mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 19:31:44 +00:00
Merge pull request #95077 from mikedanese/mds-block
gce: redirect handshake server requests to metadata-concealment too
This commit is contained in:
commit
c8ebc8ab75
@ -174,7 +174,9 @@ function config-ip-firewall {
|
|||||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
|
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
|
||||||
echo "Add rule for metadata concealment"
|
echo "Add rule for metadata concealment"
|
||||||
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
|
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 988
|
||||||
|
iptables -w -t nat -I PREROUTING -p tcp ! -i eth0 -d "${METADATA_SERVER_IP}" --dport 8080 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j REDIRECT --to-ports 987
|
||||||
fi
|
fi
|
||||||
|
iptables -w -t raw -I OUTPUT -s 169.254.169.254 -j DROP
|
||||||
|
|
||||||
# Log all metadata access not from approved processes.
|
# Log all metadata access not from approved processes.
|
||||||
case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
|
case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
|
||||||
|
Loading…
Reference in New Issue
Block a user