github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #95077 from mikedanese/mds-block

Browse Source 
gce: redirect handshake server requests to metadata-concealment too
This commit is contained in:
Kubernetes Prow Robot 2020-09-25 22:36:47 -07:00 committed by GitHub
commit c8ebc8ab75
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/gce/gci/configure-helper.sh
View File

@ -174,7 +174,9 @@ function config-ip-firewall {
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
echo "Add rule for metadata concealment" echo "Add rule for metadata concealment"
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988 iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 8080 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 987
fi fi
iptables -w -t raw -I OUTPUT -s 169.254.169.254 -j DROP
# Log all metadata access not from approved processes. # Log all metadata access not from approved processes.
case "${METADATA_SERVER_FIREWALL_MODE:-off}" in case "${METADATA_SERVER_FIREWALL_MODE:-off}" in