Protect Kubernetes node metadata
Deny all traffic to Google's metadata server
Study this rule carefully - it takes time to understand it :)
cat <<'EOF' > np_cloud_metadata_deny.yaml
# every pod in the namespace is denied access to the metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}            # empty selector: the policy applies to all pods in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # thanks to this rule pods can reach every address ...
            except:
              - 169.254.169.254/32  # ... except the metadata endpoint
EOF
Allow certain pods to access this server
cat <<'EOF' > np_cloud_metadata_allow.yaml
# only pods carrying the label are allowed to access the metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor  # pods with this label additionally get access to 169.254.169.254
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 169.254.169.254/32
EOF
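The two policies above only make sense together: the deny policy isolates every pod in the namespace for egress, and the allow policy adds the metadata endpoint back for labelled pods, because egress rules from all selecting policies are additive. To see that combination work before touching a cluster, here is an added example (my code, not part of the original post) that transcribes both policies into Python dicts and evaluates the Kubernetes egress semantics for a given pod and destination. The function names (`selects`, `ip_block_matches`, `egress_allowed`, `metadata_report`), the sample pods and the external address 8.8.8.8 are constructed for the example; only `ipBlock` peers are modelled, not `podSelector`/`namespaceSelector` peers or ports.

```python
import ipaddress

# The two NetworkPolicy objects from this post, transcribed into Python dicts
# so the example runs without PyYAML (constructed for this example).
CLOUD_METADATA_DENY = {
    "metadata": {"name": "cloud-metadata-deny", "namespace": "default"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                 "except": ["169.254.169.254/32"]}}]}
        ],
    },
}

CLOUD_METADATA_ALLOW = {
    "metadata": {"name": "cloud-metadata-allow", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "metadata-accessor"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "169.254.169.254/32"}}]}],
    },
}

POLICIES = [CLOUD_METADATA_DENY, CLOUD_METADATA_ALLOW]
METADATA_IP = "169.254.169.254"


def selects(pod_selector, pod_labels):
    """An empty podSelector matches every pod in the namespace; otherwise
    every key/value pair in matchLabels must be present on the pod."""
    wanted = pod_selector.get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def ip_block_matches(ip_block, dest_ip):
    """True if dest_ip lies inside cidr and outside every 'except' range.
    An IPv4 CIDR never matches an IPv6 address (and vice versa)."""
    addr = ipaddress.ip_address(dest_ip)
    if addr not in ipaddress.ip_network(ip_block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in ip_block.get("except", []))


def egress_allowed(policies, pod_labels, dest_ip):
    """Evaluate NetworkPolicy egress semantics for one pod and one destination:
    - a pod selected by no Egress policy is not isolated, so everything is allowed;
    - once selected by at least one, traffic is allowed only if some selecting
      policy has an egress rule matching dest_ip (rules from all policies add up;
      one policy can never subtract what another policy allows).
    Simplified (assumption of this example): only ipBlock peers are evaluated,
    ports are ignored, and policyTypes must be listed explicitly."""
    selecting = [p for p in policies
                 if "Egress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("egress", []):
            if "to" not in rule:
                return True  # a rule without 'to' allows every destination
            for peer in rule["to"]:
                if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dest_ip):
                    return True
    return False


def metadata_report(policies, pods):
    """For each (pod name, labels) pair, report whether the pod can reach the
    metadata endpoint and a sample external address (8.8.8.8, constructed)."""
    return {name: {"metadata": egress_allowed(policies, labels, METADATA_IP),
                   "internet": egress_allowed(policies, labels, "8.8.8.8")}
            for name, labels in pods}


if __name__ == "__main__":
    sample_pods = [("web", {"app": "web"}),
                   ("cloud-agent", {"role": "metadata-accessor"})]
    for name, access in metadata_report(POLICIES, sample_pods).items():
        print(f"{name:12} metadata={access['metadata']!s:5} internet={access['internet']}")
```

Two things the evaluator makes visible that are easy to miss when reading the YAML. First, the deny policy's only allow rule is the IPv4 block 0.0.0.0/0, so in a dual-stack cluster a pod selected by it loses all IPv6 egress, not just the metadata endpoint; add a matching IPv6 `ipBlock` if your cluster routes IPv6. Second, the model is deliberately optimistic about `ipBlock` matching: in a real cluster NetworkPolicy is only enforced when the CNI plugin supports it, and how `ipBlock` applies to pod-to-pod traffic inside the cluster is CNI-dependent, so verify the policies in place (for example with `kubectl exec` and a request to 169.254.169.254 from a labelled and an unlabelled pod) rather than trusting a dry run alone.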