Protect Kubernetes node metadata
Using Kubernetes NetworkPolicies to deny egress traffic to the cloud provider metadata server and selectively allow access for specific pods.
Deny all traffic to Google's metadata server
Study this rule carefully - it takes time to understand it.
The following NetworkPolicy denies egress traffic to the cloud provider metadata endpoint (169.254.169.254) for all pods in the default namespace, while still allowing traffic to all other destinations.
cat <<'EOF' > np_cloud_metadata_deny.yaml
# all pods in the namespace cannot reach the metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0  # <-- thanks to this rule pods have access everywhere except 169.254.169.254
        except:
        - 169.254.169.254/32
EOF
Allow certain pods to access this server
This second NetworkPolicy grants an exception: pods labeled with role: metadata-accessor are explicitly allowed egress access to the metadata endpoint at 169.254.169.254. Combined with the deny policy above, only these specifically labeled pods can reach the metadata server.
cat <<'EOF' > np_cloud_metadata_allow.yaml
# only pods with the label are allowed to reach the metadata endpoint
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor  # <-- thanks to this rule pods labeled metadata-accessor additionally get access to 169.254.169.254
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
EOF
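To check how the two policies combine before applying them to a cluster, here is an added Python model of the egress evaluation (not code from this post): the manifests above are transcribed into dicts, only ipBlock peers are modelled, and the rules that matter are that policies are additive and that a pod selected by no Egress policy in its namespace is unrestricted.

```python
import ipaddress

# Constructed transcription of the two NetworkPolicy manifests on this page as
# Python dicts (only the fields the evaluator uses are kept; no YAML parser needed).
POLICIES = [
    {"metadata": {"name": "cloud-metadata-deny", "namespace": "default"},
     "spec": {"podSelector": {},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                               "except": ["169.254.169.254/32"]}}]}]}},
    {"metadata": {"name": "cloud-metadata-allow", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"role": "metadata-accessor"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "169.254.169.254/32"}}]}]}},
]


def selects(selector, labels):
    """An empty podSelector matches every pod; every matchLabels key must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ip_block_allows(block, dst):
    """ipBlock matches when dst lies inside cidr and in none of the except ranges."""
    if dst not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(dst in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(namespace, labels, dst_ip, policies=POLICIES):
    """Simplified NetworkPolicy egress semantics (ipBlock peers only):
    a pod selected by no Egress policy in its namespace is unrestricted; otherwise
    the destination must match a 'to' peer of at least one selecting policy."""
    dst = ipaddress.ip_address(dst_ip)
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == namespace
                 and "Egress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"]["podSelector"], labels)]
    if not selecting:
        return True  # default allow: nothing isolates this pod for egress
    # Policies are additive: the allowed set is the union over all selecting policies.
    for p in selecting:
        for rule in p["spec"].get("egress", []):
            for peer in rule.get("to", []):
                if "ipBlock" in peer and ip_block_allows(peer["ipBlock"], dst):
                    return True
    return False
```

Note that a pod in any other namespace (e.g. kube-system) is still unrestricted by these two policies, since NetworkPolicies are namespaced; the deny manifest has to be created in every namespace you want covered.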
This post is licensed under CC BY 4.0 by the author.