Add prometheus-to-sd-exporter to metadata-proxy addon; bump to proxy to v0.1.4 and e2e to v0.0.2; remove configmag

This commit is contained in:
Isaac Hollander McCreery 2017-10-26 13:54:21 -07:00
parent 92952cfe77
commit be8aaf9ff8
5 changed files with 29 additions and 104 deletions


@ -1,88 +0,0 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: metadata-proxy-config
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
nginx.conf: |-
user www-data;
worker_processes 4;
pid /run/nginx.pid;
error_log /dev/stdout;
events {
worker_connections 20;
}
http {
access_log /dev/stdout;
server {
listen 127.0.0.1:988;
# When serving 301s, don't redirect to port 988.
port_in_redirect off;
# By default, return 403. This protects us from new API versions.
location / {
return 403 "This metadata API is not allowed by the metadata proxy.";
}
# Allow for REST discovery.
location = / {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location = /computeMetadata/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
# By default, allow the v0.1, v1beta1, and v1 APIs.
location /0.1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1beta1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1/ {
if ($args ~* "^(.+&)?recursive=") {
return 403 "?recursive calls are not allowed by the metadata proxy.";
}
proxy_pass http://169.254.169.254;
}
# Return a 403 for the kube-env attribute in all allowed API versions.
location /0.1/meta-data/attributes/kube-env {
return 403 "This metadata endpoint is concealed.";
}
location /computeMetadata/v1beta1/instance/attributes/kube-env {
return 403 "This metadata endpoint is concealed.";
}
location /computeMetadata/v1/instance/attributes/kube-env {
return 403 "This metadata endpoint is concealed.";
}
# Return a 403 for instance identity in all allowed API versions.
location ~ /0.1/meta-data/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
return 403 "This metadata endpoint is concealed.";
}
}
}


@ -38,26 +38,32 @@ spec:
dnsPolicy: Default
containers:
- name: metadata-proxy
image: gcr.io/google-containers/metadata-proxy:0.1.3
imagePullPolicy: Always
image: gcr.io/google_containers/metadata-proxy:v0.1.4
securityContext:
privileged: true
command:
- '/start-proxy.sh'
resources:
requests:
memory: "32Mi"
cpu: "30m"
memory: "16Mi"
cpu: "15m"
limits:
memory: "32Mi"
cpu: "30m"
volumeMounts:
- name: config-volume
mountPath: /etc/nginx/
memory: "16Mi"
cpu: "15m"
# BEGIN_PROMETHEUS_TO_SD
- name: prometheus-to-sd-exporter
image: gcr.io/google_containers/prometheus-to-sd:v0.2.2
command:
- /monitor
- --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons
- --api-override={{ prometheus_to_sd_endpoint }}
- --source=metadata_proxy:http://127.0.0.1:989?whitelisted=request_count
resources:
requests:
memory: "16Mi"
cpu: "15m"
limits:
memory: "16Mi"
cpu: "15m"
# END_PROMETHEUS_TO_SD
nodeSelector:
beta.kubernetes.io/metadata-proxy-ready: "true"
terminationGracePeriodSeconds: 30
volumes:
- name: config-volume
configMap:
name: metadata-proxy-config
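Review bot: The new `image: gcr.io/google_containers/metadata-proxy:v0.1.4` line references a mutable tag while the `imagePullPolicy: Always` line is dropped, and at the same time the nginx deny rules for kube-env and service-account identity leave the reviewable ConfigMap and now live only inside that image, so the policy this addon exists to enforce is only as trustworthy as whatever the tag resolves to on each node. Pin the image by digest, `image: gcr.io/google_containers/metadata-proxy@sha256:<digest of v0.1.4>`, or at least keep `imagePullPolicy: Always`, since without an explicit policy kubelet falls back to IfNotPresent for a non-latest tag and a node with a stale cached image would keep serving the old rules. The `prometheus-to-sd-exporter` sidecar scrapes `http://127.0.0.1:989`, which implies the proxy now exposes a second listener besides 988; the pod's network and port settings are outside this hunk, so confirm 989 is bound to loopback only. The pod spec begins above line 38 and is not visible here.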


@ -1348,6 +1348,11 @@ EOF
if [[ "${ENABLE_DEFAULT_STORAGE_CLASS:-}" == "true" ]]; then
setup-addon-manifests "addons" "storage-class/gce"
fi
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
setup-addon-manifests "addons" "metadata-proxy/gce"
local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
fi
# Place addon manager pod manifest.
cp "${src_dir}/kube-addon-manager.yaml" /etc/kubernetes/manifests
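Review bot: The added `update-prometheus-to-sd-parameters ${metadata_proxy_yaml}` line passes the path unquoted, unlike the quoted `"${dst_dir}/..."` assignment directly above it, so a path containing whitespace or glob characters would be word-split before the helper sees it; write `update-prometheus-to-sd-parameters "${metadata_proxy_yaml}"`. The same unquoted call is added in the second `@ -1897` hunk and should be quoted there too. The enclosing function starts and ends outside both hunks.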


@ -1897,6 +1897,8 @@ EOF
fi
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
setup-addon-manifests "addons" "metadata-proxy/gce"
local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
fi
# Place addon manager pod manifest.


@ -45,7 +45,7 @@ var _ = SIGDescribe("Metadata Concealment", func() {
Containers: []v1.Container{
{
Name: "check-metadata-concealment",
Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.1",
Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.2",
},
},
RestartPolicy: v1.RestartPolicyOnFailure,