Merge pull request #93492 from zshihang/nolocal

bind metadata proxy to 0.0.0.0
This commit is contained in:
Kubernetes Prow Robot 2020-09-02 00:41:34 -07:00 committed by GitHub
commit c236285708
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions


@ -44,6 +44,7 @@ spec:
containers:
- name: metadata-proxy
image: k8s.gcr.io/metadata-proxy:v0.1.12
args: ["--addr=0.0.0.0:988"]
securityContext:
privileged: true
# Request and limit resources to get guaranteed QoS.
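Review bot: The `args: ["--addr=0.0.0.0:988"]` line (which appears to be the one addition in this section) makes the proxy accept connections on every address of the network namespace it runs in, and the manifest gives no hint why the previous loopback-only binding was insufficient or what now limits who can reach port 988; the container is also `privileged: true`, so a reader should not have to reconstruct the reasoning from the iptables change in the other file. Add a comment above `args:` such as `# Listen on all addresses: the node's REDIRECT rule delivers metadata traffic to the primary address of the receiving interface, so 127.0.0.1 would not be reached. Access to port 988 is restricted by the node firewall rules, not by this binding.` The `spec`/container block continues outside the hunk, so whether `hostNetwork` is set cannot be confirmed here; if it is, the comment should say so, since that is what makes the wider binding node-visible.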


@ -173,7 +173,7 @@ function config-ip-firewall {
# node because we don't expect the daemonset to run on this node.
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
echo "Add rule for metadata concealment"
iptables -w -t nat -I PREROUTING -p tcp -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
fi
# Log all metadata access not from approved processes.
@ -940,7 +940,7 @@ EOF
limitedResources:
- resource: pods
matchScopes:
- scopeName: PriorityClass
- scopeName: PriorityClass
operator: In
values: ["system-node-critical", "system-cluster-critical"]
EOF
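Review bot: The new REDIRECT rule in the `config-ip-firewall` hunk only governs traffic that arrives on a non-eth0 interface and is addressed to `${METADATA_SERVER_IP}:80`; with the proxy now bound to 0.0.0.0 rather than 127.0.0.1, nothing in this hunk restricts direct connections to port 988 on the node's own addresses, which the old DNAT-to-loopback design did not have to consider. Confirm that an INPUT-chain or GCE firewall rule covers that port, and record the coupling in the script, e.g. `# REDIRECT hands traffic to the primary address of the receiving interface, so the metadata proxy must listen on 0.0.0.0 (see the metadata-proxy daemonset args); direct access to port 988 is blocked separately, not by this rule.` The rendered hunk shows seven lines for a 7/7 hunk with one old and one new line, so a context line seems to have been dropped in rendering; the function `config-ip-firewall` continues outside the hunk. The second hunk in this file (`scopeName: PriorityClass`) reads as a whitespace-only change and needs no note.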