Add --extra-security flag

jtblin · Jul 16, 2018 · a76a0e5 · a76a0e5
1 parent 9c62efa
commit a76a0e5
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -515,6 +515,7 @@ Usage of ./build/bin/darwin/kube2iam:
       --base-role-arn string                Base role ARN
       --debug                               Enable debug features
       --default-role string                 Fallback role to use when annotation is not set
+      --extra-security                      Hide additional metadata URLs
       --hide-user-data                      Hide the instance's user-data
       --host-interface string               Host interface for proxying AWS metadata (default "docker0")
       --host-ip string                      IP address of host

diff --git a/cmd/main.go b/cmd/main.go
@@ -38,6 +38,7 @@ func addFlags(s *server.Server, fs *pflag.FlagSet) {
 	fs.BoolVar(&s.Verbose, "verbose", false, "Verbose")
 	fs.BoolVar(&s.Version, "version", false, "Print the version and exits")
 	fs.BoolVar(&s.HideUserData, "hide-user-data", false, "Hide the instance's user-data")
+	fs.BoolVar(&s.ExtraSecurity, "extra-security", false, "Hide additional metadata URLs")
 }
 
 func main() {

diff --git a/server/server.go b/server/server.go
@@ -60,6 +60,7 @@ type Server struct {
 	Verbose                 bool
 	Version                 bool
 	HideUserData            bool
+	ExtraSecurity           bool
 	iam                     *iam.Client
 	k8s                     *k8s.Client
 	roleMapper              *mappings.RoleMapper
@@ -299,6 +300,19 @@ func (s *Server) Run(host, token, nodeName string, insecure bool) error {
 		r.Handle("/{version}/user-data", appHandler(s.emptyResponseHandler))
 		r.Handle("/{version}/user-data/{path:.*}", appHandler(s.emptyResponseHandler))
 	}
+	if(s.ExtraSecurity) {
+		// permit instance identity document, but not its signatures
+		r.Handle("/{version}/dynamic/instance-identity/document", appHandler(s.reverseProxyHandler))
+		r.Handle("/{version}/dynamic/instance-identity/{path:.+}", appHandler(s.emptyResponseHandler))
+		// hide public keys, disk configuration, security group & iam information
+		r.Handle("/{version}/meta-data/public-keys/{path:.*}", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/block-device-mapping/{path:.*}", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/network/{path:.*}", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/security-groups", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/security-groups/{path:.*}", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/iam/info", appHandler(s.emptyResponseHandler))
+		r.Handle("/{version}/meta-data/iam/info/{path:.*}", appHandler(s.emptyResponseHandler))
+	}
 	r.Handle("/{version}/meta-data/iam/security-credentials", appHandler(s.securityCredentialsHandler))
 	r.Handle("/{version}/meta-data/iam/security-credentials/", appHandler(s.securityCredentialsHandler))
 	r.Handle("/{version}/meta-data/iam/security-credentials/{role:.*}", appHandler(s.roleHandler))