ecs: add iptables rules for ECS introspection server

[mchaker]

Issue number:

Closes #2195

Description of changes:

Adds iptables rules that forward traffic destined for the ECS Introspection port on the Docker Bridge interface address to the ECS Introspection port on the localhost interface (where the ECS Introspection Server is listening).

Testing done:

• tested on Bottlerocket aws-ecs-1 variant in an ECS cluster, which consisted of:
  1. Run an ECS Task on a cluster consisting of Bottlerocket nodes (task was: a fedora image that sat and waited)
  2. Attempt to curl the API endpoint (172.17.0.1:51678) over HTTP from within that fedora container (ECS Task)

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[etungsten]

Can you elaborate on the testing you've done to specifically test these changes? I'm not too familiar with the ECS agent introspection API. Looking at the issue, can you try verifying you can access the introspection API endpoint in a running ECS task?

[etungsten]

These ExecStopPost directives are deleting the iptable rules right? Would this be more accurate?:

Suggested change

	# Grant access to metadata server
	# Remove access to IMDS from ECS tasks

Same for the new comments below

[etungsten]

"metadata server" is somewhat ambiguous. Also might be good specify what we're granting access to.
Would this be accurate?

Suggested change

	# Grant access to metadata server
	# Grant ECS tasks access to IMDS

[mchaker]

Discussed with @arnaldo2792 and I agree - clarifying the "metadata server" is a good idea. :)

[mchaker]

Can you elaborate on the testing you've done to specifically test these changes? I'm not too familiar with the ECS agent introspection API. Looking at the issue, can you try verifying you can access the introspection API endpoint in a running ECS task?

@etungsten Sure, I'll add further details in the PR description, but essentially:

1. Ran ECS task which was just a fedora container
2. Attempted to curl the API endpoint (172.17.0.1:51678) over HTTP

[mchaker]

Latest force push: respond to PR suggestions (fix comment clarity)

[mchaker]

Latest force push: replace IMDS with proper name

[mchaker]

Latest force push: fix commit message

[bcressey]

The code change looks fine to me as long as the Datadog agent is working on the ECS variant now.

Can you fix the commit subject to align to conventions?

ecs: add iptables rules for introspection server

[mchaker]

The code change looks fine to me as long as the Datadog agent is working on the ECS variant now.

Can you fix the commit subject to align to conventions?

ecs: add iptables rules for introspection server

@bcressey: @arnaldo2792 and I just finished testing the Datadog agent. We confirmed that docker labels get translated to Datadog tags using the following environment variable in the Datadog agent Task configuration:

{
      "name": "DD_DOCKER_LABELS_AS_TAGS",
      "value": "'{\"com.amazonaws.ecs.task-definition-family\": \"task_name_test\", \"com.amazonaws.ecs.task-definition-version\": \"task_version_test\"}'"
}

The tags appeared for a Task scoped to a Bottlerocket host containing my changes, and did not appear for a Task scoped to a Bottlerocket host without my changes.

[mchaker]

Latest force push: fix commit message to align to convention