Let singleuser.cloudMetadata.blockWithIptables block HTTP ports only #3180
It seems that the cloud metadata server can also be an IP for DNS queries (GKE clusters with Cloud DNS configured), and I don't think we should block these with `singleuser.cloudMetadata.blockWithIptables` by default. I suggest we just block the HTTP ports, 80 and possibly also 443. In practice it seems only port 80 is used, but I'm not 100% sure. I've searched the internet and found no examples of a port other than port 80 being exposed to serve the metadata API.
If we do this, what we ship with by default in 3.0.0 would work for GKE clusters with Cloud DNS, GKE clusters with kube-dns and nodelocal cache, with GKE/EKS/AKS clusters with pods in k8s clusters, with Cilium (GKE dataplane v2) as a network policy enforcer - and no additional config exceptions would be required.
Currently without this, users of GKE's Cloud DNS would need to disable all blocking of the cloud metadata server, including the metadata API, just to still be able to access the DNS on the same IP.
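As an added illustration of the two policies discussed in this issue (this is example code, not the chart's own init-container script), the script below emits the iptables rules for "drop everything sent to the metadata address" next to "drop only the TCP port(s) the metadata API listens on", and includes a small check that DNS on the same address stays reachable under the second rule set. It assumes the metadata service lives at the usual link-local address 169.254.169.254 (not stated on this page; override with `METADATA_IP`), and it only applies rules when run with `APPLY=1` and the privileges to do so.

```shell
#!/bin/sh
# Added example, not from the zero-to-jupyterhub-k8s chart: iptables rules for
# an init container that should block the cloud metadata *API* but leave DNS
# served on the same address (GKE Cloud DNS) working.
#
# Assumption: the metadata service is at 169.254.169.254, the usual address on
# GKE/EKS/AKS. Rules are emitted as text; they are applied only with APPLY=1.

METADATA_IP="${METADATA_IP:-169.254.169.254}"

# Policy before this issue: every packet to the address is dropped, which also
# breaks DNS queries sent to the same IP.
block_all_rules() {
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$METADATA_IP"
}

# Proposed default: drop only the HTTP port(s) the metadata API is served on.
# Pass the ports as arguments, e.g. "80" or "80 443".
block_http_rules() {
  for port in "$@"; do
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j DROP\n' \
      "$METADATA_IP" "$port"
  done
}

# Returns 0 when traffic for (proto, port) to the metadata address is still
# allowed by the generated rule text passed as the third argument, i.e. no
# DROP rule matches it. This checks the generated rules only; it is not a
# substitute for testing inside the cluster.
is_reachable() {
  proto="$1"; port="$2"; rules="$3"
  # A rule with neither -p nor --dport drops all traffic to the address.
  if printf '%s\n' "$rules" | grep -qF -- "-d $METADATA_IP -j DROP"; then
    return 1
  fi
  if printf '%s\n' "$rules" | \
     grep -qF -- "-p $proto -d $METADATA_IP --dport $port -j DROP"; then
    return 1
  fi
  return 0
}

# Show both variants; apply the HTTP-only variant when explicitly requested.
echo "# block everything:";  block_all_rules
echo "# block HTTP only:";   block_http_rules 80
if [ "${APPLY:-0}" = "1" ]; then
  block_http_rules 80 | sh
fi
```

Run it as-is to print both rule sets; `APPLY=1 sh script.sh` installs the HTTP-only rules, which needs `CAP_NET_ADMIN` in the init container just as the existing blocking does.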