From 38f040c0a82f74b711e540ea06fd1aa80b2e3916 Mon Sep 17 00:00:00 2001
From: Shihang Zhang
Date: Mon, 27 Jul 2020 18:14:33 -0700
Subject: [PATCH] bind metadata proxy to 0.0.0.0
---
 cluster/addons/metadata-proxy/gce/metadata-proxy.yaml | 1 +
 cluster/gce/gci/configure-helper.sh | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
index 2d07cd48f6b..126766d5429 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
@@ -44,6 +44,7 @@ spec:
 containers:
 - name: metadata-proxy
 image: k8s.gcr.io/metadata-proxy:v0.1.12
+ args: ["--addr=0.0.0.0:988"]
 securityContext:
 privileged: true
 # Request and limit resources to get guaranteed QoS.
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index b04cabd3c32..fada2784b7c 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -173,7 +173,7 @@ function config-ip-firewall {
 # node because we don't expect the daemonset to run on this node.
 if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
 echo "Add rule for metadata concealment"
- iptables -w -t nat -I PREROUTING -p tcp -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
+ iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
 fi
 # Log all metadata access not from approved processes.
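Review bot: The added `args` line makes the proxy listen on every address of the node instead of loopback, so port 988 is now reachable on whatever interfaces the pod's network namespace exposes (the container is privileged; whether it runs with hostNetwork is outside the hunk), and nothing in this commit adds a filter limiting who may connect to it. The reason loopback no longer works is not recorded anywhere near the value; a comment above the line would prevent the next maintainer from "tightening" it back: `# Listen on all addresses: the node's REDIRECT rule delivers traffic to the incoming interface's primary IP, not 127.0.0.1. The port must match the iptables rule in cluster/gce/gci/configure-helper.sh.` The listen address and port are also a literal here and a literal in the shell script, so a change to one will silently break concealment; consider a single source for the port. Confirm that the node's INPUT chain or the VPC firewall rejects connections to 988 arriving from outside the node, since the proxy now accepts them.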
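Review bot: The new rule hard-codes the uplink interface as `eth0`, so on an image or NIC where the primary interface has another name the `! -i eth0` exclusion silently widens to all interfaces, whereas the replaced DNAT rule had no interface dependency. Resolve the interface rather than assuming it, for example `local -r primary_if=$(ip route get "${METADATA_SERVER_IP}" | sed -n 's/.* dev \([^ ]*\).*/\1/p')` and then `! -i "${primary_if}"` in the rule, with a comment stating why uplink traffic is excluded. The target port 988 is repeated here and in the daemonset's `--addr` argument; a shared variable would keep the REDIRECT and the listener in step. The config-ip-firewall function begins and ends outside the hunk.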
@@ -940,7 +940,7 @@ EOF
 limitedResources:
 - resource: pods
 matchScopes:
- - scopeName: PriorityClass
+ - scopeName: PriorityClass
 operator: In
 values: ["system-node-critical", "system-cluster-critical"]
 EOF