Protect Kubernetes node metadata
Deny all traffic to Google's metadata server
Study this rule carefully; it takes time to understand it :) Two caveats before relying on it: a NetworkPolicy is only enforced when the cluster's CNI supports it (on GKE, network policy enforcement has to be enabled on the cluster), and it never applies to pods running with hostNetwork: true, which share the node's network namespace and reach the metadata server directly.
cat <<'EOF' > np_cloud_metadata_deny.yaml
# Every pod in the namespace (empty podSelector) loses egress to the metadata endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0          # <--- pods may still reach every address ...
        except:
        - 169.254.169.254/32     # <--- ... except the metadata server
EOF
Allow certain pods to access this server
cat <<'EOF' > np_cloud_metadata_allow.yaml
# Only pods carrying the label are selected by this policy. NetworkPolicies are
# additive, so these pods keep everything the deny policy allows and additionally
# gain egress to 169.254.169.254.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloud-metadata-allow
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor  # <--- pods with this label get metadata access too
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
EOF
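To see why the two policies combine the way the comments claim, here is an added example (my own code, not part of the original post or of Kubernetes) that evaluates the egress decision a CNI would make for a pod under both policies. It models only the parts of networking.k8s.io/v1 the post uses: namespaced policies, podSelector, policyTypes, ipBlock with cidr/except, the "no selecting policy means allow-all" default, and the additive union of matching rules; pod/namespace selector peers and ports are deliberately left out. The policies are embedded inline as Python dicts mirroring the YAML above, and the hostNetwork short-circuit reflects the caveat that NetworkPolicy does not apply to such pods.

```python
import ipaddress

# Constructed inline for this example: the two policies the post writes to
# np_cloud_metadata_deny.yaml and np_cloud_metadata_allow.yaml, as Python
# dicts with the same structure as the YAML.
POLICIES = [
    {
        "metadata": {"name": "cloud-metadata-deny", "namespace": "default"},
        "spec": {
            "podSelector": {},  # empty selector: every pod in the namespace
            "policyTypes": ["Egress"],
            "egress": [{"to": [{"ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": ["169.254.169.254/32"],
            }}]}],
        },
    },
    {
        "metadata": {"name": "cloud-metadata-allow", "namespace": "default"},
        "spec": {
            "podSelector": {"matchLabels": {"role": "metadata-accessor"}},
            "policyTypes": ["Egress"],
            "egress": [{"to": [{"ipBlock": {"cidr": "169.254.169.254/32"}}]}],
        },
    },
]


def pod_selected(selector, labels):
    """podSelector semantics: {} selects all pods; every matchLabels entry must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ip_block_allows(block, dst):
    """ipBlock semantics: dst must be inside cidr and outside every except entry."""
    ip = ipaddress.ip_address(dst)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(policies, namespace, labels, dst, host_network=False):
    """Return (allowed, reason) for a pod's egress to IP address `dst`.

    Models the core rules a CNI enforces: policies are namespaced, apply only to
    pods they select, are additive (one matching rule in any selecting policy
    allows the traffic), and a pod selected by no Egress policy is allow-all.
    Only ipBlock peers are modelled (no selector peers, no ports).
    """
    if host_network:
        # NetworkPolicy never applies to hostNetwork pods: they use the node's
        # network namespace and can reach the metadata server regardless.
        return True, "hostNetwork pod: NetworkPolicy not enforced"

    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == namespace
        and "Egress" in p["spec"].get("policyTypes", [])
        and pod_selected(p["spec"].get("podSelector", {}), labels)
    ]
    if not selecting:
        return True, "no Egress policy selects this pod: default allow-all"

    for p in selecting:
        for rule in p["spec"].get("egress", []):
            peers = rule.get("to", [])
            if not peers:  # a rule with no 'to' allows every destination
                return True, f"allowed by {p['metadata']['name']} (empty 'to')"
            for peer in peers:
                if "ipBlock" in peer and ip_block_allows(peer["ipBlock"], dst):
                    return True, f"allowed by {p['metadata']['name']}"

    names = ", ".join(p["metadata"]["name"] for p in selecting)
    return False, f"denied: selected by [{names}] but no egress rule matches {dst}"


if __name__ == "__main__":
    cases = [
        ("default", {}, "8.8.8.8"),
        ("default", {}, "169.254.169.254"),
        ("default", {"role": "metadata-accessor"}, "169.254.169.254"),
        ("other-ns", {}, "169.254.169.254"),
    ]
    for ns, labels, dst in cases:
        ok, why = egress_allowed(POLICIES, ns, labels, dst)
        shown = labels if labels else "{}"
        print(f"{ns} {shown} -> {dst}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Running it shows the unlabeled pod reaching 8.8.8.8 but not 169.254.169.254, the labeled pod reaching both, and a pod in another namespace reaching the metadata server freely, which is the reminder that both policies only protect the namespace they are created in.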
This post is licensed under CC BY 4.0 by the author.
