
Adding simple proxy container for GCE metadata server

Q-Lee committed May 2, 2017
1 parent 65ad924 commit 55ad9ce40a3b883388b974c0992ea64c9febf776
@@ -37,13 +37,13 @@ container:
docker build --pull -t $(PREFIX)-$(ARCH):$(TAG) .
push: container
gcloud docker push $(PREFIX)-$(ARCH):$(TAG)
gcloud docker -- push $(PREFIX)-$(ARCH):$(TAG)
push-legacy: container
ifeq ($(ARCH),amd64)
# Backward compatibility. TODO: deprecate this image tag
docker tag -f $(PREFIX)-$(ARCH):$(TAG) $(PREFIX):$(TAG)
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
endif
clean:
@@ -49,4 +49,4 @@ build: go
docker: build
push: docker
gcloud docker push ${PREFIX}/addon-resizer:$(TAG)
gcloud docker -- push ${PREFIX}/addon-resizer:$(TAG)
@@ -16,8 +16,8 @@ container: server
docker build --pull -t $(NODEJS_PREFIX):$(NODEJS_TAG) client/nodejs
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker push $(NODEJS_PREFIX):$(NODEJS_TAG)
gcloud docker -- push $(PREFIX):$(TAG)
gcloud docker -- push $(NODEJS_PREFIX):$(NODEJS_TAG)
clean:
rm -f server
@@ -113,7 +113,7 @@ container-name:
push: .push-$(DOTFILE_IMAGE) push-name
.push-$(DOTFILE_IMAGE): .container-$(DOTFILE_IMAGE)
@gcloud docker push $(IMAGE):$(VERSION)
@gcloud docker -- push $(IMAGE):$(VERSION)
@docker images -q $(IMAGE):$(VERSION) > $@
push-name:
@@ -11,7 +11,7 @@ container: server
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
rm -f flannel_helper
@@ -14,4 +14,4 @@ container:
docker build --pull -t $(PREFIX)/$(NAME):$(TAG) .
push:
gcloud docker push $(PREFIX)/$(NAME):$(TAG)
gcloud docker -- push $(PREFIX)/$(NAME):$(TAG)
@@ -14,9 +14,9 @@ container: serve_hostname
fi
push:
gcloud docker push $(PREFIX)/serve_hostname:$(TAG)
gcloud docker -- push $(PREFIX)/serve_hostname:$(TAG)
if [ -n "$(TEST_PREFIX)" ]; then \
gcloud docker push $(TEST_PREFIX)/serve_hostname:$(TAG); \
gcloud docker -- push $(TEST_PREFIX)/serve_hostname:$(TAG); \
fi
clean:
@@ -7,7 +7,7 @@ container: test-webserver
sudo docker build --pull -t gcr.io/google_containers/test-webserver .
push: container
gcloud docker push gcr.io/google_containers/test-webserver
gcloud docker -- push gcr.io/google_containers/test-webserver
clean:
rm -f test-webserver
@@ -9,7 +9,7 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
# remove haproxy images
@@ -8,4 +8,4 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
@@ -8,4 +8,4 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
@@ -20,7 +20,7 @@ keepalived:
docker rm -f $(BUILD_IMAGE)
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
rm -f kube-keepalived-vip
@@ -49,4 +49,4 @@ build: go
docker: build
push: docker
gcloud docker push ${PREFIX}/kubelet-to-gcm:$(TAG)
gcloud docker -- push ${PREFIX}/kubelet-to-gcm:$(TAG)
@@ -0,0 +1,27 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM gcr.io/google-containers/debian-base-amd64:0.1
LABEL maintainer "qlee@google.com"
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
apt-utils && clean-install iptables nginx
# Give nginx its config file.
COPY nginx.conf /etc/nginx/nginx.conf
# Place our wrapper script into the image.
COPY start-proxy.sh /
ENTRYPOINT ["/start-proxy.sh"]
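Review bot: `FROM gcr.io/google-containers/debian-base-amd64:0.1` pins the base image by a mutable tag, so two builds of this file can yield different images if the tag is moved; pinning by digest (`FROM gcr.io/google-containers/debian-base-amd64@sha256:<digest-placeholder>`, with the tag kept in a comment) makes the build reproducible, which matters for an image that sits in front of the metadata server. The `RUN` line installs `apt-utils` with a bare `apt-get install` before calling the base image's `clean-install` helper; whether the lists fetched by `apt-get update` are removed from the layer depends on that helper, which is not on this page, so appending `&& rm -rf /var/lib/apt/lists/*` would make the cleanup explicit. The hunk header announces 27 added lines but the rendered page shows 23, presumably dropping blank lines.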
@@ -0,0 +1,28 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
.PHONY: build push
# TAG is the version to build and push to.
PREFIX = gcr.io/google_containers
TAG = 0.1
build:
# We explicitly add "--pull" flag to always fetch the latest version
# of the base image. This is necessary to avoid using cached local
# versions of image e.g. when updating insecure base images.
docker build --pull -t ${PREFIX}/metadata-proxy:$(TAG) .
push: build
gcloud docker -- push ${PREFIX}/metadata-proxy:$(TAG)
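Review bot: `PREFIX = gcr.io/google_containers` and `TAG = 0.1` use recursive assignment where simple `:=` is the predictable default for plain values, and both recipes mix `${PREFIX}` with `$(TAG)` on the same line; `PREFIX := gcr.io/google_containers`, `TAG := 0.1` and `$(PREFIX)/metadata-proxy:$(TAG)` in the `build` and `push` recipes would read consistently with the other Makefiles touched by this commit. The comment `# TAG is the version to build and push to.` sits above the PREFIX assignment rather than the TAG one; moving it directly above `TAG` and adding `# PREFIX is the registry path the image is pushed to.` keeps each knob documented where it is set. Whether the recipe lines carry the required leading tab cannot be judged from the rendered page.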
@@ -0,0 +1,63 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 20;
}
http {
server {
listen 127.0.0.1:988;
# By default, return 403. This protects us from new API versions.
location / {
return 403;
}
# Allow for REST discovery.
location = / {
proxy_pass http://169.254.169.254;
}
location = /computeMetadata/ {
proxy_pass http://169.254.169.254;
}
# By default, allow the v0.1, v1beta1, and v1 APIs.
location /0.1/ {
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1beta1/ {
proxy_pass http://169.254.169.254;
}
location /computeMetadata/v1/ {
proxy_pass http://169.254.169.254;
}
# Return a 403 for the kube-env attribute in all allowed API versions.
location /0.1/meta-data/attributes/kube-env {
return 403;
}
location /computeMetadata/v1beta1/instance/attributes/kube-env {
return 403;
}
location /computeMetadata/v1/instance/attributes/kube-env {
return 403;
}
}
}
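Review bot: The three `return 403` locations at the end deny only the literal `kube-env` paths, and nothing in this file examines the query string, so a recursive listing of the parent `attributes/` directory (which the GCE metadata server serves for directory paths when asked) still passes through the broader `location /computeMetadata/v1/` allow rule above and would include that attribute. nginx matches `location` prefixes against the decoded, normalized URI, so path-spelling variants are covered; the gap is the query-string dimension alone. A defender-side fix is to add, for each allowed API version, a regex location for the attributes directory itself that refuses recursive queries, as below for `v1`; the same applies to the `v1beta1` and `0.1` branches. The regex location takes precedence over the prefix allow rule but not over the longer `kube-env` prefix, so the existing denies keep working.
```nginx
# A recursive listing of the attributes directory would include kube-env; deny it.
location ~ ^/computeMetadata/v1/instance/attributes/?$ {
    if ($args ~* "recursive") {
        return 403;
    }
    proxy_pass http://169.254.169.254;
}
# … same block for /computeMetadata/v1beta1/instance/attributes/ and /0.1/meta-data/attributes/ …
```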
@@ -0,0 +1,31 @@
#!/bin/dash
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_term() {
iptables -D -t filter -I KUBE-METADATA-SERVER -j ACCEPT
iptables -D -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:988
exit
}
# Forward traffic to nginx.
iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:988
iptables -t filter -I KUBE-METADATA-SERVER -j ACCEPT
# Clean up the iptables rule if we're exiting gracefully.
trap _term TERM
# Run nginx in the foreground.
nginx -g 'daemon off;'
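Review bot: The two lines inside `_term` each combine two iptables commands (`-D` and `-I`) in one invocation, which iptables rejects as multiple commands, so the cleanup on SIGTERM never removes the DNAT or ACCEPT rule; each must be a single delete with the same match as the corresponding insert, i.e. `iptables -t nat -D PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:988` and `iptables -t filter -D KUBE-METADATA-SERVER -j ACCEPT`. Independently, `trap _term TERM` cannot fire while `nginx -g 'daemon off;'` runs in the foreground, because a POSIX shell defers a trap handler until the foreground command has completed and nginx itself is never signalled; the Dockerfile in this commit makes this script the ENTRYPOINT, so it is PID 1 and the process the container runtime signals. Running nginx in the background and `wait`ing on it, with `_term` stopping nginx before deleting the rules (fail closed: traffic hits a closed port rather than reaching the upstream unfiltered), fixes both. The two `-I` lines also have no error handling, so if the `KUBE-METADATA-SERVER` chain does not exist (it is created elsewhere, not on this page) nginx starts without the redirect; appending `|| exit 1` to each insert line makes that a hard failure.
```shell
_term() {
  # Stop nginx first so redirected traffic fails closed, then remove the
  # rules; one iptables command per invocation.
  kill -TERM "$nginx_pid" 2>/dev/null
  wait "$nginx_pid"
  iptables -t nat -D PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:988
  iptables -t filter -D KUBE-METADATA-SERVER -j ACCEPT
  exit
}
# … unchanged: the two iptables -I lines and `trap _term TERM` …
# Run nginx in the background and wait on it; `wait` is interrupted by the
# trapped signal, whereas a foreground command defers the trap until it exits.
nginx -g 'daemon off;' &
nginx_pid=$!
wait "$nginx_pid"
```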
@@ -12,7 +12,7 @@ container: node-perf-dash
docker build --pull -t $(REPO)/node-perf-dash:$(TAG) .
push: container
gcloud docker push $(REPO)/node-perf-dash:$(TAG)
gcloud docker -- push $(REPO)/node-perf-dash:$(TAG)
clean:
rm -f node-perf-dash
@@ -12,7 +12,7 @@ container: perfdash
docker build --pull -t gcr.io/$(PROJ)/perfdash:$(TAG) .
push: container
gcloud docker push gcr.io/$(PROJ)/perfdash:$(TAG)
gcloud docker -- push gcr.io/$(PROJ)/perfdash:$(TAG)
clean:
rm -f perfdash
@@ -21,7 +21,7 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
docker rmi $(PREFIX):$(TAG)
@@ -25,7 +25,7 @@ container: server
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
rm -f mysql_healthz
@@ -27,7 +27,7 @@ container: server
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
rm -f peer-finder
@@ -21,7 +21,7 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
docker rmi $(PREFIX):$(TAG)
@@ -21,7 +21,7 @@ container:
docker build --pull -t $(PREFIX):$(TAG) .
push: container
gcloud docker push $(PREFIX):$(TAG)
gcloud docker -- push $(PREFIX):$(TAG)
clean:
docker rmi $(PREFIX):$(TAG)
@@ -15,7 +15,7 @@ local_dryrun: container
docker run --rm -p 8090:8080 gcr.io/google_containers/aggregator:$(TAG)
push: container
gcloud docker push gcr.io/google_containers/aggregator:$(TAG)
gcloud docker -- push gcr.io/google_containers/aggregator:$(TAG)
clean:
rm -f aggregator
@@ -10,7 +10,7 @@ container: loader
docker build --pull -t gcr.io/google_containers/loader:$(TAG) .
push: container
gcloud docker push gcr.io/google_containers/loader:$(TAG)
gcloud docker -- push gcr.io/google_containers/loader:$(TAG)
clean:
rm -f loader
