Merge pull request #42192 from mikedanese/mds-block

Automatic merge from submit-queue (batch tested with PRs 41980, 42192, 42223, 41822, 42048) add kube-env variable to block traffic to metadataserver @Q-Lee @thockin
2017-03-02 00:59:16 -08:00 · 2017-03-02 00:59:16 -08:00 · 1864e0516d
parent db5e85af5f 34e02c9989
commit 1864e0516d
2 changed files with 19 additions and 0 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -90,6 +90,17 @@ ensure-local-disks() {
  done
 }

+function config-ip-firewall {
+  echo "Configuring IP firewall rules"
+
+  iptables -N KUBE-METADATA-SERVER
+  iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+
+  if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
+    iptables -A KUBE-METADATA-SERVER -j DROP
+  fi
+}
+
 function ensure-install-dir() {
  INSTALL_DIR="/var/cache/kubernetes-install"
  mkdir -p ${INSTALL_DIR}
@ -1136,6 +1147,7 @@ function create-salt-master-etcd-auth {
 if [[ -z "${is_push}" ]]; then
  echo "== kube-up node config starting =="
  set-broken-motd
+  config-ip-firewall
  ensure-basic-networking
  fix-apt-sources
  ensure-install-dir
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -48,6 +48,13 @@ function config-ip-firewall {
    iptables -A FORWARD -w -p UDP -j ACCEPT
    iptables -A FORWARD -w -p ICMP -j ACCEPT
  fi
+
+  iptables -N KUBE-METADATA-SERVER
+  iptables -A FORWARD -p tcp -d 169.254.169.254 --dport 80 -j KUBE-METADATA-SERVER
+
+  if [[ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]]; then
+    iptables -A KUBE-METADATA-SERVER -j DROP
+  fi
 }

 function create-dirs {