mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 19:56:01 +00:00
Merge pull request #93492 from zshihang/nolocal
bind metadata proxy to 0.0.0.0
This commit is contained in:
commit
c236285708
@ -44,6 +44,7 @@ spec:
|
||||
containers:
|
||||
- name: metadata-proxy
|
||||
image: k8s.gcr.io/metadata-proxy:v0.1.12
|
||||
args: ["--addr=0.0.0.0:988"]
|
||||
securityContext:
|
||||
privileged: true
|
||||
# Request and limit resources to get guaranteed QoS.
|
||||
|
@ -173,7 +173,7 @@ function config-ip-firewall {
|
||||
# node because we don't expect the daemonset to run on this node.
|
||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
|
||||
echo "Add rule for metadata concealment"
|
||||
iptables -w -t nat -I PREROUTING -p tcp -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
|
||||
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
|
||||
fi
|
||||
|
||||
# Log all metadata access not from approved processes.
|
||||
@ -940,7 +940,7 @@ EOF
|
||||
limitedResources:
|
||||
- resource: pods
|
||||
matchScopes:
|
||||
- scopeName: PriorityClass
|
||||
- scopeName: PriorityClass
|
||||
operator: In
|
||||
values: ["system-node-critical", "system-cluster-critical"]
|
||||
EOF
|
||||
|
Loading…
Reference in New Issue
Block a user