Merge pull request #47626 from Q-Lee/metadata-fix

Automatic merge from submit-queue (batch tested with PRs 47626, 47674, 47683, 47290, 47688)

The KUBE-METADATA-SERVER firewall must be applied before the universa…

…l tcp ACCEPT



**What this PR does / why we need it**: the metadata firewall rule was broken by being appended after the universal tcp accept.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
```
Kubernetes Submit Queue 2017-06-16 19:56:55 -07:00 committed by GitHub
commit d7e5a8b67e
2 changed files with 2 additions and 2 deletions


@ -91,7 +91,7 @@ function config-ip-firewall {
echo "Configuring IP firewall rules"
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
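Review bot: The `iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER` line in config-ip-firewall depends on rule order, and nothing in the hunk documents that. `-I` with no rule number places the jump at position 1 of FORWARD, which is what puts it ahead of the universal tcp ACCEPT named in the commit message, but a later reader has no way to tell that `-A` would be wrong here. Please add a short comment above the line stating that the jump to KUBE-METADATA-SERVER must be evaluated before the ACCEPT rule, otherwise the DROP added under `KUBE_FIREWALL_METADATA_SERVER` is never reached. It would also help to note that an accepting rule inserted at the head of FORWARD after this function runs would bypass the chain again in the same way.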


@ -103,7 +103,7 @@ function config-ip-firewall {
fi
iptables -N KUBE-METADATA-SERVER
iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
iptables -I FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
iptables -A KUBE-METADATA-SERVER -j DROP
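Review bot: In this copy of config-ip-firewall, `iptables -N KUBE-METADATA-SERVER` and the new `iptables -I FORWARD ...` line both run unconditionally, so a second invocation would fail on `-N` because the chain already exists and would insert a duplicate jump at the head of FORWARD. If the function can run more than once on a node, guard the insert with an existence check, for example `iptables -C FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER || iptables -I FORWARD ...`, and tolerate an existing chain on `-N`. Since the identical one-line fix had to be made in two files, a comment cross-referencing the other copy (or a shared helper) would keep the two from drifting apart.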