Add --metadata-protection

jtblin · Oct 22, 2019 · 6885a63 · 6885a63
1 parent 39a0038
commit 6885a63
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 9 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -27,6 +27,7 @@ func addFlags(s *server.Server, fs *pflag.FlagSet) {
 	fs.BoolVar(&s.Insecure, "insecure", false, "Kubernetes server should be accessed without verifying the TLS. Testing only")
 	fs.StringVar(&s.MetadataAddress, "metadata-addr", s.MetadataAddress, "Address for the ec2 metadata")
 	fs.BoolVar(&s.AddIPTablesRule, "iptables", false, "Add iptables rule (also requires --host-ip)")
+	fs.BoolVar(&s.MetadataProtection, "metadata-protection", false, "Block metadata requests that don't have a correct AWS User Agent")
 	fs.BoolVar(&s.AutoDiscoverBaseArn, "auto-discover-base-arn", false, "Queries EC2 Metadata to determine the base ARN")
 	fs.BoolVar(&s.AutoDiscoverDefaultRole, "auto-discover-default-role", false, "Queries EC2 Metadata to determine the default Iam Role and base ARN, cannot be used with --default-role, overwrites any previous setting for --base-role-arn")
 	fs.StringVar(&s.HostInterface, "host-interface", "docker0", "Host interface for proxying AWS metadata")

diff --git a/glide.lock b/glide.lock
diff --git a/server/server.go b/server/server.go
@@ -43,6 +43,9 @@ const (
 // Keeps track of the names of registered handlers for metric value/label initialization
 var registeredHandlerNames []string
 
+// Allowed user-agent prefixes when --metadata-protection is enabled
+var userAgentPrefixAllowlist []string
+
 // Server encapsulates all of the parameters necessary for starting up
 // the server. These can either be set via command line or directly.
 type Server struct {
@@ -65,6 +68,7 @@ type Server struct {
 	NamespaceRestrictionFormat string
 	UseRegionalStsEndpoint     bool
 	AddIPTablesRule            bool
+	MetadataProtection         bool
 	AutoDiscoverBaseArn        bool
 	AutoDiscoverDefaultRole    bool
 	Debug                      bool
@@ -94,6 +98,10 @@ type responseWriter struct {
 	statusCode int
 }
 
+func init() {
+	userAgentPrefixAllowlist = []string{"aws-sdk-", "Botocore/", "Boto3/", "aws-cli/", "aws-chalice/"}
+}
+
 func (rw *responseWriter) WriteHeader(code int) {
 	rw.statusCode = code
 	rw.ResponseWriter.WriteHeader(code)
@@ -365,6 +373,19 @@ func write(logger *log.Entry, w http.ResponseWriter, s string) {
 	}
 }
 
+func (s *Server) checkUserAgent(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		userAgent := r.UserAgent()
+		for _, prefix := range userAgentPrefixAllowlist {
+			if strings.HasPrefix(userAgent, prefix) {
+				next.ServeHTTP(w, r)
+				return
+			}
+		}
+		http.Error(w, fmt.Sprintf("User-agent '%s' is not allowed", userAgent), http.StatusForbidden)
+	})
+}
+
 // Run runs the specified Server.
 func (s *Server) Run(host, token, nodeName string, insecure bool) error {
 	k, err := k8s.NewClient(host, token, nodeName, insecure)
@@ -393,24 +414,32 @@ func (s *Server) Run(host, token, nodeName string, insecure bool) error {
 	s.beginPollHealthcheck(healthcheckInterval)
 
 	r := mux.NewRouter()
-	securityHandler := newAppHandler("securityCredentialsHandler", s.securityCredentialsHandler)
+
+	r.Handle("/healthz", newAppHandler("healthHandler", s.healthHandler))
+
+	if s.MetricsPort == s.AppPort {
+		r.Handle("/metrics", metrics.GetHandler())
+	} else {
+		metrics.StartMetricsServer(s.MetricsPort)
+	}
 
 	if s.Debug {
 		// This is a potential security risk if enabled in some clusters, hence the flag
 		r.Handle("/debug/store", newAppHandler("debugStoreHandler", s.debugStoreHandler))
 	}
+
+	if s.MetadataProtection {
+		// All routes added below here will have user-agent validation
+		r.Use(s.checkUserAgent)
+	}
+
+	securityHandler := newAppHandler("securityCredentialsHandler", s.securityCredentialsHandler)
+
 	r.Handle("/{version}/meta-data/iam/security-credentials", securityHandler)
 	r.Handle("/{version}/meta-data/iam/security-credentials/", securityHandler)
 	r.Handle(
 		"/{version}/meta-data/iam/security-credentials/{role:.*}",
 		newAppHandler("roleHandler", s.roleHandler))
-	r.Handle("/healthz", newAppHandler("healthHandler", s.healthHandler))
-
-	if s.MetricsPort == s.AppPort {
-		r.Handle("/metrics", metrics.GetHandler())
-	} else {
-		metrics.StartMetricsServer(s.MetricsPort)
-	}
 
 	// This has to be registered last so that it catches fall-throughs
 	r.Handle("/{path:.*}", newAppHandler("reverseProxyHandler", s.reverseProxyHandler))