Prepend the metadata firewall in gce, so it isn't superceded.

2025-07-23 11:50:44 +00:00 · 2017-06-16 10:08:48 -07:00 · 2017-06-16 10:08:48 -07:00 · b886897f9d
commit b886897f9d
parent 289de0ee14
2 changed files with 2 additions and 2 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -91,7 +91,7 @@ function config-ip-firewall {
  echo "Configuring IP firewall rules"

  iptables -N KUBE-METADATA-SERVER
-  iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+  iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER

  if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
    iptables -A KUBE-METADATA-SERVER -j DROP
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -99,7 +99,7 @@ function config-ip-firewall {
  fi

  iptables -N KUBE-METADATA-SERVER
-  iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+  iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER

  if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
    iptables -A KUBE-METADATA-SERVER -j DROP