February 21, 2022 | 1 min Read

Protect Kubernetes node metadata

Deny all pod traffic to Google's metadata server (169.254.169.254)

Study this rule carefully - it takes time to understand it :) Keep in mind that a NetworkPolicy is only enforced when the cluster's network plugin implements NetworkPolicy; otherwise the object is accepted but has no effect.

cat <<'EOF' > np_cloud_metadata_deny.yaml
# Selects every pod in the namespace: none of them may reach the metadata endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}                   # empty selector = all pods in the namespace
  policyTypes:
  - Egress                          # egress becomes default-deny for the selected pods
  egress:
  - to:
    - ipBlock:
        # Thanks to this rule pods keep access everywhere, except 169.254.169.254.
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
EOF
Allow only pods carrying a specific label to access this server

cat <<'EOF' > np_cloud_metadata_allow.yaml
# Only pods with the label role=metadata-accessor are allowed to reach the metadata endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      # NetworkPolicies are additive: pods with this label keep the access granted
      # by cloud-metadata-deny and additionally gain access to 169.254.169.254.
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
EOF
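To see how the two policies combine before applying them to a cluster, here is an added offline evaluator (not part of the original post) that models the NetworkPolicy semantics the post relies on: a pod selected by any Egress policy is default-deny for egress, and its allowed destinations are the union of the ipBlock rules of every policy that selects it. The two policies are transcribed as dicts, and the pod labels and destination IPs are constructed sample data.

```python
import ipaddress

# The two policies from the post, transcribed as dicts (only the fields the check needs).
POLICIES = [
    {"name": "cloud-metadata-deny", "podSelector": {},
     "egress": [{"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}]},
    {"name": "cloud-metadata-allow", "podSelector": {"role": "metadata-accessor"},
     "egress": [{"cidr": "169.254.169.254/32", "except": []}]},
]

def selects(selector, labels):
    """An empty podSelector matches every pod; otherwise every matchLabels entry must match."""
    return all(labels.get(k) == v for k, v in selector.items())

def ip_block_allows(block, ip):
    """An ipBlock matches when ip lies inside cidr and inside none of the except ranges."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block["except"])

def egress_allowed(pod_labels, dst_ip, policies=POLICIES):
    """True if a pod with pod_labels may send traffic to dst_ip under the given policies."""
    matching = [p for p in policies if selects(p["podSelector"], pod_labels)]
    if not matching:
        return True  # no Egress policy selects the pod: egress stays unrestricted
    # Union of all egress rules of all selecting policies (policies are additive).
    return any(ip_block_allows(b, dst_ip) for p in matching for b in p["egress"])

if __name__ == "__main__":
    plain = {"app": "web"}                                   # constructed sample pod
    accessor = {"app": "web", "role": "metadata-accessor"}   # constructed sample pod
    for name, labels in (("plain pod", plain), ("metadata-accessor pod", accessor)):
        for dst in ("169.254.169.254", "8.8.8.8"):
            verdict = "ALLOW" if egress_allowed(labels, dst) else "DENY"
            print(f"{name:22} -> {dst:16} {verdict}")
```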

Jan Toth

I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …
