Cluster Setup – Node Metadata Protection


title: "Cluster Setup – Node Metadata Protection"
date: 2020-12-09T21:07:02
slug: cluster-setup-node-metadata-protection


Prevent Pods from querying the cloud provider's metadata server. On GKE, any Pod can reach it by default with:
curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/0" -H "Metadata-Flavor: Google"

Get the IP address of the metadata server; it is needed for the deny network policy:

~# ping metadata.google.internal
PING metadata.google.internal (169.254.169.254) 56(84) bytes of data.

Create a network policy that denies egress traffic from all pods in the namespace to the metadata server (all other egress stays allowed):

# all pods in namespace cannot access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32

Create an allow rule that applies only to Pods carrying the label "role: metadata-accessor":

# only pods with label are allowed to access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32

Add the label "role=metadata-accessor" to a Pod that legitimately needs the metadata endpoint:

k label pod nginx role=metadata-accessor
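Added example (not part of the original post): a small Python evaluator that applies NetworkPolicy egress semantics to the two manifests above, so you can check which Pods end up able to reach 169.254.169.254 without a cluster. The policy dicts are constructed from the page's YAML; the evaluator models the rules that a Pod is isolated only once some policy selects it, and that traffic is allowed if any selecting policy allows it.

```python
"""Evaluate egress decisions under the page's two NetworkPolicies.

Constructed for illustration: POLICIES mirrors the cloud-metadata-deny and
cloud-metadata-allow manifests (namespace "default"). The evaluator covers
podSelector/matchLabels and ipBlock cidr/except only.
"""
import ipaddress

METADATA_IP = "169.254.169.254"

POLICIES = [
    {"namespace": "default", "selector": {},  # empty selector: every pod
     "egress": [{"cidr": "0.0.0.0/0", "except": [f"{METADATA_IP}/32"]}]},
    {"namespace": "default", "selector": {"role": "metadata-accessor"},
     "egress": [{"cidr": f"{METADATA_IP}/32", "except": []}]},
]


def selects(policy, pod):
    """A policy applies to pods in its namespace whose labels contain matchLabels."""
    return policy["namespace"] == pod["namespace"] and all(
        pod["labels"].get(k) == v for k, v in policy["selector"].items())


def ipblock_allows(block, dst):
    """ipBlock semantics: inside cidr and not inside any except entry."""
    ip = ipaddress.ip_address(dst)
    in_cidr = ip in ipaddress.ip_network(block["cidr"], strict=False)
    excluded = any(ip in ipaddress.ip_network(e, strict=False)
                   for e in block["except"])
    return in_cidr and not excluded


def egress_allowed(pod, dst, policies=POLICIES):
    """True if pod may send to dst. A pod no policy selects is not isolated."""
    applicable = [p for p in policies if selects(p, pod)]
    if not applicable:
        return True  # no isolation at all: the deny policy is namespaced
    # Policies are additive: one allowing rule is enough.
    return any(ipblock_allows(b, dst) for p in applicable for b in p["egress"])


if __name__ == "__main__":
    pods = {
        "plain": {"namespace": "default", "labels": {"app": "nginx"}},
        "accessor": {"namespace": "default", "labels": {"role": "metadata-accessor"}},
        "other-ns": {"namespace": "dev", "labels": {}},  # not covered by the deny
    }
    for name, pod in pods.items():
        print(f"{name:9} metadata={egress_allowed(pod, METADATA_IP)} "
              f"internet={egress_allowed(pod, '8.8.8.8')}")
```

The "other-ns" case is the caveat to remember: both policies live in the default namespace, so the deny must be created in every namespace that runs untrusted workloads.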