Node Metadata

1. 介绍

2. Access Node Metadata

curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"


curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/0/" -H "Metadata-Flavor: Google"

root@master:~/clash# k run nginx --image=nginx
pod/nginx created
root@master:~/clash# k get pods
NAME      READY   STATUS    RESTARTS   AGE
backend   1/1     Running   0          43h
nginx     1/1     Running   0          22s
pod1      1/1     Running   0          20h
pod2      1/1     Running   0          20h
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"

3. Protect Node Metadata via NetworkPolicy

root@master:~/cks/metadata# cat deny.yaml
# all pods in namespace cannot access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32


root@master:~/cks/metadata#  k create -f deny.yaml 
networkpolicy.networking.k8s.io/cloud-metadata-deny created
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"         ## 卡住



root@master:~/cks/metadata# cat allow.yaml
# only pods with label are allowed to access metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32


root@master:~/cks/metadata# k create -f allow.yaml 
networkpolicy.networking.k8s.io/cloud-metadata-allow created

root@master:~/cks/metadata# k label pod nginx role=metadata-accessor
pod/nginx labeled


root@master:~/cks/metadata# k get pods nginx --show-labels
NAME    READY   STATUS    RESTARTS   AGE   LABELS
nginx   1/1     Running   0          10m   role=metadata-accessor,run=nginx
root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"  #正常访问

测试删除metadata中的role

root@master:~/cks/metadata# k edit pod nginx
metadata:
  annotations:
    cni.projectcalico.org/podIP: 192.168.104.31/32
  creationTimestamp: "2021-04-22T03:17:45Z"
  labels:
    role: metadata-accessor   #删除
    run: nginx
  name: nginx
  namespace: default

root@master:~/clash# k exec -ti nginx bash
root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"  #卡住无法访问

上一页Secure Ingress 下一页CIS Benchmarks

最后更新于3年前

curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/0/" -H "Metadata-Flavor: Google" root@master:~/clash# k run nginx --image=nginx pod/nginx created root@master:~/clash# k get pods NAME READY STATUS RESTARTS AGE backend 1/1 Running 0 43h nginx 1/1 Running 0 22s pod1 1/1 Running 0 20h pod2 1/1 Running 0 20h root@master:~/clash# k exec -ti nginx bash root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google"

root@master:~/cks/metadata# cat deny.yaml # all pods in namespace cannot access metadata endpoint apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: cloud-metadata-deny namespace: default spec: podSelector: {} policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 except: - 169.254.169.254/32 root@master:~/cks/metadata# k create -f deny.yaml networkpolicy.networking.k8s.io/cloud-metadata-deny created root@master:~/clash# k exec -ti nginx bash root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" ## 卡住 root@master:~/cks/metadata# cat allow.yaml # only pods with label are allowed to access metadata endpoint apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: cloud-metadata-allow namespace: default spec: podSelector: matchLabels: role: metadata-accessor policyTypes: - Egress egress: - to: - ipBlock: cidr: 169.254.169.254/32 root@master:~/cks/metadata# k create -f allow.yaml networkpolicy.networking.k8s.io/cloud-metadata-allow created root@master:~/cks/metadata# k label pod nginx role=metadata-accessor pod/nginx labeled root@master:~/cks/metadata# k get pods nginx --show-labels NAME READY STATUS RESTARTS AGE LABELS nginx 1/1 Running 0 10m role=metadata-accessor,run=nginx root@master:~/clash# k exec -ti nginx bash root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" #正常访问

root@master:~/cks/metadata# k edit pod nginx metadata: annotations: cni.projectcalico.org/podIP: 192.168.104.31/32 creationTimestamp: "2021-04-22T03:17:45Z" labels: role: metadata-accessor #删除 run: nginx name: nginx namespace: default root@master:~/clash# k exec -ti nginx bash root@nginx:/# curl "http://metadata.google.internal/computeMetadata/v1/instance/disks/" -H "Metadata-Flavor: Google" #卡住无法访问