From 9a7dcd36c1f188818c9ae846ef05d78fa6d63744 Mon Sep 17 00:00:00 2001
From: Matthew Cary
Date: Mon, 11 Jan 2021 15:17:25 -0800
Subject: [PATCH] Disallow local loopback for volume hosts

Change-Id: Ic356c3f859057153cfad97327f1938792a1a512c
---
 cluster/gce/gci/configure-helper.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 21634ad5c4a..99c1da989b4 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1999,6 +1999,7 @@ function start-kube-controller-manager {
 params+=("--kubeconfig=${config_path}" "--authentication-kubeconfig=${config_path}" "--authorization-kubeconfig=${config_path}")
 params+=("--root-ca-file=${CA_CERT_BUNDLE_PATH}")
 params+=("--service-account-private-key-file=${SERVICEACCOUNT_KEY_PATH}")
+ params+=("--volume-host-allow-local-loopback=false")
 if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then
 params+=("--enable-garbage-collector=${ENABLE_GARBAGE_COLLECTOR}")
 fi
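Review bot: The added `--volume-host-allow-local-loopback=false` line has no comment saying why it is there, so a later cleanup could drop it as an unexplained default override. I would put `# Reject volume hosts that resolve to loopback so a volume spec cannot point the controller manager at services on the master itself.` directly above it. The flag only covers loopback addresses. Other internal ranges are handled by `--volume-host-cidr-denylist`, which is not set in the visible lines. `start-kube-controller-manager` continues outside the hunk, so please confirm whether a denylist is configured elsewhere or is intentionally left empty.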