/attributes/kube-env { location /computeMetadata/v1beta1/instance/attributes/kube-env {
return 403; return 403 "This metadata endpoint is concealed.";
} }
location /computeMetadata/v1/instance/attributes/kube-env { location /computeMetadata/v1/instance/attributes/kube-env {
return 403; return 403 "This metadata endpoint is concealed.";
}
# Return a 403 for instance identity in all allowed API versions.
location ~ /0.1/meta-data/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
} }
} }
} }